v8/tools/clusterfuzz/js_fuzzer
Michael Achenbach 0ffc1ba5fc [js-fuzzer] Make db more robust to failing code fragments.
Until now, the cross-over mutator would choke on several expressions
from the DB and bail out (which just wastes some time). We also have a script,
test_db.js, to test how many expressions it is going to bail out on.

With this change, we already omit adding such expressions to the
DB in the first place. As a result, the test_db script now returns
zero failing expressions (while all other expressions remain).

Regression tests that no longer apply are removed; instead, a
test is added that ensures that a failing expression isn't added
to the DB.

No-Try: true
Bug: chromium:1044942
Change-Id: I14a4fe802c99114cf3a8f71188273475a7cb9c13
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3129340
Reviewed-by: Liviu Rau <liviurau@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76598}
2021-08-31 11:28:21 +00:00
generated Open source js-fuzzer 2020-07-31 11:34:39 +00:00
mutators [js-fuzzer] Make db more robust to failing code fragments. 2021-08-31 11:28:21 +00:00
resources [sparkplug] Add always_sparkplug variant 2021-03-19 09:52:50 +00:00
test [js-fuzzer] Make db more robust to failing code fragments. 2021-08-31 11:28:21 +00:00
test_data [js-fuzzer] Make db more robust to failing code fragments. 2021-08-31 11:28:21 +00:00
tools [js-fuzzer] Slightly improve error messages 2020-11-17 17:55:08 +00:00
.eslintrc.js Open source js-fuzzer 2020-07-31 11:34:39 +00:00
.gitignore Open source js-fuzzer 2020-07-31 11:34:39 +00:00
build_db.js [js-fuzzer] Make db more robust to failing code fragments. 2021-08-31 11:28:21 +00:00
corpus.js Open source js-fuzzer 2020-07-31 11:34:39 +00:00
db.js [js-fuzzer] Make db more robust to failing code fragments. 2021-08-31 11:28:21 +00:00
differential_script_mutator.js Open source js-fuzzer 2020-07-31 11:34:39 +00:00
DIR_METADATA Add DIR_METADATA files to v8. 2020-10-20 22:12:28 +00:00
exceptions.js [js-fuzzer] Remove logic to block runtime functions in fuzzer 2021-08-30 07:43:32 +00:00
foozzie_launcher.py Open source js-fuzzer 2020-07-31 11:34:39 +00:00
gen_exceptions.js Open source js-fuzzer 2020-07-31 11:34:39 +00:00
gen_exceptions.sh Open source js-fuzzer 2020-07-31 11:34:39 +00:00
OWNERS Add DIR_METADATA files to v8. 2020-10-20 22:12:28 +00:00
package-lock.json Open source js-fuzzer 2020-07-31 11:34:39 +00:00
package.json Open source js-fuzzer 2020-07-31 11:34:39 +00:00
package.sh Open source js-fuzzer 2020-07-31 11:34:39 +00:00
random.js Open source js-fuzzer 2020-07-31 11:34:39 +00:00
README.md [js-fuzzer][doc] Add a better download URL 2020-11-19 13:06:29 +00:00
run.js [js-fuzzer] Extend supported executables 2020-11-16 13:04:35 +00:00
script_mutator.js Open source js-fuzzer 2020-07-31 11:34:39 +00:00
source_helpers.js [js-fuzzer] Make db more robust to failing code fragments. 2021-08-31 11:28:21 +00:00
test_db.js [js-fuzzer] Make db more robust to failing code fragments. 2021-08-31 11:28:21 +00:00

JS-Fuzzer

JavaScript fuzzer for stand-alone shells like D8, Chakra, JSC or SpiderMonkey.

Original author: Oliver Chang

Building

This fuzzer may require versions of node that are newer than those available on ClusterFuzz, so we use pkg to create a self-contained binary out of it.

Prereqs

You need to install nodejs and npm. Run npm install in this directory.

Fuzzing DB

This fuzzer requires a fuzzing DB. To build one, get the latest web_tests.zip from gs://clusterfuzz-data/web_tests.zip and unzip it (note https://crbug.com/v8/10891 for making this data publicly available). Then run:

$ mkdir db
$ node build_db.js -i /path/to/web_tests -o db chakra v8 spidermonkey WebKit/JSTests

This may take a while. Optionally test the fuzzing DB with:

$ node test_db.js -i db

Building fuzzer

Then, to build the fuzzer,

$ ./node_modules/.bin/pkg -t node10-linux-x64 .

Replace "linux" with either "win" or "macos" for those platforms.

This builds a binary named ochang_js_fuzzer for Linux / macOS, or ochang_js_fuzzer.exe for Windows.

Packaging

Use ./package.sh, ./package.sh win or ./package.sh macos to build and create the output.zip archive, or use these raw commands:

$ mkdir output
$ cd output
$ ln -s ../db db
$ ln -s ../ochang_js_fuzzer run
$ zip -r /path/output.zip *

NOTE: Add .exe to the ochang_js_fuzzer and run filenames above if archiving for the Windows platform.
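The packaging steps above, including the Windows .exe note, as a single script. This is an added example and not the project's own package.sh; it assumes it is run from the js_fuzzer directory, which already holds the db folder and the binary that the pkg step produced.

```shell
#!/bin/sh
# Added example, not part of the js-fuzzer project: stage the archive the
# README describes for one platform, adding the ".exe" suffix for Windows.
# Assumption: the source directory already holds db/ and the pkg-built binary.

# Name of the binary that "pkg -t node10-<platform>-x64 ." produces.
binary_name() {
  case "$1" in
    linux|macos) echo "ochang_js_fuzzer" ;;
    win)         echo "ochang_js_fuzzer.exe" ;;
    *) echo "unsupported platform: $1 (use linux, win or macos)" >&2; return 1 ;;
  esac
}

# Name of the launcher inside the archive: "run", or "run.exe" on Windows.
run_name() {
  case "$1" in
    win) echo "run.exe" ;;
    *)   echo "run" ;;
  esac
}

# Create <src>/output with the two symlinks the archive needs (db and the
# launcher). $1 = platform, $2 = directory holding db/ and the binary.
stage_output() {
  platform="$1"; src="$2"
  bin=$(binary_name "$platform") || return 1
  [ -d "$src/db" ] || { echo "missing fuzzing DB: $src/db" >&2; return 1; }
  [ -f "$src/$bin" ] || { echo "missing binary: $src/$bin" >&2; return 1; }
  mkdir -p "$src/output"
  # Relative link targets, exactly as in the README, so the links stay valid
  # if the whole tree is moved. -n replaces an existing link instead of
  # creating a link inside the directory it points to.
  ln -sfn "../db" "$src/output/db"
  ln -sfn "../$bin" "$src/output/$(run_name "$platform")"
}

# Stage and zip. $1 = platform, $2 = source directory, $3 = archive path.
# zip follows symlinks by default, so db/ and the binary are stored by content.
package_fuzzer() {
  stage_output "$1" "$2" || return 1
  zipfile=$3
  case "$zipfile" in /*) ;; *) zipfile="$(pwd)/$zipfile" ;; esac
  (cd "$2/output" && zip -r "$zipfile" .)
}

# Usage: sh package_example.sh [linux|win|macos] [src_dir] [archive]
# Without arguments the script only defines the functions.
if [ $# -gt 0 ]; then
  package_fuzzer "$1" "${2:-.}" "${3:-output.zip}"
fi
```

The staging step is separated from the zip step so the symlink layout can be checked (or reused by another archiver) before anything is compressed.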

Development

Run the tests with:

$ npm test

When test expectations change, generate them with:

$ GENERATE=1 npm test

Generating exceptional configurations

Tests that fail to parse or show very bad performance can be automatically skipped or soft-skipped with the following script (takes >1h):

$ WEB_TESTS=/path/to/web_tests OUTPUT=/path/to/output/folder ./gen_exceptions.sh

Experimenting (limited to differential fuzzing)

To locally evaluate the fuzzer, set up a work directory as follows:

workdir/
workdir/app_dir
workdir/fuzzer
workdir/input
workdir/output

The app_dir folder can be a symlink, or it should contain the bundled version of d8 with all files required for execution. Copy the packaged ochang_js_fuzzer executable and the db folder to the fuzzer directory, or use a symlink. The input directory is the root folder of the corpus, i.e. it points to the unzipped data of gs://clusterfuzz-data/web_tests.zip. The output directory is expected to be empty; it will contain all output of the fuzzing session. Start the experiments with:

$ # Around 40000 runs corresponds to 24h of fuzzing on a workstation.
$ NUM_RUNS=40000
$ python tools/workbench.py $NUM_RUNS

You can check current stats with:

$ cat workdir/output/stats.json | python -m json.tool

When failures are found, you can forge minimization command lines with:

$ MINIMIZER_PATH=path/to/minimizer
$ python tools/minimize.py $MINIMIZER_PATH

The path should point to a local checkout of the minimizer.
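The work directory setup and the session start described above, collected into one script that builds the layout, validates it (in particular that output is empty before a session starts) and then launches the workbench. This is an added example, not js-fuzzer project code; it assumes it is run from the js_fuzzer checkout where tools/workbench.py lives, and that the d8 bundle, packaged binary, db folder and corpus already exist at the paths the caller passes in.

```shell
#!/bin/sh
# Added example, not part of the js-fuzzer project: create and validate the
# work directory layout from the README before starting tools/workbench.py.
# Assumptions: run from the js_fuzzer checkout; all input paths already exist.

# Absolute path of a directory or file, so symlinks do not dangle when the
# caller passes relative paths.
abspath() {
  if [ -d "$1" ]; then (cd "$1" && pwd)
  else (cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd)" "$(basename "$1")")
  fi
}

# Build workdir/{app_dir,fuzzer,input,output}.
# $1 = workdir, $2 = d8 bundle dir, $3 = packaged binary, $4 = db dir,
# $5 = corpus root (the unzipped web_tests data)
setup_workdir() {
  workdir="$1"
  mkdir -p "$workdir/fuzzer" "$workdir/output"
  ln -sfn "$(abspath "$2")" "$workdir/app_dir"
  ln -sfn "$(abspath "$5")" "$workdir/input"
  ln -sfn "$(abspath "$3")" "$workdir/fuzzer/ochang_js_fuzzer"
  ln -sfn "$(abspath "$4")" "$workdir/fuzzer/db"
}

# Verify the layout. Returns non-zero and lists every problem found.
check_workdir() {
  workdir="$1"; rc=0
  [ -d "$workdir/app_dir" ] || { echo "app_dir: missing"; rc=1; }
  [ -x "$workdir/fuzzer/ochang_js_fuzzer" ] || { echo "fuzzer/ochang_js_fuzzer: missing or not executable"; rc=1; }
  [ -d "$workdir/fuzzer/db" ] || { echo "fuzzer/db: missing"; rc=1; }
  [ -d "$workdir/input" ] || { echo "input: missing"; rc=1; }
  # The session writes everything, including stats.json, here; it must start
  # empty so results of different sessions do not get mixed.
  if [ ! -d "$workdir/output" ]; then
    echo "output: missing"; rc=1
  elif [ -n "$(ls -A "$workdir/output")" ]; then
    echo "output: not empty"; rc=1
  fi
  return $rc
}

# Start a session. NUM_RUNS is a plain shell assignment (no spaces around =).
start_experiment() {
  check_workdir "$1" || return 1
  NUM_RUNS=${2:-40000}   # around 40000 runs corresponds to 24h on a workstation
  python tools/workbench.py "$NUM_RUNS"
}

# Pretty-print the current statistics of a session.
show_stats() {
  python -m json.tool "$1/output/stats.json"
}

# Usage: sh workdir_example.sh setup <workdir> <app_dir> <binary> <db> <corpus>
#        sh workdir_example.sh check|run|stats [workdir] [num_runs]
# Without arguments the script only defines the functions.
case "${1:-}" in
  setup) shift; setup_workdir "$@" ;;
  check) check_workdir "${2:-workdir}" ;;
  run)   start_experiment "${2:-workdir}" "${3:-40000}" ;;
  stats) show_stats "${2:-workdir}" ;;
  "")    ;;
  *)     echo "unknown command: $1" >&2; exit 2 ;;
esac
```

Running check before run turns the README's "output directory is expected to be empty" requirement into an explicit failure instead of a silently polluted result set.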