1# Fuzz testing in Chromium 2 3[go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing) 4 5[Fuzzing] is a testing technique that feeds auto-generated inputs to a piece 6of target code in an attempt to crash the code. It's one of the most effective 7methods we have for finding security and stability issues (see 8[go/fuzzing-success](http://go/fuzzing-success)). You can learn more about the 9benefits of fuzzing at [go/why-fuzz](http://go/why-fuzz). 10 11This documentation covers the in-process guided fuzzing approach employed by 12different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about 13out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the 14ClusterFuzz documentation. 15 16[TOC] 17 18## Getting Started 19 20In Chromium, you can easily create and submit fuzz targets. The targets are 21automatically discovered by buildbots, built with different fuzzing engines, 22then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale. 23 24You should fuzz any code which absorbs inputs from untrusted sources, such 25as the web. If the code parses, decodes, or otherwise manipulates that input, 26it's an especially good idea to fuzz it. 27 28Create your first fuzz target and submit it by stepping through our [Getting 29Started Guide]. 30 31## Advanced Topics 32 33* [Using libfuzzer instead of FuzzTest]. 34* [Improving fuzz target efficiency]. 35* [Creating a fuzz target that expects a protobuf] instead of a byte stream as 36 input. 37 38 *** note 39 **Note:** You can also fuzz code that needs multiple mutated 40 inputs, or to generate inputs defined by a grammar. 41 *** 42 43* [Reproducing bugs] found by libFuzzer/AFL and reported by ClusterFuzz. 44* [Fuzzing mojo interfaces] using automatically generated libprotobuf-mutator fuzzers. 45 46## Further Reading 47 48* [LibFuzzer integration] with Chromium and ClusterFuzz. 49* [Detailed references] for other integration parts. 50* Writing fuzzers for the [non-browser parts of Chrome OS]. 51* [Fuzzing browsertests] if you need to fuzz multiple Chrome subsystems. 52 53## Trophies 54* [Issues automatically filed] by ClusterFuzz. 55* [Issues filed manually] after running fuzz targets. 56* [Bugs found in PDFium] by manual fuzzing. 57* [Bugs found in open-source projects] with libFuzzer. 58 59## Other Links 60* [Guided in-process fuzzing of Chrome components] blog post. 61* [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and 62 libFuzzer. 63 64[Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/ 65[Bugs found in open-source projects]: http://llvm.org/docs/LibFuzzer.html#trophies 66[Bugs found in PDFium]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles 67[ClusterFuzz]: https://clusterfuzz.com/ 68[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan 69[Creating a fuzz target that expects a protobuf]: libprotobuf-mutator.md 70[Detailed references]: reference.md 71[Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing 72[Fuzzing browsertests]: fuzzing_browsertests.md 73[Fuzzing mojo interfaces]: ../../mojo/docs/mojolpm.md 74[Getting Started Guide]: getting_started.md 75[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html 76[Improving fuzz target efficiency]: efficient_fuzzing.md 77[Issues automatically filed]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1 78[Issues filed manually]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids 79[non-browser parts of Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/main/testing/fuzzing.md 80[Reproducing bugs]: reproducing.md 81[crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572 82[go/fuzzing-success]: https://goto.google.com/fuzzing-success 83[libFuzzer]: http://llvm.org/docs/LibFuzzer.html 84[libFuzzer integration]: libFuzzer_integration.md 85[Using libfuzzer instead of FuzzTest]: getting_started_with_libfuzzer.md 86