Source code
Revision control
Copy as Markdown
Other Tools
# Fuzzing in WebRTC
## Intro
WebRTC currently uses libfuzzer for fuzz testing however FuzzTest is a new
approach which we have not yet looked into but we will in the future.
Before continuing, read the [libfuzzer][libfuzzer-getting-started]
and [FuzzTest][fuzztest-getting-started] getting started docs to get familar.
You will also need to download libfuzzer specific libraries, which are not
downloaded by default. The easiest way to do this is to set the `checkout_fuzzer`
custom variable in your .gclient file then run gclient runhooks.
```
"custom_vars": {
"checkout_fuzzer": True,
},
```
## Compiling locally
To build the fuzzers residing in the [test/fuzzers][fuzzers] directory, use
```
$ gn gen out/fuzzers --args='enable_rust=true enable_rust_cxx=true optimize_for_fuzzing=true use_fuzztest_wrapper=true use_libfuzzer=true'
```
Depending on the fuzzer additional arguments like `is_asan`, `is_msan` or
`is_ubsan_security` might be required.
See the [GN][gn-doc] documentation for all available options. There are also
more platform specific tips on the [Android][webrtc-android-development] and
[iOS][webrtc-ios-development] instructions.
## Add new fuzzers
Create a new `.cc` file in the [test/fuzzers][fuzzers] directory, use existing
files as a guide.
Add a new `webrtc_fuzzers_test` build rule in the [test/fuzzers/BUILD.gn][BUILD.gn],
use existing rules as a guide.
Ensure it compiles and executes locally then add it to a gerrit CL and upload
it for review, e.g.
```
$ autoninja -C out/fuzzers test/fuzzers:h264_depacketizer_fuzzer
```
It can then be executed like so:
```
$ out/fuzzers/bin/run_h264_depacketizer_fuzzer
```
## Running fuzzers automatically
All fuzzer tests in the [test/fuzzers/BUILD.gn][BUILD.gn] file are compiled per
CL on the [libfuzzer bot][libfuzzer-bot]. This is only to verify that it
compiles, this bot does not do any fuzz testing.
When WebRTC is [rolled][webrtc-autoroller] into to Chromium, the libfuzz bots
in the [chromium.fuzz][chromium-fuzz] will compile it, zip it and then upload
You can verify that the fuzz test is being executed by:
- Navigate to a bot in the [chromium.fuzz][chromium-fuzz] libfuzzer waterfall, e.g. [ Libfuzzer Upload Linux ASan bot/linux bot][linux-bot].
- Click on the latest `build#` link.
- Search for `//third_party/webrtc/test/fuzzers` in the `raw_io.output_text_refs_` file in the `calculate_all_fuzzers` step.
- Verify that the new fuzzer (as it's named in the `webrtc_fuzzers_test` build rule) is present.
- Also verify that it's _NOT_ in the `no_clusterfuzz` file in the `calculate_no_clusterfuzz` step. If it is, file a bug at https://bugs.webrtc.org.
and assigned based on [test/fuzzers/OWNERS][OWNERS] file or the commit history.
if your account is CC'ed on the reported bug.
## Additional reading
[Libfuzzer in Chromium][libfuzzer-chromium]
[libfuzzer-chromium]: https://chromium.googlesource.com/chromium/src/+/HEAD/testing/libfuzzer/README.md
[libfuzzer-bot]: https://ci.chromium.org/ui/p/webrtc/builders/luci.webrtc.ci/Linux64%20Release%20%28Libfuzzer%29
[libfuzzer-getting-started]: https://chromium.googlesource.com/chromium/src/+/main/testing/libfuzzer/getting_started_with_libfuzzer.md
[fuzztest-getting-started]: https://chromium.googlesource.com/chromium/src/+/main/testing/libfuzzer/getting_started.md