AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
ec06bb6ce5
v8/test/fuzzer
History
Dan Elphick ec06bb6ce5 Reland "[include] Split out v8.h" 
This is a reland of d1b27019d3

Fixes include:
Adding missing file to bazel build
Forward-declaring classing before friend-classing them to fix win/gcc
Add missing v8-isolate.h include for vtune builds

Original change's description:
> [include] Split out v8.h
>
> This moves every single class/function out of include/v8.h into a
> separate header in include/, which v8.h then includes so that
> externally nothing appears to have changed.
>
> Every include of v8.h from inside v8 has been changed to a more
> fine-grained include.
>
> Previously inline functions defined at the bottom of v8.h would call
> private non-inline functions in the V8 class. Since that class is now
> in v8-initialization.h and is rarely included (as that would create
> dependency cycles), this is not possible and so those methods have been
> moved out of the V8 class into the namespace v8::api_internal.
>
> None of the previous files in include/ now #include v8.h, which means
> if embedders were relying on this transitive dependency then it will
> give compile failures.
>
> v8-inspector.h does depend on v8-scripts.h for the time being to ensure
> that Chrome continue to compile but that change will be reverted once
> those transitive #includes in chrome are changed to include it directly.
>
> Full design:
> https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
>
> Bug: v8:11965
> Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76424}

Cq-Include-Trybots: luci.v8.try:v8_linux_vtunejit
Bug: v8:11965
Change-Id: I99f5d3a73bf8fe25b650adfaf9567dc4e44a09e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113629
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76460}
2021-08-24 13:08:55 +00:00
..
inspector [inspector] Handle isolate termination gracefully 2021-01-19 14:22:41 +00:00
json Add json fuzzer 2016-02-02 11:29:01 +00:00
multi_return [turbofan] Add fuzzer to test different signatures for multi-returns 2018-01-12 12:20:27 +00:00
parser Add a library suitable for libfuzzer with a small unit test runner shell 2016-01-26 10:39:03 +00:00
regexp [regexp] add fuzzer support for regexp parser and compiler. 2016-02-01 14:00:38 +00:00
regexp_builtins [regexp] Initial go at a builtins fuzzer 2018-01-18 11:02:57 +00:00
wasm [wasm] Install the exception constructor in InstallConditionalFeatures 2021-03-25 16:28:53 +00:00
wasm_async [wasm][fuzzer] Fix return value of interpreter 2020-08-13 10:08:53 +00:00
wasm_code [wasm] Create a new fuzzer for wasm code. 2016-08-29 13:56:00 +00:00
wasm_compile [wasm] Syntax- and Type-aware Fuzzer 2017-02-17 17:06:29 +00:00
BUILD.gn [no-wasm] Exclude more targets from build 2021-03-09 11:25:54 +00:00
DEPS Add a library suitable for libfuzzer with a small unit test runner shell 2016-01-26 10:39:03 +00:00
fuzzer-support.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
fuzzer-support.h Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
fuzzer.cc [test/fuzzer] Fix cpplint complaints 2017-09-04 10:45:21 +00:00
fuzzer.status [test] Filter tests for third party heap 2021-04-27 10:17:33 +00:00
inspector-fuzzer.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
json.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
multi-return.cc [isolate][cleanup] Remove pointer to WasmEngine 2021-06-21 09:09:25 +00:00
parser.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
README.md [gyp] move build targets for tests to gypfiles. 2018-01-30 06:31:00 +00:00
regexp-builtins.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
regexp.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
testcfg.py [inspector][fuzzer] Add inspector fuzzer 2020-11-02 14:29:08 +00:00
wasm_corpus.tar.gz.sha1 [wasm] Update and run script to generate fuzzer corpus 2020-12-01 16:21:51 +00:00
wasm-async.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
wasm-code.cc [fuzzer] Add struct type and array type to fuzzed module 2021-07-19 10:59:15 +00:00
wasm-compile.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
wasm-fuzzer-common.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00
wasm-fuzzer-common.h [fuzzer] Add struct type and array type to fuzzed module 2021-07-19 10:59:15 +00:00
wasm.cc Reland "[include] Split out v8.h" 2021-08-24 13:08:55 +00:00

README.md

How to make a libFuzzer fuzzer in V8

This document describes how to make a new libFuzzer fuzzer for V8. A general introduction to libFuzzer can be found here. In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequence of byte arrays that you can use to test your code. libFuzzer tries to generate this sequence of byte arrays in a way that maximizes test coverage.

Warning: By itself libFuzzer typically does not generate valid JavaScript code.

Changes to V8

tldr: Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8.

This is a step by step guide on how to make a new fuzzer in V8. In the example the fuzzer is called foo.

  1. Copy one of the existing fuzzer implementations in test/fuzzer/, e.g. cp wasm.cc foo.cc

    • Copying an existing fuzzer is a good idea to get all the required setup, e.g. setting up the isolate

  2. Create a directory called foo in test/fuzzer/ which contains at least one file

    • The file is used by the trybots to check whether the fuzzer actually compiles and runs

  3. Copy the build rules of an existing fuzzer in BUILD.gn, e.g. the build rules for the wasm.cc fuzzer are v8_source_set("wasm_fuzzer") and v8_fuzzer("wasm_fuzzer"). Note that the name has to be the name of the directory created in Step 2 + _fuzzer so that the scripts on the trybots work

  4. Now you can already compile the fuzzer, e.g. with ninja -j 1000 -C out/x64.debug/v8_simple_foo_fuzzer

    • Use this binary to reproduce issues found by cluster fuzz, e.g. out/x64.debug/v8_simple_foo_fuzzer testcase.foo

  5. Copy the binary name and the test directory name in test/fuzzer/fuzzer.isolate

  6. Add the fuzzer to the FuzzerTestSuite in test/fuzzer/testcfg.py

    • This step is needed to run the fuzzer with the files created in Step 2 on the trybots

  7. Commit the changes described above to the V8 repository

Changes to Chromium

tldr: Do the same as https://codereview.chromium.org/2344823002 to add the new fuzzer to cluster fuzz.

  1. Copy the build rules of an existing fuzzer in testing/libfuzzer/fuzzers/BUILD.gn, e.g. the build rule for the wasm.cc fuzzer is v8_wasm_fuzzer. There is no need to set a dictionary , or a seed_corpus. See chromium-fuzzing-getting-started for more information.

  2. Compile the fuzzer in chromium (for different configurations see: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md):

    • gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=false enable_nacl=false'

    • ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer

  3. Run the fuzzer locally

    • mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus