V8 patches

.dockerignore

@@ -1,49 +1,23 @@
-# Git
 .git
 .gitignore
-
-# Build artifacts
-.build/
-*.xcodeproj
-*.xcworkspace
-
-# Swift Package Manager
-.swiftpm/
-Package.resolved
-
-# Documentation
-Docs/
-*.md
-!README.md
-
-# Tests
-Tests/
-
-# Docker files (except the one we're using)
-Cloud/Docker/
-Cloud/GCE/
-Cloud/Triage/
-
-# V8 source (will be built in container)
-v8/
-
-# Temporary files
-*.tmp
 *.log
-.DS_Store
-Thumbs.db
-
-# IDE files
+*.err
+logs/
+corpus/
+.venv/
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+.Python
+build/
+dist/
+*.egg-info/
 .vscode/
 .idea/
 *.swp
 *.swo
-
-# OS files
+*~
 .DS_Store
-.DS_Store?
-._*
-.Spotlight-V100
-.Trashes
-ehthumbs.db
-Thumbs.db
+.build/
+Package.resolved

Sources/Agentic_System/rises-the-fog.py

@@ -46,15 +46,16 @@ def __init__(self):
         # self.ebg = EBG(self.model, api_key=self.openai_api_key, anthropic_api_key=self.anthropic_api_key)
 
 
-def run():
+def run(force_logging: bool = False):
 
     site.addsitedir(Path(__file__).parent.parent)
     #smolagent-fork
 
-
     parser = argparse.ArgumentParser(description="Rise the FoG agentic system")
     parser.add_argument("--debug", action="store_true", help="Enable debug logging to fog logs")
     args = parser.parse_args()
+    #force logging 
+    args.debug = force_logging
 
     if args.debug:
         log_dir = Path(__file__).parent / 'agents' / 'fog_logs'

Sources/setup.py

@@ -1,45 +1,65 @@
-# import Agentic_System.rises_the_fog as fog
 import subprocess
 import os
+import sys
+from pathlib import Path
+from concurrent.futures import ThreadPoolExecutor
+import importlib.util
+import rises_the_fog as fog
 
-# fog.run()
-
-def revert_to_original():
-    script_dir = os.path.dirname(os.path.abspath(__file__))
-    a = os.path.join(script_dir, "Agentic_System/orginals/ProgramTemplateWeights.swift")
-    b = os.path.join(script_dir, "Fuzzilli/CodeGen/ProgramTemplateWeights.swift")
-    os.rename(a, b)
-    a = os.path.join(script_dir, "Agentic_System/orginals/ProgramTemplates.swift")
-    b = os.path.join(script_dir, "Fuzzilli/CodeGen/ProgramTemplates.swift")
-    os.rename(a, b)
-
-
-def write_sql(reuslt: bool):
-    if reuslt:
-        with open("sql.sql", "r") as f:
-            sql = f.read()
-    else:
-        with open("sql.sql", "r") as f:
-            sql = f.read()
-
-    return sql
-
-result = subprocess.run(["swift", "build"], capture_output=True, text=True)
-if result.returncode == 0:
-    write_sql(True)
-    print("Build templates succeeded")
-else:
-    write_sql(False)
-    revert_to_original()
-    print("Build templates failed")
-    print(result.stdout)
-    print(result.stderr)
-    r2 = subprocess.run(["swift", "build"], capture_output=True, text=True)
-    if r2.returncode == 0:
-        print("Build reverted succeeded")
-    else:
-        print("safety revert failed")
-        print(r2.stdout)
-        print(r2.stderr)
-        exit(1)
+# script_dir = Path(__file__).parent
+# print(script_dir)
+# fog_module_path = script_dir /  "rises-the-fog.py"
+# spec = importlib.util.spec_from_file_location("rises_the_fog", fog_module_path)
+# fog = importlib.util.module_from_spec(spec)
+# spec.loader.exec_module(fog)
+
+#export V8_PATH=/usr/share/vrigatoni/v8_2/v8/out/
+#export D8_PATH=/usr/share/vrigatoni/v8_2/v8/out/fuzzbuild/d8
+#export FUZZILLI_TOOL_BIN=/mnt/vdb/fuzzillai/.build/x86_64-unknown-linux-gnu/debug/FuzzILTool
+#export FUZZILLI_PATH=/mnt/vdb/fuzzilla
+
+with ThreadPoolExecutor(max_workers=16) as executor:
+    futures = [executor.submit(fog.run, force_logging=True) for _ in range(16)]
+    for i, future in enumerate(futures):
+        print(f"started: {i}")
+        future.result()
+
+# def revert_to_original():
+#     script_dir = os.path.dirname(os.path.abspath(__file__))
+#     a = os.path.join(script_dir, "Agentic_System/orginals/ProgramTemplateWeights.swift")
+#     b = os.path.join(script_dir, "Fuzzilli/CodeGen/ProgramTemplateWeights.swift")
+#     os.rename(a, b)
+#     a = os.path.join(script_dir, "Agentic_System/orginals/ProgramTemplates.swift")
+#     b = os.path.join(script_dir, "Fuzzilli/CodeGen/ProgramTemplates.swift")
+#     os.rename(a, b)
+
+
+# def write_sql(reuslt: bool):
+#     if reuslt:
+#         with open("sql.sql", "r") as f:
+#             sql = f.read()
+#     else:
+#         with open("sql.sql", "r") as f:
+#             sql = f.read()
+
+#     return sql
+
+# result = subprocess.run(["swift", "build"], capture_output=True, text=True)
+# if result.returncode == 0:
+#     write_sql(True)
+#     print("Build templates succeeded")
+# else:
+#     write_sql(False)
+#     revert_to_original()
+#     print("Build templates failed")
+#     print(result.stdout)
+#     print(result.stderr)
+#     r2 = subprocess.run(["swift", "build"], capture_output=True, text=True)
+#     if r2.returncode == 0:
+#         print("Build reverted succeeded")
+#     else:
+#         print("safety revert failed")
+#         print(r2.stdout)
+#         print(r2.stderr)
+#         exit(1)
 

docker-compose.master.yml

@@ -21,12 +21,12 @@ services:
       retries: 5
     restart: unless-stopped
     networks:
-      - fuzzing-network
+      - fuzzilli-network
 
 volumes:
   postgres_master_data:
 
 networks:
-  fuzzing-network:
+  fuzzilli-network:
     driver: bridge
 

v8_patch/cov-cc.diff

@@ -0,0 +1,177 @@
+diff --git a/src/fuzzilli/cov.cc b/src/fuzzilli/cov.cc
+index bf8b6925993..c5e049a516f 100644
+--- a/src/fuzzilli/cov.cc
++++ b/src/fuzzilli/cov.cc
+@@ -1,9 +1,16 @@
+ // Copyright 2020 the V8 project authors. All rights reserved.
+-// Use of this source code is governed by a BSD-style license that can be
+-// found in the LICENSE file.
++// Use of this source code is governed by a BSD-style license that can
++// be found in the LICENSE file.
+
+ #include "src/fuzzilli/cov.h"
+
++// Include V8 headers first to avoid macro conflicts
++#include "src/base/platform/memory.h"
++#include "src/objects/feedback-vector.h"
++#include "src/sandbox/hardware-support.h"
++
++// Include system headers after V8 headers
++#include <cstddef>
+ #include <fcntl.h>
+ #include <inttypes.h>
+ #include <stdio.h>
+@@ -14,14 +21,31 @@
+ #include <sys/wait.h>
+ #include <unistd.h>
+
+-#include "src/base/platform/memory.h"
+-#include "src/sandbox/hardware-support.h"
+-
+-#define SHM_SIZE 0x100000
++#define SHM_SIZE 0x202000
+ #define MAX_EDGES ((SHM_SIZE - 4) * 8)
++#define MAX_FEEDBACK_NEXUS 100000
++
++
++struct FeedbackNexusData {
++  uint32_t vector_address;        // Address of FeedbackVector in V8 heap
++  uint32_t ic_state;             // InlineCacheState
++};
++
++struct optimization_turbofan_data {
++    uint32_t flags; // Flags used for optimization passes in PipelineImpl::OptimizeTurbofanGraph
++    //uint32_t address_code;
++    //uint32_t address_shared_info;
++    //uint8_t bailout_reason;
++    //bool is_osr;
++};
+
+ struct shmem_data {
+   uint32_t num_edges;
++  uint32_t feedback_nexus_count; 
++  uint32_t max_feedback_nexus;
++  uint32_t turbofan_flags;
++  uint64_t turbofan_optimization_bits;
++  FeedbackNexusData feedback_nexus_data[MAX_FEEDBACK_NEXUS];
+   unsigned char edges[];
+ };
+
+@@ -83,6 +107,12 @@ extern "C" void __sanitizer_cov_trace_pc_guard_init(uint32_t* start,
+
+   shmem->num_edges = static_cast<uint32_t>(stop - start);
+   builtins_start = 1 + shmem->num_edges;
++  
++  // Initialize feedback nexus fields
++  shmem->feedback_nexus_count = 0;
++  shmem->max_feedback_nexus = MAX_FEEDBACK_NEXUS;
++  memset(shmem->feedback_nexus_data, 0, sizeof(FeedbackNexusData) * MAX_FEEDBACK_NEXUS);
++  
+   fprintf(stderr,
+           "[COV] edge counters initialized. Shared memory: %s with %u edges\n",
+           shm_key, shmem->num_edges);
+@@ -115,12 +145,15 @@ void sanitizer_cov_prepare_for_hardware_sandbox() {
+ #endif
+
+ uint32_t sanitizer_cov_count_discovered_edges() {
++  // Calculate offset to edges array (after feedback nexus data)
++  unsigned char* edges_ptr = (unsigned char*)shmem + offsetof(struct shmem_data, edges);
++  
+   uint32_t on_edges_counter = 0;
+   for (uint32_t i = 1; i < builtins_start; ++i) {
+     const uint32_t byteIndex = i >> 3;  // Divide by 8 using a shift operation
+     const uint32_t bitIndex = i & 7;  // Modulo 8 using a bitwise AND operation
+
+-    if (shmem->edges[byteIndex] & (1 << bitIndex)) {
++    if (edges_ptr[byteIndex] & (1 << bitIndex)) {
+       ++on_edges_counter;
+     }
+   }
+@@ -128,14 +161,26 @@ uint32_t sanitizer_cov_count_discovered_edges() {
+ }
+
+ extern "C" void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
+-  // There's a small race condition here: if this function executes in two
+-  // threads for the same edge at the same time, the first thread might disable
+-  // the edge (by setting the guard to zero) before the second thread fetches
+-  // the guard value (and thus the index). However, our instrumentation ignores
+-  // the first edge (see libcoverage.c) and so the race is unproblematic.
++  /*
++  	// There's a small race condition here: if this function executes in two
++  	// threads for the same edge at the same time, the first thread might disable
++  	// the edge (by setting the guard to zero) before the second thread fetches
++  	// the guard value (and thus the index). However, our instrumentation ignores
++  	// the first edge (see libcoverage.c) and so the race is unproblematic.
++  	uint32_t index = *guard;
++  	shmem->edges[index / 8] |= 1 << (index % 8);
++  	*guard = 0;
++  */
++  if (!guard || *guard == 0) return;  // guard already cleared — possible race
+   uint32_t index = *guard;
+-  shmem->edges[index / 8] |= 1 << (index % 8);
+   *guard = 0;
++
++  // Check again in case another thread zeroed it just now (race hit)
++  if (index == 0) return;
++
++  // Calculate offset to edges array (after feedback nexus data)
++  unsigned char* edges_ptr = (unsigned char*)shmem + offsetof(struct shmem_data, edges);
++  edges_ptr[index / 8] |= 1 << (index % 8);
+ }
+
+ void cov_init_builtins_edges(uint32_t num_edges) {
+@@ -161,12 +206,53 @@ void cov_update_builtins_basic_block_coverage(
+     fprintf(stderr, "[COV] Error: Size of builtins cov map changed.\n");
+     exit(-1);
+   }
++  
++  // Calculate offset to edges array (after feedback nexus data)
++  unsigned char* edges_ptr = (unsigned char*)shmem + offsetof(struct shmem_data, edges);
++  
+   for (uint32_t i = 0; i < cov_map.size(); ++i) {
+     if (cov_map[i]) {
+       const uint32_t byteIndex = (i + builtins_start) >> 3;
+       const uint32_t bitIndex = (i + builtins_start) & 7;
+
+-      shmem->edges[byteIndex] |= (1 << bitIndex);
++      edges_ptr[byteIndex] |= (1 << bitIndex);
+     }
+   }
+ }
++
++
++void cov_serialize_feedback_nexus(v8::internal::FeedbackNexus* nexus, FeedbackNexusData* data) {
++  if (!nexus || !data) return;
++  data->vector_address = static_cast<uint32_t>(reinterpret_cast<uintptr_t>(nexus->vector().ptr()));
++  data->ic_state = static_cast<uint32_t>(nexus->ic_state());
++}
++
++void cov_add_feedback_nexus(v8::internal::FeedbackNexus* nexus) {
++  if (!shmem || !nexus) return;
++  
++  // Check if we have space
++  if (shmem->feedback_nexus_count >= MAX_FEEDBACK_NEXUS) {
++    fprintf(stderr, "[COV] Warning: Feedback nexus buffer full, dropping entry\n");
++    return;
++  }
++  cov_serialize_feedback_nexus(nexus, 
++      &shmem->feedback_nexus_data[shmem->feedback_nexus_count]);
++  shmem->feedback_nexus_count++;
++
++  // printf("[COV] Added feedback nexus: %p\n", nexus);
++  // printf("[COV] Feedback nexus count: %d\n", shmem->feedback_nexus_count);
++  // printf("[COV] Feedback nexus data: %p\n", shmem->feedback_nexus_data);
++  // printf("[COV] Feedback nexus data: %p\n", shmem->feedback_nexus_data[shmem->feedback_nexus_count]);
++  // printf("[COV] Feedback nexus data: %p\n", shmem->feedback_nexus_data[shmem->feedback_nexus_count].vector_address);
++  // printf("[COV] Feedback nexus data: %p\n", shmem->feedback_nexus_data[shmem->feedback_nexus_count].ic_state);
++}
++
++void cov_set_turbofan_optimization_bits(uint64_t bit) {
++  if (!shmem) return;
++  shmem->turbofan_optimization_bits |= bit;
++}
++
++void cov_set_maglev_optimization_bits(uint64_t /*bit*/) {
++  // No-op: maglev bitmap is not exported in shmem layout.
++}
++// }  // namespace v8