Chromium Code Reviews

Side by Side Diff: test/fuzzer/README.md

Issue 2692443002: [fuzzer] Format README.md (Closed)
Patch Set: Another small fix Created 3 years, 10 months ago
OLD | NEW
1 # How to make a libFuzzer fuzzer in V8 1 # How to make a libFuzzer fuzzer in V8
2 2
3 This document describes how to make a new libfuzzer fuzzer for V8. A general int roduction to libfuzzer can be found at [here](https://chromium.googlesource.com/ chromium/src/+/master/testing/libfuzzer/README.md). In short, libFuzzer is an in -process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequen ce of byte arrays that you can use to test your code. libFuzzer tries to generat e this sequence of byte arrays in a way that maximizes test coverage. 3 This document describes how to make a new libFuzzer fuzzer for V8. A general
4 introduction to libFuzzer can be found
5 [here](https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer /README.md).
6 In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer.
7 libFuzzer serves you with a sequence of byte arrays that you can use to test
8 your code. libFuzzer tries to generate this sequence of byte arrays in a way
9 that maximizes test coverage.
4 10
5 **Warning**: By itself libFuzzer typically does not generate valid JavaScript co de. 11 **Warning**: By itself libFuzzer typically does not generate valid JavaScript co de.
6 12
7 ## Changes to V8 13 ## Changes to V8
8 14
9 **tldr:** Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8. 15 **tldr:** Do the same as https://codereview.chromium.org/2280623002 to introduce
10 This is a step by step guide on how to make a new fuzzer in V8. In the example t he fuzzer is called `foo`. 16 a new fuzzer to V8.
11 1) Copy one of the existing fuzzer implementations in [test/fuzzer/](https://cs. chromium.org/chromium/src/v8/test/fuzzer/), e.g. `cp wasm.cc foo.cc` 17
12 * Copying an existing fuzzer is a good idea to get all the required setup, e. g. setting up the isolate 18 This is a step by step guide on how to make a new fuzzer in V8. In the example
13 2) Create a directory called `foo` in [test/fuzzer/](https://cs.chromium.org/chr omium/src/v8/test/fuzzer/) which contains at least one file 19 the fuzzer is called `foo`.
14 * The file is used by the trybots to check whether the fuzzer actually compil es and runs 20
15 3) Copy the build rules of an existing fuzzer in [BUILD.gn](https://cs.chromium. org/chromium/src/v8/BUILD.gn), e.g. the build rules for the [wasm.cc](https://cs .chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer are `v8_source_set("wa sm_fuzzer")` and `v8_fuzzer("wasm_fuzzer")`. Note that the name has to be the na me of the 21 1. Copy one of the existing fuzzer implementations in
16 directory created in Step 2 + “_fuzzer” so that the scripts on the trybots work 22 [test/fuzzer/](https://cs.chromium.org/chromium/src/v8/test/fuzzer/), e.g. `c p wasm.cc foo.cc`
17 4) Now you can already compile the fuzzer with `ninja -j 1000 -C out/tmp/v8_simp le_foo_fuzzer` 23
18 * Use this binary to reproduce issues found by cluster fuzz, e.g. `out/tmp/v8 _simple_foo_fuzzer testcase.foo` 24 * Copying an existing fuzzer is a good idea to get all the required setup,
19 5) Copy the build rules of an existing fuzzer in [test/fuzzer/fuzzer.gyp](https: //cs.chromium.org/chromium/src/v8/test/fuzzer/fuzzer.gyp), e.g. the build rules for the [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) f uzzer are `v8_simple_wasm_fuzzer` and `wasm_fuzzer_lib` 25 e.g. setting up the isolate
26
27 2. Create a directory called `foo` in
28 [test/fuzzer/](https://cs.chromium.org/chromium/src/v8/test/fuzzer/) which
29 contains at least one file
30
31 * The file is used by the trybots to check whether the fuzzer actually
32 compiles and runs
33
34 3. Copy the build rules of an existing fuzzer in
35 [BUILD.gn](https://cs.chromium.org/chromium/src/v8/BUILD.gn), e.g. the build
36 rules for the
37 [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer
38 are `v8_source_set("wasm_fuzzer")` and `v8_fuzzer("wasm_fuzzer")`. Note that
39 the name has to be the name of the directory created in Step 2 + `_fuzzer` so
40 that the scripts on the trybots work
41
42 4. Now you can already compile the fuzzer, e.g. with `ninja -j 1000 -C
43 out/x64.debug/v8_simple_foo_fuzzer`
44
45 * Use this binary to reproduce issues found by cluster fuzz, e.g.
46 `out/x64.debug/v8_simple_foo_fuzzer testcase.foo`
47
48 5. Copy the build rules of an existing fuzzer in
49 [test/fuzzer/fuzzer.gyp](https://cs.chromium.org/chromium/src/v8/test/fuzzer/ fuzzer.gyp),
50 e.g. the build rules for the
51 [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer
52 are `v8_simple_wasm_fuzzer` and `wasm_fuzzer_lib`
53
20 * This build rule is needed to compile with gyp 54 * This build rule is needed to compile with gyp
21 6) Copy the binary name and the test directory name in [test/fuzzer/fuzzer.isola te](https://cs.chromium.org/chromium/src/v8/test/fuzzer/fuzzer.isolate) 55
22 7) Add the fuzzer to the FuzzerTestSuite in [test/fuzzer/testcfg.py](https://cs. chromium.org/chromium/src/v8/test/fuzzer/testcfg.py) 56 6. Copy the binary name and the test directory name in
23 * This step is needed to run the fuzzer with the files created in Step 2 on t he trybots 57 [test/fuzzer/fuzzer.isolate](https://cs.chromium.org/chromium/src/v8/test/fuz zer/fuzzer.isolate)
24 8) Commit the changes described above to the V8 repository 58
59 7. Add the fuzzer to the FuzzerTestSuite in
60 [test/fuzzer/testcfg.py](https://cs.chromium.org/chromium/src/v8/test/fuzzer/ testcfg.py)
61
62 * This step is needed to run the fuzzer with the files created in Step 2 on
63 the trybots
64
65 8. Commit the changes described above to the V8 repository
25 66
26 ## Changes to Chromium 67 ## Changes to Chromium
27 **tldr:** Do the same as https://codereview.chromium.org/2344823002 to add the n ew fuzzer to cluster fuzz. 68
28 1) Copy the build rules of an existing fuzzer in [testing/libfuzzer/fuzzers/BUIL D.gn](https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/BUILD.gn), e.g. the build rule for the [wasm.cc](https://cs.chromium.org/chromium/src/v8/te st/fuzzer/wasm.cc) fuzzer is {v8_wasm_fuzzer}. There is no need to set a diction ary , or a seed_corpus. See [chromium-fuzzing-getting-started](https://chromium. googlesource.com/chromium/src/+/master/testing/libfuzzer/getting_started.md) for more information. 69 **tldr:** Do the same as https://codereview.chromium.org/2344823002 to add the
29 2) Compile the fuzzer in chromium (for different configurations see: https://chr omium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md): 70 new fuzzer to cluster fuzz.
71
72 1. Copy the build rules of an existing fuzzer in
73 [testing/libfuzzer/fuzzers/BUILD.gn](https://cs.chromium.org/chromium/src/tes ting/libfuzzer/fuzzers/BUILD.gn),
74 e.g. the build rule for the
75 [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer
76 is `v8_wasm_fuzzer`. There is no need to set a `dictionary` , or a `seed_corp us`.
77 See
78 [chromium-fuzzing-getting-started](https://chromium.googlesource.com/chromium /src/+/master/testing/libfuzzer/getting_started.md)
79 for more information.
80
81 2. Compile the fuzzer in chromium (for different configurations see:
82 https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/rep roducing.md):
83
30 * `gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=fals e enable_nacl=false'` 84 * `gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=fals e enable_nacl=false'`
85
31 * `ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer` 86 * `ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer`
32 3) Run the fuzzer locally 87
88 3. Run the fuzzer locally
89
33 * `mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus` 90 * `mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus`
34 91
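Review bot: the inline code span at new-side lines 42-43 is broken across a line wrap (`ninja -j 1000 -C` on one line, `out/x64.debug/v8_simple_foo_fuzzer` on the next), so the rendered command no longer copy-pastes cleanly; keep the whole command on a single line as new-side line 90 does for the corpus run, even if it exceeds the wrap width. Also new-side line 76 has a stray space before the comma in "`dictionary` , or a `seed_corpus`", and the comma itself is unneeded in a two-item list. Since the CL is titled "Format README.md", the description should mention that new-side lines 43 and 46 also change the example output directory from `out/tmp` to `out/x64.debug`, which is a content change rather than formatting. Minor: "cluster fuzz" at new-side lines 45 and 70 could be spelled "ClusterFuzz" for consistency with the product name.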