[flags] Disable hard-abort when fuzzing

Running the libfuzzer fuzzers locally (with an experimental flag turned on) found crashes, but did not produce crash files because we were generating a software interrupt ("trap") instead of properly aborting. Disabling the "hard-abort" feature fixes that. This will hopefully not flush out previously missed crashes. If so, please do manually bisect across this CL, instead of assigning to me :) Drive-by: Move more initialization logic from {InitializeFuzzerSupport} to the {FuzzerSupport} constructor, where other similar work is performed. R=thibaudm@chromium.org, saelo@chromium.org Bug: v8:13283 Change-Id: Id8d4e92f5ab6bb27676adeae6b3b1eb042b8ba3e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892061 Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#83208}
2022-09-14 17:18:48 +02:00 · 2022-09-14 17:18:48 +02:00 · 5f00755c81
commit 5f00755c81
parent 647fea9c1b
2 changed files with 14 additions and 8 deletions
--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@ -1685,6 +1685,7 @@ DEFINE_BOOL(
    trace_side_effect_free_debug_evaluate, false,
    "print debug messages for side-effect-free debug-evaluate for testing")
 DEFINE_BOOL(hard_abort, true, "abort by crashing")
+DEFINE_NEG_IMPLICATION(fuzzing, hard_abort)

 DEFINE_BOOL(experimental_async_stack_tagging_api, true,
            "enable experimental async stacks tagging API")
--- a/test/fuzzer/fuzzer-support.cc
+++ b/test/fuzzer/fuzzer-support.cc
@ -17,12 +17,25 @@
 namespace v8_fuzzer {

 FuzzerSupport::FuzzerSupport(int* argc, char*** argv) {
+  // Disable hard abort, which generates a trap instead of a proper abortion.
+  // Traps by default do not cause libfuzzer to generate a crash file.
+  i::FLAG_hard_abort = false;
+
  i::FLAG_expose_gc = true;

  // Allow changing flags in fuzzers.
  // TODO(12887): Refactor fuzzers to not change flags after initialization.
  i::FLAG_freeze_flags_after_init = false;

+#if V8_ENABLE_WEBASSEMBLY
+  if (V8_TRAP_HANDLER_SUPPORTED) {
+    constexpr bool kUseDefaultTrapHandler = true;
+    if (!v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
+      FATAL("Could not register trap handler");
+    }
+  }
+#endif  // V8_ENABLE_WEBASSEMBLY
+
  v8::V8::SetFlagsFromCommandLine(argc, *argv, true);
  v8::V8::InitializeICUDefaultLocation((*argv)[0]);
  v8::V8::InitializeExternalStartupData((*argv)[0]);
@ -69,14 +82,6 @@ std::unique_ptr<FuzzerSupport> FuzzerSupport::fuzzer_support_;

 // static
 void FuzzerSupport::InitializeFuzzerSupport(int* argc, char*** argv) {
-#if V8_ENABLE_WEBASSEMBLY
-  if (V8_TRAP_HANDLER_SUPPORTED) {
-    constexpr bool kUseDefaultTrapHandler = true;
-    if (!v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
-      FATAL("Could not register trap handler");
-    }
-  }
-#endif  // V8_ENABLE_WEBASSEMBLY
  DCHECK_NULL(FuzzerSupport::fuzzer_support_);
  FuzzerSupport::fuzzer_support_ =
      std::make_unique<v8_fuzzer::FuzzerSupport>(argc, argv);