v8/test/fuzzer/wasm-section-fuzzers.cc

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "test/fuzzer/wasm-section-fuzzers.h"

#include "include/v8.h"
#include "src/isolate.h"
#include "src/objects-inl.h"
#include "src/wasm/wasm-module-builder.h"
#include "src/wasm/wasm-module.h"
#include "src/zone/accounting-allocator.h"
#include "src/zone/zone.h"
#include "test/common/wasm/wasm-module-runner.h"
#include "test/fuzzer/fuzzer-support.h"

using namespace v8::internal::wasm;

static const char* kNameString = "name";
static const size_t kNameStringLength = 4;

int fuzz_wasm_section(SectionCode section, const uint8_t* data, size_t size) {
  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
  v8::Isolate* isolate = support->GetIsolate();
  v8::internal::Isolate* i_isolate =
      reinterpret_cast<v8::internal::Isolate*>(isolate);

  // Clear any pending exceptions from a prior run.
  if (i_isolate->has_pending_exception()) {
    i_isolate->clear_pending_exception();
  }

  v8::Isolate::Scope isolate_scope(isolate);
  v8::HandleScope handle_scope(isolate);
  v8::Context::Scope context_scope(support->GetContext());
  v8::TryCatch try_catch(isolate);

  v8::internal::AccountingAllocator allocator;
  v8::internal::Zone zone(&allocator, ZONE_NAME);

  ZoneBuffer buffer(&zone);
  buffer.write_u32(kWasmMagic);
  buffer.write_u32(kWasmVersion);
  if (section == kNameSectionCode) {
    buffer.write_u8(kUnknownSectionCode);
    buffer.write_size(size + kNameStringLength + 1);
    buffer.write_u8(kNameStringLength);
    buffer.write(reinterpret_cast<const uint8_t*>(kNameString),
                 kNameStringLength);
    buffer.write(data, size);
  } else {
    buffer.write_u8(section);
    buffer.write_size(size);
    buffer.write(data, size);
  }

  ErrorThrower thrower(i_isolate, "decoder");

  std::unique_ptr<const WasmModule> module(testing::DecodeWasmModuleForTesting(
      i_isolate, &thrower, buffer.begin(), buffer.end(), kWasmOrigin));

  return 0;
}
[wasm] Write fuzzers for single wasm sections. This CL adds fuzzers for the wasm module sections 'types', 'names', 'globals', 'imports', 'function signatures', 'memory', and 'data', one fuzzer per section. No fuzzers are added for the other sections because either there already exists a fuzzer (e.g. wasm-code), or there exist inter-section dependencies. To avoid introducing a bunch executables which would make compilation with make slow, I introduce a single executable 'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above. This executable is run by the trybots and ensures that the fuzzers actually compile. For debugging I introduce commandline parameters which allow to execute the specific fuzzers from 'v8_simple_wasm_section_fuzzer'. R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2336603002 Cr-Commit-Position: refs/heads/master@{#39413} 2016-09-14 11:17:11 +00:00			`// Copyright 2016 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`#include "test/fuzzer/wasm-section-fuzzers.h"`

			`#include "include/v8.h"`
			`#include "src/isolate.h"`
[iwyu, wasm] Remove unallowed includes to objects-inl.h from wasm. R=mstarzinger@chromium.org BUG=v8:5294 Change-Id: If2cdb4d38829e69ddd8aecb99c99c3a03050f57c Reviewed-on: https://chromium-review.googlesource.com/441824 Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#43158} 2017-02-13 09:52:26 +00:00			`#include "src/objects-inl.h"`
[wasm] Rename encoder.(cc,h) to wasm-module-builder.(cc,h) R=bradnelson@chromium.org,mtrofin@chromium.org,mstarzinger@chromium.org BUG= Review-Url: https://codereview.chromium.org/2383463002 Cr-Commit-Position: refs/heads/master@{#39861} 2016-09-29 11:29:05 +00:00			`#include "src/wasm/wasm-module-builder.h"`
[wasm] Write fuzzers for single wasm sections. This CL adds fuzzers for the wasm module sections 'types', 'names', 'globals', 'imports', 'function signatures', 'memory', and 'data', one fuzzer per section. No fuzzers are added for the other sections because either there already exists a fuzzer (e.g. wasm-code), or there exist inter-section dependencies. To avoid introducing a bunch executables which would make compilation with make slow, I introduce a single executable 'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above. This executable is run by the trybots and ensures that the fuzzers actually compile. For debugging I introduce commandline parameters which allow to execute the specific fuzzers from 'v8_simple_wasm_section_fuzzer'. R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2336603002 Cr-Commit-Position: refs/heads/master@{#39413} 2016-09-14 11:17:11 +00:00			`#include "src/wasm/wasm-module.h"`
Moved zones and zone related stuff in its own directory. This is some initial cleanup to keep /src clean. The AccountingAllocator is actually exclusively used by zones and this common subfolder makes that more clear. BUG=v8:5409 Review-Url: https://codereview.chromium.org/2344143003 Cr-Commit-Position: refs/heads/master@{#39558} 2016-09-20 16:07:25 +00:00			`#include "src/zone/accounting-allocator.h"`
			`#include "src/zone/zone.h"`
[wasm] Write fuzzers for single wasm sections. This CL adds fuzzers for the wasm module sections 'types', 'names', 'globals', 'imports', 'function signatures', 'memory', and 'data', one fuzzer per section. No fuzzers are added for the other sections because either there already exists a fuzzer (e.g. wasm-code), or there exist inter-section dependencies. To avoid introducing a bunch executables which would make compilation with make slow, I introduce a single executable 'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above. This executable is run by the trybots and ensures that the fuzzers actually compile. For debugging I introduce commandline parameters which allow to execute the specific fuzzers from 'v8_simple_wasm_section_fuzzer'. R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2336603002 Cr-Commit-Position: refs/heads/master@{#39413} 2016-09-14 11:17:11 +00:00			`#include "test/common/wasm/wasm-module-runner.h"`
			`#include "test/fuzzer/fuzzer-support.h"`

			`using namespace v8::internal::wasm;`

[wasm] Master CL for Binary 0xC changes. [0xC] Convert to stack machine semantics. [0xC] Use section codes instead of names. [0xC] Add elements section decoding. [0xC] Decoding of globals section. [0xC] Decoding of memory section. [0xC] Decoding of imports section. [0xC] Decoding of exports section. [0xC] Decoding of data section. [0xC] Remove CallImport bytecode. [0xC] Function bodies have an implicit block. [0xC] Remove the bottom label from loops. [0xC] Add signatures to blocks. [0xC] Remove arities from branches. Add tests for init expression decoding. Rework compilation of import wrappers and how they are patched. Rework function indices in debugging. Fix ASM->WASM builder for stack machine. Reorganize asm.js foreign functions due to import indices change. R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org BUG=chromium:575167 LOG=Y Committed: https://crrev.com/76eb976a67273b8c03c744f64ad850b0432554b9 Review-Url: https://codereview.chromium.org/2345593003 Cr-Original-Commit-Position: refs/heads/master@{#39678} Cr-Commit-Position: refs/heads/master@{#39795} 2016-09-27 20:46:10 +00:00			`static const char* kNameString = "name";`
			`static const size_t kNameStringLength = 4;`

[wasm] Implement extensible name section The format of the name section changed recently. It now contains subsections of different type (currently for function names or local variable names). This CL changes our internal wasm module builders (in JS and C++) to emit this new format, and changes the decoder to understand it. We currently only parse the function name section, and ignore names of local variables. I will later extend this to parse local variable names when needed for debugging. R=ahaas@chromium.org, rossberg@chromium.org BUG=v8:6222 Change-Id: I2627160c25c9209a3f09abe0b88941ec48b24434 Reviewed-on: https://chromium-review.googlesource.com/470247 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Andreas Rossberg <rossberg@chromium.org> Cr-Commit-Position: refs/heads/master@{#44492} 2017-04-07 14:37:30 +00:00			`int fuzz_wasm_section(SectionCode section, const uint8_t* data, size_t size) {`
[wasm] Write fuzzers for single wasm sections. This CL adds fuzzers for the wasm module sections 'types', 'names', 'globals', 'imports', 'function signatures', 'memory', and 'data', one fuzzer per section. No fuzzers are added for the other sections because either there already exists a fuzzer (e.g. wasm-code), or there exist inter-section dependencies. To avoid introducing a bunch executables which would make compilation with make slow, I introduce a single executable 'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above. This executable is run by the trybots and ensures that the fuzzers actually compile. For debugging I introduce commandline parameters which allow to execute the specific fuzzers from 'v8_simple_wasm_section_fuzzer'. R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2336603002 Cr-Commit-Position: refs/heads/master@{#39413} 2016-09-14 11:17:11 +00:00			`v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();`
			`v8::Isolate* isolate = support->GetIsolate();`
			`v8::internal::Isolate* i_isolate =`
			`reinterpret_cast<v8::internal::Isolate*>(isolate);`

			`// Clear any pending exceptions from a prior run.`
			`if (i_isolate->has_pending_exception()) {`
			`i_isolate->clear_pending_exception();`
			`}`

			`v8::Isolate::Scope isolate_scope(isolate);`
			`v8::HandleScope handle_scope(isolate);`
			`v8::Context::Scope context_scope(support->GetContext());`
			`v8::TryCatch try_catch(isolate);`

Moved zones and zone related stuff in its own directory. This is some initial cleanup to keep /src clean. The AccountingAllocator is actually exclusively used by zones and this common subfolder makes that more clear. BUG=v8:5409 Review-Url: https://codereview.chromium.org/2344143003 Cr-Commit-Position: refs/heads/master@{#39558} 2016-09-20 16:07:25 +00:00			`v8::internal::AccountingAllocator allocator;`
Named all zones in the project This adds more useful information to the v8-heap-stats tool. BUG=v8:5489 Review-Url: https://codereview.chromium.org/2394213003 Cr-Commit-Position: refs/heads/master@{#40361} 2016-10-17 12:12:30 +00:00			`v8::internal::Zone zone(&allocator, ZONE_NAME);`
[wasm] Write fuzzers for single wasm sections. This CL adds fuzzers for the wasm module sections 'types', 'names', 'globals', 'imports', 'function signatures', 'memory', and 'data', one fuzzer per section. No fuzzers are added for the other sections because either there already exists a fuzzer (e.g. wasm-code), or there exist inter-section dependencies. To avoid introducing a bunch executables which would make compilation with make slow, I introduce a single executable 'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above. This executable is run by the trybots and ensures that the fuzzers actually compile. For debugging I introduce commandline parameters which allow to execute the specific fuzzers from 'v8_simple_wasm_section_fuzzer'. R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2336603002 Cr-Commit-Position: refs/heads/master@{#39413} 2016-09-14 11:17:11 +00:00
			`ZoneBuffer buffer(&zone);`
			`buffer.write_u32(kWasmMagic);`
			`buffer.write_u32(kWasmVersion);`
[wasm] Master CL for Binary 0xC changes. [0xC] Convert to stack machine semantics. [0xC] Use section codes instead of names. [0xC] Add elements section decoding. [0xC] Decoding of globals section. [0xC] Decoding of memory section. [0xC] Decoding of imports section. [0xC] Decoding of exports section. [0xC] Decoding of data section. [0xC] Remove CallImport bytecode. [0xC] Function bodies have an implicit block. [0xC] Remove the bottom label from loops. [0xC] Add signatures to blocks. [0xC] Remove arities from branches. Add tests for init expression decoding. Rework compilation of import wrappers and how they are patched. Rework function indices in debugging. Fix ASM->WASM builder for stack machine. Reorganize asm.js foreign functions due to import indices change. R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org BUG=chromium:575167 LOG=Y Committed: https://crrev.com/76eb976a67273b8c03c744f64ad850b0432554b9 Review-Url: https://codereview.chromium.org/2345593003 Cr-Original-Commit-Position: refs/heads/master@{#39678} Cr-Commit-Position: refs/heads/master@{#39795} 2016-09-27 20:46:10 +00:00			`if (section == kNameSectionCode) {`
			`buffer.write_u8(kUnknownSectionCode);`
			`buffer.write_size(size + kNameStringLength + 1);`
			`buffer.write_u8(kNameStringLength);`
			`buffer.write(reinterpret_cast<const uint8_t*>(kNameString),`
			`kNameStringLength);`
			`buffer.write(data, size);`
			`} else {`
			`buffer.write_u8(section);`
			`buffer.write_size(size);`
			`buffer.write(data, size);`
			`}`
[wasm] Write fuzzers for single wasm sections. This CL adds fuzzers for the wasm module sections 'types', 'names', 'globals', 'imports', 'function signatures', 'memory', and 'data', one fuzzer per section. No fuzzers are added for the other sections because either there already exists a fuzzer (e.g. wasm-code), or there exist inter-section dependencies. To avoid introducing a bunch executables which would make compilation with make slow, I introduce a single executable 'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above. This executable is run by the trybots and ensures that the fuzzers actually compile. For debugging I introduce commandline parameters which allow to execute the specific fuzzers from 'v8_simple_wasm_section_fuzzer'. R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2336603002 Cr-Commit-Position: refs/heads/master@{#39413} 2016-09-14 11:17:11 +00:00
			`ErrorThrower thrower(i_isolate, "decoder");`

			`std::unique_ptr<const WasmModule> module(testing::DecodeWasmModuleForTesting(`
[wasm] Use a Managed<WasmModule> to hold metadata about modules. This CL refactors the handling of metadata associated with WebAssembly modules to reduce the duplicate marshalling of data from the C++ world to the JavaScript world. It does this by wrapping the C++ WasmModule* object in a Foreign that is rooted from the on-heap WasmCompiledModule (which is itself just a FixedArray). Upon serialization, the C++ object is ignored and the original WASM wire bytes are serialized. Upon deserialization, the C++ object is reconstituted by reparsing the bytes. This is motivated by increasing complications in implementing the JS API, in particular WebAssembly.Table, which must perform signature canonicalization across instances. Additionally, this CL implements the proper base + offset initialization behavior for tables. R=rossberg@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org,yangguo@chromium.org BUG=v8:5507, chromium:575167, chromium:657316 Review-Url: https://chromiumcodereview.appspot.com/2424623002 Cr-Commit-Position: refs/heads/master@{#40434} 2016-10-19 13:06:44 +00:00			`i_isolate, &thrower, buffer.begin(), buffer.end(), kWasmOrigin));`
[wasm] Write fuzzers for single wasm sections. This CL adds fuzzers for the wasm module sections 'types', 'names', 'globals', 'imports', 'function signatures', 'memory', and 'data', one fuzzer per section. No fuzzers are added for the other sections because either there already exists a fuzzer (e.g. wasm-code), or there exist inter-section dependencies. To avoid introducing a bunch executables which would make compilation with make slow, I introduce a single executable 'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above. This executable is run by the trybots and ensures that the fuzzers actually compile. For debugging I introduce commandline parameters which allow to execute the specific fuzzers from 'v8_simple_wasm_section_fuzzer'. R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2336603002 Cr-Commit-Position: refs/heads/master@{#39413} 2016-09-14 11:17:11 +00:00
			`return 0;`
			`}`