FuzzILLI源码-REPRL.swift

对FuzzILLI源码的REPRL.swift的粗略阅读

REPRL

// A script runner to execute JavaScript code in an instrumented JS engine.
    let runner = REPRL(executable: jsShellPath, processArguments: profile.processArguments, processEnvironment: profile.processEnv)

这是makefuzzer函数的第一句，创建了一个runner，这个是拿来执行插桩过的js引擎

相关文件都位于Sources\Fuzzilli\Execution

Execution.swift and ScriptRunner.swift

这两个文件比较简单，Execution.swift定义了一个枚举ExecutionOutcome，表示程序运行可能出现的结果，crashed、failed、succeed还有一个timeout，同时也定义了Execution这个protocol，Execution用来表示一个program的执行结果

ScriptRunner.swift就定义了一个ScriptRunner的protocol，带有run函数和setEnvironmentVariable函数，这两个方法估计是要被后面的类重写

REPRL.swift

REPRL类继承ScriptRunner，先来看看它的init函数：

public init(executable: String, processArguments: [String], processEnvironment: [String: String]) {
        self.processArguments = [executable] + processArguments
        super.init(name: "REPRL")

        for (key, value) in processEnvironment {
            env.append(key + "=" + value)
        }
    }

init函数初始化它的processArguments和env成员，从makefuzzer函数中看出，processArguments和processEnvironment都是从profile来的：

let runner = REPRL(executable: jsShellPath, processArguments: profile.processArguments, processEnvironment: profile.processEnv)

顺路瞅一瞅v8的profile：

let v8Profile = Profile(
    processArguments: ["--expose-gc",
                       // Uncomment to activate additional features that will be enabled in the future
                       //"--future",
                       "--allow-natives-syntax",
                       "--interrupt-budget=1024",
                       "--fuzzing"],

    processEnv: [:],
    // ... //
)

在来看看initialize函数：

override func initialize() {
    	// 调用libreprl库的reprl_create_context函数创建一个reprlContext
        reprlContext = libreprl.reprl_create_context()
        if reprlContext == nil {
            logger.fatal("Failed to create REPRL context")
        }
		// convertToCArray和后面的freeCArray都位于Sources\Fuzzilli\Util\CInterop.swift
    	// 应该就是为了能更好的和libreprl进行交互
        let argv = convertToCArray(processArguments)
        let envp = convertToCArray(env)
		
    	// 调用reprl_initialize_context初始化context
        if reprl_initialize_context(reprlContext, argv, envp, /* capture_stdout: */ fuzzer.config.enableDiagnostics ? 1 : 0, /* capture stderr: */ 1) != 0 {
            logger.fatal("Failed to initialize REPRL context: \(String(cString: reprl_get_last_error(reprlContext)))")
        }

        freeCArray(argv, numElems: processArguments.count)
        freeCArray(envp, numElems: env.count)
		
    	// 注册event，但是fuzzer实例shutdown的时候，调用reprl_destroy_context销毁前面创建的reprlContext
        fuzzer.registerEventListener(for: fuzzer.events.Shutdown) { _ in
            reprl_destroy_context(self.reprlContext)
        }
    }

接下来最重要的run函数：

public func run(_ script: String, withTimeout timeout: UInt32) -> Execution {
    	// 这个diagnostics的标志应该是为了更好的track fuzzer执行的情况
        // Log the current script into the buffer if diagnostics are enabled.
        if fuzzer.config.enableDiagnostics {
            self.scriptBuffer += script + "\n"
        }

        lastExecId += 1
		// REPRLExecution是对Execution的一个封装，表示program的执行结果
        let execution = REPRLExecution(from: self)
		// 文件太大了
        guard script.count <= REPRL_MAX_DATA_SIZE else {
            logger.error("Script too large to execute. Assuming timeout...")
            execution.outcome = .timedOut
            return execution
        }
    
		// 记录执行次数，如果到达了maxExecsBeforeRespawn，就把子进程kill掉，在起一个新的
        execsSinceReset += 1
        var freshInstance: Int32 = 0
        if execsSinceReset > maxExecsBeforeRespawn {
            freshInstance = 1
            execsSinceReset = 0
            if fuzzer.config.enableDiagnostics {
                scriptBuffer.removeAll(keepingCapacity: true)
            }
        }

        var execTime: UInt64 = 0        // In microseconds
        let timeout = UInt64(timeout) * 1000        // In microseconds
        var status: Int32 = 0
        script.withCString {
            // 调用libreprl库的reprl_execute函数来进行真正的执行
            status = reprl_execute(reprlContext, $0, UInt64(script.count), UInt64(timeout), &execTime, freshInstance)
            // If we fail, we retry after a short timeout and with a fresh instance. If we still fail, we give up trying
            // to execute this program. If we repeatedly fail to execute any program, we abort.
            if status < 0 {
                logger.warning("Script execution failed: \(String(cString: reprl_get_last_error(reprlContext))). Retrying in 1 second...")
                if fuzzer.config.enableDiagnostics {
                    fuzzer.dispatchEvent(fuzzer.events.DiagnosticsEvent, data: (name: "REPRLFail", content: scriptBuffer))
                }
                Thread.sleep(forTimeInterval: 1)
                status = reprl_execute(reprlContext, $0, UInt64(script.count), UInt64(timeout), &execTime, 1)
            }
        }
		// 失败太多次，直接about
        if status < 0 {
            logger.error("Script execution failed again: \(String(cString: reprl_get_last_error(reprlContext))). Giving up")
            // If we weren't able to successfully execute a script in the last N attempts, abort now...
            recentlyFailedExecutions += 1
            if recentlyFailedExecutions >= 10 {
                logger.fatal("Too many consecutive REPRL failures")
            }
            execution.outcome = .failed(1)
            return execution
        }
        recentlyFailedExecutions = 0
		// 更新执行结果
        if RIFEXITED(status) != 0 {
            let code = REXITSTATUS(status)
            if code == 0 {
                execution.outcome = .succeeded
            } else {
                execution.outcome = .failed(Int(code))
            }
        } else if RIFSIGNALED(status) != 0 {
            execution.outcome = .crashed(Int(RTERMSIG(status)))
        } else if RIFTIMEDOUT(status) != 0 {
            execution.outcome = .timedOut
        } else {
            fatalError("Unknown REPRL exit status \(status)")
        }
        execution.execTime = Double(execTime) / 1_000_000

        return execution
    }

从上面的函数中来看，其实最主要的操作还是由libreprl进行的，所以我们还需要跟进去看看；其中对libreprl库函数的调用顺序为：reprl_create_context->reprl_initialize_context->reprl_execute->reprl_destroy_context

libreprl

libreprl位于Sources\libreprl，只有一个头文件和两个平台的具体实现文件，我们一般都在linux上搞fuzz，所以还是只看libreprl.h和libreprl-posix.c就好

头文件定义了reprl_create_context，reprl_initialize_context，reprl_destroy_context，reprl_execute这几个比较重要的函数；

其中他们都会用到的一个关键结构体reprl_context：

#define REPRL_MAX_DATA_SIZE (16 << 20)
// define in Sources\libreprl\libreprl-posix.c
struct reprl_context {
    // Whether reprl_initialize has been successfully performed on this context.
    int initialized;

    // Read file descriptor of the control pipe. Only valid if a child process is running (i.e. pid is nonzero).
    int ctrl_in;
    // Write file descriptor of the control pipe. Only valid if a child process is running (i.e. pid is nonzero).
    int ctrl_out;

    // Data channel REPRL -> Child
    struct data_channel* data_in;
    // Data channel Child -> REPRL
    struct data_channel* data_out;
    
    // Optional data channel for the child's stdout and stderr.
    struct data_channel* child_stdout;
    struct data_channel* child_stderr;
    
    // PID of the child process. Will be zero if no child process is currently running.
    pid_t pid;

    // Arguments and environment for the child process.
    char** argv;
    char** envp;
    
    // A malloc'd string containing a description of the last error that occurred.
    char* last_error;
};

// A unidirectional communication channel for larger amounts of data, up to a maximum size (REPRL_MAX_DATA_SIZE).
// Implemented as a (RAM-backed) file for which the file descriptor is shared with the child process and which is mapped into our address space.
struct data_channel {
    // File descriptor of the underlying file. Directly shared with the child process.
    int fd;
    // Memory mapping of the file, always of size REPRL_MAX_DATA_SIZE.
    char* mapping;
};

reprl_create_context

// Well-known file descriptor numbers for reprl <-> child communication, child
// process side
#define REPRL_CHILD_CTRL_IN 100
#define REPRL_CHILD_CTRL_OUT 101
#define REPRL_CHILD_DATA_IN 102
#define REPRL_CHILD_DATA_OUT 103

struct reprl_context* reprl_create_context()
{
    // "Reserve" the well-known REPRL fds so no other fd collides with them.
    // This would cause various kinds of issues in reprl_spawn_child.
    // It would be enough to do this once per process in the case of multiple
    // REPRL instances, but it's probably not worth the implementation effort.
    int devnull = open("/dev/null", O_RDWR);
    dup2(devnull, REPRL_CHILD_CTRL_IN);
    dup2(devnull, REPRL_CHILD_CTRL_OUT);
    dup2(devnull, REPRL_CHILD_DATA_IN);
    dup2(devnull, REPRL_CHILD_DATA_OUT);
    close(devnull);

    return calloc(1, sizeof(struct reprl_context));
}

先把和子进程通信要用到的fd保留住，在分配所需空间

reprl_initialize_context

int reprl_initialize_context(struct reprl_context* ctx, const char** argv, const char** envp, int capture_stdout, int capture_stderr)
{
    if (ctx->initialized) {
        return reprl_error(ctx, "Context is already initialized");
    }
    
    // We need to ignore SIGPIPE since we could end up writing to a pipe after our child process has exited.
    signal(SIGPIPE, SIG_IGN);

    ctx->argv = copy_string_array(argv);
    ctx->envp = copy_string_array(envp);
    
    ctx->data_in = reprl_create_data_channel(ctx);
    ctx->data_out = reprl_create_data_channel(ctx);
    if (capture_stdout) {
        ctx->child_stdout = reprl_create_data_channel(ctx);
    }
    if (capture_stderr) {
        ctx->child_stderr = reprl_create_data_channel(ctx);
    }
    if (!ctx->data_in || !ctx->data_out || (capture_stdout && !ctx->child_stdout) || (capture_stderr && !ctx->child_stderr)) {
        // Proper error message will have been set by reprl_create_data_channel
        return -1;
    }
    
    ctx->initialized = 1;
    return 0;
}

初始化reprl_context，其中比较关键的就是它调用了reprl_create_data_channel函数来初始化data_channel：

static struct data_channel* reprl_create_data_channel(struct reprl_context* ctx)
{
#ifdef __linux__
    int fd = memfd_create("REPRL_DATA_CHANNEL", MFD_CLOEXEC);
#else
    char path[] = "/tmp/reprl_data_channel_XXXXXXXX";
    if (mktemp(path) < 0) {
        reprl_error(ctx, "Failed to create temporary filename for data channel: %s", strerror(errno));
        return NULL;
    }
    int fd = open(path, O_RDWR | O_CREAT| O_CLOEXEC);
    unlink(path);
#endif
    if (fd == -1 || ftruncate(fd, REPRL_MAX_DATA_SIZE) != 0) {
        reprl_error(ctx, "Failed to create data channel file: %s", strerror(errno));
        return NULL;
    }
    char* mapping = mmap(0, REPRL_MAX_DATA_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (mapping == MAP_FAILED) {
        reprl_error(ctx, "Failed to mmap data channel file: %s", strerror(errno));
        return NULL;
    }
    
    struct data_channel* channel = malloc(sizeof(struct data_channel));
    channel->fd = fd;
    channel->mapping = mapping;
    return channel;
}

该函数先用memfd_create函数（memfd_create函数可以看man命令的解释）创建一个匿名文件，成功的话会返回这个文件的fd，在用ftruncate将其大小改为REPRL_MAX_DATA_SIZE，接着用mmap来申请内存，将fd和mmap申请的内存赋值给data_channel结构并返回。

capture_stdout和capture_stderr只有在用户设置了diagnostics标志才启用

reprl_execute

int reprl_execute(struct reprl_context* ctx, const char* script, uint64_t script_length, uint64_t timeout, uint64_t* execution_time, int fresh_instance)
{
    // 一些check
    if (!ctx->initialized) {
        return reprl_error(ctx, "REPRL context is not initialized");
    }
    if (script_length > REPRL_MAX_DATA_SIZE) {
        return reprl_error(ctx, "Script too large");
    }
	
    // 这个fresh_instance是从REPRL.swift传入的，当执行次数过多的时候，直接kill掉child
    // Terminate any existing instance if requested.
    if (fresh_instance && ctx->pid) {
        reprl_terminate_child(ctx);
    }

    // Reset file position so the child can simply read(2) and write(2) to these fds.
    lseek(ctx->data_out->fd, 0, SEEK_SET);
    lseek(ctx->data_in->fd, 0, SEEK_SET);
    if (ctx->child_stdout) {
        lseek(ctx->child_stdout->fd, 0, SEEK_SET);
    }
    if (ctx->child_stderr) {
        lseek(ctx->child_stderr->fd, 0, SEEK_SET);
    }
    
    // 如果还没有启动子进程，那就起一个
    // Spawn a new instance if necessary.
    if (!ctx->pid) {
        int r = reprl_spawn_child(ctx);
        if (r != 0) return r;
    }

    // Copy the script to the data channel.
    memcpy(ctx->data_out->mapping, script, script_length);
	
    // 通知子进程开始执行js代码，并检查是否执行成功
    // Tell child to execute the script.
    if (write(ctx->ctrl_out, "exec", 4) != 4 ||
        write(ctx->ctrl_out, &script_length, 8) != 8) {
        // These can fail if the child unexpectedly terminated between executions.
        // Check for that here to be able to provide a better error message.
        int status;
        if (waitpid(ctx->pid, &status, WNOHANG) == ctx->pid) {
            reprl_child_terminated(ctx);
            if (WIFEXITED(status)) {
                return reprl_error(ctx, "Child unexpectedly exited with status %i between executions", WEXITSTATUS(status));
            } else {
                return reprl_error(ctx, "Child unexpectedly terminated with signal %i between executions", WTERMSIG(status));
            }
        }
        return reprl_error(ctx, "Failed to send command to child process: %s", strerror(errno));
    }
	
    // 后续都是在检查等待子进程是否执行成功，并取得它的返回码
    // Wait for child to finish execution (or crash).
    int timeout_ms = timeout / 1000;
    uint64_t start_time = current_usecs();
    struct pollfd fds = {.fd = ctx->ctrl_in, .events = POLLIN, .revents = 0};
    int res = poll(&fds, 1, timeout_ms);
    *execution_time = current_usecs() - start_time;
    if (res == 0) {
        // Execution timed out. Kill child and return a timeout status.
        reprl_terminate_child(ctx);
        return 1 << 16;
    } else if (res != 1) {
        // An error occurred.
        // We expect all signal handlers to be installed with SA_RESTART, so receiving EINTR here is unexpected and thus also an error.
        return reprl_error(ctx, "Failed to poll: %s", strerror(errno));
    }
    
    // Poll succeeded, so there must be something to read now (either the status or EOF).
    int status;
    ssize_t rv = read(ctx->ctrl_in, &status, 4);
    if (rv < 0) {
        return reprl_error(ctx, "Failed to read from control pipe: %s", strerror(errno));
    } else if (rv != 4) {
        // Most likely, the child process crashed and closed the write end of the control pipe.
        // Unfortunately, there probably is nothing that guarantees that waitpid() will immediately succeed now,
        // and we also don't want to block here. So just retry waitpid() a few times...
        int success = 0;
        do {
            success = waitpid(ctx->pid, &status, WNOHANG) == ctx->pid;
            if (!success) usleep(10);
        } while (!success && current_usecs() - start_time < timeout);
        
        if (!success) {
            // Wait failed, so something weird must have happened. Maybe somehow the control pipe was closed without the child exiting?
            // Probably the best we can do is kill the child and return an error.
            reprl_terminate_child(ctx);
            return reprl_error(ctx, "Child in weird state after execution");
        }

        // Cleanup any state related to this child process.
        reprl_child_terminated(ctx);

        if (WIFEXITED(status)) {
            status = WEXITSTATUS(status) << 8;
        } else if (WIFSIGNALED(status)) {
            status = WTERMSIG(status);
        } else {
            // This shouldn't happen, since we don't specify WUNTRACED for waitpid...
            return reprl_error(ctx, "Waitpid returned unexpected child state %i", status);
        }
    }
    
    // The status must be a positive number, see the status encoding format below.
    // We also don't allow the child process to indicate a timeout. If we wanted,
    // we could treat it as an error if the upper bits are set.
    status &= 0xffff;

    return status;
}

其中一个reprl_spawn_child函数是用于启动子进程的，这个是关键函数，看看reprl是如何启动子进程的：

static int reprl_spawn_child(struct reprl_context* ctx)
{
    // This is also a good time to ensure the data channel backing files don't grow too large.
    ftruncate(ctx->data_in->fd, REPRL_MAX_DATA_SIZE);
    ftruncate(ctx->data_out->fd, REPRL_MAX_DATA_SIZE);
    if (ctx->child_stdout) ftruncate(ctx->child_stdout->fd, REPRL_MAX_DATA_SIZE);
    if (ctx->child_stderr) ftruncate(ctx->child_stderr->fd, REPRL_MAX_DATA_SIZE);
    
    int crpipe[2] = { 0, 0 };          // control pipe child -> reprl
    int cwpipe[2] = { 0, 0 };          // control pipe reprl -> child

    if (pipe(crpipe) != 0) {
        return reprl_error(ctx, "Could not create pipe for REPRL communication: %s", strerror(errno));
    }
    if (pipe(cwpipe) != 0) {
        close(crpipe[0]);
        close(crpipe[1]);
        return reprl_error(ctx, "Could not create pipe for REPRL communication: %s", strerror(errno));
    }

    ctx->ctrl_in = crpipe[0];
    ctx->ctrl_out = cwpipe[1];
    fcntl(ctx->ctrl_in, F_SETFD, FD_CLOEXEC);
    fcntl(ctx->ctrl_out, F_SETFD, FD_CLOEXEC);

#ifdef __linux__
    // Use vfork() on Linux as that considerably improves the fuzzer performance. See also https://github.com/googleprojectzero/fuzzilli/issues/174
    // Due to vfork, the code executed in the child process *must not* modify any memory apart from its stack, as it will share the page table of its parent.
    pid_t pid = vfork();
#else
    pid_t pid = fork();
#endif
    if (pid == 0) {
        if (dup2(cwpipe[0], REPRL_CHILD_CTRL_IN) < 0 ||
            dup2(crpipe[1], REPRL_CHILD_CTRL_OUT) < 0 ||
            dup2(ctx->data_out->fd, REPRL_CHILD_DATA_IN) < 0 ||
            dup2(ctx->data_in->fd, REPRL_CHILD_DATA_OUT) < 0) {
            fprintf(stderr, "dup2 failed in the child: %s\n", strerror(errno));
            _exit(-1);
        }

        // Unblock any blocked signals. It seems that libdispatch sometimes blocks delivery of certain signals.
        sigset_t newset;
        sigemptyset(&newset);
        if (sigprocmask(SIG_SETMASK, &newset, NULL) != 0) {
            fprintf(stderr, "sigprocmask failed in the child: %s\n", strerror(errno));
            _exit(-1);
        }

        close(cwpipe[0]);
        close(crpipe[1]);

        int devnull = open("/dev/null", O_RDWR);
        dup2(devnull, 0);
        if (ctx->child_stdout) dup2(ctx->child_stdout->fd, 1);
        else dup2(devnull, 1);
        if (ctx->child_stderr) dup2(ctx->child_stderr->fd, 2);
        else dup2(devnull, 2);
        close(devnull);
        
        // close all other FDs. We try to use FD_CLOEXEC everywhere, but let's be extra sure we don't leak any fds to the child.
        int tablesize = getdtablesize();
        for (int i = 3; i < tablesize; i++) {
            if (i == REPRL_CHILD_CTRL_IN || i == REPRL_CHILD_CTRL_OUT || i == REPRL_CHILD_DATA_IN || i == REPRL_CHILD_DATA_OUT) {
                continue;
            }
            close(i);
        }

        execve(ctx->argv[0], ctx->argv, ctx->envp);
        
        fprintf(stderr, "Failed to execute child process %s: %s\n", ctx->argv[0], strerror(errno));
        fflush(stderr);
        _exit(-1);
    }
    
    close(crpipe[1]);
    close(cwpipe[0]);
    
    if (pid < 0) {
        close(ctx->ctrl_in);
        close(ctx->ctrl_out);
        return reprl_error(ctx, "Failed to fork: %s", strerror(errno));
    }
    ctx->pid = pid;

    char helo[5] = { 0 };
    if (read(ctx->ctrl_in, helo, 4) != 4) {
        reprl_terminate_child(ctx);
        return reprl_error(ctx, "Did not receive HELO message from child: %s", strerror(errno));
    }
    
    if (strncmp(helo, "HELO", 4) != 0) {
        reprl_terminate_child(ctx);
        return reprl_error(ctx, "Received invalid HELO message from child: %s", helo);
    }
    
    if (write(ctx->ctrl_out, helo, 4) != 4) {
        reprl_terminate_child(ctx);
        return reprl_error(ctx, "Failed to send HELO reply message to child: %s", strerror(errno));
    }

    return 0;
}

总体下来就是调用pipe来启动和子进程间的通信（处理各种fd），接着父进程调用read在等待子进程的HELO message，在回应给子进程一个HELO message

V8_FUZZILLI

这是该回到子进程这边了，我这里选择的是v8，让我们来看看v8对fuzzilli的处理，在src/d8/d8.cc中：

#ifdef V8_FUZZILLI
#include "src/d8/cov.h"		// 计算覆盖率相关
#endif  // V8_FUZZILLI

#ifdef V8_FUZZILLI
// REPRL = read-eval-print-reset-loop
// These file descriptors are being opened when Fuzzilli uses fork & execve to
// run V8.
#define REPRL_CRFD 100  // Control read file decriptor
#define REPRL_CWFD 101  // Control write file decriptor
#define REPRL_DRFD 102  // Data read file decriptor
#define REPRL_DWFD 103  // Data write file decriptor
bool fuzzilli_reprl = true;
#else
bool fuzzilli_reprl = false;
#endif  // V8_FUZZILLI

在Shell::Initialize函数中：

void Shell::Initialize(Isolate* isolate, D8Console* console,
                       bool isOnMainThread) {
  // ... //

#ifdef V8_FUZZILLI
  // Let the parent process (Fuzzilli) know we are ready.
  if (options.fuzzilli_enable_builtins_coverage) {
    cov_init_builtins_edges(static_cast<uint32_t>(
        i::BasicBlockProfiler::Get()
            ->GetCoverageBitmap(reinterpret_cast<i::Isolate*>(isolate))
            .size()));
  }
  char helo[] = "HELO";
  if (write(REPRL_CWFD, helo, 4) != 4 || read(REPRL_CRFD, helo, 4) != 4) {
    fuzzilli_reprl = false;
  }

  if (memcmp(helo, "HELO", 4) != 0) {
    fprintf(stderr, "Invalid response from parent\n");
    _exit(-1);
  }
#endif  // V8_FUZZILLI

  debug::SetConsoleDelegate(isolate, console);
}

在这里会和父进程先进行HELO message的传递，SourceGroup::Execute函数会读取父进程的指令并开始执行js代码：

bool SourceGroup::Execute(Isolate* isolate) {
  bool success = true;
#ifdef V8_FUZZILLI
  if (fuzzilli_reprl) {
    HandleScope handle_scope(isolate);
    Local<String> file_name =
        String::NewFromUtf8(isolate, "fuzzcode.js", NewStringType::kNormal)
            .ToLocalChecked();

    size_t script_size;
    CHECK_EQ(read(REPRL_CRFD, &script_size, 8), 8);		// [2] 获取脚本长度
    char* buffer = new char[script_size + 1];
    char* ptr = buffer;
    size_t remaining = script_size;
    while (remaining > 0) {
      ssize_t rv = read(REPRL_DRFD, ptr, remaining);	// [3] 读取脚本
      CHECK_GE(rv, 0);
      remaining -= rv;
      ptr += rv;
    }
    buffer[script_size] = 0;

    Local<String> source =
        String::NewFromUtf8(isolate, buffer, NewStringType::kNormal)
            .ToLocalChecked();
    delete[] buffer;
    Shell::set_script_executed();
    if (!Shell::ExecuteString(isolate, source, file_name, Shell::kNoPrintResult,
                              Shell::kReportExceptions,
                              Shell::kNoProcessMessageQueue)) {
      return false;
    }
  }
#endif  // V8_FUZZILLI
   // ... //
}

// Shell::Main函数里：
#ifdef V8_FUZZILLI
      if (fuzzilli_reprl) {			
        unsigned action = 0;
        ssize_t nread = read(REPRL_CRFD, &action, 4);
        if (nread != 4 || action != 'cexe') {		// [1] 接收指令
          fprintf(stderr, "Unknown action: %u\n", action);
          _exit(-1);
        }
      }
#endif  // V8_FUZZILLI

上面的[1]，[2]，[3]都对应了reprl_execute函数里的：

// Copy the script to the data channel.
    memcpy(ctx->data_out->mapping, script, script_length);
	
    // 通知子进程开始执行js代码，并检查是否执行成功
    // Tell child to execute the script.
    if (write(ctx->ctrl_out, "exec", 4) != 4 ||
        write(ctx->ctrl_out, &script_length, 8) != 8) {
        // ... //
    }

最后v8会把代码执行的result通知给父进程：

// Shell::Main
#ifdef V8_FUZZILLI
      // Send result to parent (fuzzilli) and reset edge guards.
      if (fuzzilli_reprl) {
        int status = result << 8;
        std::vector<bool> bitmap;
        if (options.fuzzilli_enable_builtins_coverage) {
          bitmap = i::BasicBlockProfiler::Get()->GetCoverageBitmap(
              reinterpret_cast<i::Isolate*>(isolate));
          cov_update_builtins_basic_block_coverage(bitmap);
        }
        if (options.fuzzilli_coverage_statistics) {
          int tot = 0;
          for (bool b : bitmap) {
            if (b) tot++;
          }
          static int iteration_counter = 0;
          std::ofstream covlog("covlog.txt", std::ios::app);
          covlog << iteration_counter << "\t" << tot << "\t"
                 << sanitizer_cov_count_discovered_edges() << "\t"
                 << bitmap.size() << std::endl;
          iteration_counter++;
        }
        // In REPRL mode, stdout and stderr can be regular files, so they need
        // to be flushed after every execution
        fflush(stdout);
        fflush(stderr);
        CHECK_EQ(write(REPRL_CWFD, &status, 4), 4);		// <-- 通知父进程
        sanitizer_cov_reset_edgeguards();
        if (options.fuzzilli_enable_builtins_coverage) {
          i::BasicBlockProfiler::Get()->ResetCounts(
              reinterpret_cast<i::Isolate*>(isolate));
        }
      }
#endif  // V8_FUZZILLI
    } while (fuzzilli_reprl);
  }

在多看看v8在这里的逻辑：

int Shell::Main(int argc, char* argv[]){
    // ... //
// Fuzzilli REPRL = read-eval-print-loop
    do {
#ifdef V8_FUZZILLI
      if (fuzzilli_reprl) {
        unsigned action = 0;
        ssize_t nread = read(REPRL_CRFD, &action, 4);
        if (nread != 4 || action != 'cexe') {
          fprintf(stderr, "Unknown action: %u\n", action);
          _exit(-1);
        }
      }
#endif  // V8_FUZZILLI
	// ... //
        result = RunMain(isolate, last_run);
	// ... //
      
#ifdef V8_FUZZILLI
      // Send result to parent (fuzzilli) and reset edge guards.
      if (fuzzilli_reprl) {
        int status = result << 8;
        std::vector<bool> bitmap;
        if (options.fuzzilli_enable_builtins_coverage) {
          bitmap = i::BasicBlockProfiler::Get()->GetCoverageBitmap(
              reinterpret_cast<i::Isolate*>(isolate));
          cov_update_builtins_basic_block_coverage(bitmap);
        }
        // ... //
        // In REPRL mode, stdout and stderr can be regular files, so they need
        // to be flushed after every execution
        fflush(stdout);
        fflush(stderr);
        CHECK_EQ(write(REPRL_CWFD, &status, 4), 4);
        sanitizer_cov_reset_edgeguards();
        if (options.fuzzilli_enable_builtins_coverage) {
          i::BasicBlockProfiler::Get()->ResetCounts(
              reinterpret_cast<i::Isolate*>(isolate));
        }
      }
#endif  // V8_FUZZILLI
    } while (fuzzilli_reprl);
  // ... //
}

fuzzilli_reprl在宏V8_FUZZILLI定义了之后会被设置为true，所以这里就不停的接受fuzzer的”exec”指令，然后开始执行js代码，把result通知给父进程，在进行下一轮的等待

reprl_destroy_context

该函数就是释放前面申请的资源

参考链接

https://github.com/googleprojectzero/fuzzilli/blob/main/Docs/HowFuzzilliWorks.md