What can be tested?
The interface can be used to test all C/C++ code that either ends up in
libxul (more precisely, the gtest version of
libxul) or is part of the JS engine.
Note that this is not the right testing approach for testing the full browser as a whole. It is rather meant for component-based testing (especially as some components cannot be easily separated out of the full build).
Getting Started with libFuzzer
Using Existing Builds
If you are just trying to use an existing fuzzing target (for reproducing a bug or testing), then you can simply download an ASan fuzzing build from Taskcluster. The easiest way to do this is using fuzzfetch, a tool that makes downloading and unpacking these builds very easy.
You can install
fuzzfetch from Github or via pip. Afterwards, you can run
to fetch the latest build. Afterwards, you can run any fuzzing target as described in the section "How to run your code". Alternatively you can make your own local build by following the steps below.
You will need a Linux environment with a recent Clang (recommend at least Clang 5).
You need to ensure that your build is
- an AddressSanitizer (ASan) build (
- a fuzzing build (
If you are adding a new fuzzing target, you also need to ensure that the code you are trying to test is instrumented for libFuzzer. This is done by adding a special include into each respective
moz.build file like in this example for mtransport.
By keeping coverage limited to the parts that are actually being tested using this tool, you not only increase the performance but also potentially reduce the amount of noise that libFuzzer sees.
Where to put your fuzzing code
You can put all of your code into a subdirectory of the code that you are trying to test and enable that directory when the build system flags for a fuzzing build are set.
How your code should look like
See this example.
How to build your code
After a regular
mach build, you need to run an additional
mach gtest nonexistant to ensure that the gtests are built but no tests are executed. You only need to rerun the gtest command for changes to your fuzzing implementation.
Note: If you have set the below mentioned environment variables, for example because you are rebuilding from the same shell which you used for a previous run, then this command will start the fuzzing. For cleanliness it is recommended to interrupt the running executable with CTRL+C at that point and restart just the firefox binary as described below.
You need to set the following environment variable to enable running the fuzzing code inside Firefox instead of the regular browser.
name is the name of your fuzzing module that you specified when calling the
MOZ_FUZZING_INTERFACE_RAW macro. For the example above, this would be “StunParser”.
Now when you invoke the firefox binary in your build directory with the
-help=1 parameter, you should see the regular libFuzzer help. On Linux for example:
$ FUZZER=StunParser obj-asan/dist/bin/firefox -help=1
You should see an output similar to this:
Running Fuzzer tests... Usage: To run fuzzing pass 0 or more directories. obj-asan/dist/bin/firefox [-flag1=val1 [-flag2=val2 ...] ] [dir1 [dir2 ...] ] To run individual tests without fuzzing pass 1 or more files: obj-asan/dist/bin/firefox [-flag1=val1 [-flag2=val2 ...] ] file1 [file2 ...] Flags: (strictly in form -flag=value) verbosity 1 Verbosity level. seed 0 Random seed. If 0, seed is generated. runs -1 Number of individual test runs (-1 for infinite runs). max_len 0 Maximum length of the test input. If 0, libFuzzer tries to guess a good value based on the corpus and reports it. ...
Reproducing a Crash
In order to reproduce a crash from a given test file, simply put the file as the only argument on the command line, e.g.
$ FUZZER=StunParser obj-asan/dist/bin/firefox test.bin
This should reproduce the given problem.
FuzzManager and libFuzzer
Our FuzzManager project comes with a harness for running libFuzzer with an optional connection to a FuzzManager server instance. Note that this connection is not mandatory, even without a server you can make use of the local harness.
You can find the harness here.
An example invocation for the harness to use with StunParser could look like this:
FUZZER=StunParser python /path/to/afl-libfuzzer-daemon.py --fuzzmanager \ --stats libfuzzer-stunparser.stats --libfuzzer-auto-reduce-min 500 --libfuzzer-auto-reduce 30 \ --tool libfuzzer-stunparser --libfuzzer --libfuzzer-instances 6 obj-asan/dist/bin/firefox \ -max_len=256 -use_value_profile=1 -rss_limit_mb=3000 corpus-stunparser
What this does is
- run libFuzzer on the
StunParsertarget with 6 parallel instances using the corpus in the
corpus-stunparserdirectory (with the specified libFuzzer options such as
- automatically reduce the corpus and restart if it grew by 30% (and has at least 500 files)
- use FuzzManager (need a local
firefox.fuzzmanagerconfbinary configuration as described in the FuzzManager manual) and submit crashes as
- write statistics to the
Fuzzing Interface: Error: No testing callback found
This error means that the fuzzing callback with the name you specified using the
FUZZER environment variable could not be found. Reasons for are typically either a misspelled name or that your code wasn't built (check your
moz.build file and build log).
mach build doesn't seem to update my fuzzing code
Keep in mind you always need to run both the
mach build and
mach gtest nonexistant commands in order to update your fuzzing code. The latter rebuilds the gtest version of
libxul, containing your code.