v8/test/fuzzer
Clemens Backes 5f00755c81 [flags] Disable hard-abort when fuzzing
Running the libfuzzer fuzzers locally (with an experimental flag turned
on) found crashes, but did not produce crash files because we were
generating a software interrupt ("trap") instead of properly aborting.
Disabling the "hard-abort" feature fixes that.

This will hopefully not flush out previously missed crashes. If so,
please do manually bisect across this CL, instead of assigning to me :)

Drive-by: Move more initialization logic from {InitializeFuzzerSupport}
to the {FuzzerSupport} constructor, where other similar work is
performed.

R=thibaudm@chromium.org, saelo@chromium.org

Bug: v8:13283
Change-Id: Id8d4e92f5ab6bb27676adeae6b3b1eb042b8ba3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892061
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83208}
2022-09-15 09:48:48 +00:00
..
inspector [inspector-test] Gracefully handle termination. 2022-03-21 12:36:59 +00:00
json
multi_return
parser
regexp
regexp_builtins
wasm [wasm] Install the exception constructor in InstallConditionalFeatures 2021-03-25 16:28:53 +00:00
wasm_async [wasm][fuzzer] Fix return value of interpreter 2020-08-13 10:08:53 +00:00
wasm_code
wasm_compile
wasm_streaming [wasm] Limit module size in streaming decoder 2022-07-08 09:43:41 +00:00
BUILD.gn [no-wasm] Exclude more targets from build 2021-03-09 11:25:54 +00:00
DEPS
fuzzer-support.cc [flags] Disable hard-abort when fuzzing 2022-09-15 09:48:48 +00:00
fuzzer-support.h Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
fuzzer.cc
fuzzer.status [debug] Cleanup properly when microtask execution is terminated. 2022-02-18 08:49:05 +00:00
inspector-fuzzer.cc [test] Remove some unused includes (2) 2022-07-19 08:55:55 +00:00
json.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
multi-return.cc [test] Remove some unused includes (2) 2022-07-19 08:55:55 +00:00
parser.cc [test] Remove some unused includes (2) 2022-07-19 08:55:55 +00:00
README.md
regexp-builtins.cc [regexp] Add v-Flag for Unicode Sets 2022-09-06 17:51:56 +00:00
regexp.cc [test] Remove some unused includes (2) 2022-07-19 08:55:55 +00:00
testcfg.py [test] Refactor testrunner (4) 2022-07-18 09:52:24 +00:00
wasm_corpus.tar.gz.sha1 [wasm] Update fuzzer corpus 2022-01-12 16:47:30 +00:00
wasm-async.cc [wasm] Use v8_flags for accessing flag values 2022-08-29 12:43:46 +00:00
wasm-code.cc [test] Remove some unused includes (2) 2022-07-19 08:55:55 +00:00
wasm-compile.cc [wasm-gc][fuzzer] Fix call_ref with immediate 2022-09-02 08:07:32 +00:00
wasm-fuzzer-common.cc [wasm] Use v8_flags for accessing flag values 2022-08-29 12:43:46 +00:00
wasm-fuzzer-common.h [test] Remove some unused includes (2) 2022-07-19 08:55:55 +00:00
wasm-streaming.cc [wasm] Use v8_flags for accessing flag values 2022-08-29 12:43:46 +00:00
wasm.cc [wasm] Use v8_flags for accessing flag values 2022-08-29 12:43:46 +00:00

How to make a libFuzzer fuzzer in V8

This document describes how to make a new libFuzzer fuzzer for V8. A general introduction to libFuzzer can be found here. In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequence of byte arrays that you can use to test your code. libFuzzer tries to generate this sequence of byte arrays in a way that maximizes test coverage.

Warning: By itself libFuzzer typically does not generate valid JavaScript code.

Changes to V8

tldr: Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8.

This is a step by step guide on how to make a new fuzzer in V8. In the example the fuzzer is called foo.

  1. Copy one of the existing fuzzer implementations in test/fuzzer/, e.g. cp wasm.cc foo.cc

    • Copying an existing fuzzer is a good idea to get all the required setup, e.g. setting up the isolate
  2. Create a directory called foo in test/fuzzer/ which contains at least one file

    • The file is used by the trybots to check whether the fuzzer actually compiles and runs
  3. Copy the build rules of an existing fuzzer in BUILD.gn, e.g. the build rules for the wasm.cc fuzzer are v8_source_set("wasm_fuzzer") and v8_fuzzer("wasm_fuzzer"). Note that the name has to be the name of the directory created in Step 2 + _fuzzer so that the scripts on the trybots work

  4. Now you can already compile the fuzzer, e.g. with ninja -j 1000 -C out/x64.debug/v8_simple_foo_fuzzer

    • Use this binary to reproduce issues found by cluster fuzz, e.g. out/x64.debug/v8_simple_foo_fuzzer testcase.foo
  5. Copy the binary name and the test directory name in test/fuzzer/fuzzer.isolate

  6. Add the fuzzer to the FuzzerTestSuite in test/fuzzer/testcfg.py

    • This step is needed to run the fuzzer with the files created in Step 2 on the trybots
  7. Commit the changes described above to the V8 repository

Changes to Chromium

tldr: Do the same as https://codereview.chromium.org/2344823002 to add the new fuzzer to cluster fuzz.

  1. Copy the build rules of an existing fuzzer in testing/libfuzzer/fuzzers/BUILD.gn, e.g. the build rule for the wasm.cc fuzzer is v8_wasm_fuzzer. There is no need to set a dictionary , or a seed_corpus. See chromium-fuzzing-getting-started for more information.

  2. Compile the fuzzer in chromium (for different configurations see: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md):

    • gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=false enable_nacl=false'

    • ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer

  3. Run the fuzzer locally

    • mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus