# Fuzzing

Crosvm contains several [fuzz testing](https://en.wikipedia.org/wiki/Fuzzing) programs that are
intended to exercise specific subsets of the code with automatically generated inputs to help
uncover bugs that were not found by human-written unit tests.

The source code for the fuzzer target programs can be found in [`fuzz/fuzz_targets`] in the crosvm
source tree.

## OSS-Fuzz

Crosvm makes use of the OSS-Fuzz service, which automatically builds and runs fuzzers for many open
source projects. Once a crosvm change is committed and pushed to the main branch, it will be tested
automatically by [ClusterFuzz], and if new issues are found, a bug will be filed.

- [crosvm oss-fuzz configuration]
- [crosvm oss-fuzz build status]

## Running fuzzers locally

It can be useful to run a fuzzer in order to test new changes locally or to reproduce a bug filed by
ClusterFuzz.

To build and run a specific fuzz target, install [`cargo fuzz`], then run it in the crosvm source
tree, specifying the desired fuzz target to run. If you have a testcase provided by the automated
fuzzing infrastructure in a bug report, you can add that file to the fuzzer command line to
reproduce the same fuzzer execution rather than using randomly generated inputs.

```sh
# Run virtqueue_fuzzer with randomly-generated input.
# This will run indefinitely; it can be stopped with Ctrl+C.
cargo +nightly fuzz run virtqueue_fuzzer

# Run virtqueue_fuzzer with a specific input file from ClusterFuzz.
cargo +nightly fuzz run virtqueue_fuzzer clusterfuzz-testcase-minimized-...
```

[clusterfuzz]: https://google.github.io/clusterfuzz/
[crosvm oss-fuzz build status]: https://oss-fuzz-build-logs.storage.googleapis.com/index.html#crosvm
[crosvm oss-fuzz configuration]: https://github.com/google/oss-fuzz/tree/master/projects/crosvm
[`cargo fuzz`]: https://github.com/rust-fuzz/cargo-fuzz
[`fuzz/fuzz_targets`]: https://chromium.googlesource.com/crosvm/crosvm/+/refs/heads/main/fuzz/fuzz_targets/
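The following is an added example, not code from the crosvm tree, showing the shape of the harness a `cargo fuzz` target wraps and how a saved testcase file is replayed through it, as the commands above do. The `Entry` format it parses is a constructed toy layout, not crosvm's virtqueue descriptor format; `parse_entries` and `replay_testcase` are hypothetical names.

```rust
// Added example: the harness a cargo-fuzz target body would call, with a toy
// length-prefixed parser standing in for the code under test. The format is
// constructed for illustration and is NOT crosvm's virtqueue layout.
use std::env;
use std::fs;

/// One parsed entry of the toy format: 4-byte little-endian length followed
/// by `len` payload bytes, repeated until the input is exhausted.
#[derive(Debug, PartialEq)]
pub struct Entry {
    pub len: u32,
    pub payload_sum: u32,
}

/// The function a `fuzz_target!(|data: &[u8]| { ... })` body would call.
/// It must never panic or read out of bounds for any input; that property is
/// what the fuzzer checks. Returns None for malformed input (a rejected
/// input is fine, a crash is a bug).
pub fn parse_entries(data: &[u8]) -> Option<Vec<Entry>> {
    let mut entries = Vec::new();
    let mut pos = 0usize;
    while pos < data.len() {
        // Header must be fully present.
        let hdr = data.get(pos..pos + 4)?;
        let len = u32::from_le_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]);
        pos += 4;
        // Checked arithmetic so a huge `len` cannot wrap `pos` around;
        // `get` then rejects any out-of-range slice instead of panicking.
        let end = pos.checked_add(len as usize)?;
        let payload = data.get(pos..end)?;
        let payload_sum = payload.iter().map(|b| *b as u32).sum();
        entries.push(Entry { len, payload_sum });
        pos = end;
    }
    Some(entries)
}

/// Mirrors `cargo fuzz run <target> <testcase>`: feed one saved testcase file
/// to the harness so a ClusterFuzz report can be replayed deterministically.
pub fn replay_testcase(path: &str) -> std::io::Result<Option<Vec<Entry>>> {
    let bytes = fs::read(path)?;
    Ok(parse_entries(&bytes))
}

fn main() {
    match env::args().nth(1) {
        Some(path) => println!("{:?}", replay_testcase(&path)),
        // Constructed sample: one entry of length 2, then a truncated header.
        None => println!("{:?}", parse_entries(&[2, 0, 0, 0, 0x10, 0x20, 0xff])),
    }
}
```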