b1d09bf6c5
Bug: v8:7335 Change-Id: I6610bba00ff558de5826934c326fc2873c91a1a3 Reviewed-on: https://chromium-review.googlesource.com/890742 Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#50944}
84 lines
3.4 KiB
Markdown
84 lines
3.4 KiB
Markdown
# How to make a libFuzzer fuzzer in V8
|
|
|
|
This document describes how to make a new libFuzzer fuzzer for V8. A general
|
|
introduction to libFuzzer can be found
|
|
[here](https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md).
|
|
In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer.
|
|
libFuzzer serves you with a sequence of byte arrays that you can use to test
|
|
your code. libFuzzer tries to generate this sequence of byte arrays in a way
|
|
that maximizes test coverage.
|
|
|
|
**Warning**: By itself libFuzzer typically does not generate valid JavaScript code.
|
|
|
|
## Changes to V8
|
|
|
|
**tldr:** Do the same as https://codereview.chromium.org/2280623002 to introduce
|
|
a new fuzzer to V8.
|
|
|
|
This is a step by step guide on how to make a new fuzzer in V8. In the example
|
|
the fuzzer is called `foo`.
|
|
|
|
1. Copy one of the existing fuzzer implementations in
|
|
[test/fuzzer/](https://cs.chromium.org/chromium/src/v8/test/fuzzer/), e.g. `cp wasm.cc foo.cc`
|
|
|
|
* Copying an existing fuzzer is a good idea to get all the required setup,
|
|
e.g. setting up the isolate
|
|
|
|
2. Create a directory called `foo` in
|
|
[test/fuzzer/](https://cs.chromium.org/chromium/src/v8/test/fuzzer/) which
|
|
contains at least one file
|
|
|
|
* The file is used by the trybots to check whether the fuzzer actually
|
|
compiles and runs
|
|
|
|
3. Copy the build rules of an existing fuzzer in
|
|
[BUILD.gn](https://cs.chromium.org/chromium/src/v8/BUILD.gn), e.g. the build
|
|
rules for the
|
|
[wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer
|
|
are `v8_source_set("wasm_fuzzer")` and `v8_fuzzer("wasm_fuzzer")`. Note that
|
|
the name has to be the name of the directory created in Step 2 + `_fuzzer` so
|
|
that the scripts on the trybots work
|
|
|
|
4. Now you can already compile the fuzzer, e.g. with `ninja -j 1000 -C
|
|
out/x64.debug/v8_simple_foo_fuzzer`
|
|
|
|
* Use this binary to reproduce issues found by cluster fuzz, e.g.
|
|
`out/x64.debug/v8_simple_foo_fuzzer testcase.foo`
|
|
|
|
5. Copy the binary name and the test directory name in
|
|
[test/fuzzer/fuzzer.isolate](https://cs.chromium.org/chromium/src/v8/test/fuzzer/fuzzer.isolate)
|
|
|
|
6. Add the fuzzer to the FuzzerTestSuite in
|
|
[test/fuzzer/testcfg.py](https://cs.chromium.org/chromium/src/v8/test/fuzzer/testcfg.py)
|
|
|
|
* This step is needed to run the fuzzer with the files created in Step 2 on
|
|
the trybots
|
|
|
|
8. Commit the changes described above to the V8 repository
|
|
|
|
## Changes to Chromium
|
|
|
|
**tldr:** Do the same as https://codereview.chromium.org/2344823002 to add the
|
|
new fuzzer to cluster fuzz.
|
|
|
|
1. Copy the build rules of an existing fuzzer in
|
|
[testing/libfuzzer/fuzzers/BUILD.gn](https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/BUILD.gn),
|
|
e.g. the build rule for the
|
|
[wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer
|
|
is `v8_wasm_fuzzer`. There is no need to set a `dictionary` , or a `seed_corpus`.
|
|
See
|
|
[chromium-fuzzing-getting-started](https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/getting_started.md)
|
|
for more information.
|
|
|
|
2. Compile the fuzzer in chromium (for different configurations see:
|
|
https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md):
|
|
|
|
* `gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=false enable_nacl=false'`
|
|
|
|
* `ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer`
|
|
|
|
3. Run the fuzzer locally
|
|
|
|
* `mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus`
|
|
|