Commit 5f00755c authored by Clemens Backes, committed by V8 LUCI CQ

[flags] Disable hard-abort when fuzzing

Running the libfuzzer fuzzers locally (with an experimental flag turned
on) found crashes, but did not produce crash files because we were
generating a software interrupt ("trap") instead of properly aborting.
Disabling the "hard-abort" feature fixes that.

This will hopefully not flush out previously missed crashes. If so,
please do manually bisect across this CL, instead of assigning to me :)

Drive-by: Move more initialization logic from {InitializeFuzzerSupport}
to the {FuzzerSupport} constructor, where other similar work is
performed.

R=thibaudm@chromium.org, saelo@chromium.org

Bug: v8:13283
Change-Id: Id8d4e92f5ab6bb27676adeae6b3b1eb042b8ba3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3892061
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Samuel Groß <saelo@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83208}
parent 647fea9c
...@@ -1685,6 +1685,7 @@ DEFINE_BOOL( ...@@ -1685,6 +1685,7 @@ DEFINE_BOOL(
trace_side_effect_free_debug_evaluate, false, trace_side_effect_free_debug_evaluate, false,
"print debug messages for side-effect-free debug-evaluate for testing") "print debug messages for side-effect-free debug-evaluate for testing")
DEFINE_BOOL(hard_abort, true, "abort by crashing") DEFINE_BOOL(hard_abort, true, "abort by crashing")
DEFINE_NEG_IMPLICATION(fuzzing, hard_abort)
DEFINE_BOOL(experimental_async_stack_tagging_api, true, DEFINE_BOOL(experimental_async_stack_tagging_api, true,
"enable experimental async stacks tagging API") "enable experimental async stacks tagging API")
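Review bot: The new DEFINE_NEG_IMPLICATION(fuzzing, hard_abort) line has no comment, so the reason for it (hard-abort raises a trap instead of calling abort(), and libfuzzer only writes a crash file for a real abort) lives only in the commit message and in fuzzer-support.cc. I would add `// Hard-abort raises a trap instead of calling abort(); fuzzers need a real abort() to get crash files.` directly above it so a reader of this header does not have to find the other file. The implication also silently overrides an explicit --hard-abort passed together with --fuzzing, which is presumably intended but worth stating in that comment.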
...@@ -17,12 +17,25 @@ ...@@ -17,12 +17,25 @@
namespace v8_fuzzer { namespace v8_fuzzer {
FuzzerSupport::FuzzerSupport(int* argc, char*** argv) { FuzzerSupport::FuzzerSupport(int* argc, char*** argv) {
// Disable hard abort, which generates a trap instead of a proper abortion.
// Traps by default do not cause libfuzzer to generate a crash file.
i::FLAG_hard_abort = false;
i::FLAG_expose_gc = true; i::FLAG_expose_gc = true;
// Allow changing flags in fuzzers. // Allow changing flags in fuzzers.
// TODO(12887): Refactor fuzzers to not change flags after initialization. // TODO(12887): Refactor fuzzers to not change flags after initialization.
i::FLAG_freeze_flags_after_init = false; i::FLAG_freeze_flags_after_init = false;
#if V8_ENABLE_WEBASSEMBLY
if (V8_TRAP_HANDLER_SUPPORTED) {
constexpr bool kUseDefaultTrapHandler = true;
if (!v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
FATAL("Could not register trap handler");
}
}
#endif // V8_ENABLE_WEBASSEMBLY
v8::V8::SetFlagsFromCommandLine(argc, *argv, true); v8::V8::SetFlagsFromCommandLine(argc, *argv, true);
v8::V8::InitializeICUDefaultLocation((*argv)[0]); v8::V8::InitializeICUDefaultLocation((*argv)[0]);
v8::V8::InitializeExternalStartupData((*argv)[0]); v8::V8::InitializeExternalStartupData((*argv)[0]);
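Review bot: The new comment at the top of the constructor reads awkwardly ("a proper abortion") and does not explain why the explicit `i::FLAG_hard_abort = false;` is needed in addition to the DEFINE_NEG_IMPLICATION(fuzzing, hard_abort) added in the flag definitions; presumably these fuzzers are not always run with --fuzzing, but that is not stated. I would rewrite it as `// Disable hard abort: it raises a trap instead of calling abort(), and libfuzzer only writes a crash file for a real abort(). Set explicitly here because the --fuzzing implication only applies when that flag is passed.`. Note that the assignment precedes SetFlagsFromCommandLine, so a --hard-abort given on the fuzzer command line still wins; if that is intended, the comment should say so. The constructor body continues past the end of this hunk.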
...@@ -69,14 +82,6 @@ std::unique_ptr<FuzzerSupport> FuzzerSupport::fuzzer_support_; ...@@ -69,14 +82,6 @@ std::unique_ptr<FuzzerSupport> FuzzerSupport::fuzzer_support_;
// static // static
void FuzzerSupport::InitializeFuzzerSupport(int* argc, char*** argv) { void FuzzerSupport::InitializeFuzzerSupport(int* argc, char*** argv) {
#if V8_ENABLE_WEBASSEMBLY
if (V8_TRAP_HANDLER_SUPPORTED) {
constexpr bool kUseDefaultTrapHandler = true;
if (!v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
FATAL("Could not register trap handler");
}
}
#endif // V8_ENABLE_WEBASSEMBLY
DCHECK_NULL(FuzzerSupport::fuzzer_support_); DCHECK_NULL(FuzzerSupport::fuzzer_support_);
FuzzerSupport::fuzzer_support_ = FuzzerSupport::fuzzer_support_ =
std::make_unique<v8_fuzzer::FuzzerSupport>(argc, argv); std::make_unique<v8_fuzzer::FuzzerSupport>(argc, argv);