v8/test/fuzzilli
Liviu Rau b3477fdd01 [test] Refactor testrunner (4)
- Removed duplication and unnecessary indirection from all suites testcfgs.
 - Introduced a more comprehensive context to cover both command context and other platform specific concerns.
 - Propagated above context to TestLoader to allow for test counting command execution on all platforms.
 - Wrapped original pool with another class to give it a new interface and allow injecting different implementations in the future.
 - Consolidated progress indicators under a single processor in the pipeline.
 - Consolidated result retention requirements calculation outside of pipeline chain.
 - Refactored LoaderProc and got it under tests.
 - Added some more tests for the standard runner.
 - Extracted BuildConfig class.


Bug: v8:12785
Change-Id: I87be040e91f792a983662bb5a10d55b36a14ea7f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3701595
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Liviu Rau <liviurau@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81770}
2022-07-18 09:52:24 +00:00
..
test Integrate fuzzilli into v8 2020-06-03 09:53:24 +00:00
BUILD.gn Integrate fuzzilli into v8 2020-06-03 09:53:24 +00:00
fuzzilli.status Integrate fuzzilli into v8 2020-06-03 09:53:24 +00:00
libreprl.c Updated libreprl from Fuzzilli and improved Fuzzilli test 2020-09-14 14:52:06 +00:00
libreprl.h Updated libreprl from Fuzzilli and improved Fuzzilli test 2020-09-14 14:52:06 +00:00
main.cc Fix unhandled promise rejections in REPRL mode 2020-09-30 13:34:23 +00:00
README.md Fix unhandled promise rejections in REPRL mode 2020-09-30 13:34:23 +00:00
testcfg.py [test] Refactor testrunner (4) 2022-07-18 09:52:24 +00:00

Communication model of fuzzilli with V8

Source code

On a low level, Fuzzilli communicates with v8 through the REPRL protocol, implemented on the fuzzer side by the libreprl C library in Sources/libreprl/. The main way of using the library is through the following three functions:

reprl_create_context() this creates a new, empty REPRL context to be used by the following APIs.

reprl_initialize_context(ctx, argv, envp) this initializes the given context and sets the argv and envp vectors to use for the child processes.

reprl_execute(ctx, code) this executes the given code and returns the exit status. If necessary, a new child process is created for this. This involves creating pipes, forking itself, then setting filedescriptors, and using execve to execute the d8 binary. A child process can be reused for multiple executions, thus increasing fuzzing performance as the overhead of fork and execve are removed.

Coverage

Coverage information are being monitored through shared memory. On the side of v8 it is monitored through SanitizerCoverage module of Clang compiler ( https://clang.llvm.org/docs/SanitizerCoverage.html ) Through shared memory information about edges are shared with fuzzilli which implements counter for error and covered branches of the V8 code in Sources/libcoverage/coverage.c