| # libFuzzer and ClusterFuzz Integration |
| |
| *** note |
| Most links on this page are private. |
| *** |
| |
| ClusterFuzz is a distributed fuzzing infrastructure |
| ([go/clusterfuzz](https://goto.google.com/clusterfuzz)) that automatically |
| executes libFuzzer tests on scale. |
| |
| ## Status Links |
| |
| * [Buildbot] - status of all libFuzzer builds. |
| * [ClusterFuzz Fuzzer Status] - fuzzing metrics, links to crashes and coverage |
| reports. |
| * [ClusterFuzz libFuzzer Logs] - individual fuzzer run logs. |
| * [Corpus GCS Bucket] - current corpus for each fuzzer. Can be used to upload |
| bootstrapped corpus. |
| |
| ## Integration Details |
| |
| The integration between libFuzzer and ClusterFuzz consists of: |
| |
| * Build rules definition in [fuzzer_test.gni]. |
| * [Buildbot] that automatically discovers fuzzers using `gn refs` facility, |
| builds fuzzers with multiple sanitizers and uploads binaries to a special |
| GCS bucket. Build bot recipe is defined in [chromium_libfuzzer.py]. |
| * ClusterFuzz downloads new binaries once a day and runs fuzzers continuously. |
| * Fuzzer run logs are uploaded to [ClusterFuzz libFuzzer Logs] GCS bucket. |
| * Fuzzing corpus is maintained for each fuzzer in [Corpus GCS Bucket]. Once a day |
| corpus is minimized to reduce number of duplicates and/or reduce effect of |
| parasitic coverage. |
| * [ClusterFuzz Fuzzer Status] displays fuzzer runtime |
| metrics as well as provides links to crashes and coverage reports. The information |
| is collected every 30 minutes. |
| |
| |
| ## Corpus |
| ClusterFuzz uses two corpus types with libFuzzer: |
| |
| * **Seed** (or **static**) corpus: files manually uploaded by developers. |
| ClusterFuzz uses these files for fuzzing but doesn't delete/overwrite them. |
| |
| * **General** (or **working**) corpus: files generated by fuzzers themselves. |
| These corpus files are frequently modified during fuzzing sessions and can be |
| deleted during corpus minimization. |
| |
| A fuzzer has two input corpus directories, seed and general, but its output |
| goes into general corpus directory. Seed corpus is read-only. |
| |
| |
| [Buildbot]: https://goto.google.com/libfuzzer-clusterfuzz-buildbot |
| [chromium_libfuzzer.py]: https://code.google.com/p/chromium/codesearch#chromium/build/scripts/slave/recipes/chromium_libfuzzer.py |
| [ClusterFuzz Fuzzer Status]: https://goto.google.com/libfuzzer-clusterfuzz-status |
| [ClusterFuzz libFuzzer Logs]: https://goto.google.com/libfuzzer-clusterfuzz-logs |
| [Corpus GCS Bucket]: https://goto.google.com/libfuzzer-clusterfuzz-corpus |
| [fuzzer_test.gni]: https://code.google.com/p/chromium/codesearch#chromium/src/testing/libfuzzer/fuzzer_test.gni |