v8/test/fuzzilli/README.md

# Communication model of fuzzilli with V8

## Source code

On low level fuzzilli communicates with v8 through Swift C API library in `Sources/libreprl/libreprl.c`

`reprl_spawn_child` fucntions spawns child process. It does that by creating pipes, forking itself, then setting filedescriptors, and then transforming itself using `execve` into v8 process. Afterwords it checks for receiving 4 byte string and it sends the exact same string back.

`fetch_output` fetches the output from the child and returns its size and pointer to data.

`execute script`
writes `exec`, and size of script, into the command write pipe and sends script through data write pipe

## Coverage

Coverage information are being monitored through shared memory. On the side of v8 it is monitored through SanitizerCoverage module of Clang compiler ( https://clang.llvm.org/docs/SanitizerCoverage.html ) Through shared memory information about edges are shared with fuzzilli which implements counter for error and covered branches of the V8 code in Sources/libcoverage/coverage.c
Integrate fuzzilli into v8 Fuzzilli is open source fuzzer by Samuel Groß (saelo@google.com) that can be used to find bugs in v8 javascript engine. As we want to automate fuzzing for current versions of v8, we want to merge fuzzilli toolkit into v8 code, so that fuzzer can automatically update to the newest version. So far Fuzzilli has been maintained at https://github.com/googleprojectzero/fuzzilli . Bug tracker Id: https://bugs.chromium.org/p/v8/issues/detail?id=10571 Change-Id: I83ddc7e8bb31664c19e4044395bb9044a1c12031 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2201760 Reviewed-by: Tamer Tas <tmrts@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#68132} 2020-06-02 10:14:03 +00:00			`# Communication model of fuzzilli with V8`

			`## Source code`

			On low level fuzzilli communicates with v8 through Swift C API library in `Sources/libreprl/libreprl.c`

			`reprl_spawn_child` fucntions spawns child process. It does that by creating pipes, forking itself, then setting filedescriptors, and then transforming itself using `execve` into v8 process. Afterwords it checks for receiving 4 byte string and it sends the exact same string back.

			`fetch_output` fetches the output from the child and returns its size and pointer to data.

			`execute script`
			writes `exec`, and size of script, into the command write pipe and sends script through data write pipe

			`## Coverage`

			`Coverage information are being monitored through shared memory. On the side of v8 it is monitored through SanitizerCoverage module of Clang compiler ( https://clang.llvm.org/docs/SanitizerCoverage.html ) Through shared memory information about edges are shared with fuzzilli which implements counter for error and covered branches of the V8 code in Sources/libcoverage/coverage.c`