AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
5da083ab0f
v8/test/fuzzer
History
Clemens Backes 852f43cd70 [wasm] Make opcode properties constexpr 
This allows the compiler to eliminate more unneeded branches. Since all
functions just do a lookup in a static table (either directly, or via
compiling a switch to such a lookup), they are also good candidates for
inlining, which is made possible by this change.

One DCHECK is removed instead of pulling in the inl header, which would
require more refactoring since the check is in a non-inl header.

R=thibaudm@chromium.org
TBR=jkummerow@chromium.org

Bug: v8:10576
Change-Id: If0fd25fd62c5f30b896fc67a5458a5ae475a6351
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2259944
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68508}
2020-06-24 11:58:22 +00:00
..
json
multi_return [turbofan] Add fuzzer to test different signatures for multi-returns 2018-01-12 12:20:27 +00:00
parser
regexp
regexp_builtins [regexp] Initial go at a builtins fuzzer 2018-01-18 11:02:57 +00:00
wasm
wasm_async
wasm_code
wasm_compile
BUILD.gn [fuzzer] Remove the wasm section fuzzers 2019-01-11 15:18:47 +00:00
DEPS
fuzzer-support.cc Replace base::make_unique by std::make_unique 2019-09-10 11:21:51 +00:00
fuzzer-support.h [iwyu] Add missing includes of <memory> for std::unique_ptr 2019-09-13 17:13:36 +00:00
fuzzer.cc
fuzzer.status [snapshot] Clear reconstructable data prior to d8 stress_snapshot run 2020-05-06 07:11:22 +00:00
json.cc [fuzzer] Fix OOM in v8_json_parser_fuzzer due to unnecessary long input. 2018-07-17 14:25:27 +00:00
multi-return.cc [wasm] Turn ValueType from an enum to a class 2020-03-12 17:03:16 +00:00
parser.cc [compiler] Fix double error reporting for parser errors 2020-06-10 08:36:41 +00:00
README.md [gyp] move build targets for tests to gypfiles. 2018-01-30 06:31:00 +00:00
regexp-builtins.cc [api] Create v8::String::NewFromLiteral that returns Local<String> 2020-03-09 12:02:07 +00:00
regexp.cc [regexp] Further narrow public API and restrict includes to regexp.h 2019-06-18 12:23:16 +00:00
testcfg.py Reland "Reland "[test] refactor testsuite configuration"" 2019-02-06 09:02:09 +00:00
wasm_corpus.tar.gz.sha1
wasm-async.cc [weakrefs] Call Isolate::ClearKeptObjects() as part of microtask checkpoint 2020-02-19 02:25:34 +00:00
wasm-code.cc [wasm] Move interpreter to test directory 2020-06-23 08:48:14 +00:00
wasm-compile.cc [wasm] Make opcode properties constexpr 2020-06-24 11:58:22 +00:00
wasm-fuzzer-common.cc [wasm-gc] Change ValueType representation to account for new types 2020-06-18 12:04:08 +00:00
wasm-fuzzer-common.h [wasm] Move interpreter to test directory 2020-06-23 08:48:14 +00:00
wasm.cc [wasm] Bring memory limits up to spec 2020-02-24 11:00:16 +00:00

README.md

How to make a libFuzzer fuzzer in V8

This document describes how to make a new libFuzzer fuzzer for V8. A general introduction to libFuzzer can be found here. In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequence of byte arrays that you can use to test your code. libFuzzer tries to generate this sequence of byte arrays in a way that maximizes test coverage.

Warning: By itself libFuzzer typically does not generate valid JavaScript code.

Changes to V8

tldr: Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8.

This is a step by step guide on how to make a new fuzzer in V8. In the example the fuzzer is called foo.

  1. Copy one of the existing fuzzer implementations in test/fuzzer/, e.g. cp wasm.cc foo.cc

    • Copying an existing fuzzer is a good idea to get all the required setup, e.g. setting up the isolate

  2. Create a directory called foo in test/fuzzer/ which contains at least one file

    • The file is used by the trybots to check whether the fuzzer actually compiles and runs

  3. Copy the build rules of an existing fuzzer in BUILD.gn, e.g. the build rules for the wasm.cc fuzzer are v8_source_set("wasm_fuzzer") and v8_fuzzer("wasm_fuzzer"). Note that the name has to be the name of the directory created in Step 2 + _fuzzer so that the scripts on the trybots work

  4. Now you can already compile the fuzzer, e.g. with ninja -j 1000 -C out/x64.debug/v8_simple_foo_fuzzer

    • Use this binary to reproduce issues found by cluster fuzz, e.g. out/x64.debug/v8_simple_foo_fuzzer testcase.foo

  5. Copy the binary name and the test directory name in test/fuzzer/fuzzer.isolate

  6. Add the fuzzer to the FuzzerTestSuite in test/fuzzer/testcfg.py

    • This step is needed to run the fuzzer with the files created in Step 2 on the trybots

  7. Commit the changes described above to the V8 repository

Changes to Chromium

tldr: Do the same as https://codereview.chromium.org/2344823002 to add the new fuzzer to cluster fuzz.

  1. Copy the build rules of an existing fuzzer in testing/libfuzzer/fuzzers/BUILD.gn, e.g. the build rule for the wasm.cc fuzzer is v8_wasm_fuzzer. There is no need to set a dictionary , or a seed_corpus. See chromium-fuzzing-getting-started for more information.

  2. Compile the fuzzer in chromium (for different configurations see: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md):

    • gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=false enable_nacl=false'

    • ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer

  3. Run the fuzzer locally

    • mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus