---
title: 'Fuzzing'
linkTitle: 'Fuzzing'
---

## Reproducing using `fuzz`

We assume that you can [build Skia](/docs/user/build). Many fuzzes only
reproduce when building with ASAN or MSAN; see
[those instructions for more details](../xsan).

When building, you should add the following args to BUILD.gn to make reproducing
less machine- and platform-dependent:

    skia_use_fontconfig=false
    skia_use_freetype=true
    skia_use_system_freetype2=false
    skia_use_wuffs=true
    skia_enable_skottie=true
    skia_enable_fontmgr_custom_directory=false
    skia_enable_fontmgr_custom_embedded=false
    skia_enable_fontmgr_custom_empty=true

All that is needed to reproduce a fuzz downloaded from ClusterFuzz or oss-fuzz
is to run something like:

    out/ASAN/fuzz -b /path/to/downloaded/testcase

The fuzz binary will try its best to guess what the type/name should be based on
the name of the testcase. Manually providing type and name is also supported,
like:

    out/ASAN/fuzz -t filter_fuzz -b /path/to/downloaded/testcase
    out/ASAN/fuzz -t api -n RasterN32Canvas -b /path/to/downloaded/testcase

To enumerate all supported types and names, run the following:

    out/ASAN/fuzz --help # will list all types
    out/ASAN/fuzz -t api # will list all names

If the crash does not show up, try adding the flag `--loops`:

    out/ASAN/fuzz -b /path/to/downloaded/testcase --loops <times-to-run>

## Writing fuzzers with libfuzzer

libfuzzer is an easy way to write new fuzzers, and how we run them on oss-fuzz.
Your fuzzer entry point should implement this API:

    extern "C" int LLVMFuzzerTestOneInput(const uint8_t*, size_t);

First install Clang and libfuzzer, e.g.

    sudo apt install clang-10 libc++-10-dev libfuzzer-10-dev

You should now be able to use `-fsanitize=fuzzer` with Clang.

Set up GN args to use libfuzzer:

    cc = "clang-10"
    cxx = "clang++-10"
    sanitize = "fuzzer"
    extra_cflags = [ "-DSK_BUILD_FOR_LIBFUZZER", # enables fuzzer-constraints (see below)
                     "-O1"                       # Or whatever you want.
                   ]
    ...

Build Skia and your fuzzer entry point:

    ninja -C out/libfuzzer skia
    clang++-10 -I. -O1 -fsanitize=fuzzer fuzz/oss_fuzz/whatever.cpp out/libfuzzer/libskia.a

Run your new fuzzer binary:

    ./a.out

## Fuzzing Defines

There are some defines that can help guide a fuzzer to be more productive (e.g.
avoid OOMs, avoid unnecessarily slow code).

    // Required for fuzzing with afl-fuzz to prevent OOMs from adding noise.
    SK_BUILD_FOR_AFL_FUZZ

    // Required for fuzzing with libfuzzer
    SK_BUILD_FOR_LIBFUZZER

    // This define adds in guards to abort when we think some code path will take a long time or
    // use a lot of RAM. It is set by default when either of the above defines are set.
    SK_BUILD_FOR_FUZZER
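As an added example (not Skia's own code) tying the libfuzzer entry point above to the `SK_BUILD_FOR_FUZZER` guard idea, here is a stand-alone `LLVMFuzzerTestOneInput` with a size budget and a define-gated count guard; `ByteReader`, `parsePoints`, `encodePoints` and the numeric limits are hypothetical stand-ins for the Skia code a real harness would call.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>
#define SK_BUILD_FOR_FUZZER  // defined here to run stand-alone; a real build gets it via -DSK_BUILD_FOR_LIBFUZZER

// Consumes typed values from the raw fuzzer input, never reading past the end.
struct ByteReader {
    const uint8_t* p; size_t n;
    template <typename T> bool next(T* out) {
        if (n < sizeof(T)) return false;
        std::memcpy(out, p, sizeof(T)); p += sizeof(T); n -= sizeof(T);
        return true;
    }
};

// Hypothetical code under test: a uint32 count followed by that many (x, y) float pairs.
// With SK_BUILD_FOR_FUZZER set, an absurd count is rejected up front (constructed limit)
// so the fuzzer reports real bugs rather than OOM noise; truncated input just stops early.
std::vector<std::pair<float, float>> parsePoints(const uint8_t* data, size_t size) {
    std::vector<std::pair<float, float>> pts;
    ByteReader r{data, size};
    uint32_t count = 0;
    if (!r.next(&count)) return pts;
#ifdef SK_BUILD_FOR_FUZZER
    if (count > 1000) return pts;
#endif
    for (uint32_t i = 0; i < count; i++) {
        float x, y;
        if (!r.next(&x) || !r.next(&y)) break;
        pts.emplace_back(x, y);
    }
    return pts;
}

// Builds a constructed sample input in the format parsePoints expects.
std::vector<uint8_t> encodePoints(uint32_t count, const std::vector<float>& xy) {
    std::vector<uint8_t> buf(sizeof(count));
    std::memcpy(buf.data(), &count, sizeof(count));
    for (float f : xy) {
        uint8_t b[sizeof(f)];
        std::memcpy(b, &f, sizeof(f));
        buf.insert(buf.end(), b, b + sizeof(f));
    }
    return buf;
}

// The entry point libFuzzer (and oss-fuzz) calls once per generated input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    if (size > 4096) return 0;  // cheap early exit for oversized inputs (constructed cap)
    parsePoints(data, size);
    return 0;  // libFuzzer requires 0; nonzero values are reserved
}
```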