Samuel Groß (Gerrit)

unread,

Jan 30, 2026, 5:36:09 AM (5 days ago) Jan 30

to Matthias Liedtke, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Matthias Liedtke

Samuel Groß added 1 comment

Patchset-level comments

File-level comment, Patchset 1 (Latest):

Samuel Groß . resolved

PTAL! This is in preparation for upstreaming my pkey-based sandbox fuzzer.

Re. the drive-by change: I noticed that certain build configurations seem to immediately segfault because the instrumentation runs but shmem is still nullptr. This check fixes that and is also what's recommended by the official documentation (https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards)

Open in Gerrit

Related details

Attention is currently required from:

Matthias Liedtke

Submit Requirements:

Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Samuel Groß (Gerrit)

unread,

Jan 30, 2026, 5:39:22 AM (5 days ago) Jan 30

to Matthias Liedtke, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Matthias Liedtke

Samuel Groß added 1 comment

Patchset-level comments

File-level comment, Patchset 1 (Latest):

Samuel Groß . resolved

PTAL! This is in preparation for upstreaming my pkey-based sandbox fuzzer.
Re. the drive-by change: I noticed that certain build configurations seem to immediately segfault because the instrumentation runs but shmem is still nullptr. This check fixes that and is also what's recommended by the official documentation (https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards)

Samuel Groß

I also did some quick benchmarking locally and the additional rdpkru doesn't seem to matter (it's a pretty fast instruction as it just reads a cpu register).

Open in Gerrit

Related details

Attention is currently required from:

Matthias Liedtke

Submit Requirements:

Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Samuel Groß (Gerrit)

unread,

Jan 30, 2026, 5:40:04 AM (5 days ago) Jan 30

to Michael Lippautz, Matthias Liedtke, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Matthias Liedtke and Michael Lippautz

Samuel Groß added 1 comment

Patchset-level comments

File-level comment, Patchset 1 (Latest):

Samuel Groß . resolved

+Michael to stamp the d8.cc change

Open in Gerrit

Related details

Attention is currently required from:

Matthias Liedtke
Michael Lippautz

Submit Requirements:

Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Matthias Liedtke (Gerrit)

unread,

Feb 2, 2026, 7:21:52 PM (2 days ago) Feb 2

to Samuel Groß, Clemens Backes, Michael Lippautz, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Clemens Backes, Michael Lippautz and Samuel Groß

Matthias Liedtke added 1 comment

File src/fuzzilli/cov.cc

Line 157, Patchset 1 (Latest):__sanitizer_cov_trace_pc_guard(uint32_t* guard) {

Matthias Liedtke . unresolved

AFAIK, due to the fact that this is executed on each control-flow edge in the C++ binary, this is highly critical for performance.
Wasn't there some concerns on PKEY-modifying operations for V8 production? If yes, then this should probably have huge slowdowns when running Fuzzilli on PKEY-enabled hardware?

Also CC'ing @clem...@chromium.org who just investigated an incredibly slow test case when running it with Fuzzilli's coverage instrumentation a few days ago.

Open in Gerrit

Related details

Attention is currently required from:

Clemens Backes
Michael Lippautz
Samuel Groß

Submit Requirements:

Code-Owners
Code-Review

No-Unresolved-Comments

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Samuel Groß (Gerrit)

unread,

Feb 3, 2026, 3:29:43 AM (yesterday) Feb 3

to Clemens Backes, Michael Lippautz, Matthias Liedtke, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Clemens Backes, Matthias Liedtke and Michael Lippautz

Samuel Groß added 1 comment

File src/fuzzilli/cov.cc

Line 157, Patchset 1 (Latest):__sanitizer_cov_trace_pc_guard(uint32_t* guard) {

Matthias Liedtke . unresolved

AFAIK, due to the fact that this is executed on each control-flow edge in the C++ binary, this is highly critical for performance.
Wasn't there some concerns on PKEY-modifying operations for V8 production? If yes, then this should probably have huge slowdowns when running Fuzzilli on PKEY-enabled hardware?
Also CC'ing @clem...@chromium.org who just investigated an incredibly slow test case when running it with Fuzzilli's coverage instrumentation a few days ago.

Samuel Groß

Well so
(1) this only runs on builds that have V8_ENABLE_SANDBOX_HARDWARE_SUPPORT (and V8_FUZZILLI) enabled, which none of our fuzzer builds have
(2) this is only a RDPKRU on the common path, which is the fast instruction (4-6 CPU cycles or so, faster than a non-L1-cached read/write). I did some simple local benchmarking and couldn't spot a perf. difference

Open in Gerrit

Related details

Attention is currently required from:

Clemens Backes
Matthias Liedtke
Michael Lippautz

Submit Requirements:

Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Samuel Groß (Gerrit)

unread,

Feb 3, 2026, 6:43:39 AM (22 hours ago) Feb 3

to Clemens Backes, Michael Lippautz, Matthias Liedtke, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Clemens Backes, Matthias Liedtke and Michael Lippautz

Samuel Groß added 1 comment

File src/fuzzilli/cov.cc

Line 157, Patchset 1 (Latest):__sanitizer_cov_trace_pc_guard(uint32_t* guard) {

Matthias Liedtke . unresolved

AFAIK, due to the fact that this is executed on each control-flow edge in the C++ binary, this is highly critical for performance.
Wasn't there some concerns on PKEY-modifying operations for V8 production? If yes, then this should probably have huge slowdowns when running Fuzzilli on PKEY-enabled hardware?
Also CC'ing @clem...@chromium.org who just investigated an incredibly slow test case when running it with Fuzzilli's coverage instrumentation a few days ago.

Samuel Groß

Well so
(1) this only runs on builds that have V8_ENABLE_SANDBOX_HARDWARE_SUPPORT (and V8_FUZZILLI) enabled, which none of our fuzzer builds have
(2) this is only a RDPKRU on the common path, which is the fast instruction (4-6 CPU cycles or so, faster than a non-L1-cached read/write). I did some simple local benchmarking and couldn't spot a perf. difference

Samuel Groß

I ran some proper benchmarks now (Jetstream3):

========== Before this CL ==========
--- Run 1 ---
Stdlib: 0.083
MainRun: 0.007
First: 3.374
Worst: 8.238
Average: 12.563
Startup: 4.100
Runtime: 0.760
Total Score: 5.535

--- Run 2 ---
Stdlib: 0.082
MainRun: 0.007
First: 3.302
Worst: 7.953
Average: 12.255
Startup: 3.709
Runtime: 0.749
Total Score: 5.367

========== After this CL ==========
--- Run 1 ---
Stdlib: 0.084
MainRun: 0.007
First: 3.393
Worst: 8.134
Average: 12.446
Startup: 4.252
Runtime: 0.759
Total Score: 5.521

--- Run 2 ---
Stdlib: 0.084
MainRun: 0.007
First: 3.348
Worst: 8.167
Average: 12.623
Startup: 4.398
Runtime: 0.749
Total Score: 5.535

So I don't think it matters for performance.

unsatisfied_requirement

open

diffy

Clemens Backes (Gerrit)

unread,

Feb 3, 2026, 7:36:40 AM (21 hours ago) Feb 3

to Samuel Groß, Michael Lippautz, Matthias Liedtke, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Matthias Liedtke, Michael Lippautz and Samuel Groß

Clemens Backes added 1 comment

File src/fuzzilli/cov.cc

Clemens Backes

Ack, it doesn't look very expensive to me.

What was slow was the combination of no-inline and fuzzilli (in particular this tracing callback). With inlining we already see a great reduction in calls to this callback, so that problem is solved. Making it slightly slower shouldn't be a problem.

Open in Gerrit

Related details

Attention is currently required from:

Matthias Liedtke
Michael Lippautz
Samuel Groß

Submit Requirements:

Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

open

diffy

Matthias Liedtke (Gerrit)

unread,

Feb 3, 2026, 11:35:26 AM (17 hours ago) Feb 3

to Samuel Groß, Clemens Backes, Michael Lippautz, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Clemens Backes, Michael Lippautz and Samuel Groß

Matthias Liedtke voted and added 1 comment

Votes added by Matthias Liedtke

Code-Review

+1

1 comment

File src/fuzzilli/cov.cc

Line 157, Patchset 1 (Latest):__sanitizer_cov_trace_pc_guard(uint32_t* guard) {

Matthias Liedtke . resolved

Matthias Liedtke

Thanks for checking the performance impact! LGTM

Open in Gerrit

Related details

Attention is currently required from:

Clemens Backes
Michael Lippautz
Samuel Groß

Submit Requirements:

Code-Owners

Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Michael Lippautz (Gerrit)

unread,

Feb 3, 2026, 11:57:28 AM (16 hours ago) Feb 3

to Samuel Groß, Matthias Liedtke, Clemens Backes, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Clemens Backes and Samuel Groß

Michael Lippautz voted Code-Review+1

Code-Review

+1

Open in Gerrit

Related details

Attention is currently required from:

Clemens Backes
Samuel Groß

Submit Requirements:

Code-Owners

Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Samuel Groß (Gerrit)

unread,

3:22 AM (1 hour ago) 3:22 AM

to Michael Lippautz, Matthias Liedtke, Clemens Backes, V8 LUCI CQ, v8-re...@googlegroups.com

Attention needed from Clemens Backes

Samuel Groß voted Commit-Queue+2

Commit-Queue

+2

Open in Gerrit

Related details

Attention is currently required from:

Clemens Backes

Submit Requirements:

Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

V8 LUCI CQ (Gerrit)

unread,

4:15 AM (5 minutes ago) 4:15 AM

to Samuel Groß, Michael Lippautz, Matthias Liedtke, Clemens Backes, v8-re...@googlegroups.com

V8 LUCI CQ submitted the change

Change information

Commit message:

[fuzzilli] Redesign handling of coverage feedback and pkey sandboxing

When hardware sandboxing is enabled, sandboxed code can only write to
in-sandbox data. In combination with coverage feedback (for fuzzer
builds), this becomes a problem as the coverage bitmap needs to be
written. Previously, we tagged the coverage bitmap with a custom pkey
that is writable for both sandboxed and privileged code. However, this
does not work for signal handlers, as they run with access to only the
default pkey. As such, with this CL we now take a different approach: we
leave the coverage bitmap tagged with the default pkey but check if we
have access to that pkey in __sanitizer_cov_trace_pc_guard, and if not,
temporarily grant us access. This adds some overhead when running in
sandboxed execution mode, but currently we don't have any C++ code (that
would be instrumented) running in that mode (we only have a few builtins
that are invoked in sandboxed mode but then immediately ExitSandbox()).

Drive-By: bail out from __sanitizer_cov_trace_pc_guard if the index is
zero. See the comment for more details.

Bug: 350324877

Change-Id: Ib3aa439b503013f087621628366915151de9ff8b

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7535235

Commit-Queue: Samuel Groß <sa...@chromium.org>

Reviewed-by: Michael Lippautz <mlip...@chromium.org>

Reviewed-by: Matthias Liedtke <mlie...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#105073}

Files:

M src/d8/d8.cc
M src/fuzzilli/cov.cc
M src/fuzzilli/cov.h

Change size: M

Delta: 3 files changed, 70 insertions(+), 33 deletions(-)

Branch: refs/heads/main

Submit Requirements:

Code-Review: +1 by Matthias Liedtke, +1 by Michael Lippautz

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

[fuzzilli] Redesign handling of coverage feedback and pkey sandboxing [v8/v8 : main]

Samuel Groß (Gerrit)

Samuel Groß added 1 comment

Related details

Samuel Groß (Gerrit)

Samuel Groß added 1 comment

Related details

Samuel Groß (Gerrit)

Samuel Groß added 1 comment

Related details

Matthias Liedtke (Gerrit)

Matthias Liedtke added 1 comment

Related details

Samuel Groß (Gerrit)

Samuel Groß added 1 comment

Related details

Samuel Groß (Gerrit)

Samuel Groß added 1 comment

Clemens Backes (Gerrit)

Clemens Backes added 1 comment

Related details

Matthias Liedtke (Gerrit)

Matthias Liedtke voted and added 1 comment

Votes added by Matthias Liedtke

1 comment

Related details

Michael Lippautz (Gerrit)

Michael Lippautz voted Code-Review+1

Related details

Samuel Groß (Gerrit)

Samuel Groß voted Commit-Queue+2

Related details

V8 LUCI CQ (Gerrit)

V8 LUCI CQ submitted the change

Change information