jiangcuo/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-05-16 10:39:59 +00:00
Code Issues Actions 12 Packages Projects Releases Wiki Activity
a21af4bfb5
node/deps/v8/tools/clusterfuzz/js_fuzzer/README.md
Michaël Zasso c5ff019a4e
deps: update V8 to 8.9.255.19 
PR-URL: https://github.com/nodejs/node/pull/37330
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2021-02-25 00:14:47 +01:00

123 lines
3.2 KiB
Markdown
Raw Blame History

# JS-Fuzzer
Javascript fuzzer for stand-alone shells like D8, Chakra, JSC or Spidermonkey.
Original author: Oliver Chang
# Building
This fuzzer may require versions of node that are newer than available on
ClusterFuzz, so we use [pkg](https://github.com/zeit/pkg) to create a self
contained binary) out of this.
## Prereqs
You need to intall nodejs and npm. Run `npm install` in this directory.
## Fuzzing DB
This fuzzer requires a fuzzing DB. To build one, get the latest `web_tests.zip`
from [gs://clusterfuzz-data/web_tests.zip](
https://storage.cloud.google.com/clusterfuzz-data/web_tests.zip) and unzip it
(note https://crbug.com/v8/10891 for making this data publicly available).
Then run:
```bash
$ mkdir db
$ node build_db.js -i /path/to/web_tests -o db chakra v8 spidermonkey WebKit/JSTests
```
This may take a while. Optionally test the fuzzing DB with:
```bash
$ node test_db.js -i db
```
## Building fuzzer
Then, to build the fuzzer,
```bash
$ ./node_modules/.bin/pkg -t node10-linux-x64 .
```
Replace "linux" with either "win" or "macos" for those platforms.
This builds a binary named `ochang_js_fuzzer` for Linux / macOS OR
`ochang_js_fuzzer.exe` for Windows.
## Packaging
Use `./package.sh`, `./package.sh win` or `./package.sh macos` to build and
create the `output.zip` archive or use these raw commands:
```bash
$ mkdir output
$ cd output
$ ln -s ../db db
$ ln -s ../ochang_js_fuzzer run
$ zip -r /path/output.zip *
```
**NOTE**: Add `.exe` to `ochang_js_fuzzer` and `run` filename above if archiving
for Windows platform.
# Development
Run the tests with:
```bash
$ npm test
```
When test expectations change, generate them with:
```bash
$ GENERATE=1 npm test
```
# Generating exceptional configurations
Tests that fail to parse or show very bad performance can be automatically
skipped or soft-skipped with the following script (takes >1h):
```bash
$ WEB_TESTS=/path/to/web_tests OUTPUT=/path/to/output/folder ./gen_exceptions.sh
```
# Experimenting (limited to differential fuzzing)
To locally evaluate the fuzzer, setup a work directory as follows:
```bash
$ workdir/
$ workdir/app_dir
$ workdir/fuzzer
$ workdir/input
$ workdir/output
```
The `app_dir` folder can be a symlink or should contain the bundled
version of `d8` with all files required for execution.
Copy the packaged `ochang_js_fuzzer` executable and the `db` folder
to the `fuzzer` directory or use a symlink.
The `input` directory is the root folder of the corpus, i.e. pointing
to the unzipped data of `gs://clusterfuzz-data/web_tests.zip`.
The `output` directory is expected to be empty. It'll contain all
output of the fuzzing session. Start the experiments with:
```bash
$ # Around ~40000 corresponds to 24h of fuzzing on a workstation.
$ NUM_RUNS = 40000
$ python tools/workbench.py $NUM_RUNS
```
You can check current stats with:
```bash
$ cat workdir/output/stats.json | python -m json.tool
```
When failures are found, you can forge minimization command lines with:
```bash
$ MINIMIZER_PATH = path/to/minimizer
$ python tools/minimize.py $MINIMIZER_PATH
```
The path should point to a local checkout of the [minimizer](https://chrome-internal.googlesource.com/chrome/tools/clusterfuzz/+/refs/heads/master/src/python/bot/minimizer/).
Reference in New Issue View Git Blame Copy Permalink