Google Git
Sign in
chromium / chromium / src.git / a71773efe9c828e87412c37081b61635b4d326be / . / docs / ipc_fuzzer.md
blob: 7cf3c96dcdb02c0c015d8c2798a81f74412ece3b [file] [log] [blame] [view]
andybonsad92aa32015-08-31 02:27:44[diff] [blame]1# IPC Fuzzer
andybons3322f762015-08-24 21:37:09[diff] [blame]2
qyearsleyc0dc6f42016-12-02 22:13:39[diff] [blame]3A Chromium IPC fuzzer is under development by aedla and tsepez. The fuzzer lives
andybonsad92aa32015-08-31 02:27:44[diff] [blame]4under `src/tools/ipc_fuzzer/` and is running on ClusterFuzz. A previous version
5of the fuzzer was a simple bitflipper, which caught around 10 bugs. A new
6version is doing smarter mutations and generational fuzzing. To do so, each
7`ParamTraits<Type>` needs a corresponding `FuzzTraits<Type>`. Feel free to
8contribute.
andybons3322f762015-08-24 21:37:09[diff] [blame]9
andybonsad92aa32015-08-31 02:27:44[diff] [blame]10[TOC]
andybons3322f762015-08-24 21:37:09[diff] [blame]11
andybonsad92aa32015-08-31 02:27:44[diff] [blame]12## Working with the fuzzer
andybons3322f762015-08-24 21:37:09[diff] [blame]13
andybonsad92aa32015-08-31 02:27:44[diff] [blame]14### Build instructions
andybons3322f762015-08-24 21:37:09[diff] [blame]15
ochangcc11d0e2016-04-26 19:58:26[diff] [blame]16* Run `gn args` and add `enable_ipc_fuzzer = true` to your args.gn. If you use
17 GYP, add `enable_ipc_fuzzer=1` to `GYP_DEFINES`.
andybonsad92aa32015-08-31 02:27:44[diff] [blame]18* build `ipc_fuzzer_all` target
19* component builds are currently broken, sorry
20* Debug builds are broken; only Release mode works.
andybons3322f762015-08-24 21:37:09[diff] [blame]21
andybonsad92aa32015-08-31 02:27:44[diff] [blame]22### Replaying ipcdumps
andybons3322f762015-08-24 21:37:09[diff] [blame]23
andybonsad92aa32015-08-31 02:27:44[diff] [blame]24* `tools/ipc_fuzzer/scripts/play_testcase.py path/to/testcase.ipcdump`
25* more help: `tools/ipc_fuzzer/scripts/play_testcase.py -h`
andybons3322f762015-08-24 21:37:09[diff] [blame]26
andybonsad92aa32015-08-31 02:27:44[diff] [blame]27### Listing messages in ipcdump
andybons3322f762015-08-24 21:37:09[diff] [blame]28
andybonsad92aa32015-08-31 02:27:44[diff] [blame]29* `out/<Build>/ipc_message_util --dump path/to/testcase.ipcdump`
andybons3322f762015-08-24 21:37:09[diff] [blame]30
andybonsad92aa32015-08-31 02:27:44[diff] [blame]31### Updating fuzzers in ClusterFuzz
andybons3322f762015-08-24 21:37:09[diff] [blame]32
andybonsad92aa32015-08-31 02:27:44[diff] [blame]33* `tools/ipc_fuzzer/scripts/cf_package_builder.py`
34* upload `ipc_fuzzer_mut.zip` and `ipc_fuzzer_gen.zip` under build directory
35 to ClusterFuzz
andybons3322f762015-08-24 21:37:09[diff] [blame]36
andybonsad92aa32015-08-31 02:27:44[diff] [blame]37### Contributing FuzzTraits
andybons3322f762015-08-24 21:37:09[diff] [blame]38
andybonsad92aa32015-08-31 02:27:44[diff] [blame]39* add them to `tools/ipc_fuzzer/fuzzer/fuzzer.cc`
40* thanks!
andybons3322f762015-08-24 21:37:09[diff] [blame]41
andybonsad92aa32015-08-31 02:27:44[diff] [blame]42## Components
andybons3322f762015-08-24 21:37:09[diff] [blame]43
andybonsad92aa32015-08-31 02:27:44[diff] [blame]44### ipcdump logger
andybons3322f762015-08-24 21:37:09[diff] [blame]45
andybonsad92aa32015-08-31 02:27:44[diff] [blame]46* add `enable_ipc_fuzzer=1` to `GYP_DEFINES`
47* build `chrome` and `ipc_message_dump` targets
48* run chrome with
49 `--no-sandbox --ipc-dump-directory=/path/to/ipcdump/directory`
50* ipcdumps will be created in this directory for each renderer using the
51 format `_pid_.ipcdump`
andybons3322f762015-08-24 21:37:09[diff] [blame]52
andybonsad92aa32015-08-31 02:27:44[diff] [blame]53### ipcdump replay
andybons3322f762015-08-24 21:37:09[diff] [blame]54
andybonsad92aa32015-08-31 02:27:44[diff] [blame]55Lives under `ipc_fuzzer/replay`. The renderer is replaced with
56`ipc_fuzzer_replay` using `--renderer-cmd-prefix`. This is done automatically
57with the `ipc_fuzzer/play_testcase.py` convenience script.
58
59### ipcdump mutator / generator
60
61Lives under `ipc_fuzzer/fuzzer`. This is the code that runs on ClusterFuzz. It
62uses `FuzzTraits<Type>` to mutate ipcdumps or generate them out of thin air.
63
64## Problems, questions, suggestions
65
66Send them to mbarbella@chromium.org.