v8/test/fuzzer
Andreas Haas 2f92e9eb6b [wasm] Cleanup the wasm fuzzer corpus files.
In a recent CL I moved the corpus of the wasm fuzzer and of the
wasm-asmjs fuzzer to a different directory
(wasm_corpus and wasm_asmjs_corpus) so that the corpus is not executed
on the try-bots. With this CL I remove the old corpus from the
.gitignore file.

In addition I removed the hooks for wasm_corpus and
wasm_asmjs_corpus from the V8 DEPS file, because in a V8 checkout
they are not used anyway.

I also added code to the test runner to delete all *.wasm files
from the directories test/fuzzer/wasm and test/fuzzer/wasm_asmjs.
This code should be removed in a week, but it will help my coworkers
to cleanup their V8 checkout.



R=bradnelson@chromium.org
CC=machenbach@chromium.org

Change-Id: I9fdf9d77b71b133f84f7e744763d65fdf127d624
Reviewed-on: https://chromium-review.googlesource.com/505614
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45417}
2017-05-19 09:21:16 +00:00
..
json
parser
regexp
wasm [wasm] Cleanup the wasm fuzzer corpus files. 2017-05-19 09:21:16 +00:00
wasm_asmjs [wasm] Cleanup the wasm fuzzer corpus files. 2017-05-19 09:21:16 +00:00
wasm_call [wasm] Add a new fuzzer which can also test wasm function calls. 2016-10-24 11:15:00 +00:00
wasm_code [wasm] Create a new fuzzer for wasm code. 2016-08-29 13:56:00 +00:00
wasm_compile [wasm] Syntax- and Type-aware Fuzzer 2017-02-17 17:06:29 +00:00
wasm_data_section [wasm] Write fuzzers for single wasm sections. 2016-09-14 11:17:53 +00:00
wasm_function_sigs_section [wasm] Write fuzzers for single wasm sections. 2016-09-14 11:17:53 +00:00
wasm_globals_section [wasm] Write fuzzers for single wasm sections. 2016-09-14 11:17:53 +00:00
wasm_imports_section [wasm] Write fuzzers for single wasm sections. 2016-09-14 11:17:53 +00:00
wasm_memory_section [wasm] Write fuzzers for single wasm sections. 2016-09-14 11:17:53 +00:00
wasm_names_section [wasm] Write fuzzers for single wasm sections. 2016-09-14 11:17:53 +00:00
wasm_types_section [wasm] Write fuzzers for single wasm sections. 2016-09-14 11:17:53 +00:00
DEPS
fuzzer-support.cc [cleanup] Make ArrayList functions const. 2017-04-04 12:06:56 +00:00
fuzzer-support.h [cleanup] Make ArrayList functions const. 2017-04-04 12:06:56 +00:00
fuzzer.cc [wasm] Fix -Wsign-compare warnings. 2016-11-10 12:51:05 +00:00
fuzzer.gyp [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
fuzzer.isolate [wasm] Syntax- and Type-aware Fuzzer 2017-02-17 17:06:29 +00:00
fuzzer.status
json.cc Add GC request to libFuzzers in attempt to avoid parasitic coverage. 2016-04-28 13:32:28 +00:00
parser.cc [fuzzer] Add input validation in the beginning of the parser fuzz target. 2017-05-17 10:36:10 +00:00
README.md [fuzzer] Format README.md 2017-02-13 08:42:26 +00:00
regexp.cc [regexp fuzzer] Let the fuzzer input select the regexp flag. 2016-11-22 12:59:38 +00:00
testcfg.py [wasm] Cleanup the wasm fuzzer corpus files. 2017-05-19 09:21:16 +00:00
wasm_asmjs_corpus.tar.gz.sha1 [wasm] Move the wasm fuzzer corpus to a different directory 2017-04-28 23:29:41 +00:00
wasm_corpus.tar.gz.sha1 [wasm] Move the wasm fuzzer corpus to a different directory 2017-04-28 23:29:41 +00:00
wasm-asmjs.cc [wasm] Change the constant kV8MaxWasmTableSize to a command line flag. 2017-01-24 10:12:22 +00:00
wasm-call.cc [asm.js] Maintain global order of exported functions. 2017-05-12 12:11:06 +00:00
wasm-code.cc [asm.js] Maintain global order of exported functions. 2017-05-12 12:11:06 +00:00
wasm-compile.cc [asm.js] Maintain global order of exported functions. 2017-05-12 12:11:06 +00:00
wasm-data-section.cc [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm-function-sigs-section.cc [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm-fuzzer-common.cc [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm-fuzzer-common.h [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm-globals-section.cc [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm-imports-section.cc [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm-memory-section.cc [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm-names-section.cc [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm-types-section.cc [cleanup][wasm][fuzzer] Share code among the different fuzzers. 2017-05-08 09:58:26 +00:00
wasm.cc [wasm] Change the constant kV8MaxWasmTableSize to a command line flag. 2017-01-24 10:12:22 +00:00

How to make a libFuzzer fuzzer in V8

This document describes how to make a new libFuzzer fuzzer for V8. A general introduction to libFuzzer can be found here. In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequence of byte arrays that you can use to test your code. libFuzzer tries to generate this sequence of byte arrays in a way that maximizes test coverage.

Warning: By itself libFuzzer typically does not generate valid JavaScript code.

Changes to V8

tldr: Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8.

This is a step by step guide on how to make a new fuzzer in V8. In the example the fuzzer is called foo.

  1. Copy one of the existing fuzzer implementations in test/fuzzer/, e.g. cp wasm.cc foo.cc

    • Copying an existing fuzzer is a good idea to get all the required setup, e.g. setting up the isolate
  2. Create a directory called foo in test/fuzzer/ which contains at least one file

    • The file is used by the trybots to check whether the fuzzer actually compiles and runs
  3. Copy the build rules of an existing fuzzer in BUILD.gn, e.g. the build rules for the wasm.cc fuzzer are v8_source_set("wasm_fuzzer") and v8_fuzzer("wasm_fuzzer"). Note that the name has to be the name of the directory created in Step 2 + _fuzzer so that the scripts on the trybots work

  4. Now you can already compile the fuzzer, e.g. with ninja -j 1000 -C out/x64.debug/v8_simple_foo_fuzzer

    • Use this binary to reproduce issues found by cluster fuzz, e.g. out/x64.debug/v8_simple_foo_fuzzer testcase.foo
  5. Copy the build rules of an existing fuzzer in test/fuzzer/fuzzer.gyp, e.g. the build rules for the wasm.cc fuzzer are v8_simple_wasm_fuzzer and wasm_fuzzer_lib

    • This build rule is needed to compile with gyp
  6. Copy the binary name and the test directory name in test/fuzzer/fuzzer.isolate

  7. Add the fuzzer to the FuzzerTestSuite in test/fuzzer/testcfg.py

    • This step is needed to run the fuzzer with the files created in Step 2 on the trybots
  8. Commit the changes described above to the V8 repository

Changes to Chromium

tldr: Do the same as https://codereview.chromium.org/2344823002 to add the new fuzzer to cluster fuzz.

  1. Copy the build rules of an existing fuzzer in testing/libfuzzer/fuzzers/BUILD.gn, e.g. the build rule for the wasm.cc fuzzer is v8_wasm_fuzzer. There is no need to set a dictionary , or a seed_corpus. See chromium-fuzzing-getting-started for more information.

  2. Compile the fuzzer in chromium (for different configurations see: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md):

    • gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=false enable_nacl=false'

    • ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer

  3. Run the fuzzer locally

    • mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus