AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
16d9298a9c
v8/test/fuzzer
History
Andreas Haas 16d9298a9c [api] Add callback to set up conditional features 
Origin trials allow webpages to use experimental features even though
the features are not yet enabled by default. These features will then
get enabled per execution context: it is possible that the feature is
enabled in one execution context but disabled in another execution
context. In V8 we check for origin trials by calling a callback provided
by the embedder that takes the context as a parameter and returns
whether a feature is enabled in this context or not.

This approach fails when a feature changes the context itself, e.g. by
extending the global object. In that case the context is not available
yet to check for the origin trial.

To solve the problem this CL adds a new API function that can be called
by the embedder to notify V8 that context with the origin trial
information is finished. After that V8 can read the origin trial
information from the context and extend e.g. the global object with the
origin trial features.

Additionally to the API this CL also adds code to enable the
WebAssembly.Exception constructor conditionally, depending on whether
it has been enabled by an origin trial or not.

The Blink-side change: https://crrev.com/c/2775573

R=ulan@chromium.org, jkummerow@chromium.org

Change-Id: Ic05c4a89eb3e0e31469e49da8767d630c43b2e00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773287
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73597}
2021-03-23 09:03:34 +00:00
..
inspector [inspector] Handle isolate termination gracefully 2021-01-19 14:22:41 +00:00
json Add json fuzzer 2016-02-02 11:29:01 +00:00
multi_return [turbofan] Add fuzzer to test different signatures for multi-returns 2018-01-12 12:20:27 +00:00
parser Add a library suitable for libfuzzer with a small unit test runner shell 2016-01-26 10:39:03 +00:00
regexp [regexp] add fuzzer support for regexp parser and compiler. 2016-02-01 14:00:38 +00:00
regexp_builtins [regexp] Initial go at a builtins fuzzer 2018-01-18 11:02:57 +00:00
wasm [wasm][fuzzer] Support functions returning i64 2020-09-15 17:23:22 +00:00
wasm_async [wasm][fuzzer] Fix return value of interpreter 2020-08-13 10:08:53 +00:00
wasm_code [wasm] Create a new fuzzer for wasm code. 2016-08-29 13:56:00 +00:00
wasm_compile [wasm] Syntax- and Type-aware Fuzzer 2017-02-17 17:06:29 +00:00
BUILD.gn [no-wasm] Exclude more targets from build 2021-03-09 11:25:54 +00:00
DEPS Add a library suitable for libfuzzer with a small unit test runner shell 2016-01-26 10:39:03 +00:00
fuzzer-support.cc Reland "[no-wasm] Exclude src/wasm from compilation" 2021-03-11 14:29:26 +00:00
fuzzer-support.h [iwyu] Add missing includes of <memory> for std::unique_ptr 2019-09-13 17:13:36 +00:00
fuzzer.cc [test/fuzzer] Fix cpplint complaints 2017-09-04 10:45:21 +00:00
fuzzer.status [no-wasm] Remove wasm tests and fuzzers 2021-02-26 12:53:12 +00:00
inspector-fuzzer.cc [inspector][fuzzer] Remove unnecessary output 2021-03-23 08:28:44 +00:00
json.cc [fuzzer] Fix OOM in v8_json_parser_fuzzer due to unnecessary long input. 2018-07-17 14:25:27 +00:00
multi-return.cc Reland "Reland "[deoptimizer] Change deopt entries into builtins"" 2020-10-21 06:01:38 +00:00
parser.cc [compiler] Fix double error reporting for parser errors 2020-06-10 08:36:41 +00:00
README.md [gyp] move build targets for tests to gypfiles. 2018-01-30 06:31:00 +00:00
regexp-builtins.cc [regexp] Implement the /d flag for RegExp indices 2021-01-26 04:14:10 +00:00
regexp.cc [regexp] Further narrow public API and restrict includes to regexp.h 2019-06-18 12:23:16 +00:00
testcfg.py [inspector][fuzzer] Add inspector fuzzer 2020-11-02 14:29:08 +00:00
wasm_corpus.tar.gz.sha1 [wasm] Update and run script to generate fuzzer corpus 2020-12-01 16:21:51 +00:00
wasm-async.cc [api] Add callback to set up conditional features 2021-03-23 09:03:34 +00:00
wasm-code.cc [wasm] Move interpreter to test directory 2020-06-23 08:48:14 +00:00
wasm-compile.cc [wasm] Rename kWasmStmt -> kWasmVoid 2021-03-22 07:58:18 +00:00
wasm-fuzzer-common.cc [api] Add callback to set up conditional features 2021-03-23 09:03:34 +00:00
wasm-fuzzer-common.h [api] Add callback to set up conditional features 2021-03-23 09:03:34 +00:00
wasm.cc [api] Add callback to set up conditional features 2021-03-23 09:03:34 +00:00

README.md

How to make a libFuzzer fuzzer in V8

This document describes how to make a new libFuzzer fuzzer for V8. A general introduction to libFuzzer can be found here. In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequence of byte arrays that you can use to test your code. libFuzzer tries to generate this sequence of byte arrays in a way that maximizes test coverage.

Warning: By itself libFuzzer typically does not generate valid JavaScript code.

Changes to V8

tldr: Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8.

This is a step by step guide on how to make a new fuzzer in V8. In the example the fuzzer is called foo.

  1. Copy one of the existing fuzzer implementations in test/fuzzer/, e.g. cp wasm.cc foo.cc

    • Copying an existing fuzzer is a good idea to get all the required setup, e.g. setting up the isolate

  2. Create a directory called foo in test/fuzzer/ which contains at least one file

    • The file is used by the trybots to check whether the fuzzer actually compiles and runs

  3. Copy the build rules of an existing fuzzer in BUILD.gn, e.g. the build rules for the wasm.cc fuzzer are v8_source_set("wasm_fuzzer") and v8_fuzzer("wasm_fuzzer"). Note that the name has to be the name of the directory created in Step 2 + _fuzzer so that the scripts on the trybots work

  4. Now you can already compile the fuzzer, e.g. with ninja -j 1000 -C out/x64.debug/v8_simple_foo_fuzzer

    • Use this binary to reproduce issues found by cluster fuzz, e.g. out/x64.debug/v8_simple_foo_fuzzer testcase.foo

  5. Copy the binary name and the test directory name in test/fuzzer/fuzzer.isolate

  6. Add the fuzzer to the FuzzerTestSuite in test/fuzzer/testcfg.py

    • This step is needed to run the fuzzer with the files created in Step 2 on the trybots

  7. Commit the changes described above to the V8 repository

Changes to Chromium

tldr: Do the same as https://codereview.chromium.org/2344823002 to add the new fuzzer to cluster fuzz.

  1. Copy the build rules of an existing fuzzer in testing/libfuzzer/fuzzers/BUILD.gn, e.g. the build rule for the wasm.cc fuzzer is v8_wasm_fuzzer. There is no need to set a dictionary , or a seed_corpus. See chromium-fuzzing-getting-started for more information.

  2. Compile the fuzzer in chromium (for different configurations see: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md):

    • gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=false enable_nacl=false'

    • ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer

  3. Run the fuzzer locally

    • mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus