agents/skills/fuzzing/SKILL.md
Ensure the output directory is configured:
gn gen out/fuzz --args='enable_fuzztest_fuzz=true is_debug=false is_asan=true \
is_component_build=false use_remoteexec=true'
Add to *_unittest.cc alongside existing tests:
#include "third_party/fuzztest/src/fuzztest/fuzztest.h"
#include "third_party/googletest/src/googletest/include/gtest/gtest.h"
// 1. Define the property function. Use a descriptive name that reflects
// the property being tested (e.g., "ParseFooDoesNotCrash" or "RoundTripIsLossless").
void MyPropertyFunctionDoesNotCrash(int i, const std::string& s) {
// Call code under test. Focus on functions parsing untrusted input, complex
// state machines, or data processing.
bool result = MyComponent::DoSomething(i, s);
// Add test assertions about invariants (e.g. "roundtrip equality", "valid
// output structure"). Sanitizers like ASAN catch crashes.
EXPECT_TRUE(result);
}
// 2. Register with FUZZ_TEST macro
FUZZ_TEST(MyComponentFuzzTest, MyPropertyFunctionDoesNotCrash)
.WithDomains(
fuzztest::InRange(0, 100),
fuzztest::Arbitrary<std::string>()
);
For complex types:
GURL(string)), accept the primitive and construct it inside your test
function.fuzztest::Constructor or fuzztest::Map to
build valid objects.
auto ArbitraryFoo() {
return fuzztest::Constructor<Foo>(fuzztest::InRange(0, 10));
}
You MUST register the test in the fuzztests list (in alphabetical order)
of the executable test target.
Case A: File is in a test() target
test("my_component_unittests") {
sources = [ "my_component_unittest.cc" ]
# Format: SuiteName.TestName
fuzztests = [
"MyComponentFuzzTest.MyPropertyFunctionDoesNotCrash",
]
# No dependency changes are needed here. The build system
# automatically adds FuzzTest dependencies for targets
# with a `fuzztests` list.
}
Case B: File is in a source_set(): Add //third_party/fuzztest:fuzztest
to deps.
source_set("tests") {
sources = [ "my_component_unittest.cc" ]
deps = [
"//third_party/fuzztest:fuzztest",
# ...
]
}
Find the executable test() target that depends on this source_set():
gn refs out/fuzz //path/to:source_set --testonly=true --type=executable --all
Then, ensure it lists the fuzz test in its fuzztests variable (in alphabetical
order).
The task is incomplete until you successfully execute this sequence:
Find the executable test() target that contains your test file:
gn refs out/fuzz //path/to/my_component_unittest.cc --type=executable --all
Build the identified target (e.g. unit_tests or browser_tests):
autoninja --quiet -C out/fuzz <target_name>
Note: If the build fails with an include not allowed by DEPS error, see the
Common Issues & Fixes section below.
./out/fuzz/<target_name> \
--gtest_filter="MyComponentFuzzTest.MyPropertyFunctionDoesNotCrash"
./out/fuzz/<target_name> \
--fuzz="MyComponentFuzzTest.MyPropertyFunctionDoesNotCrash" --fuzz_for=10s
testing/libfuzzer/getting_started.mdthird_party/fuzztest/src/doc/fuzz-test-macro.mdthird_party/fuzztest/src/doc/domains-reference.mdthird_party/fuzztest/src/doc/fixtures.mdSymptom: Build fails with an error like:
ERROR: include not allowed by DEPS: third_party/fuzztest/...
Fix: You must allow the fuzztest include in the nearest DEPS file
(usually in the same directory as your test or a parent directory). Add
+third_party/fuzztest to specific_include_rules for your test files:
specific_include_rules = {
".*_unittest\\.cc": [
"+third_party/fuzztest",
],
}