v8/test/fuzzilli
Samuel Groß d46723aefd Updated libreprl from Fuzzilli and improved Fuzzilli test
The test now verifies that JavaScript programs can be executed
over the REPRL interface, that runtime exceptions can be detected,
and that the engine's state is properly reset between executions.

Change-Id: Ic8032c07e222307cbb4d332e7eaec61936a10ccd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2396082
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Commit-Queue: Samuel Groß <saelo@google.com>
Cr-Commit-Position: refs/heads/master@{#69883}
2020-09-14 14:52:06 +00:00
..
test
BUILD.gn
fuzzilli.status
libreprl.c
libreprl.h
main.cc
README.md
testcfg.py

Communication model of fuzzilli with V8

Source code

On low level fuzzilli communicates with v8 through Swift C API library in Sources/libreprl/libreprl.c

reprl_spawn_child fucntions spawns child process. It does that by creating pipes, forking itself, then setting filedescriptors, and then transforming itself using execve into v8 process. Afterwords it checks for receiving 4 byte string and it sends the exact same string back.

fetch_output fetches the output from the child and returns its size and pointer to data.

execute script writes exec, and size of script, into the command write pipe and sends script through data write pipe

Coverage

Coverage information are being monitored through shared memory. On the side of v8 it is monitored through SanitizerCoverage module of Clang compiler ( https://clang.llvm.org/docs/SanitizerCoverage.html ) Through shared memory information about edges are shared with fuzzilli which implements counter for error and covered branches of the V8 code in Sources/libcoverage/coverage.c