This document describes how to make a new libFuzzer fuzzer for V8. A general introduction to libFuzzer can be found here. In short, libFuzzer is an in-process coverage-driven evolutionary fuzzer. libFuzzer serves you with a sequence of byte arrays that you can use to test your code. libFuzzer tries to generate this sequence of byte arrays in a way that maximizes test coverage.
Warning: By itself libFuzzer typically does not generate valid JavaScript code.
tldr: Do the same as https://codereview.chromium.org/2280623002 to introduce a new fuzzer to V8.
This is a step by step guide on how to make a new fuzzer in V8. In the example the fuzzer is called foo
.
Copy one of the existing fuzzer implementations in test/fuzzer/, e.g. cp wasm.cc foo.cc
Create a directory called foo
in test/fuzzer/ which contains at least one file
Copy the build rules of an existing fuzzer in BUILD.gn, e.g. the build rules for the wasm.cc fuzzer are v8_source_set("wasm_fuzzer")
and v8_fuzzer("wasm_fuzzer")
. Note that the name has to be the name of the directory created in Step 2 + _fuzzer
so that the scripts on the trybots work
Now you can already compile the fuzzer, e.g. with ninja -j 1000 -C out/x64.debug/v8_simple_foo_fuzzer
out/x64.debug/v8_simple_foo_fuzzer testcase.foo
Copy the build rules of an existing fuzzer in test/fuzzer/fuzzer.gyp, e.g. the build rules for the wasm.cc fuzzer are v8_simple_wasm_fuzzer
and wasm_fuzzer_lib
Copy the binary name and the test directory name in test/fuzzer/fuzzer.isolate
Add the fuzzer to the FuzzerTestSuite in test/fuzzer/testcfg.py
Commit the changes described above to the V8 repository
tldr: Do the same as https://codereview.chromium.org/2344823002 to add the new fuzzer to cluster fuzz.
Copy the build rules of an existing fuzzer in testing/libfuzzer/fuzzers/BUILD.gn, e.g. the build rule for the wasm.cc fuzzer is v8_wasm_fuzzer
. There is no need to set a dictionary
, or a seed_corpus
. See chromium-fuzzing-getting-started for more information.
Compile the fuzzer in chromium (for different configurations see: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md):
gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_debug=false enable_nacl=false'
ninja -j 1000 -C out/libfuzzer/ v8_foo_fuzzer
Run the fuzzer locally
mkdir /tmp/empty_corpus && out/libfuzzer/v8_foo_fuzzer /tmp/empty_corpus