New Contributor

[Jovon Itwaru]

👋🏾 there! i'm a security engineer and i'd like to learn more about v8 and start contributing to the project. what do you need help with? i have the following (1) time to learn + contribute to code/docs/reviews and (2) several years of security engineering experience.

i'd love to help out and i looked at a few issues at https://github.com/v8/v8.dev/issues. does anything jump out to you that needs help?

--

Jovon Itwaru

[Ali Raein]

Hi Jovon. Hope all is well. I was about to write the same email as yours. Thought I check the responses here first. Has anyone reached out to you? I'm new here. Any help would be much appreciated. Thanks,

- Ali Raein

[Jakob Kummerow]

Hi, both of you, and welcome to V8! If you can help, that is certainly appreciated.

That said, V8 has a notoriously steep learning curve, even for those who work on it full-time, and even more so for anyone who wants to contribute part-time or as a hobby. Probably related to that, the vast majority of folks who send "hi, I'm new here, can anyone tell me where to start?" mails to this list are never heard from again; which in turn disincentivizes those with more experience from spending their precious time on trying to help newcomers -- especially considering that work time is an extremely limited resource. You'll probably have to prove your commitment before you can expect anyone to spend hours mentoring you. In the meantime, maybe you can support each other on your ramp-up journey?

Regarding https://github.com/v8/v8.dev/issues: that's the mostly-unused tracker for issues with the v8.dev site. The actual V8 issue tracker is, for now, at https://bugs.chromium.org/p/v8/issues/list (but I think it'll migrate to issues.chromium.org soon). So if you're looking for bugs to work on, look there.

One direction you can explore that may be more rewarding is projects that treat V8 as opaque (i.e. don't require much knowledge about its internals at first), such as fuzzing it (either JS or Wasm). You might even win bug bounties for successful finds. If you have other ideas on how to improve test coverage (e.g. by adding more tests for code paths that aren't covered well, or cleaning up useless tests, or speeding up existing tests without reducing their usefulness so that the saved time can be spent on additional tests, etc), and time to work on them, that would also be useful.

Good luck, and have fun!

--

[Jovon Itwaru]

hey Jakob, thank you so much for your response!

I think it makes a lot of sense; I know we’re all limited on time. I myself have a full-time job and a family. I spent a few hours yesterday looking through how timedate gets formatted with respect to one of the internationalization issues. if anything else, it was a good way to get the v8 build set up and start peeking through the code flow. one of the challenges is that I don’t really know how to submit a CL. obviously I’m not a owner so I can’t take ownership of an issue but I *would* like to contribute. I just don’t know how to get the component owner to assign the ticket to themselves and then allow me to work on the ticket , is there a defined way to do that? I’ve tried to reach out to the component owners and I am still awaiting a response. 

it’s interesting you bring up vulnerabilities. I have a security engineering background and work on seceng full-time at my day job, so I’m always interested in fuzzing and finding security vulns. web assembly has always interested me so maybe I can take some time fuzzing through that. however, I imagine that internally you have lots of coverage using your fuzzing (AFL) tools?

in order to demonstrate commitment, would it be worth creating a PR and emailing the patch to the component owners directly?

—

Jovon

[Jovon Itwaru]

hey Jakob, thank you so much for your response!

I think it makes a lot of sense; I know we’re all limited on time. I myself have a full-time job and a family. I spent a few hours yesterday looking through how timedate gets formatted with respect to one of the internationalization issues. if anything else, it was a good way to get the v8 build set up and start peeking through the code flow. one of the challenges is that I don’t really know how to submit a CL. obviously I’m not a owner so I can’t take ownership of an issue but I *would* like to contribute. I just don’t know how to get the component owner to assign the ticket to themselves and then allow me to work on the ticket , is there a defined way to do that? I’ve tried to reach out to the component owners and I am still awaiting a response. 

it’s interesting you bring up vulnerabilities. I have a security engineering background and work on seceng full-time at my day job, so I’m always interested in fuzzing and finding security vulns. web assembly has always interested me so maybe I can take some time fuzzing through that. however, I imagine that internally you have lots of coverage using your fuzzing (afl) tools?

in order to demonstrate commitment, would it be worth creating a PR and emailing the patch to the component owners directly?

—

Jovon

--
--
v8-dev mailing list
v8-...@googlegroups.com
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/CAKSzg3Sd7dpQFBjoJ0o8eVMP_U08roHDuNNJKXRfbs1owdgz0w%40mail.gmail.com.

[Jakob Kummerow]

On Tue, Feb 6, 2024 at 1:52 PM Jovon Itwaru <jovon....@gmail.com> wrote:

hey Jakob, thank you so much for your response!

I think it makes a lot of sense; I know we’re all limited on time. I myself have a full-time job and a family. I spent a few hours yesterday looking through how timedate gets formatted with respect to one of the internationalization issues. if anything else, it was a good way to get the v8 build set up and start peeking through the code flow. one of the challenges is that I don’t really know how to submit a CL.

https://v8.dev/docs/contribute

You may also want to read more of what you find on v8.dev/docs (and perhaps also v8.dev/blog for additional background on certain features/mechanisms).

 

obviously I’m not a owner so I can’t take ownership of an issue but I *would* like to contribute. I just don’t know how to get the component owner to assign the ticket to themselves and then allow me to work on the ticket , is there a defined way to do that? I’ve tried to reach out to the component owners and I am still awaiting a response. 

Pragmatically, you can just reply to the bug to say that you're working on it. We don't need to be formal about assignments, we just (in everyone's interest) want to avoid having two people independently work on the same bug, wasting effort.

 

it’s interesting you bring up vulnerabilities. I have a security engineering background and work on seceng full-time at my day job, so I’m always interested in fuzzing and finding security vulns. web assembly has always interested me so maybe I can take some time fuzzing through that. however, I imagine that internally you have lots of coverage using your fuzzing (afl) tools?

We do have fuzzers, and we also have empirical evidence that they're not finding everything :)

Obviously, I cannot tell you exactly what a fuzzer would have to do differently in order to find more issues; if I knew that for sure, I would just write such a fuzzer myself.

 

in order to demonstrate commitment, would it be worth creating a PR and emailing the patch to the component owners directly?

Following the Gerrit-based workflow linked above is much better than emailing patches.

(In case you're not familiar with Gerrit: you need to both select reviewers (e.g. someone from the OWNERS of the directory you're primarily changing), and send out a message asking for review, otherwise the selected reviewers won't get notified. If you run into any trouble, feel free to post a link to the CL here.)