Diffstat (limited to 'docs/fuzzing.md')
-rw-r--r-- | docs/fuzzing.md | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/docs/fuzzing.md b/docs/fuzzing.md new file mode 100644 index 00000000..427165b7 --- /dev/null +++ b/docs/fuzzing.md @@ -0,0 +1,19 @@ +# Building and running fuzzers + +In order to build fuzzers, you need the GN arg `use_libfuzzer=true`. It's also +recommended to build with `is_asan=true` to catch additional problems. Building +and running then might look like: +```bash + gn gen out/libfuzzer --args="use_libfuzzer=true is_asan=true is_debug=false" + ninja -C out/libfuzzer some_fuzz_target + out/libfuzzer/some_fuzz_target <args> <corpus_dir> [additional corpus dirs] +``` + +The arguments to the fuzzer binary should be whatever is listed in the GN target +description (e.g. `-max_len=1500`). These arguments may be automatically +scraped by Chromium's ClusterFuzz tool when it runs fuzzers, but they are not +built into the target. You can also look at the file +`out/libfuzzer/some_fuzz_target.options` for what arguments should be used. The +`corpus_dir` is listed as `seed_corpus` in the GN definition of the fuzzer +target. + |
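Review bot: the usage line `out/libfuzzer/some_fuzz_target <args> <corpus_dir> [additional corpus dirs]` should say what libFuzzer does with those directories: the first corpus directory is the one it writes newly discovered inputs into, while additional directories are only read and merged in. Since the text later identifies `corpus_dir` with the `seed_corpus` from the GN definition, a reader following this literally will fuzz directly against the checked-in seed corpus and pollute it. Suggest a sentence recommending a scratch copy as the first directory, and a concrete invocation using the `-max_len=1500` option already cited, e.g. `out/libfuzzer/some_fuzz_target -max_len=1500 /tmp/corpus path/to/seed_corpus`. It would also help to state explicitly that the `.options` file contents are not applied automatically when running the binary by hand, which the "not built into the target" sentence implies but does not spell out.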