Chromium Code Reviews

Side by Side Diff: test/fuzzer/README.md

Issue 2693863002: Revert of [fuzzer] Format README.md (Closed)
Patch Set: Created 3 years, 10 months ago
OLDNEW
1 # How to make a libFuzzer fuzzer in V8 1 # How to make a libFuzzer fuzzer in V8
2 2
3 This document describes how to make a new libFuzzer fuzzer for V8. A general 3 This document describes how to make a new libfuzzer fuzzer for V8. A general int roduction to libfuzzer can be found at [here](https://chromium.googlesource.com/ chromium/src/+/master/testing/libfuzzer/README.md). In short, libFuzzer is an in -process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequen ce of byte arrays that you can use to test your code. libFuzzer tries to generat e this sequence of byte arrays in a way that maximizes test coverage.
4 introduction to libFuzzer can be found
5 [here](https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer /README.md).
6 In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer.
7 libFuzzer serves you with a sequence of byte arrays that you can use to test
8 your code. libFuzzer tries to generate this sequence of byte arrays in a way
9 that maximizes test coverage.
10 4
11 **Warning**: By itself libFuzzer typically does not generate valid JavaScript co de. 5 **Warning**: By itself libFuzzer typically does not generate valid JavaScript co de.
12 6
13 ## Changes to V8 7 ## Changes to V8
14 8
15 **tldr:** Do the same as https://codereview.chromium.org/2280623002 to introduce 9 **tldr:** Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8.
16 a new fuzzer to V8. 10 This is a step by step guide on how to make a new fuzzer in V8. In the example t he fuzzer is called `foo`.
17 11 1) Copy one of the existing fuzzer implementations in [test/fuzzer/](https://cs. chromium.org/chromium/src/v8/test/fuzzer/), e.g. `cp wasm.cc foo.cc`
18 This is a step by step guide on how to make a new fuzzer in V8. In the example 12 * Copying an existing fuzzer is a good idea to get all the required setup, e. g. setting up the isolate
19 the fuzzer is called `foo`. 13 2) Create a directory called `foo` in [test/fuzzer/](https://cs.chromium.org/chr omium/src/v8/test/fuzzer/) which contains at least one file
20 14 * The file is used by the trybots to check whether the fuzzer actually compil es and runs
21 1. Copy one of the existing fuzzer implementations in 15 3) Copy the build rules of an existing fuzzer in [BUILD.gn](https://cs.chromium. org/chromium/src/v8/BUILD.gn), e.g. the build rules for the [wasm.cc](https://cs .chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer are `v8_source_set("wa sm_fuzzer")` and `v8_fuzzer("wasm_fuzzer")`. Note that the name has to be the na me of the
22 [test/fuzzer/](https://cs.chromium.org/chromium/src/v8/test/fuzzer/), e.g. `c p wasm.cc foo.cc` 16 directory created in Step 2 + “_fuzzer” so that the scripts on the trybots work
23 17 4) Now you can already compile the fuzzer with `ninja -j 1000 -C out/tmp/v8_simp le_foo_fuzzer`
24 * Copying an existing fuzzer is a good idea to get all the required setup, 18 * Use this binary to reproduce issues found by cluster fuzz, e.g. `out/tmp/v8 _simple_foo_fuzzer testcase.foo`
25 e.g. setting up the isolate 19 5) Copy the build rules of an existing fuzzer in [test/fuzzer/fuzzer.gyp](https: //cs.chromium.org/chromium/src/v8/test/fuzzer/fuzzer.gyp), e.g. the build rules for the [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) f uzzer are `v8_simple_wasm_fuzzer` and `wasm_fuzzer_lib`
26
27 2. Create a directory called `foo` in
28 [test/fuzzer/](https://cs.chromium.org/chromium/src/v8/test/fuzzer/) which
29 contains at least one file
30
31 * The file is used by the trybots to check whether the fuzzer actually
32 compiles and runs
33
34 3. Copy the build rules of an existing fuzzer in
35 [BUILD.gn](https://cs.chromium.org/chromium/src/v8/BUILD.gn), e.g. the build
36 rules for the
37 [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer
38 are `v8_source_set("wasm_fuzzer")` and `v8_fuzzer("wasm_fuzzer")`. Note that
39 the name has to be the name of the directory created in Step 2 + `_fuzzer` so
40 that the scripts on the trybots work
41
42 4. Now you can already compile the fuzzer with `ninja -j 1000 -C out/x64.debug/v 8_simple_foo_fuzzer`
43
44 * Use this binary to reproduce issues found by cluster fuzz, e.g.
45 `out/tmp/v8_simple_foo_fuzzer testcase.foo`
46
47 5. Copy the build rules of an existing fuzzer in
48 [test/fuzzer/fuzzer.gyp](https://cs.chromium.org/chromium/src/v8/test/fuzzer/ fuzzer.gyp),
49 e.g. the build rules for the
50 [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer
51 are `v8_simple_wasm_fuzzer` and `wasm_fuzzer_lib`
52
53 * This build rule is needed to compile with gyp 20 * This build rule is needed to compile with gyp
54 21 6) Copy the binary name and the test directory name in [test/fuzzer/fuzzer.isola te](https://cs.chromium.org/chromium/src/v8/test/fuzzer/fuzzer.isolate)
55 6. Copy the binary name and the test directory name in 22 7) Add the fuzzer to the FuzzerTestSuite in [test/fuzzer/testcfg.py](https://cs. chromium.org/chromium/src/v8/test/fuzzer/testcfg.py)
56 [test/fuzzer/fuzzer.isolate](https://cs.chromium.org/chromium/src/v8/test/fuz zer/fuzzer.isolate) 23 * This step is needed to run the fuzzer with the files created in Step 2 on t he trybots
57 24 8) Commit the changes described above to the V8 repository
58 7. Add the fuzzer to the FuzzerTestSuite in
59 [test/fuzzer/testcfg.py](https://cs.chromium.org/chromium/src/v8/test/fuzzer/ testcfg.py)
60
61 * This step is needed to run the fuzzer with the files created in Step 2 on
62 the trybots
63
64 8. Commit the changes described above to the V8 repository
65 25
66 ## Changes to Chromium 26 ## Changes to Chromium
67 27 **tldr:** Do the same as https://codereview.chromium.org/2344823002 to add the n ew fuzzer to cluster fuzz.
68 **tldr:** Do the same as https://codereview.chromium.org/2344823002 to add the 28 1) Copy the build rules of an existing fuzzer in [testing/libfuzzer/fuzzers/BUIL D.gn](https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/BUILD.gn), e.g. the build rule for the [wasm.cc](https://cs.chromium.org/chromium/src/v8/te st/fuzzer/wasm.cc) fuzzer is {v8_wasm_fuzzer}. There is no need to set a diction ary , or a seed_corpus. See [chromium-fuzzing-getting-started](https://chromium. googlesource.com/chromium/src/+/master/testing/libfuzzer/getting_started.md) for more information.
69 new fuzzer to cluster fuzz. 29 2) Compile the fuzzer in chromium (for different configurations see: https://chr omium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md):
70
71 1. Copy the build rules of an existing fuzzer in
72 [testing/libfuzzer/fuzzers/BUILD.gn](https://cs.chromium.org/chromium/src/tes ting/libfuzzer/fuzzers/BUILD.gn),
73 e.g. the build rule for the
74 [wasm.cc](https://cs.chromium.org/chromium/src/v8/test/fuzzer/wasm.cc) fuzzer
75 is `v8_wasm_fuzzer`. There is no need to set a `dictionary` , or a `seed_corp us`.
76 See
77 [chromium-fuzzing-getting-started](https://chromium.googlesource.com/chromium /src/+/master/testing/libfuzzer/getting_started.md)
78 for more information.
79
80 2. Compile the fuzzer in chromium (for different configurations see:
81 https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/rep roducing.md):
82
83 * `gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=fals e enable_nacl=false'` 30 * `gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=fals e enable_nacl=false'`
84
85 * `ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer` 31 * `ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer`
86 32 3) Run the fuzzer locally
87 3. Run the fuzzer locally
88
89 * `mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus` 33 * `mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus`
90 34
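Review bot: Since this is a straight revert, the right-hand (new) side knowingly restores two formatting regressions that the reverted change had fixed, and they are worth carrying forward if the formatting change is re-landed: the intro sentence on new line 3 says "libfuzzer" while every other mention on the page is "libFuzzer", and new line 28 in the Chromium section writes the build rule as `{v8_wasm_fuzzer}` in curly braces rather than backticks and leaves `dictionary` and `seed_corpus` unformatted with a stray space before the comma ("dictionary , or a seed_corpus"). Separately, the reverted change was not purely a reformat: on old line 42 the compile command became `ninja -j 1000 -C out/x64.debug/v8_simple_foo_fuzzer` while the reproduce command on old line 45 still used `out/tmp/v8_simple_foo_fuzzer`, so the two Step 4 paths disagreed; the revert makes both `out/tmp/` again, and any re-land should keep the compile and reproduce directories consistent with each other.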