From 5f00755c81b8ac0337190bc311dd7704c72b9068 Mon Sep 17 00:00:00 2001
From: Clemens Backes
Date: Wed, 14 Sep 2022 17:18:48 +0200
Subject: [PATCH] [flags] Disable hard-abort when fuzzing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Running the libfuzzer fuzzers locally (with an experimental flag turned on) found crashes, but did not produce crash files because we were generating a software interrupt ("trap") instead of properly aborting. Disabling the "hard-abort" feature fixes that.
This will hopefully not flush out previously missed crashes. If so, please do manually bisect across this CL, instead of assigning to me :)
Drive-by: Move more initialization logic from {InitializeFuzzerSupport} to the {FuzzerSupport} constructor, where other similar work is performed.
R=thibaudm@chromium.org, saelo@chromium.org
Bug: v8:13283
Change-Id: Id8d4e92f5ab6bb27676adeae6b3b1eb042b8ba3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892061
Reviewed-by: Thibaud Michaud
Reviewed-by: Samuel Groß
Commit-Queue: Clemens Backes
Cr-Commit-Position: refs/heads/main@{#83208}
---
 src/flags/flag-definitions.h | 1 +
 test/fuzzer/fuzzer-support.cc | 21 +++++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/src/flags/flag-definitions.h b/src/flags/flag-definitions.h
index 16f796d43d..c8d72c9964 100644
--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@@ -1685,6 +1685,7 @@ DEFINE_BOOL(
 trace_side_effect_free_debug_evaluate, false,
 "print debug messages for side-effect-free debug-evaluate for testing")
 DEFINE_BOOL(hard_abort, true, "abort by crashing")
+DEFINE_NEG_IMPLICATION(fuzzing, hard_abort)
 DEFINE_BOOL(experimental_async_stack_tagging_api, true,
 "enable experimental async stacks tagging API")
diff --git a/test/fuzzer/fuzzer-support.cc b/test/fuzzer/fuzzer-support.cc
index 7f80d83c93..2116039a38 100644
--- a/test/fuzzer/fuzzer-support.cc
+++ b/test/fuzzer/fuzzer-support.cc
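Review bot: `DEFINE_NEG_IMPLICATION(fuzzing, hard_abort)` is added without a comment, so a reader of flag-definitions.h sees that fuzzing switches off hard_abort but not why; the rationale only appears in the comment added to fuzzer-support.cc in the same patch. A one-line comment above the implication would keep it with the flag, e.g. `// Fuzzers need a real abort() rather than a trap; libfuzzer writes no crash file for a trap.` Note also that the implication only takes effect when --fuzzing is set, whereas the constructor in fuzzer-support.cc clears the flag unconditionally, so it is worth stating which of the two is the intended mechanism.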
@@ -17,12 +17,25 @@ namespace v8_fuzzer {
 FuzzerSupport::FuzzerSupport(int* argc, char*** argv) {
+ // Disable hard abort, which generates a trap instead of a proper abortion.
+ // Traps by default do not cause libfuzzer to generate a crash file.
+ i::FLAG_hard_abort = false;
+
 i::FLAG_expose_gc = true;
 // Allow changing flags in fuzzers.
 // TODO(12887): Refactor fuzzers to not change flags after initialization.
 i::FLAG_freeze_flags_after_init = false;
+#if V8_ENABLE_WEBASSEMBLY
+ if (V8_TRAP_HANDLER_SUPPORTED) {
+ constexpr bool kUseDefaultTrapHandler = true;
+ if (!v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
+ FATAL("Could not register trap handler");
+ }
+ }
+#endif // V8_ENABLE_WEBASSEMBLY
+
 v8::V8::SetFlagsFromCommandLine(argc, *argv, true);
 v8::V8::InitializeICUDefaultLocation((*argv)[0]);
 v8::V8::InitializeExternalStartupData((*argv)[0]);
@@ -69,14 +82,6 @@ std::unique_ptr FuzzerSupport::fuzzer_support_;
 // static
 void FuzzerSupport::InitializeFuzzerSupport(int* argc, char*** argv) {
-#if V8_ENABLE_WEBASSEMBLY
- if (V8_TRAP_HANDLER_SUPPORTED) {
- constexpr bool kUseDefaultTrapHandler = true;
- if (!v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
- FATAL("Could not register trap handler");
- }
- }
-#endif // V8_ENABLE_WEBASSEMBLY
 DCHECK_NULL(FuzzerSupport::fuzzer_support_);
 FuzzerSupport::fuzzer_support_ = std::make_unique(argc, argv);
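Review bot: `i::FLAG_hard_abort = false;` runs before `v8::V8::SetFlagsFromCommandLine(argc, *argv, true);` on the hunk's trailing context lines, so an explicit `--hard-abort` on a fuzzer's command line would presumably re-enable trap-based aborts after this point, and the `DEFINE_NEG_IMPLICATION(fuzzing, hard_abort)` added in flag-definitions.h only covers runs that also pass `--fuzzing` (whether these fuzzers do is not visible here). If the disable is meant to be unconditional, moving the assignment after the SetFlagsFromCommandLine call would make that explicit; otherwise a short comment saying the command line may override it would avoid surprise. The added comment's wording, "a proper abortion", would read more precisely as `// Disable hard abort: it raises a trap instead of calling abort(), and libfuzzer by default only writes a crash file for the latter.` The FuzzerSupport constructor continues past the end of this hunk.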