Fuzzing is an automated software testing technique that provides invalid, unexpected, or random data as inputs to a program to find bugs.
Why fuzz? Fuzzing finds thousands of security and stability issues before they reach users (see go/fuzzing-success). For more information about the benefits of fuzzing, see go/why-fuzz.
Where to fuzz? Fuzz code that parses, decodes, or manipulates input from untrusted sources, such as the web.
In Chromium, you can create and submit fuzz targets that run continuously at scale on ClusterFuzz. Prefer FuzzTest for all new fuzz targets. Use libFuzzer only to maintain existing targets.
FuzzTest integrates with the gtest framework and tests code that accepts structured, typed inputs, such as int, std::string, std::vector, or custom classes.
libFuzzer tests APIs that consume raw byte buffers, such as image decoders and JSON or XML parsers.
Getting Started with libprotobuf-mutator (LPM) - Fuzz code that expects a protobuf, has multiple inputs, or is defined by a grammar.
Fuzzing mojo interfaces - A guide for using LPM to fuzz Mojo interfaces.
Fuzzing in Chrome OS - Writing fuzzers for the non-browser parts of Chrome OS.
Fuzzing browsertests - For fuzzing multiple Chrome subsystems that require a full browser environment.
libFuzzer Integration Details - The specifics of how libFuzzer integrates with Chromium and ClusterFuzz.
libfuzzer Technical References - A detailed reference for build arguments (GN), sanitizer configurations, platform support, and ClusterFuzz options.
Blackbox fuzzing - Fuzz large, slow, or non-deterministic targets without coverage guidance. To learn how to generate and view a code coverage report for your blackbox fuzzer, see Local Code Coverage for blackbox fuzzers
If you have questions or encounter issues,
chrome-fuzzing-core@google.com or