This is not the ClusterFuzz repo. That can be found here. This is a tool for reproducing crashes in Chrome that were found by ClusterFuzz.
The reproduce tool helps you reproduce locally a crash that was found by the ClusterFuzz infrastructure.
Currently the reproduce tool is supported on:
- Platforms: Linux and Android only.
  - For reproducing crashes on Windows and Mac:
    - For libFuzzer and AFL testcases, please use the manual instructions here.
    - For others, please use the testcase report page to download the testcase first and then use the command-line and environment options provided in the crash stacktrace section to run the testcase against the target (e.g. chrome, content_shell, d8, etc.).
- Sanitizers: ASan, LSan, TSan and UBSan only.
  - For reproducing crashes found with MSan:
    - Follow the same manual steps cited for Windows and Mac above.
    - To run the target, please use the manual instructions provided here.

Requirements:
- `gsutil`, `blackbox` and `xdotool`; these can be installed with `apt-get`.
ClusterFuzz tools is a single binary file built with Pex. Therefore, you can simply copy the binary and run it.
For Goobuntu:
- Run `prodaccess`.
- Run `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce -h`.

For others:
- Download the latest stable version.
- Run `clusterfuzz-<version>.pex reproduce -h`.
See `<binary> reproduce --help`. Run it using `<binary> reproduce [testcase-id]`.
Here's the recommended workflow for fixing a bug:
- Run `<binary> reproduce [testcase-id]`.
- Make a new branch and make a code change.
- Run against the code change with `<binary> reproduce [testcase-id] --current`.
- If the crash doesn't occur anymore, it means your code change fixes the crash.
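The workflow above as a small shell wrapper (an added example, not part of clusterfuzz-tools): it runs the reproduce step at the pinned commit and again with `--current`, and decides from the sanitizer report markers in the tool's output whether the crash still reproduces. It assumes the sanitizer report is printed to the reproduce tool's stdout/stderr; the binary path and testcase id are placeholders supplied by the caller.

```shell
# Return 0 if the output of the given command contains a sanitizer crash report.
# The pattern covers the common report headers of the supported sanitizers
# (ASan/LSan print "ERROR: ...Sanitizer:", TSan prints "WARNING: ThreadSanitizer:",
# UBSan prints "runtime error:"); this is an assumption about the tool's output.
crash_reproduced() {
  "$@" 2>&1 | grep -Eq '(ERROR|WARNING): (Address|Leak|Thread)Sanitizer:|runtime error:'
}

# Reproduce the testcase at the pinned commit, then against the current tree.
# Prints "fixed" when the crash reproduces before the change but not after,
# "still-crashes" when it still reproduces with --current, and "no-repro" when
# the baseline never crashed (a fix cannot be validated from that run).
# Usage: check_fix <binary> <testcase-id> [iterations]
check_fix() {
  binary=$1; testcase=$2; iterations=${3:-3}
  if ! crash_reproduced "$binary" reproduce "$testcase" -i "$iterations"; then
    echo no-repro; return 2
  fi
  if crash_reproduced "$binary" reproduce "$testcase" -i "$iterations" --current; then
    echo still-crashes; return 1
  fi
  echo fixed; return 0
}
```

Run it as `check_fix ./clusterfuzz-<version>.pex <testcase-id>` after making your change on a branch; a `no-repro` result means the baseline needs more iterations or the manual instructions above.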
Here are some other useful options:

```
-h, --help            show this help message and exit
-c, --current         Use the current tree; On the other hand, without
                      --current, the Chrome repository will be switched to
                      the commit specified in the testcase.
-b {download,chromium,standalone}, --build {download,chromium,standalone}
                      Select which type of build to run the testcase
                      against.
--disable-goma        Disable GOMA when building binaries locally.
-j GOMA_THREADS, --goma-threads GOMA_THREADS
                      Manually specify the number of concurrent jobs for a
                      ninja build.
-l GOMA_LOAD, --goma-load GOMA_LOAD
                      Manually specify maximum load average for a ninja
                      build.
-i ITERATIONS, --iterations ITERATIONS
                      Specify the number of times to attempt reproduction.
-dx, --disable-xvfb   Disable running testcases in a virtual frame buffer.
--target-args TARGET_ARGS
                      Additional arguments for the target (e.g. chrome).
--edit-mode           Edit args.gn before building and target arguments
                      before running.
--skip-deps           Skip installing dependencies: gclient sync, gclient
                      runhooks, install-build-deps.sh, and etc.
--enable-debug        Build Chrome with full debug symbols by injecting
                      `sanitizer_keep_symbols = true` and `is_debug = true`
                      to args.gn. Ready to debug with GDB.
```