[libFuzzer][Windows] Add docs on reproducing crashes

Add docs on reproducing libFuzzer crashes on Windows. Make it clearer that reproduce tool is not for Windows. Fix a command to work on cmd.exe Bug: 901836 Change-Id: Iabc5f8a2973053659addbb27d326ccb07c7910e2 Reviewed-on: https://chromium-review.googlesource.com/c/1318629 Commit-Queue: Jonathan Metzman <metzman@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#605526}

[libFuzzer][Windows] Add docs on reproducing crashes
Add docs on reproducing libFuzzer crashes on Windows. Make it clearer that reproduce tool is not for Windows. Fix a command to work on cmd.exe Bug: 901836 Change-Id: Iabc5f8a2973053659addbb27d326ccb07c7910e2 Reviewed-on: https://chromium-review.googlesource.com/c/1318629 Commit-Queue: Jonathan Metzman <metzman@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Cr-Commit-Position: refs/heads/master@{#605526}
df04d745 · Jonathan Metzman · Commit Bot · 0573cab6 · df04d745 · df04d745
Commit df04d745 authored Nov 06, 2018 by Jonathan Metzman Committed by Commit Bot Nov 06, 2018
4 changed files
--- a/testing/libfuzzer/README.md
+++ b/testing/libfuzzer/README.md
@@ -36,8 +36,10 @@ code that requires multiple mutated inputs, or to generate inputs defined by a
 grammar.
 * [ClusterFuzz Integration] describes integration between ClusterFuzz and
 libFuzzer.
-* [Reproducing] contains information on how to reproduce bugs reported by
-  ClusterFuzz.
+* [Reproducing on Windows] describes how to reproduce bugs found by libFuzzer
+  and reported by ClusterFuzz.
+* [Reproducing on Linux and Mac] describes how to reproduce bugs reported by
+  ClusterFuzz on Linux and Mac.
 * [Reference] contains detailed references for different integration parts.

 ## Trophies
@@ -61,6 +63,7 @@ libFuzzer.
 [Guide to libprotobuf-mutator]: libprotobuf-mutator.md
 [ClusterFuzz Integration]: clusterfuzz.md
 [Reproducing]: https://github.com/google/clusterfuzz-tools
+[Reproducing on Windows]: reproducing_on_windows.md
 [Reference]: reference.md
 [ClusterFuzz Bugs]: https://bugs.chromium.org/p/chromium/issues/list?can=1&q=label:Stability-LibFuzzer%20label:ClusterFuzz&sort=-modified&colspec=ID%20Pri%20M%20Stars%20ReleaseBlock%20Component%20Status%20Owner%20Summary%20OS%20Modified
 [Pdfium Bugs]: https://bugs.chromium.org/p/pdfium/issues/list?can=1&q=libfuzzer&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles

--- a/testing/libfuzzer/getting_started.md
+++ b/testing/libfuzzer/getting_started.md
@@ -115,8 +115,8 @@ Alternatively, you can set `external_symbolizer_path` option via
 `ASAN_OPTIONS` env variable:

 ```bash
-$ ASAN_OPTIONS=external_symbolizer_path=/my/local/llvm/build/llvm-symbolizer \
-    ./fuzzer ./crash-input
+ASAN_OPTIONS=external_symbolizer_path=/my/local/llvm/build/llvm-symbolizer \
+  ./fuzzer ./crash-input
 ```

 The same approach works with other sanitizers (e.g. `MSAN_OPTIONS`,

--- a/testing/libfuzzer/reference.md
+++ b/testing/libfuzzer/reference.md
@@ -36,7 +36,7 @@ running:
 |Linux MSan \[[*](#MSan)\] | `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux MSan' out/Directory` |
 |Linux UBSan \[[*](#UBSan)\]| `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Linux UBSan' out/Directory` |
 |Mac ASan | `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Mac ASan' out/Directory` |
-|Windows ASan | `tools/mb/mb.py gen -m chromium.fyi -b 'Libfuzzer Upload Windows ASan' out/Directory` |
+|Windows ASan | `tools/mb/mb.py gen -m chromium.fyi -b "Libfuzzer Upload Windows ASan" out/Directory` |


 ### Linux

--- a/testing/libfuzzer/reproducing_on_windows.md
+++ b/testing/libfuzzer/reproducing_on_windows.md
+# Reproducing Crashes on Windows
+
+Since the [ClusterFuzz Reproduce Tool] does not work on Windows, you will need
+to reproduce crashes found by ClusterFuzz manually. Luckily, this process is
+usually very simple. Below are the steps (assuming use of cmd.exe):
+
+1. Download the test case from ClusterFuzz (if you are CCed on an issue filed by
+   ClusterFuzz, a link to it is next to "Reproducer testcase" in the
+   bug description). For the rest of this walkthrough, we call the path of this
+   file: `$TESTCASE_PATH`.
+
+2. Generate gn build configuration for fuzzers:
+
+```
+python tools\mb\mb.py gen -m chromium.fyi -b "Libfuzzer Upload Windows ASan" out\libfuzzer
+```
+
+3. Build the fuzzer:
+
+```
+autoninja -C .\out\libfuzzer\ $FUZZER_NAME
+```
+
+4. Set the `ASAN_OPTIONS` environment variable to be the same as ClusterFuzz.
+Note that this may not be necessary.
+Here is an example value of `ASAN_OPTIONS` that is similar to its value on
+ClusterFuzz:
+
+```
+> set ASAN_OPTIONS=redzone=256:print_summary=1:handle_sigill=1:strict_string_check=1:allocator_release_to_os_interval_ms=500:print_suppressions=0:strict_memcmp=1:allow_user_segv_handler=0:use_sigaltstack=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:detect_leaks=0:print_scariness=1:allocator_may_return_null=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=0:quarantine_size_mb=256:detect_odr_violation=0:symbolize=1:handle_segv=1:fast_unwind_on_fatal=1
+```
+
+5. Run the fuzzer:
+
+```
+.\out\libfuzzer\$FUZZER_NAME -runs=100 $TESTCASE_PATH
+```
+
+Send an email to fuzzing@chromium.org if you run into any issues.
+
+[ClusterFuzz Reproduce Tool]: https://github.com/google/clusterfuzz-tools