Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(204)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: test/fuzzer/README.md

Issue 2688133002: [fuzzer] Create a README for libfuzzer fuzzers. (Closed)
Patch Set: Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 # How to make a libFuzzer fuzzer in V8
2
3 This document describes how to make a new libfuzzer fuzzer for V8. A general int roduction to libfuzzer can be found at [here](https://chromium.googlesource.com/ chromium/src/+/master/testing/libfuzzer/README.md). In short, libFuzzer is an in -process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequen ce of byte arrays that you can use to test your code. libFuzzer tries to generat e this sequence of byte arrays in a way that maximizes test coverage.
Michael Achenbach 2017/02/10 15:46:03 nit: s/found at [here]/found [here]
ahaas 2017/02/13 08:36:13 Done in https://codereview.chromium.org/2692443002
4
5 **Warning**: By itself libFuzzer typically does not generate valid JavaScript co de.
6
7 ## Changes to V8
8
9 **tldr:** Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8.
10 This is a step by step guide on how to make a new fuzzer in V8. In the example t he fuzzer is called `foo`.
11 1) Copy one of the existing fuzzer implementations in [test/fuzzer/](https://cs. chromium.org/chromium/src/v8/test/fuzzer/), e.g. `cp wasm.cc foo.cc`
12 * Copying an existing fuzzer is a good idea to get all the required setup, e. g. setting up the isolate
13 2) Create a directory called `foo` in [test/fuzzer/](https://cs.chromium.org/chr omium/src/v8/test/fuzzer/) which contains at least one file
14 * The file is used by the trybots to check whether the fuzzer actually compil es and runs
15 3) Copy the build rules of an existing fuzzer in [BUILD.gn](https://cs.chromium. org/chromium/src/v8/BUILD.gn), e.g. the build rules for the [wasm.cc](https://cs .chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer are `v8_source_set("wa sm_fuzzer")` and `v8_fuzzer("wasm_fuzzer")`. Note that the name has to be the na me of the
16 directory created in Step 2 + “_fuzzer” so that the scripts on the trybots work
17 4) Now you can already compile the fuzzer with `ninja -j 1000 -C out/tmp/v8_simp le_foo_fuzzer`
Michael Achenbach 2017/02/10 15:46:03 nit: Maybe also add a gn call to populate out/tmp
ahaas 2017/02/13 08:36:13 Done in https://codereview.chromium.org/2692443002
18 * Use this binary to reproduce issues found by cluster fuzz, e.g. `out/tmp/v8 _simple_foo_fuzzer testcase.foo`
19 5) Copy the build rules of an existing fuzzer in [test/fuzzer/fuzzer.gyp](https: //cs.chromium.org/chromium/src/v8/test/fuzzer/fuzzer.gyp), e.g. the build rules for the [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) f uzzer are `v8_simple_wasm_fuzzer` and `wasm_fuzzer_lib`
20 * This build rule is needed to compile with gyp
Michael Achenbach 2017/02/10 15:46:03 Regarding gyp deprecation: How about we abandon fu
ahaas 2017/02/13 08:36:13 I would support this idea, but are you sure that t
Michael Achenbach 2017/02/13 08:39:15 No one could ever be sure. But we could try? But r
21 6) Copy the binary name and the test directory name in [test/fuzzer/fuzzer.isola te](https://cs.chromium.org/chromium/src/v8/test/fuzzer/fuzzer.isolate)
22 7) Add the fuzzer to the FuzzerTestSuite in [test/fuzzer/testcfg.py](https://cs. chromium.org/chromium/src/v8/test/fuzzer/testcfg.py)
23 * This step is needed to run the fuzzer with the files created in Step 2 on t he trybots
24 8) Commit the changes described above to the V8 repository
25
26 ## Changes to Chromium
27 **tldr:** Do the same as https://codereview.chromium.org/2344823002 to add the n ew fuzzer to cluster fuzz.
28 1) Copy the build rules of an existing fuzzer in [testing/libfuzzer/fuzzers/BUIL D.gn](https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/BUILD.gn), e.g. the build rule for the [wasm.cc](https://cs.chromium.org/chromium/src/v8/te st/fuzzer/wasm.cc) fuzzer is {v8_wasm_fuzzer}. There is no need to set a diction ary , or a seed_corpus. See [chromium-fuzzing-getting-started](https://chromium. googlesource.com/chromium/src/+/master/testing/libfuzzer/getting_started.md) for more information.
29 2) Compile the fuzzer in chromium (for different configurations see: https://chr omium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md):
30 * `gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=fals e enable_nacl=false'`
31 * `ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer`
32 3) Run the fuzzer locally
33 * `mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus`
34
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698