[v8] Allow argument randomization for V8SandboxProfile

Liedtke · V8-internal LUCI CQ · commit 5966bb0aac67 · 2025-11-05T04:57:20.000-08:00
This makes the V8SandboxProfile more powerful by reusing the argument randomization of the regular V8Profile. It also adds more arguments to the default set: --expose-externalize-string: seems to be unused, doesn't hurt --wasm-test-streaming: Needed for d8 streaming APIs Staged features: --future --harmony --experimental-fuzzing --js-staging --wasm-staging --experimental-wasm-rab-integration Fast API: --wasm-fast-api --expose-fast-api Change-Id: Ied92d69ad21b5ef1de4fab90fb2c07b7023ea078 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8741396 Reviewed-by: Samuel Groß <saelo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
diff --git a/Sources/FuzzilliCli/Profiles/V8CommonProfile.swift b/Sources/FuzzilliCli/Profiles/V8CommonProfile.swift
@@ -651,7 +651,10 @@ public let FastApiCallFuzzer = ProgramTemplate("FastApiCallFuzzer") { b in
     b.build(n: 10)
 }
 
-public func v8ProcessArgs(randomize: Bool) -> [String] {
+// Configure V8 invocation arguments. `forSandbox` is used by the V8SandboxProfile. As the sandbox
+// fuzzer does not crash on regular assertions, most validation flags do not make sense in that
+// configuraiton.
+public func v8ProcessArgs(randomize: Bool, forSandbox: Bool) -> [String] {
     var args = [
         "--expose-gc",
         "--expose-externalize-string",
@@ -699,7 +702,7 @@ public func v8ProcessArgs(randomize: Bool) -> [String] {
     // Note that this flag only affects WebAssembly.
     if probability(0.5) {
         args.append("--no-liftoff")
-        if probability(0.3) {
+        if probability(0.3) && !forSandbox {
             args.append("--wasm-assert-types")
         }
     }
@@ -807,21 +810,27 @@ public func v8ProcessArgs(randomize: Bool) -> [String] {
     //
     // Sometimes enable additional verification/stressing logic (which may be fairly expensive).
     //
-    if probability(0.1) {
-        args.append("--verify-heap")
-    }
-    if probability(0.1) {
-        args.append("--turbo-verify")
-    }
-    if probability(0.1) {
-        args.append("--turbo-verify-allocation")
-    }
-    if probability(0.1) {
-        args.append("--assert-types")
-    }
-    if probability(0.1) {
-        args.append("--turboshaft-assert-types")
+    if !forSandbox {
+        if probability(0.1) {
+            args.append("--verify-heap")
+        }
+        if probability(0.1) {
+            args.append("--turbo-verify")
+        }
+        if probability(0.1) {
+            args.append("--turbo-verify-allocation")
+        }
+        if probability(0.1) {
+            args.append("--assert-types")
+        }
+        if probability(0.1) {
+            args.append("--turboshaft-assert-types")
+        }
+        if probability(0.2) {
+            args.append("--turboshaft-verify-load-elimination")
+        }
     }
+
     if probability(0.1) {
         args.append("--deopt-every-n-times=\(chooseUniform(from: [100, 250, 500, 1000, 2500, 5000, 10000]))")
     }
@@ -831,9 +840,6 @@ public func v8ProcessArgs(randomize: Bool) -> [String] {
     if probability(0.1) {
         args.append("--optimize-on-next-call-optimizes-to-maglev")
     }
-    if probability(0.2) {
-        args.append("--turboshaft-verify-load-elimination")
-    }
 
     //
     // A gc-stress session with some fairly expensive flags.
diff --git a/Sources/FuzzilliCli/Profiles/V8Profile.swift b/Sources/FuzzilliCli/Profiles/V8Profile.swift
@@ -15,7 +15,9 @@
 import Fuzzilli
 
 let v8Profile = Profile(
-    processArgs: v8ProcessArgs,
+    processArgs: {randomize in
+      v8ProcessArgs(randomize: randomize, forSandbox: false)
+    },
 
     // We typically fuzz without any sanitizer instrumentation, but if any sanitizers are active, "abort_on_error=1" must probably be set so that sanitizer errors can be detected.
     processEnv: [:],
diff --git a/Sources/FuzzilliCli/Profiles/V8SandboxProfile.swift b/Sources/FuzzilliCli/Profiles/V8SandboxProfile.swift
@@ -53,18 +53,7 @@ fileprivate struct SandboxFuzzingPostProcessor: FuzzingPostProcessor {
 
 let v8SandboxProfile = Profile(
     processArgs: { randomize in
-        var args = [
-            "--expose-gc",
-            "--omit-quit",
-            "--allow-natives-syntax",
-            "--fuzzing",
-            "--jit-fuzzing",
-            "--sandbox-fuzzing",
-            // This is so that we get an ASan splat directly in the reproducer file.
-            "--disable-in-process-stack-traces"
-        ]
-
-        return args
+        v8ProcessArgs(randomize: randomize, forSandbox: true)
     },
 
     // ASan options.
