[code coverage] Add fuzzer target.

This change adds a single fuzzer target to the continuous code coverage
bot and the matching trybot.

R=stgao,liaoyuke,jbudorick,mmoroz

Change-Id: Iab4af3dbfcfbce608b42a3089913f30d6753382d
Reviewed-on: https://chromium-review.googlesource.com/c/1364690
Commit-Queue: Roberto Carrillo <robertocn@chromium.org>
Reviewed-by: Shuotao Gao <stgao@chromium.org>
Reviewed-by: John Budorick <jbudorick@chromium.org>
Reviewed-by: Yuke Liao <liaoyuke@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#615486}

testing/buildbot/chromium.fyi.json

@@ -7124,6 +7124,14 @@
       }
     ],
     "isolated_scripts": [
+      {
+        "isolate_coverage_data": true,
+        "isolate_name": "blink_json_parser_fuzzer",
+        "name": "blink_json_parser_fuzzer",
+        "swarming": {
+          "can_use_on_swarming_builders": false
+        }
+      },
       {
         "args": [
           "--additional-driver-flag=--no-sandbox",

testing/buildbot/gn_isolate_map.pyl

@@ -197,6 +197,19 @@
     "label": "//third_party/blink/renderer/platform/heap:blink_heap_unittests",
     "type": "console_test_launcher",
   },
+  "blink_json_parser_fuzzer": {
+    "label": "//third_party/blink/renderer/platform:blink_json_parser_fuzzer",
+    "type": "script",
+    "script": "//tools/code_coverage/run_fuzz_target.py",
+    "args": [
+      "--fuzzer",
+      "./blink_json_parser_fuzzer",
+      "--output-dir",
+      "${ISOLATED_OUTDIR}",
+      "--timeout",
+      "3600",
+    ],
+  },
   "blink_platform_unittests": {
     "label": "//third_party/blink/renderer/platform:blink_platform_unittests",
     "type": "console_test_launcher",

testing/buildbot/test_suites.pyl

@@ -569,6 +569,15 @@
     },
 
     'chromium_code_coverage_isolated_scripts': {
+      'blink_json_parser_fuzzer': {
+        'swarming': {
+          # Fuzzer targets are temporarily to be run locally on the builder
+          # rather than on swarming avoid placing the corpus on the public
+          # isolate or making a swarming job depend on external data.
+          # see crbug.com/910235
+          'can_use_on_swarming_builders': False,
+        },
+      },
       'webkit_layout_tests': {
         'args': [
           '--additional-driver-flag=--no-sandbox',
@@ -582,7 +591,6 @@
       },
     },
 
-
     'chromium_gtests': {
       'angle_unittests': {},
       'base_unittests': {},

testing/buildbot/tryserver.chromium.linux.json

@@ -681,6 +681,14 @@
       }
     ],
     "isolated_scripts": [
+      {
+        "isolate_coverage_data": true,
+        "isolate_name": "blink_json_parser_fuzzer",
+        "name": "blink_json_parser_fuzzer",
+        "swarming": {
+          "can_use_on_swarming_builders": false
+        }
+      },
       {
         "args": [
           "--additional-driver-flag=--no-sandbox",

testing/libfuzzer/BUILD.gn

@@ -23,6 +23,16 @@ source_set("libfuzzer_main") {
   } else {
     sources += [ "unittest_main.cc" ]
   }
+  if (use_clang_coverage) {
+    # For purposes of code coverage calculation, fuzzer targets are run through
+    # a wrapper script in this directory, which handles corpus retrieval and
+    # appropriate parameter passing to run the target in an isolate. This
+    # directive makes this script and its dependencies to be included in the
+    # target's isolate.
+    data = [
+      "//tools/code_coverage/",
+    ]
+  }
 }
 
 # A config used by all fuzzer_tests.

tools/code_coverage/run_fuzz_target.py

@@ -5,6 +5,7 @@
 """Run a single fuzz target built with code coverage instrumentation."""
 
 import argparse
+import json
 import os
 import shutil
 import signal
@@ -137,6 +138,21 @@ def _ParseCommandArguments():
       required=True,
       help='Timeout value for running a single fuzz target.')
 
+  # Ignored. Used to comply with isolated script contract, see chromium_tests
+  # and swarming recipe modules for more details.
+  arg_parser.add_argument(
+      '--isolated-script-test-output',
+      type=str,
+      required=False,
+      help=argparse.SUPPRESS)
+
+  # Ditto.
+  arg_parser.add_argument(
+      '--isolated-script-test-perf-output',
+      type=str,
+      required=False,
+      help=argparse.SUPPRESS)
+
   if len(sys.argv) == 1:
     arg_parser.print_help()
     sys.exit(1)
@@ -212,8 +228,27 @@ def Main():
   args = _ParseCommandArguments()
   fuzzer_name = os.path.splitext(os.path.basename(args.fuzzer))[0]
   corpus_dir = _PrepareCorpus(fuzzer_name, args.output_dir)
+  start_time = time.time()
   _RunFuzzTarget(args.fuzzer, fuzzer_name, args.output_dir, corpus_dir,
                  args.timeout)
+  if args.isolated_script_test_output:
+    # TODO(crbug.com/913827): Actually comply with the isolated script contract
+    # on src/testing/scripts/common.
+    with open(args.isolated_script_test_output, 'w') as f:
+      json.dump({
+          fuzzer_name: {
+              'expected': 'PASS',
+              'actual': 'PASS',
+          },
+          "interrupted": False,
+          "path_delimiter": ".",
+          "version": 3,
+          "seconds_since_epoch": start_time,
+          "num_failures_by_type": {
+              "FAIL": 0,
+              "PASS": 1
+          },
+      }, f)
 
   return 0
 

tools/mb/mb_config.pyl

@@ -1123,12 +1123,12 @@
     ],
 
     'clang_code_coverage': [
-      'release_bot', 'clang', 'use_clang_coverage', 'no_symbols',
+      'release_bot', 'clang', 'use_clang_coverage', 'no_symbols', 'libfuzzer',
     ],
 
     'clang_code_coverage_trybot': [
       'gpu_tests', 'use_dummy_lastchange', 'release_trybot', 'clang', 'use_clang_coverage', 'no_symbols',
-      'partial_clang_instrumentation'
+      'libfuzzer', 'partial_clang_instrumentation'
     ],
 
     'clang_release_bot_minimal_symbols_x86': [