2016-10-26 16:40:37 +00:00
|
|
|
# Reproducing oss-fuzz issues
|
|
|
|
|
|
|
|
You've been CC'ed on an oss-fuzz issue, now what? Before attempting a fix you should be able to reliably reproduce an issue.
|
2016-10-27 03:48:30 +00:00
|
|
|
|
|
|
|
|
|
|
|
The process is much simpler if you have Docker installed ([how?](installing_docker.md), [why?](faq.md#why-do-you-use-docker)), but
|
2016-10-26 16:40:37 +00:00
|
|
|
is entirely possible to do without.
|
|
|
|
|
2016-10-26 22:11:18 +00:00
|
|
|
## Docker
|
2016-10-26 16:40:37 +00:00
|
|
|
|
2016-10-26 22:11:50 +00:00
|
|
|
If you have docker installed, follow these steps:
|
2016-10-26 16:40:37 +00:00
|
|
|
|
2016-10-26 18:04:46 +00:00
|
|
|
- *Download testcase.* Each issue has a minimized testcase link. Download the testcase to a file.
|
2016-10-27 03:46:20 +00:00
|
|
|
- *Reproduce from nightly sources:*
|
2016-10-26 18:04:46 +00:00
|
|
|
|
2016-10-26 21:59:27 +00:00
|
|
|
<pre>
|
2016-10-27 03:41:40 +00:00
|
|
|
docker run --rm -v <b><i>$testcase_file</i></b>:/testcase -t ossfuzz/<b><i>$target</i></b> reproduce <b><i>$fuzzer</i></b>
|
2016-10-26 21:59:27 +00:00
|
|
|
</pre>
|
2016-10-26 18:04:46 +00:00
|
|
|
|
2016-10-26 18:51:01 +00:00
|
|
|
It builds the fuzzer from nightly sources (in the image) and runs it with testcase input.
|
2016-10-26 21:13:17 +00:00
|
|
|
E.g. for libxml2 it will be:
|
|
|
|
|
2016-10-26 22:10:58 +00:00
|
|
|
<pre>
|
2016-10-27 03:40:55 +00:00
|
|
|
docker run --rm -ti -v <b><i>~/Downloads/testcase</i></b>:/testcase ossfuzz/<b><i>libxml2</i></b> reproduce <b><i>libxml2_xml_read_memory_fuzzer</i></b>
|
2016-10-26 22:10:58 +00:00
|
|
|
</pre>
|
2016-10-27 03:46:20 +00:00
|
|
|
- *Reproduce from local sources:*
|
2016-10-26 18:04:46 +00:00
|
|
|
|
2016-10-27 03:40:55 +00:00
|
|
|
<pre>
|
2016-10-27 03:44:11 +00:00
|
|
|
docker run --rm -v <b><i>$target_checkout_dir</i></b>:/src/<b><i>$target</i></b> \
|
|
|
|
-v <b><i>$reproducer_file</i></b>:/testcase -t ossfuzz/<b><i>$target</i></b> reproduce <b><i>$fuzzer</i></b>
|
2016-10-27 03:40:55 +00:00
|
|
|
</pre>
|
2016-10-26 18:04:46 +00:00
|
|
|
|
2016-10-27 03:48:12 +00:00
|
|
|
This is essentially the previous command that additonally mounts local sources into the running container.
|
2016-11-02 19:43:54 +00:00
|
|
|
- *Fix the issue.* Use the previous command to verify you fixed the issue locally.
|
|
|
|
[Use gdb](debugging.md#debugging-fuzzers-with-gdb) if needed.
|
2016-10-27 03:45:52 +00:00
|
|
|
- *Submit the fix.* ClusterFuzz will automatically pick up the changes, recheck the testcase
|
2016-10-26 18:04:46 +00:00
|
|
|
and will close the issue.
|
2016-10-26 18:09:34 +00:00
|
|
|
|
|
|
|
## Manual
|
|
|
|
|
2016-10-26 18:51:16 +00:00
|
|
|
Manual process is fully documented on main [libFuzzer page](http://llvm.org/docs/LibFuzzer.html).
|
2016-10-26 18:09:34 +00:00
|
|
|
To manully reproduce the issue you have to:
|
2016-10-26 18:49:07 +00:00
|
|
|
- fetch the toolchain: http://llvm.org/docs/LibFuzzer.html#versions
|
|
|
|
- build the target with toolchain and sanitizer: http://llvm.org/docs/LibFuzzer.html#building
|
|
|
|
- build the fuzzer from target-related code in [targets/](../targets/)
|
2016-10-26 18:48:51 +00:00
|
|
|
- run the fuzzer on downloaded testcase
|
|
|
|
- develop a fix and submit it upstream
|
|
|
|
|
2016-10-27 03:45:52 +00:00
|
|
|
ClusterFuzz will automatically pick up the changes, recheck the testcase and will close the issue.
|
2016-10-26 18:48:51 +00:00
|
|
|
|