testing/libfuzzer/efficient_fuzzing.md

*6777b538SAndroid Build Coastguard Worker# Efficient Fuzzing Guide
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerThis relates to fuzzers created using [libfuzzer] not [FuzzTests] - none of this
*6777b538SAndroid Build Coastguard Workeradvice is necessary for FuzzTests.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerOnce you have a fuzz target running, you can analyze and tweak it to improve its
*6777b538SAndroid Build Coastguard Workerefficiency. This document describes techniques to minimize fuzzing time and
*6777b538SAndroid Build Coastguard Workermaximize your results.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker*** note
*6777b538SAndroid Build Coastguard Worker**Note:** If you haven’t created your first fuzz target yet, see the [Getting
*6777b538SAndroid Build Coastguard WorkerStarted Guide].
*6777b538SAndroid Build Coastguard Worker***
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerThe most direct way to gauge the effectiveness of your fuzz target is to collect
*6777b538SAndroid Build Coastguard Workermetrics. You can get them manually, or take them from a [ClusterFuzz status]
*6777b538SAndroid Build Coastguard Workerpage after your fuzz target is checked into the Chromium repository.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker[TOC]
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker## Key metrics of a fuzz target
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker### Execution speed
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerA fuzzing engine such as libFuzzer typically explores a large search space by
*6777b538SAndroid Build Coastguard Workerperforming randomized mutations, so it needs to run as fast as possible to find
*6777b538SAndroid Build Coastguard Workerinteresting code paths.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerFuzz target speed is calculated in executions per second (`exec/s`). It is
*6777b538SAndroid Build Coastguard Workerprinted while a fuzz target is running:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Worker#11002  NEW    cov: 1337 ft: 10934 corp: 707/409Kb lim: 1098 exec/s: 5333 rss: 27Mb L: 186/1098
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerYou should aim for at least 1,000 exec/s from your fuzz target locally before
*6777b538SAndroid Build Coastguard Workersubmitting it to the Chromium repository. If you’re under 1,000, consider the
*6777b538SAndroid Build Coastguard Workerfollowing improvements:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker* [Simplifying initialization/cleanup](#Simplifying-initialization-cleanup)
*6777b538SAndroid Build Coastguard Worker* [Minimizing memory usage](#Minimizing-memory-usage)
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#### Simplifying initialization/cleanup
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerIf your `LLVMFuzzerTestOneInput` function is too complex, it can decrease the
*6777b538SAndroid Build Coastguard Workerfuzzer’s execution speed. It can also cause the fuzzer to target specific
*6777b538SAndroid Build Coastguard Workeruse-cases or fail to account for unexpected scenarios.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerInstead of performing setup and teardown on each input, use static
*6777b538SAndroid Build Coastguard Workerinitialization and shared resources. Check out this [startup initialization] in
*6777b538SAndroid Build Coastguard WorkerlibFuzzer’s documentation for an example.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker*** note
*6777b538SAndroid Build Coastguard Worker**Note:** You can skip freeing static resources. However, all other resources
*6777b538SAndroid Build Coastguard Workerallocated within the `LLVMFuzzerTestOneInput` function should be de-allocated,
*6777b538SAndroid Build Coastguard Workersince the function gets called millions of times during a fuzzing session. If
*6777b538SAndroid Build Coastguard Workeryou don’t, you’ll often run out of memory and reduce overall fuzzing efficiency.
*6777b538SAndroid Build Coastguard Worker***
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#### Minimizing memory usage
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerAvoid allocation of dynamic memory wherever possible. Memory instrumentation
*6777b538SAndroid Build Coastguard Workerworks faster for stack-based and static objects than for heap-allocated ones.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker*** note
*6777b538SAndroid Build Coastguard Worker**Note:** It’s always a good idea to try different variants for your fuzz target
*6777b538SAndroid Build Coastguard Workerlocally, then submit only the fastest implementation to the Chromium repository.
*6777b538SAndroid Build Coastguard Worker***
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker### Code coverage
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerYou can check the percentage of code covered by your fuzz target to gauge
*6777b538SAndroid Build Coastguard Workerfuzzing effectiveness:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker* Review aggregated Chrome coverage from recent runs by checking the [fuzzing
*6777b538SAndroid Build Coastguard Worker  coverage] report. This report can provide insight on how to improve code
*6777b538SAndroid Build Coastguard Worker  coverage.
*6777b538SAndroid Build Coastguard Worker* Generate a source-level coverage report for your fuzzer by running the
*6777b538SAndroid Build Coastguard Worker  [coverage script] stored in the Chromium repository. The script provides
*6777b538SAndroid Build Coastguard Worker  detailed instructions and a usage example.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerFor the `out/coverage` target in the coverage script, make sure to add all of
*6777b538SAndroid Build Coastguard Workerthe gn args you needed to build the `out/libfuzzer` target; this could include
*6777b538SAndroid Build Coastguard Workerargs like `target_os=chromeos` and `is_asan=true` depending on the [gn config]
*6777b538SAndroid Build Coastguard Workeryou chose.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker*** note
*6777b538SAndroid Build Coastguard Worker**Note:** The code coverage of a fuzz target depends heavily on the corpus. A
*6777b538SAndroid Build Coastguard Workerwell-chosen corpus will produce much greater code coverage. On the other hand,
*6777b538SAndroid Build Coastguard Workera coverage report generated by a fuzz target without a corpus won't cover much
*6777b538SAndroid Build Coastguard Workercode. If you don’t have a corpus to use, you can download the [corpus from
*6777b538SAndroid Build Coastguard WorkerClusterFuzz]. For more information on the corpus, see
*6777b538SAndroid Build Coastguard Worker[Corpus Size](#Corpus-Size).
*6777b538SAndroid Build Coastguard Worker***
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker### Corpus size
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerA guided fuzzing engine such as libFuzzer considers an input (a.k.a. testcase
*6777b538SAndroid Build Coastguard Workeror corpus unit) *interesting* if the input results in new code coverage (i.e.,
*6777b538SAndroid Build Coastguard Workerif the fuzzer reaches code that has not been reached before). The set of all
*6777b538SAndroid Build Coastguard Workerinteresting inputs is called the *corpus*. A corpus is shared across fuzzer runs
*6777b538SAndroid Build Coastguard Workerand grows over time.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerIf a fuzz target stops discovering new interesting inputs after running for a
*6777b538SAndroid Build Coastguard Workerwhile, it typically indicates that the fuzz target is hitting a code barrier
*6777b538SAndroid Build Coastguard Worker(also called a *coverage plateau*). The corpus for a reasonably complex target
*6777b538SAndroid Build Coastguard Workershould contain hundreds (if not thousands) of inputs.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerIf a fuzz target reaches coverage plateau with a small corpus, the common causes
*6777b538SAndroid Build Coastguard Workerare checksums and magic numbers. Or, it may be impossible for your fuzzer to
*6777b538SAndroid Build Coastguard Workerreach a lot of code. The easiest way to diagnose the problem is to generate and
*6777b538SAndroid Build Coastguard Workeranalyze a [coverage report](#code-coverage). Then, to fix the issue, try the
*6777b538SAndroid Build Coastguard Workerfollowing:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker* Change the code (e.g., disable CRC checks while fuzzing) with a
*6777b538SAndroid Build Coastguard Worker  [custom build](#Custom-build).
*6777b538SAndroid Build Coastguard Worker* Prepare or improve the [seed corpus](#Seed-corpus).
*6777b538SAndroid Build Coastguard Worker* Prepare or improve the [fuzzer dictionary](#Fuzzer-dictionary).
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker## Ways to improve a fuzz target
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker### Seed corpus
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerYou can give your fuzz target a starting point by creating a set of valid and
*6777b538SAndroid Build Coastguard Workerinteresting inputs called a *seed corpus*. If you don’t provide a seed corpus,
*6777b538SAndroid Build Coastguard Workerthe fuzzing engine has to guess inputs from scratch, which can take time
*6777b538SAndroid Build Coastguard Worker(depending on the size of the inputs and the complexity of the target format).
*6777b538SAndroid Build Coastguard WorkerIn many cases, providing a seed corpus can increase code coverage by an order of
*6777b538SAndroid Build Coastguard Workermagnitude.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerSeed corpuses work especially well for strictly defined file formats and data
*6777b538SAndroid Build Coastguard Workertransmission protocols:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker* For file format parsers, add valid files from your test suite.
*6777b538SAndroid Build Coastguard Worker* For protocol parsers, add valid raw streams from a test suite into separate
*6777b538SAndroid Build Coastguard Worker  files.
*6777b538SAndroid Build Coastguard Worker* For graphics libraries, add a variety of small PNG/JPG/GIF files.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#### Using a corpus locally
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerIf you’re running a fuzz target locally, you can easily designate a corpus by
*6777b538SAndroid Build Coastguard Workerpassing a directory as an argument:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Worker./out/libfuzzer/my_fuzzer ~/tmp/my_fuzzer_corpus
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerThe fuzzer stores all the interesting inputs it finds in the directory.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#### Creating a Chromium repository seed corpus
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerWhen running fuzz targets at scale, ClusterFuzz looks for a seed corpus defined
*6777b538SAndroid Build Coastguard Workerin the Chromium source repository. You can define one in your `BUILD.gn` file by
*6777b538SAndroid Build Coastguard Workeradding a `seed_corpus` attribute to your `fuzzer_test` target definition:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Workerfuzzer_test("my_fuzzer") {
*6777b538SAndroid Build Coastguard Worker  ...
*6777b538SAndroid Build Coastguard Worker  seed_corpus = "test/fuzz/testcases"
*6777b538SAndroid Build Coastguard Worker  ...
*6777b538SAndroid Build Coastguard Worker}
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerIf you want to specify multiple seed corpus directories, use the `seed_corpuses`
*6777b538SAndroid Build Coastguard Workerattribute instead:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Workerfuzzer_test("my_fuzzer") {
*6777b538SAndroid Build Coastguard Worker  ...
*6777b538SAndroid Build Coastguard Worker  seed_corpuses = [ "test/fuzz/testcases", "test/unittest/data" ]
*6777b538SAndroid Build Coastguard Worker  ...
*6777b538SAndroid Build Coastguard Worker}
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerAll files found in these directories and their subdirectories are stored in a
*6777b538SAndroid Build Coastguard Worker`<my_fuzzer>_seed_corpus.zip` output archive.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#### Uploading corpus files to GCS
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerIf you can't store your seed corpus in the Chromium repository (e.g., it’s too
*6777b538SAndroid Build Coastguard Workerlarge, can’t be open-sourced, etc.), you can upload the corpus to the Google
*6777b538SAndroid Build Coastguard WorkerCloud Storage (GCS) bucket used by ClusterFuzz.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker1) Open the [Corpus GCS Bucket] in your browser.
*6777b538SAndroid Build Coastguard Worker2) Search for the directory named `<my_fuzzer>`. If the directory does not
*6777b538SAndroid Build Coastguard Worker   exist, create it.
*6777b538SAndroid Build Coastguard Worker3) In the `<my_fuzzer>` directory, upload your corpus files.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker*** note
*6777b538SAndroid Build Coastguard Worker**Note:** If you upload your corpus to GCS, you don’t need to add the
*6777b538SAndroid Build Coastguard Worker`seed_corpus` attribute to your `fuzzer_test` target definition. However, adding
*6777b538SAndroid Build Coastguard Workerseed corpus to the Chromium repository is the preferred way.
*6777b538SAndroid Build Coastguard Worker***
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerYou can do the same thing by using the [gsutil] command line tool:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker```bash
*6777b538SAndroid Build Coastguard Workergsutil -m rsync <path_to_corpus> gs://clusterfuzz-corpus/libfuzzer/<my_fuzzer>
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker*** note
*6777b538SAndroid Build Coastguard Worker**Note:** To write to this bucket using `gsutil`, you must be logged into your
*6777b538SAndroid Build Coastguard Worker@google.com account (@chromium.org will not work). You can use the `gcloud auth
*6777b538SAndroid Build Coastguard Workerlogin` command to log into your account in `gsutil` if you installed `gsutil`
*6777b538SAndroid Build Coastguard Workerthrough `gcloud`.
*6777b538SAndroid Build Coastguard Worker***
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker#### Minimizing a seed corpus
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerYour seed corpus is synced to all fuzzing bots for every iteration, so it's
*6777b538SAndroid Build Coastguard Workerimportant to minimize it to a small set of interesting inputs before uploading.
*6777b538SAndroid Build Coastguard WorkerKeeping the seed corpus small improves fuzzing efficiency and prevents our bots
*6777b538SAndroid Build Coastguard Workerfrom running out of disk space.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerYou can minimize your seed corpus by using libFuzzer’s `-merge=1` option:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker```bash
*6777b538SAndroid Build Coastguard Worker# Create an empty directory.
*6777b538SAndroid Build Coastguard Workermkdir seed_corpus_minimized
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker# Run the fuzzer with -merge=1 flag.
*6777b538SAndroid Build Coastguard Worker./my_fuzzer -merge=1 ./seed_corpus_minimized ./seed_corpus
*6777b538SAndroid Build Coastguard Worker```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerAfter running the command, the `seed_corpus_minimized` directory will contain a
*6777b538SAndroid Build Coastguard Workerminimized corpus that gives the same code coverage as your initial `seed_corpus`
*6777b538SAndroid Build Coastguard Workerdirectory.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker### Fuzzer dictionary
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerYou can help your fuzzer increase its coverage by providing a set of common
*6777b538SAndroid Build Coastguard Workerwords or values that you expect to find in the input. Such a dictionary works
*6777b538SAndroid Build Coastguard Workerespecially well for certain use-cases (e.g., fuzzing file format decoders or
*6777b538SAndroid Build Coastguard Workertext-based protocols like XML).
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerAdd a fuzzer dictionary:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker1) Create a flat ASCII text file that lists one input token per line in the
*6777b538SAndroid Build Coastguard Worker   format `name="value"`. The value must appear in quotes with hex escaping
*6777b538SAndroid Build Coastguard Worker   (`\xNN`) applied to all non-printable, high-bit, or otherwise problematic
*6777b538SAndroid Build Coastguard Worker   characters (`\` and `"` shorthands are recognized, too). This syntax is
*6777b538SAndroid Build Coastguard Worker   similar to the one used by the [AFL] fuzzing engine (`-x` option).
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker   *** note
*6777b538SAndroid Build Coastguard Worker   **Note:** `name` can be omitted, but it is a convenient way to document the
*6777b538SAndroid Build Coastguard Worker   meaning of each token. Here’s an example dictionary:
*6777b538SAndroid Build Coastguard Worker   ***
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker   ```
*6777b538SAndroid Build Coastguard Worker   # Lines starting with '#' and empty lines are ignored.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker   # Adds "blah" word (w/o quotes) to the dictionary.
*6777b538SAndroid Build Coastguard Worker   kw1="blah"
*6777b538SAndroid Build Coastguard Worker   # Use \\ for backslash and \" for quotes.
*6777b538SAndroid Build Coastguard Worker   kw2="\"ac\\dc\""
*6777b538SAndroid Build Coastguard Worker   # Use \xAB for hex values.
*6777b538SAndroid Build Coastguard Worker   kw3="\xF7\xF8"
*6777b538SAndroid Build Coastguard Worker   # Key name before '=' can be omitted:
*6777b538SAndroid Build Coastguard Worker   "foo\x0Abar"
*6777b538SAndroid Build Coastguard Worker   ```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker2) Test your dictionary by running your fuzz target locally:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker   ```bash
*6777b538SAndroid Build Coastguard Worker   ./out/libfuzzer/my_fuzzer -dict=<path_to_dict> <path_to_corpus>
*6777b538SAndroid Build Coastguard Worker   ```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker   If the dictionary is effective, you should see `NEW` units discovered in the
*6777b538SAndroid Build Coastguard Worker   output.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker3) Add the dictionary file in the same directory as your fuzz target, then add
*6777b538SAndroid Build Coastguard Worker   the `dict` attribute to the `fuzzer_test` definition in your `BUILD.gn` file:
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker   ```
*6777b538SAndroid Build Coastguard Worker   fuzzer_test("my_fuzzer") {
*6777b538SAndroid Build Coastguard Worker     ...
*6777b538SAndroid Build Coastguard Worker     dict = "my_fuzzer.dict"
*6777b538SAndroid Build Coastguard Worker   }
*6777b538SAndroid Build Coastguard Worker   ```
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker   The dictionary is submitted to the Chromium repository. Once ClusterFuzz
*6777b538SAndroid Build Coastguard Worker   picks up a new revision build, the dictionary is used automatically.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker### Custom build
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard WorkerIf you need to change the code being tested by your fuzz target, you can use an
*6777b538SAndroid Build Coastguard Worker`#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` macro in your target code.
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker*** note
*6777b538SAndroid Build Coastguard Worker**Note:** Patching target code is not a preferred way of improving the
*6777b538SAndroid Build Coastguard Workercorresponding fuzz target, but in some cases it might be the only way to do it
*6777b538SAndroid Build Coastguard Worker(e.g., when there is no intended API to disable checksum verification, or when
*6777b538SAndroid Build Coastguard Workerthe target code uses a random generator that affects the reproducibility of
*6777b538SAndroid Build Coastguard Workercrashes).
*6777b538SAndroid Build Coastguard Worker***
*6777b538SAndroid Build Coastguard Worker
*6777b538SAndroid Build Coastguard Worker[AFL]: http://lcamtuf.coredump.cx/afl/
*6777b538SAndroid Build Coastguard Worker[ClusterFuzz status]: libFuzzer_integration.md#Status-Links
*6777b538SAndroid Build Coastguard Worker[Corpus GCS Bucket]: https://console.cloud.google.com/storage/clusterfuzz-corpus/libfuzzer
*6777b538SAndroid Build Coastguard Worker[Getting Started Guide]: getting_started.md
*6777b538SAndroid Build Coastguard Worker[gn config]: getting_started.md#running-the-fuzz-target
*6777b538SAndroid Build Coastguard Worker[corpus from ClusterFuzz]: libFuzzer_integration.md#Corpus
*6777b538SAndroid Build Coastguard Worker[coverage script]: https://cs.chromium.org/chromium/src/tools/code_coverage/coverage.py
*6777b538SAndroid Build Coastguard Worker[fuzzing coverage]: https://analysis.chromium.org/coverage/p/chromium?platform=fuzz
*6777b538SAndroid Build Coastguard Worker[gsutil]: https://cloud.google.com/storage/docs/gsutil
*6777b538SAndroid Build Coastguard Worker[startup initialization]: https://llvm.org/docs/LibFuzzer.html#startup-initialization
*6777b538SAndroid Build Coastguard Worker[libfuzzer]: getting_started_with_libfuzzer.md
*6777b538SAndroid Build Coastguard Worker[fuzztests]: getting_started.md