File: fuzz_target.cc

chromium 145.0.7632.159-1
// Copyright 2025 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "testing/libfuzzer/tests/fuzz_target.h"

#include "base/base_paths.h"
#include "base/files/file_enumerator.h"
#include "base/files/file_util.h"
#include "base/path_service.h"
#include "base/process/launch.h"
#include "base/strings/strcat.h"
#include "base/strings/string_number_conversions.h"
#include "testing/libfuzzer/buildflags.h"

namespace fuzzing {
namespace {

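// Resolves `file_name` against the test output data root
// (base::DIR_OUT_TEST_DATA_ROOT) and returns the resulting path.
//
// Returns an empty path when the directory lookup fails. Without this check a
// failed lookup leaves `out_dir` empty and the result is the bare `file_name`.
// Callers in this file pass the result to base::CommandLine as the program to
// run, so a bare name could be resolved somewhere other than the build output
// directory. NOTE(review): that depends on how the process launcher treats
// directory-less program names; confirm.
//
// `file_name` is appended with AppendASCII, so it is presumably a plain ASCII
// file name chosen by test code rather than external input.
base::FilePath BinaryPath(std::string_view file_name) {
  base::FilePath out_dir;
  if (!base::PathService::Get(base::DIR_OUT_TEST_DATA_ROOT, &out_dir)) {
    // Fail closed: an empty program path cannot name an unintended binary.
    return base::FilePath();
  }

  return out_dir.AppendASCII(file_name);
}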

}  // namespace

// Stores the path of the fuzzer binary named `fuzzer_name`, as resolved by
// BinaryPath(). Only `fuzz_target_path_` is initialised explicitly here; the
// temporary directory is created separately in Make().
FuzzTarget::FuzzTarget(std::string_view fuzzer_name)
    : fuzz_target_path_(BinaryPath(fuzzer_name)) {}

// static
// Factory for FuzzTarget: builds the object for `fuzzer_name` and creates its
// unique temporary directory. Yields std::nullopt when the directory cannot
// be created, so a returned FuzzTarget always has a directory for this run's
// artifacts.
std::optional<FuzzTarget> FuzzTarget::Make(std::string_view fuzzer_name) {
  FuzzTarget target(fuzzer_name);
  const bool have_temp_dir = target.temp_dir_.CreateUniqueTempDir();
  if (have_temp_dir) {
    return target;
  }

  return std::nullopt;
}

// Builds the command line that runs the fuzz target directly as a libFuzzer
// binary: the run is bounded by `options.timeout_secs` and crash artifacts
// are written under the temporary directory with a "crash-" file-name prefix.
//
// NOTE(review): MaybeAsASCII() yields an empty string for a path that is not
// pure ASCII, which would leave "-artifact_prefix=" without a value. The
// artifacts would then not land in the directory GetCrashingInputs() scans,
// and a crash could go unreported. Confirm the temp dir path is always ASCII
// on supported platforms.
base::CommandLine FuzzTarget::LibfuzzerCommandLine(
    const FuzzOptions& options) const {
  const std::string time_limit = base::NumberToString(options.timeout_secs);
  const std::string artifact_prefix =
      temp_dir_.GetPath().AppendASCII("crash-").MaybeAsASCII();

  base::CommandLine cmd(fuzz_target_path_);
  cmd.AppendArg(base::StrCat({"-max_total_time=", time_limit}));
  cmd.AppendArg(base::StrCat({"-artifact_prefix=", artifact_prefix}));
  return cmd;
}

// Builds the command line that runs the fuzz target under the "centipede"
// driver binary found next to the other test binaries: a single job, the
// target passed via --binary, a stop time of `options.timeout_secs` seconds,
// and the temporary directory as the work directory.
//
// NOTE(review): both paths go through MaybeAsASCII(), which yields an empty
// string for a non-ASCII path. That would produce an empty "--binary=" or
// "--workdir=" value rather than an error here; confirm paths are always
// ASCII on supported platforms.
base::CommandLine FuzzTarget::CentipedeCommandLine(
    const FuzzOptions& options) const {
  const std::string target_binary = fuzz_target_path_.MaybeAsASCII();
  const std::string time_limit = base::NumberToString(options.timeout_secs);
  const std::string work_dir = temp_dir_.GetPath().MaybeAsASCII();

  base::CommandLine cmd(BinaryPath("centipede"));
  cmd.AppendArg("--j=1");
  cmd.AppendArg(base::StrCat({"--binary=", target_binary}));
  cmd.AppendArg(base::StrCat({"--stop_after=", time_limit, "s"}));
  cmd.AppendArg(base::StrCat({"--workdir=", work_dir}));
  return cmd;
}

// Returns the command line for the fuzzing engine this build is configured
// for: Centipede when the USE_CENTIPEDE build flag is set, libFuzzer
// otherwise.
base::CommandLine FuzzTarget::FuzzCommandLine(
    const FuzzOptions& options) const {
#if BUILDFLAG(USE_CENTIPEDE)
  base::CommandLine cmd = CentipedeCommandLine(options);
#else
  base::CommandLine cmd = LibfuzzerCommandLine(options);
#endif
  return cmd;
}

// Runs the fuzzer synchronously with the engine-specific command line and
// stores its combined output in `output_`. The return value is whatever
// base::GetAppOutputAndError() reports.
//
// NOTE(review): a false result presumably covers both "could not launch" and
// "fuzzer exited with a failure status" (for example after finding a crash).
// Callers that need to tell these apart should also inspect `output_` and
// GetCrashingInputs(). Confirm against base/process/launch.h.
bool FuzzTarget::Fuzz(const FuzzOptions& options) {
  const base::CommandLine cmd = FuzzCommandLine(options);
  const bool ok = base::GetAppOutputAndError(cmd, &output_);
  return ok;
}

// Returns the directory in which the configured fuzzing engine leaves its
// crashing inputs: the Centipede location when the USE_CENTIPEDE build flag
// is set, the libFuzzer location otherwise.
base::FilePath FuzzTarget::CrashingInputsDir() const {
#if BUILDFLAG(USE_CENTIPEDE)
  base::FilePath dir = CentipedeCrashingInputsDir();
#else
  base::FilePath dir = LibfuzzerCrashingInputsDir();
#endif
  return dir;
}

// libFuzzer artifacts are written straight into the temporary directory (see
// the -artifact_prefix argument in LibfuzzerCommandLine()), so that directory
// is the one to scan.
base::FilePath FuzzTarget::LibfuzzerCrashingInputsDir() const {
  base::FilePath artifacts_dir = temp_dir_.GetPath();
  return artifacts_dir;
}

// Returns the "crashes.000000" subdirectory of the temporary directory, which
// CentipedeCommandLine() passes to Centipede as its work directory.
// NOTE(review): the fixed suffix presumably names the first shard's crash
// directory, matching the single job requested with --j=1; confirm if the
// job count ever changes.
base::FilePath FuzzTarget::CentipedeCrashingInputsDir() const {
  const base::FilePath work_dir = temp_dir_.GetPath();
  return work_dir.AppendASCII("crashes.000000");
}

// Reads every regular file directly inside CrashingInputsDir() (no recursion)
// and returns the file contents, one element per file. A file that cannot be
// read contributes an "error: failed to read <path>" string instead of being
// skipped, so a read failure shows up in whatever the caller compares
// against.
//
// NOTE(review): elements appear in the order the enumerator yields them. No
// sorting is done here, so callers comparing several inputs should not rely
// on a particular order unless base::FileEnumerator guarantees one.
std::vector<std::string> FuzzTarget::GetCrashingInputs() const {
  std::vector<std::string> inputs;

  base::FileEnumerator files(CrashingInputsDir(), /*recursive=*/false,
                             base::FileEnumerator::FILES);
  while (true) {
    const base::FilePath path = files.Next();
    if (path.empty()) {
      // An empty path marks the end of the enumeration.
      break;
    }

    std::string contents;
    if (!base::ReadFileToString(path, &contents)) {
      // Surface the failure through the return value rather than dropping
      // the file silently.
      inputs.push_back(base::StrCat({
          "error: failed to read ",
          path.MaybeAsASCII(),
      }));
      continue;
    }
    inputs.push_back(std::move(contents));
  }

  return inputs;
}

}  // namespace fuzzing