// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "test/fuzzer/fuzzer-support.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "include/libplatform/libplatform.h"
#include "include/v8-context.h"
#include "include/v8-initialization.h"
#include "src/flags/flags.h"
#include "src/trap-handler/trap-handler.h"
namespace v8_fuzzer {
// Brings up a complete V8 embedding for a libFuzzer process: flags, ICU and
// startup data, the platform, one isolate and one persistent context.
// `argc`/`argv` are the process arguments; V8 flag arguments are consumed
// from them in place (third argument of SetFlagsFromCommandLine is true).
FuzzerSupport::FuzzerSupport(int* argc, char*** argv) {
  // Fuzzers change flags after V8 is up, so the post-initialization flag
  // freeze is switched off here.
  // TODO(12887): Refactor fuzzers to not change flags after initialization.
  i::FLAG_freeze_flags_after_init = false;
  i::FLAG_expose_gc = true;

  // Flags are applied before anything else so that they can influence the
  // ICU, startup-data and platform setup that follows.
  v8::V8::SetFlagsFromCommandLine(argc, *argv, true);
  const char* const executable = (*argv)[0];
  v8::V8::InitializeICUDefaultLocation(executable);
  v8::V8::InitializeExternalStartupData(executable);

  platform_ = v8::platform::NewDefaultPlatform();
  v8::V8::InitializePlatform(platform_.get());
  v8::V8::Initialize();

  // `allocator_` is a raw owning pointer; the destructor deletes it after the
  // isolate that uses it has been disposed.
  allocator_ = v8::ArrayBuffer::Allocator::NewDefaultAllocator();
  v8::Isolate::CreateParams params;
  params.array_buffer_allocator = allocator_;
  // Atomics.wait is not permitted in the fuzzer isolate.
  params.allow_atomics_wait = false;
  isolate_ = v8::Isolate::New(params);

  // Creating the context requires being entered in the isolate with an open
  // handle scope; the result is kept in the persistent `context_`.
  v8::Isolate::Scope enter_isolate(isolate_);
  v8::HandleScope handles(isolate_);
  context_.Reset(isolate_, v8::Context::New(isolate_));
}
// Tears the embedding down in reverse order of construction: drain the
// message loop and release the context while entered in the isolate, then
// dispose the isolate, free the allocator, and shut down V8 and the platform.
FuzzerSupport::~FuzzerSupport() {
  {
    v8::Isolate::Scope enter_isolate(isolate_);
    // Keep pumping until PumpMessageLoop() reports nothing more to run.
    for (;;) {
      if (!PumpMessageLoop()) break;
    }
    v8::HandleScope handles(isolate_);
    context_.Reset();
  }
  // Both scopes above are gone at this point, which is required before the
  // isolate can be disposed.
  isolate_->LowMemoryNotification();
  isolate_->Dispose();
  isolate_ = nullptr;

  // Freed only after the isolate that was created with it has been disposed.
  delete allocator_;
  allocator_ = nullptr;

  v8::V8::Dispose();
  v8::V8::DisposePlatform();
}
// Process-wide singleton: created once by InitializeFuzzerSupport() and
// handed out via Get().
std::unique_ptr<FuzzerSupport> FuzzerSupport::fuzzer_support_;
// static
// Creates the process-wide FuzzerSupport instance. Must be called exactly
// once; a second call trips the DCHECK below. `argc`/`argv` are forwarded to
// the constructor, which consumes V8 flags from them.
void FuzzerSupport::InitializeFuzzerSupport(int* argc, char*** argv) {
#if V8_ENABLE_WEBASSEMBLY
  // The trap handler is registered before the constructor below initializes
  // V8. Failing to register it is fatal rather than a silent fall-back, so a
  // fuzzer never runs WebAssembly without the handler it was built to use.
  constexpr bool kUseDefaultTrapHandler = true;
  if (V8_TRAP_HANDLER_SUPPORTED &&
      !v8::V8::EnableWebAssemblyTrapHandler(kUseDefaultTrapHandler)) {
    FATAL("Could not register trap handler");
  }
#endif  // V8_ENABLE_WEBASSEMBLY
  DCHECK_NULL(fuzzer_support_);
  fuzzer_support_ = std::make_unique<FuzzerSupport>(argc, argv);
}
// static
// Returns the process-wide instance created by InitializeFuzzerSupport().
// The returned pointer is non-owning; ownership stays with `fuzzer_support_`.
FuzzerSupport* FuzzerSupport::Get() {
  FuzzerSupport* const support = fuzzer_support_.get();
  // Callers must have run InitializeFuzzerSupport() first.
  DCHECK_NOT_NULL(support);
  return support;
}
// Returns a local handle to the persistent fuzzer context. The handle is
// escaped into the caller's enclosing handle scope, so the caller must have
// one open.
v8::Local<v8::Context> FuzzerSupport::GetContext() {
  v8::Isolate::Scope enter_isolate(isolate_);
  v8::EscapableHandleScope handles(isolate_);
  return handles.Escape(v8::Local<v8::Context>::New(isolate_, context_));
}
// Runs platform tasks for this isolate according to `behavior` and forwards
// the bool returned by v8::platform::PumpMessageLoop.
bool FuzzerSupport::PumpMessageLoop(
    v8::platform::MessageLoopBehavior behavior) {
  auto* const platform = platform_.get();
  const bool pumped =
      v8::platform::PumpMessageLoop(platform, isolate_, behavior);
  return pumped;
}
} // namespace v8_fuzzer
// Explicitly specify some attributes to avoid issues with the linker dead-
// stripping the following function on macOS, as it is not called directly
// by the fuzz target; the libFuzzer runtime resolves it with dlsym().
#if V8_OS_DARWIN
__attribute__((used)) __attribute__((visibility("default")))
#endif  // V8_OS_DARWIN
// libFuzzer initialization hook (see the comment above on why it must stay
// exported). Sets up the shared FuzzerSupport once for the process and
// returns 0 to report success to the runtime.
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
  v8_fuzzer::FuzzerSupport::InitializeFuzzerSupport(argc, argv);
  constexpr int kSuccess = 0;
  return kSuccess;
}