# Building the ART Fuzzer

There are two ways to run one of the existing fuzzers: on host or on device.
The building and running takes place in the full Android platform
tree (aosp-main-with-phones). For host there's the possibility of using a
smaller AOSP Android manifest (master-art). The latter is faster to build,
because it only has the sources and dependencies required for the module.

In the following tutorial we use the class verification fuzzer. We set a shell
variable with the fuzzer's name for convenience. Their names can be found in
the Android.bp file, under the cc_fuzz build rules.

```
FUZZER_NAME=libart_verify_classes_fuzzer
```

## Common steps for host and device

1. Navigate to the root directory of the android repository.

2. From the console, set up the development environment.

    ```
    source build/envsetup.sh
    ```

3. Build the fuzzer for host/device

    The command is composed of:

    ```
    lunch <product>-trunk_staging-<variant>
    SANITIZE_HOST=address make ${FUZZER_NAME}
    ```

    For host you can use any valid lunch target, for example:

    ```
    lunch silvermont-trunk_staging-eng
    ```

    For device, you have to select your target according to the device
    you are using it to run the fuzzer.

    ```
    lunch aosp_husky-trunk_staging-userdebug
    ```

## Host

4. Run the fuzzer

    In this example we assume an x86_64 host architecture:

    ```
    out/host/linux-x86/fuzz/x86_64/${FUZZER_NAME}/${FUZZER_NAME} \
    out/host/linux-x86/fuzz/x86_64/${FUZZER_NAME}/corpus
    ```

    The first part of the command is the path to the fuzzer's binary, followed by the
    corpus. See [llvm.org/docs/LibFuzzer](https://llvm.org/docs/LibFuzzer.html#options)
    for more valid flags. For example, you can add the flag `-print_pcs=1` which makes
    it more verbose.

## Device

4. Add the fuzzer's files on the device

    ```
    adb root
    adb sync data
    ```

5. Run the fuzzer

    Any supported architecture can be used. For example, for arm64:

    ```
    adb shell /data/fuzz/arm64/${FUZZER_NAME}/${FUZZER_NAME} \
    /data/fuzz/arm64/${FUZZER_NAME}/corpus
    ```

    The first part of the command is the path to the fuzzer's binary and the next
    one is the corpus.

## Corpus

The fuzzer uses a corpus as a starting point in order to generate new inputs
representing DEX files. Our current corpus contains a mix of hand-created DEX
files, regression tests, and DEX files from our test suite. Also, when the fuzzer
generates a new input and it proves that it offers more code coverage,
it is added to the existing corpus as a DEX file.

If you want to run with the initial corpus, it needs to be removed and built again.

For host, assuming an x86_64 host architecture:

```
rm -rf out/host/linux-x86/fuzz/x86_64/${FUZZER_NAME}/corpus
SANITIZE_HOST=address make ${FUZZER_NAME}
```

For device, you also need to sync the data. For example, for arm64:

```
adb shell rm -rf /data/fuzz/arm64/${FUZZER_NAME}/corpus
SANITIZE_HOST=address make ${FUZZER_NAME}
adb sync data
```