[flags] Disable hard-abort when fuzzing

Running the libfuzzer fuzzers locally (with an experimental flag turned
on) found crashes, but did not produce crash files because we were
generating a software interrupt ("trap") instead of properly aborting.
Disabling the "hard-abort" feature fixes that.

This will hopefully not flush out previously missed crashes. If so,
please do manually bisect across this CL, instead of assigning to me :)

Drive-by: Move more initialization logic from {InitializeFuzzerSupport}
to the {FuzzerSupport} constructor, where other similar work is
performed.

R=thibaudm@chromium.org, saelo@chromium.org

Bug: v8:13283
Change-Id: Id8d4e92f5ab6bb27676adeae6b3b1eb042b8ba3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892061
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83208}
This commit is contained in:
Clemens Backes 2022-09-14 17:18:48 +02:00 committed by V8 LUCI CQ
parent 647fea9c1b
commit 5f00755c81
2 changed files with 14 additions and 8 deletions

View File

@ -1685,6 +1685,7 @@ DEFINE_BOOL(
trace_side_effect_free_debug_evaluate, false,
"print debug messages for side-effect-free debug-evaluate for testing")
DEFINE_BOOL(hard_abort, true, "abort by crashing")
DEFINE_NEG_IMPLICATION(fuzzing, hard_abort)
DEFINE_BOOL(experimental_async_stack_tagging_api, true,
"enable experimental async stacks tagging API")

View File

@ -17,12 +17,25 @@
namespace v8_fuzzer {
FuzzerSupport::FuzzerSupport(int* argc, char*** argv) {
// Disable hard abort, which generates a trap instead of a proper abortion.
// Traps by default do not cause libfuzzer to generate a crash file.
i::FLAG_hard_abort = false;
i::FLAG_expose_gc = true;
// Allow changing flags in fuzzers.
// TODO(12887): Refactor fuzzers to not change flags after initialization.
i::FLAG_freeze_flags_after_init = false;
#if V8_ENABLE_WEBASSEMBLY
if (V8_TRAP_HANDLER_SUPPORTED) {
constexpr bool kUseDefaultTrapHandler = true;
if (!v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
FATAL("Could not register trap handler");
}
}
#endif // V8_ENABLE_WEBASSEMBLY
v8::V8::SetFlagsFromCommandLine(argc, *argv, true);
v8::V8::InitializeICUDefaultLocation((*argv)[0]);
v8::V8::InitializeExternalStartupData((*argv)[0]);
@ -69,14 +82,6 @@ std::unique_ptr<FuzzerSupport> FuzzerSupport::fuzzer_support_;
// static
void FuzzerSupport::InitializeFuzzerSupport(int* argc, char*** argv) {
#if V8_ENABLE_WEBASSEMBLY
if (V8_TRAP_HANDLER_SUPPORTED) {
constexpr bool kUseDefaultTrapHandler = true;
if (!v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
FATAL("Could not register trap handler");
}
}
#endif // V8_ENABLE_WEBASSEMBLY
DCHECK_NULL(FuzzerSupport::fuzzer_support_);
FuzzerSupport::fuzzer_support_ =
std::make_unique<v8_fuzzer::FuzzerSupport>(argc, argv);