# Copyright 2015 The Chromium Authors # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. # LibFuzzer is a LLVM tool for coverage-guided fuzz testing. # See http://www.chromium.org/developers/testing/libfuzzer # # To enable libfuzzer, 'use_libfuzzer' GN option should be set to true. # Or equivalent 'use_afl' or 'use_centipede' options for those engines. import("//build/config/features.gni") import("//build/config/sanitizers/sanitizers.gni") # Temporary target for legacy reasons. Some third party repos explicitly # refer to libfuzzer_main though they should refer to fuzzer_engine_main # instead, and so do some infrastructure repos. We should migrate them # all to point to :fuzzing_engine_main instead. # TODO: remove this target once they've all migrated. source_set("libfuzzer_main") { deps = [ ":fuzzing_engine" ] testonly = true sources = [] if (use_libfuzzer) { deps += [ "//third_party/libFuzzer:libfuzzer_main" ] if (is_ios) { deps += [ "//testing/libfuzzer/fuzzer_support_ios:fuzzing_engine_main_ios" ] } } else if (use_afl) { deps += [ "//third_party/libFuzzer:afl_driver" ] } else if (use_centipede) { deps += [ "//third_party/fuzztest:centipede_runner_main" ] data_deps = [ # Centipede based fuzzers require the centipede runner in order to fuzz. "//third_party/fuzztest:centipede", ] } else { sources += [ "unittest_main.cc" ] } } if (fuzzing_engine_supports_custom_main) { # Depend on this if you want to use LLVMFuzzerRunDriver from within an existing # executable group("fuzzing_engine_no_main") { deps = [ ":fuzzing_engine" ] testonly = true if (use_libfuzzer) { deps += [ "//third_party/libFuzzer:libfuzzer" ] } else if (use_centipede) { deps += [ "//third_party/fuzztest:centipede_runner_no_main" ] data_deps = [ # Centipede based fuzzers require the centipede runner in order to fuzz. "//third_party/fuzztest:centipede", ] } } } # The currently selected fuzzing engine, providing a main() function. # Fuzzers should depend upon this. group("fuzzing_engine_main") { deps = [ ":libfuzzer_main" ] testonly = true } # Any fuzzer using any fuzzing engine. This will be used by infra scripts # to identify fuzzers which should be built and made available to ClusterFuzz. group("fuzzing_engine") { if (use_clang_coverage) { # For purposes of code coverage calculation, fuzzer targets are run through # a wrapper script in this directory, which handles corpus retrieval and # appropriate parameter passing to run the target in an isolate. This # directive makes this script and its dependencies to be included in the # target's isolate. data = [ "//tools/code_coverage/" ] } } # A config used by all fuzzer_tests. config("fuzzer_test_config") { if (use_libfuzzer && is_mac) { ldflags = [ "-Wl,-U,_LLVMFuzzerCustomMutator", "-Wl,-U,_LLVMFuzzerInitialize", ] } } # Noop config used to tag fuzzer tests excluded from clusterfuzz. # Libfuzzer build bot uses this to filter out targets while # building an archive for clusterfuzz. config("no_clusterfuzz") { } # Since most iOS code doesn't compile in other platforms, and not all fuzzers # compile in iOS, a clusterfuzz job is set up to run only selected iOS fuzzers. # This is a noop config to tag fuzzer tests to be built for the job. iOS # Libfuzzer build bot uses this to filter targets while building an archive for # the job. config("build_for_ios_clusterfuzz_job") { } # noop to tag seed corpus rules. source_set("seed_corpus") { } if (use_fuzzing_engine) { pool("fuzzer_owners_pool") { depth = 1 } } if (build_with_chromium && use_blink) { source_set("renderer_fuzzing") { testonly = true sources = [ "renderer_fuzzing/renderer_fuzzing.cc", "renderer_fuzzing/renderer_fuzzing.h", ] deps = [ "//base", "//third_party/blink/public:blink", ] } } # A wrapper that knows how to execute a single fuzztest within a binary # containing many fuzztests. source_set("individual_fuzztest_wrapper") { sources = [ "//testing/libfuzzer/fuzztest_wrapper.cpp" ] deps = [ "//base" ] }