AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
8fce4f1e0c
v8/test/fuzzer/wasm-async.cc

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

91 lines
2.7 KiB
C++
Raw Normal View History

[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include "include/v8-context.h"
#include "include/v8-exception.h"
#include "include/v8-isolate.h"
[wasm] Move SyncCompile* and AsyncCompile* methods to WasmEngine This is a further step to separate the implementation of the JavaScript API from the internals of the WASM implementation. Now, wasm-js.cc only needs to interact with the WASM engine and is (almost) independent of module-decoder.h and module-compiler.h. Also, move SyncCompileAndInstantiate() into wasm-module-runner.cc. Bug: v8:7316 R=clemensh@chromium.org, mstarzinger@chromium.org Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: I7765af54ac16f53a5ff88c17a22c5d36bacaf926 Reviewed-on: https://chromium-review.googlesource.com/870871 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#50679}
2018-01-18 10:52:52 +00:00
#include "include/v8-local-handle.h"
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
#include "src/execution/isolate-inl.h"
[wasm] Move SyncCompile* and AsyncCompile* methods to WasmEngine This is a further step to separate the implementation of the JavaScript API from the internals of the WASM implementation. Now, wasm-js.cc only needs to interact with the WASM engine and is (almost) independent of module-decoder.h and module-compiler.h. Also, move SyncCompileAndInstantiate() into wasm-module-runner.cc. Bug: v8:7316 R=clemensh@chromium.org, mstarzinger@chromium.org Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: I7765af54ac16f53a5ff88c17a22c5d36bacaf926 Reviewed-on: https://chromium-review.googlesource.com/870871 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#50679}
2018-01-18 10:52:52 +00:00
#include "src/wasm/wasm-engine.h"
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
#include "src/wasm/wasm-module.h"
#include "test/common/wasm/wasm-module-runner.h"
#include "test/fuzzer/fuzzer-support.h"
[wasm] Avoid executing infinite loops in the wasm fuzzers The wasm-async fuzzer uses the bytes provided by the fuzzer engine directly as wasm module bytes, compiles them with async compilation, and then tries to execute the "main" function of the module. This "main" can have an infinite loop which causes a timeout in the fuzzer. With this CL the "main" function is first executed with the interpreter. If the execution in the interpreter finishes within 16k steps, which means that there is no infinite loop, also the compiled code is executed. I added the raw fuzzer input as a test case because in this case I really want to test the fuzzer and not V8. R=clemensh@chromium.org Bug: chromium:761784 Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162 Reviewed-on: https://chromium-review.googlesource.com/651046 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47874}
2017-09-07 09:48:34 +00:00
#include "test/fuzzer/wasm-fuzzer-common.h"
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
namespace v8::internal {
[wasm] [fuzzer] Avoid 'using namespace' This violates the style guide, and causes problems for jumbo builds. R=ahaas@chromium.org CC=mostynb@opera.com Bug: chromium:746958 Change-Id: Ic583c41b94bfd9ecdb31a9ccadb2e842861fe7f4 Reviewed-on: https://chromium-review.googlesource.com/647710 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47774}
2017-09-01 13:20:46 +00:00
class WasmModuleObject;
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
}
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
namespace v8::internal::wasm::fuzzer {
add gn jumbo build support To speed up compilation times, jumbo allows files to be compiled together. This is a well known method ("unity builds") to both compile faster and create a poor man's "full program optimization". We are only interested in compile times. Background: https://chromium.googlesource.com/chromium/src/+/master/docs/jumbo.md Note that jumbo builds are not enabled by default. To try this out, add use_jumbo_build=true to your GN args. BUG=chromium:746958 Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel Change-Id: Ieb9fdccb6c135e9806dbed91c09a29aa8b8bee11 Reviewed-on: https://chromium-review.googlesource.com/579090 Commit-Queue: Mostyn Bramley-Moore <mostynb@opera.com> Reviewed-by: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#47239}
2017-08-09 08:11:21 +00:00
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
class AsyncFuzzerResolver : public CompilationResultResolver {
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
public:
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
AsyncFuzzerResolver(Isolate* isolate, bool* done)
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
: isolate_(isolate), done_(done) {}
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
void OnCompilationSucceeded(Handle<WasmModuleObject> module) override {
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
*done_ = true;
[wasm] Switch wasm-async fuzzer to Liftoff for reference The fuzzers based on {WasmExecutionFuzzer} (wasm-code, wasm-compile) were already switched over in https://crrev.com/c/4042288. The wasm-async and wasm fuzzers were still testing against the interpreter, even though WasmGC opcodes are enabled, which leads to crashes due to incomplete interpreter support. This CL now switches those remaining fuzzers to "liftoff as reference" mode, and removes support for testing against the interpreter. As Liftoff code runs a lot faster than the interpreter, we bump the limit for the number of executed instructions from 16k to 1M. R=jkummerow@chromium.org Bug: chromium:1387316, chromium:1393379, v8:13496 Change-Id: Id3e6177cc89b49e69d03515f10eedaf0872bde82 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4078983 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#84644}
2022-12-05 11:59:26 +00:00
ExecuteAgainstReference(isolate_, module,
kDefaultMaxFuzzerExecutedInstructions);
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
}
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
void OnCompilationFailed(Handle<Object> error_reason) override {
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
*done_ = true;
}
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
private:
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
Isolate* isolate_;
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
bool* done_;
};
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
[api] Add callback to set up conditional features Origin trials allow webpages to use experimental features even though the features are not yet enabled by default. These features will then get enabled per execution context: it is possible that the feature is enabled in one execution context but disabled in another execution context. In V8 we check for origin trials by calling a callback provided by the embedder that takes the context as a parameter and returns whether a feature is enabled in this context or not. This approach fails when a feature changes the context itself, e.g. by extending the global object. In that case the context is not available yet to check for the origin trial. To solve the problem this CL adds a new API function that can be called by the embedder to notify V8 that context with the origin trial information is finished. After that V8 can read the origin trial information from the context and extend e.g. the global object with the origin trial features. Additionally to the API this CL also adds code to enable the WebAssembly.Exception constructor conditionally, depending on whether it has been enabled by an origin trial or not. The Blink-side change: https://crrev.com/c/2775573 R=ulan@chromium.org, jkummerow@chromium.org Change-Id: Ic05c4a89eb3e0e31469e49da8767d630c43b2e00 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773287 Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#73597}
2021-03-23 08:02:32 +00:00
v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
v8::Isolate* isolate = support->GetIsolate();
[wasm][fuzzer] Fix data race when setting flags Fuzzers are executed in their own process, so instead of resetting flags after execution, we can just keep the flag values. This CL introduces a shared function to enable all staged features, without ever resetting the value. This fixes a data race. R=ahaas@chromium.org Bug: v8:10979 Change-Id: I82ea35b887841850edd8b394a3644cf8df1e3bf8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2449969 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#70320}
2020-10-05 14:50:59 +00:00
// Set some more flags.
[wasm] Use v8_flags for accessing flag values Avoid the deprecated FLAG_* syntax, access flag values via the {v8_flags} struct instead. R=jkummerow@chromium.org Bug: v8:12887 Change-Id: Ieccf35730f69bcefa3740227f15e05686080d122 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3843517 Auto-Submit: Clemens Backes <clemensb@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#82774}
2022-08-29 10:33:33 +00:00
v8_flags.wasm_async_compilation = true;
v8_flags.wasm_max_mem_pages = 32;
v8_flags.wasm_max_table_size = 100;
[wasm][fuzzer] Enable trap handlers On x64, trap handlers are enabled as part of the default configuration. However, each embedder has to enable trap handlers explicitly, and in the wasm fuzzers, trap handlers were not enabled. This CL enables trap handlers now in all wasm fuzzers. Drive-by change: enable all staged wasm features in the wasm-async fuzzer. R=clemensb@chromium.org Change-Id: Ib7c2addb092551b5554a2b74830e5b67db077909 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2362957 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#69500}
2020-08-20 11:28:04 +00:00
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
Isolate* i_isolate = reinterpret_cast<Isolate*>(isolate);
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
// Clear any pending exceptions from a prior run.
if (i_isolate->has_pending_exception()) {
i_isolate->clear_pending_exception();
}
v8::Isolate::Scope isolate_scope(isolate);
v8::HandleScope handle_scope(isolate);
v8::Context::Scope context_scope(support->GetContext());
[api] Add callback to set up conditional features Origin trials allow webpages to use experimental features even though the features are not yet enabled by default. These features will then get enabled per execution context: it is possible that the feature is enabled in one execution context but disabled in another execution context. In V8 we check for origin trials by calling a callback provided by the embedder that takes the context as a parameter and returns whether a feature is enabled in this context or not. This approach fails when a feature changes the context itself, e.g. by extending the global object. In that case the context is not available yet to check for the origin trial. To solve the problem this CL adds a new API function that can be called by the embedder to notify V8 that context with the origin trial information is finished. After that V8 can read the origin trial information from the context and extend e.g. the global object with the origin trial features. Additionally to the API this CL also adds code to enable the WebAssembly.Exception constructor conditionally, depending on whether it has been enabled by an origin trial or not. The Blink-side change: https://crrev.com/c/2775573 R=ulan@chromium.org, jkummerow@chromium.org Change-Id: Ic05c4a89eb3e0e31469e49da8767d630c43b2e00 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773287 Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#73597}
2021-03-23 08:02:32 +00:00
[wasm] Enable wasm-gc for fuzzers This will make our generic fuzzers (wasm-fuzzer, wasm-code-fuzzer, wasm-async-fuzzer, ...) fuzz wasm-gc opcodes. We were already fuzzing specific instructions in the wasm-compile fuzzer, but were missing fuzzer coverage for corner cases and instructions not supported by that fuzzer. R=jkummerow@chromium.org CC=manoskouk@chromium.org Bug: v8:13496 Change-Id: Iccca96e32a64d20c11bc425fb5b1e9a1e3aa7486 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030986 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#84310}
2022-11-16 17:01:23 +00:00
// We explicitly enable staged/experimental WebAssembly features here to
// increase fuzzer coverage. For libfuzzer fuzzers it is not possible that the
// fuzzer enables the flag by itself.
EnableExperimentalWasmFeatures(isolate);
[api] Add callback to set up conditional features Origin trials allow webpages to use experimental features even though the features are not yet enabled by default. These features will then get enabled per execution context: it is possible that the feature is enabled in one execution context but disabled in another execution context. In V8 we check for origin trials by calling a callback provided by the embedder that takes the context as a parameter and returns whether a feature is enabled in this context or not. This approach fails when a feature changes the context itself, e.g. by extending the global object. In that case the context is not available yet to check for the origin trial. To solve the problem this CL adds a new API function that can be called by the embedder to notify V8 that context with the origin trial information is finished. After that V8 can read the origin trial information from the context and extend e.g. the global object with the origin trial features. Additionally to the API this CL also adds code to enable the WebAssembly.Exception constructor conditionally, depending on whether it has been enabled by an origin trial or not. The Blink-side change: https://crrev.com/c/2775573 R=ulan@chromium.org, jkummerow@chromium.org Change-Id: Ic05c4a89eb3e0e31469e49da8767d630c43b2e00 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773287 Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#73597}
2021-03-23 08:02:32 +00:00
[wasm] [fuzzer] Avoid 'using namespace' This violates the style guide, and causes problems for jumbo builds. R=ahaas@chromium.org CC=mostynb@opera.com Bug: chromium:746958 Change-Id: Ic583c41b94bfd9ecdb31a9ccadb2e842861fe7f4 Reviewed-on: https://chromium-review.googlesource.com/647710 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47774}
2017-09-01 13:20:46 +00:00
TryCatch try_catch(isolate);
testing::SetupIsolateForWasmModule(i_isolate);
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
bool done = false;
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
auto enabled_features = WasmFeatures::FromIsolate(i_isolate);
[wasm] Fix error message for async instantiation This fixes the error message generated for compile errors during asynchronous instantiation. It shows "WebAssembly.instantiate()" now instead of "WebAssembly.compile()". R=mstarzinger@chromium.org Bug: v8:9266 Change-Id: Ieae478d1c4f6843fbc17e15debb6c49f72059d99 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617940 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#61654}
2019-05-20 11:14:29 +00:00
constexpr const char* kAPIMethodName = "WasmAsyncFuzzer.compile";
[isolate][cleanup] Remove pointer to WasmEngine The WasmEngine is shared across the whole process, so there is no need to store it in every Isolate. Instead, we can just get it from everywhere on any thread using {wasm::GetWasmEngine()}, which is a simple read of a global. R=jkummerow@chromium.org Bug: v8:11879 Change-Id: I13afb8ca3d116aa14bfaec5a4bbd6d71faa9aa17 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2969825 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#75265}
2021-06-18 14:29:39 +00:00
GetWasmEngine()->AsyncCompile(
[wasm] Add WasmFeatures to enable/detect features This CL introduces a set of configuration options implemented as a struct of booleans that together comprise the set of enabled or detected features. The configuration options replace command-line flags that were checked deep in the implementation. As such, it is necessary to plumb them through multiple levels of abstraction. R=ahaas@chromium.org CC=mstarzinger@chromium.org BUG=chromium:868844 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I1b82f5826e4fd263f68e8cafcd923bac5818a637 Reviewed-on: https://chromium-review.googlesource.com/1163670 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55018}
2018-08-08 14:54:44 +00:00
i_isolate, enabled_features,
Reland "[wasm] Implement the new API for WebAssembly.instantiateStreaming" The problem was that in AsyncCompileJob::FinishModule we allocate a handle, but when this function is called from streaming compilation, then there was no HandleScope around AsyncCompileJob::FinishModule. This issue was fixed in another CL, https://crrev.com/c/1172357. This CL is just a rebase of the original CL. Original change's description: > [wasm] Implement the new API for WebAssembly.instantiateStreaming > This is the second V8 CL to refactor WebAssembly.instantiateStreaming to > make it spec compliant again. The design doc where the whole change is > discussed is available in the tracking bug. The tracking bug also > references prototype implementations of the whole change, which includes > the changes in this CL. R=starzinger@chromium.org Bug: chromium:860637 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: Ib0cb25488654d2b325b4f529d33b76b846c64436 Reviewed-on: https://chromium-review.googlesource.com/1172429 Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#55106}
2018-08-13 13:35:54 +00:00
std::make_shared<AsyncFuzzerResolver>(i_isolate, &done),
[wasm] Fix error message for async instantiation This fixes the error message generated for compile errors during asynchronous instantiation. It shows "WebAssembly.instantiate()" now instead of "WebAssembly.compile()". R=mstarzinger@chromium.org Bug: v8:9266 Change-Id: Ieae478d1c4f6843fbc17e15debb6c49f72059d99 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617940 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#61654}
2019-05-20 11:14:29 +00:00
ModuleWireBytes(data, data + size), false, kAPIMethodName);
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
// Wait for the promise to resolve.
[wasm] Reimplement WebAssembly.instantiate without desugaring At the moment, WebAssembly.instantiate(bytes) is implemented by desugaring it to WebAssembly.compile(bytes).then(WebAssembly.instantiate). The problem is that the {then} in this snippet is observable. With this CL I introduce a CompilationResultResolver which allows to do the desugaring internally and thereby make the {then} unobservable. Unfortunately the result of WebAssembly.instantiate(bytes) is different than the result of WebAssembly.instantiate(module). Therefore I also introduced an InstantiationResultResolver for symmetry with WebAssembly.compile. R=mstarzinger@chromium.org Bug: chromium:837417 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I2d98e03d65f2ada19041d5a9e2df5da91b24ccca Reviewed-on: https://chromium-review.googlesource.com/1059783 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#53347}
2018-05-24 21:22:27 +00:00
while (!done) {
[wasm] [fuzzer] Avoid 'using namespace' This violates the style guide, and causes problems for jumbo builds. R=ahaas@chromium.org CC=mostynb@opera.com Bug: chromium:746958 Change-Id: Ic583c41b94bfd9ecdb31a9ccadb2e842861fe7f4 Reviewed-on: https://chromium-review.googlesource.com/647710 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47774}
2017-09-01 13:20:46 +00:00
support->PumpMessageLoop(platform::MessageLoopBehavior::kWaitForWork);
[weakrefs] Call Isolate::ClearKeptObjects() as part of microtask checkpoint In the spec, WeakRefs that are dereferenced are kept alive until there's no JS on the stack, and then the host is expected to call ClearKeptObjects to clear those strong references [1]. HTML calls ClearKeptObjects at the end of a PerformMicrotaskCheckpoint [2]. In V8, leaving this up to the embedder is error prone in the same way the deprecated FinalizationGroup callback APIs were error prone: it depends on the embedder doing the right thing. This CL moves the call to ClearKeptObjects to be after running of microtasks within V8. However, the Isolate::ClearKeptObjects API should not be removed or deprecated in case an embedder uses an entirely custom MicrotaskQueue implementation and invokes MicrotaskQueue::PerformCheckpoint manually. [1] https://tc39.es/proposal-weakrefs/#sec-clear-kept-objects [2] https://github.com/whatwg/html/pull/4571 Bug: v8:8179 Change-Id: Ie243804157b56241ca69ed8fad300e839a0c9f75 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2055967 Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#66327}
2020-02-19 01:22:49 +00:00
isolate->PerformMicrotaskCheckpoint();
[wasm] Add a fuzzer for async compilation The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation. R=mtrofin@chromium.org Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c Reviewed-on: https://chromium-review.googlesource.com/506156 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#45912}
2017-06-13 14:41:54 +00:00
}
return 0;
}
[wasm] [fuzzer] Avoid 'using namespace' This violates the style guide, and causes problems for jumbo builds. R=ahaas@chromium.org CC=mostynb@opera.com Bug: chromium:746958 Change-Id: Ic583c41b94bfd9ecdb31a9ccadb2e842861fe7f4 Reviewed-on: https://chromium-review.googlesource.com/647710 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47774}
2017-09-01 13:20:46 +00:00
[wasm][fuzzer] Use a consistent namespace Most wasm fuzzers live in the v8::internal::wasm::fuzzer namespace. Thus also move the wasm-fuzzer there. Additionally - use the C++20 syntax for declaring the namespace, - skip unneeded full or partial classifications on types, and - remove a redundant HandleScope. R=ahaas@chromium.org Bug: v8:13496 Change-Id: I31d948af449efd9708aa6b27f35e8f3c9280a3f9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4030579 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#84300}
2022-11-16 12:55:33 +00:00
} // namespace v8::internal::wasm::fuzzer
Reference in New Issue Copy Permalink