# Fuzz testing in Chromium

[go/chrome-fuzzing](https://goto.google.com/chrome-fuzzing)

[Fuzzing] is a testing technique that feeds auto-generated inputs to a piece
of target code in an attempt to crash the code. It's one of the most effective
methods we have for finding security and stability issues (see
[go/fuzzing-success](http://go/fuzzing-success)). You can learn more about the
benefits of fuzzing at [go/why-fuzz](http://go/why-fuzz).

This documentation covers the in-process guided fuzzing approach employed by
different fuzzing engines, such as [libFuzzer] or [AFL]. To learn more about
out-of-process fuzzers, please refer to the [Blackbox fuzzing] page in the
ClusterFuzz documentation.

[TOC]

## Getting Started

In Chromium, you can easily create and submit fuzz targets. The targets are
automatically discovered by buildbots, built with different fuzzing engines,
then uploaded to the distributed [ClusterFuzz] fuzzing system to run at scale.

Create your first fuzz target and submit it by stepping through our [Getting
Started Guide].

## Advanced Topics

* [Improving fuzz target efficiency].
* [Creating a fuzz target that expects a protobuf] instead of a byte stream as
  input.

  *** note
  **Note:** You can also fuzz code that needs multiple mutated
  inputs, or generate inputs defined by a grammar.
  ***

* [Reproducing bugs] found by libFuzzer/AFL and reported by ClusterFuzz.
* [Fuzzing mojo interfaces] using automatically generated libprotobuf-mutator fuzzers.

## Further Reading

* [LibFuzzer integration] with Chromium and ClusterFuzz.
* [AFL integration] with Chromium and ClusterFuzz.
* [Detailed references] for other integration parts.
* Writing fuzzers for the [non-browser parts of Chrome OS].
* [Fuzzing browsertests] if you need to fuzz multiple Chrome subsystems.

## Trophies

* [Issues automatically filed] by ClusterFuzz.
* [Issues filed manually] after running fuzz targets.
* [Bugs found in PDFium] by manual fuzzing.
* [Bugs found in open-source projects] with libFuzzer.

## Other Links

* [Guided in-process fuzzing of Chrome components] blog post.
* [ClusterFuzz Stats] for fuzz targets built with AddressSanitizer and
  libFuzzer.

[AFL]: http://lcamtuf.coredump.cx/afl/
[AFL integration]: AFL_integration.md
[Blackbox fuzzing]: https://google.github.io/clusterfuzz/setting-up-fuzzing/blackbox-fuzzing/
[Bugs found in open-source projects]: http://llvm.org/docs/LibFuzzer.html#trophies
[Bugs found in PDFium]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
[ClusterFuzz]: https://clusterfuzz.com/
[ClusterFuzz Stats]: https://clusterfuzz.com/fuzzer-stats/by-fuzzer/fuzzer/libFuzzer/job/libfuzzer_chrome_asan
[Creating a fuzz target that expects a protobuf]: libprotobuf-mutator.md
[Detailed references]: reference.md
[Fuzzing]: https://en.wikipedia.org/wiki/Fuzzing
[Fuzzing browsertests]: fuzzing_browsertests.md
[Fuzzing mojo interfaces]: ../../mojo/docs/mojolpm.md
[Getting Started Guide]: getting_started.md
[Guided in-process fuzzing of Chrome components]: https://security.googleblog.com/2016/08/guided-in-process-fuzzing-of-chrome.html
[Improving fuzz target efficiency]: efficient_fuzzing.md
[Issues automatically filed]: https://bugs.chromium.org/p/chromium/issues/list?sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified&q=label%3AStability-LibFuzzer%2CStability-AFL%20label%3AClusterFuzz%20-status%3AWontFix%2CDuplicate&can=1
[Issues filed manually]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label%3AStability-LibFuzzer+-label%3AClusterFuzz&sort=-modified&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids
[non-browser parts of Chrome OS]: https://chromium.googlesource.com/chromiumos/docs/+/main/testing/fuzzing.md
[Reproducing bugs]: reproducing.md
[crbug.com/539572]: https://bugs.chromium.org/p/chromium/issues/detail?id=539572
[go/fuzzing-success]: https://goto.google.com/fuzzing-success
[libFuzzer]: http://llvm.org/docs/LibFuzzer.html
[libFuzzer integration]: libFuzzer_integration.md
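As an added illustration of the in-process fuzz targets that the Getting Started section refers to (example code written for this page, not from the Chromium tree or the Getting Started Guide): a minimal libFuzzer-style target wrapping a hypothetical length-prefixed record parser. `ParseRecords` and its record format are assumptions made for this example; `LLVMFuzzerTestOneInput` is libFuzzer's real entry point, which the engine calls once per generated input inside the same process.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical code under test (constructed for this example): parses a byte
// stream of records laid out as [1-byte length][payload...]. Returns the number
// of records parsed, or -1 if a declared length runs past the end of the input.
// The bounds check on `len` is exactly the kind of condition a guided fuzzer
// finds when it is missing: a sanitizer build would report the out-of-bounds
// read as soon as a mutated length byte exceeded the remaining input.
int ParseRecords(const uint8_t* data, size_t size,
                 std::vector<std::string>* out) {
  size_t pos = 0;
  while (pos < size) {
    size_t len = data[pos++];
    if (len > size - pos) {
      return -1;  // truncated record: reject instead of reading past `size`
    }
    out->emplace_back(reinterpret_cast<const char*>(data + pos), len);
    pos += len;
  }
  return static_cast<int>(out->size());
}

// libFuzzer entry point. Build with clang's -fsanitize=fuzzer,address (in
// Chromium, the fuzzer_test GN template does this for you) and the engine
// drives this function in-process with coverage-guided mutated inputs.
// The return value must be 0; other values are reserved by libFuzzer.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::vector<std::string> records;
  ParseRecords(data, size, &records);
  return 0;
}
```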