# Fuzzing browsertests

Fuzzing is effective if either:

* it's guided by code coverage, and can execute incredible numbers of test cases
  per second to explore the codebase (thousands); or
* it has a smart mutator of some kind (out of scope here).

If you have an API to be fuzzed, make a simple libfuzzer fuzzer for just that
API, to get the speed required to explore its attack surface. If however we want
to fuzz a larger, more complex set of Chromium code, we usually need an entire
browser process environment around us. The browser process takes seconds to
start, preventing coverage-guided fuzzing from being effective.

We now have an experimental 'in process fuzz test' framework which attempts to:

* Start the browser process _once_
* Execute lots of fuzz cases in that pre-existing browser.

This _may_ amortize the start-up cost sufficiently to make such coverage-guided
fuzzing plausible. We don't yet know. But this document shows how to use it,
just in case.

# Writing an in process fuzz case

* Use the template `chrome/test/fuzzing/in_process_fuzzer.gni`
* Provide a source code file which inherits from `InProcessFuzzer`. This
  must override the `Fuzz` method. You'll find that your base class inherits
  from the full browser test infrastructure, so you can do anything you'd
  do in a normal Chrome browser test.
* In your `cc` file, also use the macro `REGISTER_IN_PROCESS_FUZZER` to
  declare that this is the one and only such fuzzer in your executable.

# Running such an in process fuzz case

These cases can be run either with libfuzzer or centipede.

For libfuzzer, provide gn arguments `use_sanitizer_coverage = true`,
`use_libfuzzer = true`, `is_component_build = false` and `is_asan = true`
(other permutations may work).

This will give you a single binary you can run like this:
`my_fuzzer /tmp/corpus -rss_limit_mb=81920`

However, you'll more likely want to use
[centipede](https://github.com/google/centipede) which has an
out-of-process co-ordinator.

To use centipede, specify `use_centipede = true` instead of `use_libfuzzer =
true`. You should also build the `centipede` target as well as your fuzzer.
You'll then want to run centipede using some command like:

```
mkdir wd && ASAN_OPTIONS=detect_odr_violation=0 out/ASAN/centipede --binary=out/ASAN/html_in_process_fuzz_tests --workdir=wd --shmem_size_mb 4096 --rss_limit_mb 0 --batch_size 100 --log_features_shards 2 --exit_on_crash 1
```
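The following is an added, stand-alone example (not Chromium code, and not the real `in_process_fuzzer.gni` framework) of the shape described under "Writing an in process fuzz case": a class that overrides a `Fuzz(data, size)` method, a registration macro naming the one fuzzer in the executable, and a driver that pays the expensive environment start-up once and then feeds every case to the same long-lived instance. The base class, macro and driver are stand-ins that only model the start-once/run-many contract (the `Fuzz` signature returning `int` is assumed); the fuzz body is a constructed `key=value` line counter, and the corpus is constructed inline, including an empty input so the size-bounded handling is exercised rather than relying on NUL termination.

```cpp
// Added example, not Chromium code: stand-ins modelling the in-process
// fuzz pattern so it compiles outside the Chromium tree.
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for InProcessFuzzer (assumed shape): the environment is started
// once, then Fuzz() is called per case and returns 0 to continue.
class InProcessFuzzerStandIn {
 public:
  virtual ~InProcessFuzzerStandIn() = default;
  // Models "start the browser process once"; a no-op after the first call.
  void SetUpEnvironmentOnce() {
    if (!environment_started_) {
      environment_started_ = true;
      ++environment_start_count_;
    }
  }
  virtual int Fuzz(const uint8_t* data, size_t size) = 0;
  int environment_start_count() const { return environment_start_count_; }

 private:
  bool environment_started_ = false;
  int environment_start_count_ = 0;
};

// Stand-in for REGISTER_IN_PROCESS_FUZZER: names the single fuzzer class
// that the driver below instantiates.
#define REGISTER_IN_PROCESS_FUZZER_STANDIN(ClassName) \
  using RegisteredFuzzer = ClassName;

// The part a fuzzer author writes. The input is treated as "key=value"
// lines; only the [data, data+size) range is read, never a NUL terminator.
class HeaderLineFuzzer : public InProcessFuzzerStandIn {
 public:
  int Fuzz(const uint8_t* data, size_t size) override {
    // Empty input is a legitimate fuzz case: avoid forming a range from a
    // possibly-null pointer and just count zero lines.
    std::string input =
        size == 0 ? std::string()
                  : std::string(reinterpret_cast<const char*>(data), size);
    last_valid_lines_ = CountValidLines(input);
    return 0;
  }

  // A line is valid when it has a non-empty key of [A-Za-z0-9-] before '='.
  static int CountValidLines(const std::string& input) {
    int valid = 0;
    size_t start = 0;
    while (start <= input.size()) {
      size_t end = input.find('\n', start);
      if (end == std::string::npos) end = input.size();
      std::string line = input.substr(start, end - start);
      size_t eq = line.find('=');
      if (eq != std::string::npos && eq > 0) {
        bool key_ok = true;
        for (size_t i = 0; i < eq; ++i) {
          unsigned char ch = static_cast<unsigned char>(line[i]);
          if (!std::isalnum(ch) && ch != '-') { key_ok = false; break; }
        }
        if (key_ok) ++valid;
      }
      if (end == input.size()) break;
      start = end + 1;
    }
    return valid;
  }

  int last_valid_lines() const { return last_valid_lines_; }

 private:
  int last_valid_lines_ = 0;
};
REGISTER_IN_PROCESS_FUZZER_STANDIN(HeaderLineFuzzer)

struct RunSummary {
  int environment_starts;  // should stay 1 however many cases run
  int cases_run;
  int cases_ok;            // cases for which Fuzz() returned 0
};

// What the framework's driver does: one instance, one environment start,
// every case executed in that same process.
RunSummary RunCases(const std::vector<std::vector<uint8_t>>& cases) {
  RegisteredFuzzer fuzzer;
  RunSummary s{0, 0, 0};
  for (const auto& c : cases) {
    fuzzer.SetUpEnvironmentOnce();  // amortised: real work only the first time
    ++s.cases_run;
    if (fuzzer.Fuzz(c.data(), c.size()) == 0) ++s.cases_ok;
  }
  s.environment_starts = fuzzer.environment_start_count();
  return s;
}

// Constructed corpus (not a real corpus): ordinary, empty, mixed and binary.
RunSummary RunSampleCorpus() {
  auto bytes = [](const std::string& s) {
    return std::vector<uint8_t>(s.begin(), s.end());
  };
  std::vector<std::vector<uint8_t>> corpus = {
      bytes("a=1\nb=2"), bytes(""), bytes("=x\n-k=v\nbad line\nok-1=2"),
      {0xFF, 0x00, 0x3D, 0x0A}};
  return RunCases(corpus);
}

int main() {
  RunSummary s = RunSampleCorpus();
  std::printf("environment starts=%d cases=%d ok=%d\n", s.environment_starts,
              s.cases_run, s.cases_ok);
  return 0;
}
```

The driver calls `SetUpEnvironmentOnce()` on every iteration to show that the amortisation is the framework's responsibility, not the case's: the start count stays at 1 across the whole corpus, which is the property the in-process approach relies on.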