
# libFuzzer Integration Reference

## Supported Platforms and Configurations

### Linux

Linux is fully supported by libFuzzer and ClusterFuzz with the following sanitizer configurations:

| GN Argument | Description |
|---|---|
| `is_asan=true` | Enables Address Sanitizer to catch problems like buffer overruns. |
| `is_msan=true` | Enables Memory Sanitizer to catch problems like uninitialized reads. |
| `is_ubsan_security=true` | Enables Undefined Behavior Sanitizer to catch undefined behavior like integer overflow. |

Configuration example:

```
# With address sanitizer
gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false' --check
```

### Mac

Mac is experimentally supported by libFuzzer with the `is_asan` configuration. Mac support is not provided by ClusterFuzz.

Configuration example:

```
gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true enable_nacl=false mac_deployment_target="10.7"' --check
```

## fuzzer_test GN Template

Use `fuzzer_test` to define libFuzzer targets:

```
fuzzer_test("my_fuzzer") {
  ...
}
```

The following arguments are supported:

| Argument | Description |
|---|---|
| `sources` | Required. List of fuzzer test source files. |
| `deps` | Fuzzer dependencies. |
| `additional_configs` | Additional GN configurations to be used for compilation. |
| `dict` | A dictionary file for the fuzzer. |
| `libfuzzer_options` | Runtime options file for the fuzzer. See Fuzzer Runtime Options. |

## Fuzzer Runtime Options

There are many different runtime options supported by libFuzzer. Options are passed as command-line arguments:

```
./fuzzer [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ]
```

The most common flags are:

| Flag | Description |
|---|---|
| `max_len` | Maximum length of a test input. |
| `timeout` | Timeout in seconds. Inputs that take longer than this value to run are reported as bugs. |

A fuller list of options can be found on the libFuzzer Usage page and by running the binary with `-help=1`.

To specify these options for ClusterFuzz, list all parameters in the `libfuzzer_options` target attribute:

```
fuzzer_test("my_fuzzer") {
  ...
  libfuzzer_options = [
    "max_len=2048",
    "use_traces=1",
  ]
}
```
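As an added example that is not part of this reference or of Chromium's own code, here is a minimal fuzz target source file of the kind listed in a `fuzzer_test` target's `sources`, wired up to `libfuzzer_options` such as `max_len=2048`. `ParseRecords` and its record format are hypothetical, constructed only to show where the sanitizer configurations above would report a finding.

```cpp
// Added example: a small libFuzzer target that could be listed in the
// `sources` of a fuzzer_test() target. ParseRecords and its input format
// are hypothetical and exist only for illustration.
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical format under test: [u8 count][count x (u8 len, len bytes)].
// Returns the number of records parsed, or -1 on malformed input.
// The two bounds checks are what the fuzzer exercises: drop either one and
// the std::vector copy reads past `data`, which is_asan=true reports as a
// heap-buffer-overflow on the first input that triggers it.
int ParseRecords(const uint8_t* data, size_t size) {
  if (size < 1) return -1;                 // also covers the empty input
  size_t count = data[0];
  size_t pos = 1;
  int parsed = 0;
  for (size_t i = 0; i < count; ++i) {
    if (pos >= size) return -1;            // missing length byte
    size_t len = data[pos++];
    if (len > size - pos) return -1;       // payload would run past the buffer
    std::vector<uint8_t> payload(data + pos, data + pos + len);
    pos += len;
    ++parsed;
  }
  return parsed;
}

// libFuzzer entry point. With libfuzzer_options = ["max_len=2048"] the
// runtime never generates inputs longer than 2048 bytes, but the target must
// still accept any size, including 0, and must return 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  ParseRecords(data, size);
  return 0;
}
```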