Clone this repo:

Branches

  1. 8202874 Don't add seed corpus as a dependency in seed corpus disabled builds by Jonathan Metzman · 2 days ago master
  2. 06f3cc1 Add gn arg archive_seed_corpus by Jonathan Metzman · 7 days ago
  3. ef8de90 Restrict maximum size for seed corpus in fuzzer archives. by Abhishek Arya · 7 days ago
  4. e28d7eb Revert "Allow proto_library()'s proto_out_dir to be a source-root-absolute path" by Avi Drissman · 14 days ago
  5. b75db21 Allow proto_library()'s proto_out_dir to be a source-root-absolute path by Andrew Grieve · 2 weeks ago

libFuzzer in Chromium

go/libfuzzer-chromium (Googler only)

This directory contains integration between libFuzzer and Chromium. LibFuzzer is an in-process coverage-driven evolutionary fuzzing engine. It helps engineers to uncover potential security & stability problems.

Requirements: libFuzzer in Chromium is supported with Linux, Chrome OS, Mac, and Windows.

Integration Status

Fuzzer tests are well-integrated with Chromium build system and distributed ClusterFuzz fuzzing system. Cover bug: crbug.com/539572.

Documentation

  • Getting Started Guide walks you through all the steps necessary to create your fuzz target and submit it to ClusterFuzz.
  • Efficient Fuzzer Guide explains how to measure fuzz target effectiveness and ways to improve it.
  • Guide to libprotobuf-mutator walks through the steps necessary to create a fuzz target that expects a protobuf as input (instead of a byte stream). In addition to fuzzing code that accepts protobufs, it can be used to fuzz code that requires multiple mutated inputs, or to generate inputs defined by a grammar.
  • ClusterFuzz Integration describes integration between ClusterFuzz and libFuzzer.
  • Reproducing Bugs describes how to reproduce bugs found by libFuzzer/AFL and reported by ClusterFuzz.
  • Fuzzing on Chrome OS describes how to write fuzzers for the non-browser parts of Chrome OS.
  • AFL Integration describes AFL's integration with Chromium and ClusterFuzz.
  • Reference contains detailed references for different integration parts.

Trophies

  • ClusterFuzz Bugs - issues found and automatically filed by ClusterFuzz.
  • Manual Bugs - issues that were filed manually after running fuzz targets.
  • Pdfium Bugs - bugs found in pdfium by manual fuzzing.
  • OSS Trophies - bugs found with libFuzzer in open-source projects.

Blog Posts

Project Links