docs/testing/ipc_fuzzer.md - chromium/src.git - Git at Google

 # IPC Fuzzer

 A Chromium IPC fuzzer is under development by aedla and tsepez. The fuzzer lives
 under `src/tools/ipc_fuzzer/` and is running on ClusterFuzz. A previous version
 of the fuzzer was a simple bitflipper, which caught around 10 bugs. A new
 version is doing smarter mutations and generational fuzzing. To do so, each
 `ParamTraits<Type>` needs a corresponding `FuzzTraits<Type>`. Feel free to
 contribute.

 [TOC]

 ## Working with the fuzzer

 ### Build instructions

 *   Run `gn args` and add `enable_ipc_fuzzer = true` to your args.gn.
 *   build `ipc_fuzzer_all` target
 *   component builds are currently broken, sorry
 *   Debug builds are broken; only Release mode works.

 ### Replaying ipcdumps

 *   `tools/ipc_fuzzer/scripts/play_testcase.py path/to/testcase.ipcdump`
 *   more help: `tools/ipc_fuzzer/scripts/play_testcase.py -h`

 ### Listing messages in ipcdump

 *   `out/<Build>/ipc_message_util --dump path/to/testcase.ipcdump`

 ### Updating fuzzers in ClusterFuzz

 *   `tools/ipc_fuzzer/scripts/cf_package_builder.py`
 *   upload `ipc_fuzzer_mut.zip` and `ipc_fuzzer_gen.zip` under build directory
     to ClusterFuzz

 ### Contributing FuzzTraits

 *   add them to `tools/ipc_fuzzer/fuzzer/fuzzer.cc`
 *   thanks!

 ## Components

 ### ipcdump logger

 *   add `enable_ipc_fuzzer = true` to `args.gn`
 *   build `chrome` and `ipc_message_dump` targets
 *   run chrome with
     `--no-sandbox --ipc-dump-directory=/path/to/ipcdump/directory`
 *   ipcdumps will be created in this directory for each renderer using the
     format `_pid_.ipcdump`

 ### ipcdump replay

 Lives under `ipc_fuzzer/replay`. The renderer is replaced with
 `ipc_fuzzer_replay` using `--renderer-cmd-prefix`. This is done automatically
 with the `ipc_fuzzer/play_testcase.py` convenience script.

 ### ipcdump mutator / generator

 Lives under `ipc_fuzzer/fuzzer`. This is the code that runs on ClusterFuzz. It
 uses `FuzzTraits<Type>` to mutate ipcdumps or generate them out of thin air.

 ## Problems, questions, suggestions

 Send them to mbarbella@chromium.org.
	# IPC Fuzzer

	A Chromium IPC fuzzer is under development by aedla and tsepez. The fuzzer lives
	under `src/tools/ipc_fuzzer/` and is running on ClusterFuzz. A previous version
	of the fuzzer was a simple bitflipper, which caught around 10 bugs. A new
	version is doing smarter mutations and generational fuzzing. To do so, each
	`ParamTraits<Type>` needs a corresponding `FuzzTraits<Type>`. Feel free to
	contribute.

	[TOC]

	## Working with the fuzzer

	### Build instructions

	* Run `gn args` and add `enable_ipc_fuzzer = true` to your args.gn.
	* build `ipc_fuzzer_all` target
	* component builds are currently broken, sorry
	* Debug builds are broken; only Release mode works.

	### Replaying ipcdumps

	* `tools/ipc_fuzzer/scripts/play_testcase.py path/to/testcase.ipcdump`
	* more help: `tools/ipc_fuzzer/scripts/play_testcase.py -h`

	### Listing messages in ipcdump

	* `out/<Build>/ipc_message_util --dump path/to/testcase.ipcdump`

	### Updating fuzzers in ClusterFuzz

	* `tools/ipc_fuzzer/scripts/cf_package_builder.py`
	* upload `ipc_fuzzer_mut.zip` and `ipc_fuzzer_gen.zip` under build directory
	to ClusterFuzz

	### Contributing FuzzTraits

	* add them to `tools/ipc_fuzzer/fuzzer/fuzzer.cc`
	* thanks!

	## Components

	### ipcdump logger

	* add `enable_ipc_fuzzer = true` to `args.gn`
	* build `chrome` and `ipc_message_dump` targets
	* run chrome with
	`--no-sandbox --ipc-dump-directory=/path/to/ipcdump/directory`
	* ipcdumps will be created in this directory for each renderer using the
	format `_pid_.ipcdump`

	### ipcdump replay

	Lives under `ipc_fuzzer/replay`. The renderer is replaced with
	`ipc_fuzzer_replay` using `--renderer-cmd-prefix`. This is done automatically
	with the `ipc_fuzzer/play_testcase.py` convenience script.

	### ipcdump mutator / generator

	Lives under `ipc_fuzzer/fuzzer`. This is the code that runs on ClusterFuzz. It
	uses `FuzzTraits<Type>` to mutate ipcdumps or generate them out of thin air.

	## Problems, questions, suggestions

	Send them to mbarbella@chromium.org.