path: root/docs/ipc_fuzzer.md
blob: 0ab9ce9f150dc161883015e6d245286ebb0c15de
# IPC Fuzzer

A Chromium IPC fuzzer is under development by aedla and tsepez. The fuzzer lives
under `src/tools/ipc_fuzzer/` and runs on ClusterFuzz. A previous version of the
fuzzer was a simple bit-flipper, which caught around 10 bugs. The new version
does smarter mutations and generational fuzzing. To do so, each
`ParamTraits<Type>` needs a corresponding `FuzzTraits<Type>`. Feel free to
contribute.

[TOC]

## Working with the fuzzer

### Build instructions

*   add `enable_ipc_fuzzer=1` to `GYP_DEFINES`
*   build `ipc_fuzzer_all` target
*   component builds are currently broken, sorry
*   Debug builds are broken; only Release mode works.

### Replaying ipcdumps

*   `tools/ipc_fuzzer/scripts/play_testcase.py path/to/testcase.ipcdump`
*   more help: `tools/ipc_fuzzer/scripts/play_testcase.py -h`

### Listing messages in ipcdump

*   `out/<Build>/ipc_message_util --dump path/to/testcase.ipcdump`

### Updating fuzzers in ClusterFuzz

*   run `tools/ipc_fuzzer/scripts/cf_package_builder.py`
*   upload the resulting `ipc_fuzzer_mut.zip` and `ipc_fuzzer_gen.zip` from the
    build directory to ClusterFuzz

### Contributing FuzzTraits

*   add them to `tools/ipc_fuzzer/fuzzer/fuzzer.cc`
*   thanks!

## Components

### ipcdump logger

*   add `enable_ipc_fuzzer=1` to `GYP_DEFINES`
*   build `chrome` and `ipc_message_dump` targets
*   run chrome with
    `--no-sandbox --ipc-dump-directory=/path/to/ipcdump/directory`
*   an ipcdump is created in this directory for each renderer, named using the
    format `_pid_.ipcdump`

### ipcdump replay

Lives under `ipc_fuzzer/replay`. The renderer is replaced with
`ipc_fuzzer_replay` using `--renderer-cmd-prefix`. This is done automatically
with the `ipc_fuzzer/play_testcase.py` convenience script.

### ipcdump mutator / generator

Lives under `ipc_fuzzer/fuzzer`. This is the code that runs on ClusterFuzz. It
uses `FuzzTraits<Type>` to mutate ipcdumps or generate them out of thin air.
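The "Contributing FuzzTraits" section and the mutator description above both
rest on the same pattern: a `FuzzTraits<Type>` specialization mutates one
parameter type by delegating to the traits of its fields. The stand-alone
sketch below is an added example and is not code from `fuzzer.h` or
`fuzzer.cc`; the names `Fuzzer`, `FuzzTraits` and `FuzzParam` mirror the
Chromium ones, but the `Fuzzer` body here is a toy deterministic mutator, and
`FrameRect`, `NavigateParams` and `Unknown` are hypothetical parameter types
invented so the file compiles and runs without a Chromium checkout.

```cpp
// Added example: a stand-alone sketch of the FuzzTraits pattern. Not Chromium's
// tools/ipc_fuzzer/fuzzer/fuzzer.h; the Fuzzer class is a toy mutator.
#include <climits>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Toy mutation source (xorshift64). Same seed => same mutations, which is what
// makes a crashing testcase replayable.
class Fuzzer {
 public:
  explicit Fuzzer(uint64_t seed) : state_(seed ? seed : 0x9E3779B97F4A7C15ULL) {}

  // Ints: boundary values are picked often because that is what message
  // handlers and ParamTraits::Read most commonly mishandle.
  void FuzzInt(int* value) {
    switch (Next() % 4) {
      case 0: *value = 0; break;
      case 1: *value = INT_MAX; break;
      case 2: *value = INT_MIN; break;
      default: *value += static_cast<int>(Next() % 33) - 16; break;
    }
  }

  // Strings: flip one bit of one byte, append a byte, or truncate.
  void FuzzString(std::string* value) {
    switch (Next() % 3) {
      case 0:
        if (!value->empty()) {
          size_t index = Next() % value->size();
          (*value)[index] ^= static_cast<char>(1 << (Next() % 8));
        }
        break;
      case 1: value->push_back(static_cast<char>(Next() % 256)); break;
      default: value->resize(value->size() / 2); break;
    }
  }

 private:
  uint64_t Next() {
    state_ ^= state_ << 13;
    state_ ^= state_ >> 7;
    state_ ^= state_ << 17;
    return state_;
  }
  uint64_t state_;
};

// Primary template: a type with no specialization cannot be fuzzed; returning
// false lets the caller skip the message instead of emitting garbage.
template <class T>
struct FuzzTraits {
  static bool Fuzz(T*, Fuzzer*) { return false; }
};

template <>
struct FuzzTraits<int> {
  static bool Fuzz(int* p, Fuzzer* fuzzer) { fuzzer->FuzzInt(p); return true; }
};

template <>
struct FuzzTraits<std::string> {
  static bool Fuzz(std::string* p, Fuzzer* fuzzer) { fuzzer->FuzzString(p); return true; }
};

// Dispatch helper so composite traits reuse the traits of their members.
template <class T>
bool FuzzParam(T* p, Fuzzer* fuzzer) { return FuzzTraits<T>::Fuzz(p, fuzzer); }

// Containers: fuzz every element; fails if the element type has no traits.
template <class T>
struct FuzzTraits<std::vector<T>> {
  static bool Fuzz(std::vector<T>* p, Fuzzer* fuzzer) {
    for (T& element : *p) {
      if (!FuzzParam(&element, fuzzer)) return false;
    }
    return true;
  }
};

// Hypothetical parameter types standing in for ones that have ParamTraits.
struct FrameRect { int x; int y; int width; int height; };
struct NavigateParams { std::string url; std::vector<FrameRect> frames; };
struct Unknown { double d; };  // deliberately has no FuzzTraits

// The specialization a contributor would add: one FuzzParam call per field.
template <>
struct FuzzTraits<FrameRect> {
  static bool Fuzz(FrameRect* p, Fuzzer* fuzzer) {
    return FuzzParam(&p->x, fuzzer) && FuzzParam(&p->y, fuzzer) &&
           FuzzParam(&p->width, fuzzer) && FuzzParam(&p->height, fuzzer);
  }
};

template <>
struct FuzzTraits<NavigateParams> {
  static bool Fuzz(NavigateParams* p, Fuzzer* fuzzer) {
    return FuzzParam(&p->url, fuzzer) && FuzzParam(&p->frames, fuzzer);
  }
};

// Constructed sample message; mutating it from `seed` must succeed.
bool MutateOnce(uint64_t seed, NavigateParams* out) {
  *out = NavigateParams{"chrome://version", {{0, 0, 800, 600}}};
  Fuzzer fuzzer(seed);
  return FuzzParam(out, &fuzzer);
}

// True when two mutations from the same seed are identical (reproducibility).
bool MutationIsReproducible(uint64_t seed) {
  NavigateParams a, b;
  if (!MutateOnce(seed, &a) || !MutateOnce(seed, &b)) return false;
  if (a.url != b.url || a.frames.size() != b.frames.size()) return false;
  const FrameRect& ra = a.frames[0];
  const FrameRect& rb = b.frames[0];
  return ra.x == rb.x && ra.y == rb.y && ra.width == rb.width && ra.height == rb.height;
}

// A type without traits is refused by the primary template.
bool CanFuzzUnknown() { Unknown u{1.0}; Fuzzer f(1); return FuzzParam(&u, &f); }

int main() {
  NavigateParams p;
  if (!MutateOnce(42, &p)) return 1;
  std::printf("url bytes=%zu rect=%d,%d %dx%d\n", p.url.size(),
              p.frames[0].x, p.frames[0].y, p.frames[0].width, p.frames[0].height);
  return 0;
}
```

Two properties matter when you write a real specialization: every field goes
through `FuzzParam` so a nested type's own traits are reused rather than
re-implemented, and the return value is propagated, because a `false` from a
missing trait is the signal that the message was not actually mutated.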

## Problems, questions, suggestions

Send them to mbarbella@chromium.org.