chromium/src
0
Fork 0
Code Activity
Files
cdc726dce58a90cfa81edec97a9b747dd56c44f0
src/docs/testing/ipc_fuzzer.md
Lei Lei 8aa9db627d Move testing related docs into testing/ folder and update doc index. 
This CL moves the following md files:
android_test_instructions.md
ipc_fuzzer.md
linux_running_asan_tests.md
test_descriptions.md
web_tests_linux.md

Change-Id: I88dd14f5c98b79a23f5607dbddd1e5b36eb41812
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1578589
Reviewed-by: Dirk Pranke <dpranke@chromium.org>
Commit-Queue: Lei Lei <leilei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#655750}
2019-05-01 21:08:01 +00:00

2.0 KiB
Raw Blame History

IPC Fuzzer

A Chromium IPC fuzzer is under development by aedla and tsepez. The fuzzer lives under src/tools/ipc_fuzzer/ and is running on ClusterFuzz. A previous version of the fuzzer was a simple bitflipper, which caught around 10 bugs. A new version is doing smarter mutations and generational fuzzing. To do so, each ParamTraits<Type> needs a corresponding FuzzTraits<Type>. Feel free to contribute.

[TOC]

Working with the fuzzer

Build instructions

  • Run gn args and add enable_ipc_fuzzer = true to your args.gn.
  • build ipc_fuzzer_all target
  • component builds are currently broken, sorry
  • Debug builds are broken; only Release mode works.

Replaying ipcdumps

  • tools/ipc_fuzzer/scripts/play_testcase.py path/to/testcase.ipcdump
  • more help: tools/ipc_fuzzer/scripts/play_testcase.py -h

Listing messages in ipcdump

  • out/<Build>/ipc_message_util --dump path/to/testcase.ipcdump

Updating fuzzers in ClusterFuzz

  • tools/ipc_fuzzer/scripts/cf_package_builder.py
  • upload ipc_fuzzer_mut.zip and ipc_fuzzer_gen.zip under build directory to ClusterFuzz

Contributing FuzzTraits

  • add them to tools/ipc_fuzzer/fuzzer/fuzzer.cc
  • thanks!

Components

ipcdump logger

  • add enable_ipc_fuzzer = true to args.gn
  • build chrome and ipc_message_dump targets
  • run chrome with --no-sandbox --ipc-dump-directory=/path/to/ipcdump/directory
  • ipcdumps will be created in this directory for each renderer using the format _pid_.ipcdump

ipcdump replay

Lives under ipc_fuzzer/replay. The renderer is replaced with ipc_fuzzer_replay using --renderer-cmd-prefix. This is done automatically with the ipc_fuzzer/play_testcase.py convenience script.

ipcdump mutator / generator

Lives under ipc_fuzzer/fuzzer. This is the code that runs on ClusterFuzz. It uses FuzzTraits<Type> to mutate ipcdumps or generate them out of thin air.

Problems, questions, suggestions

Send them to mbarbella@chromium.org.