AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
d1b27019d3
v8/test/fuzzer/wasm.cc

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

78 lines
2.7 KiB
C++
Raw Normal View History

Adding Wasm + Wasm-asm variant fuzzer. Fixing a memory leak in CompileAndRunModule. BUG= https://code.google.com/p/v8/issues/detail?id=4203 TEST=wasm-fuzzer R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org LOG=N Review URL: https://codereview.chromium.org/1738943004 Cr-Commit-Position: refs/heads/master@{#34415}
2016-03-02 00:53:19 +00:00
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
[include] Split out v8.h This moves every single class/function out of include/v8.h into a separate header in include/, which v8.h then includes so that externally nothing appears to have changed. Every include of v8.h from inside v8 has been changed to a more fine-grained include. Previously inline functions defined at the bottom of v8.h would call private non-inline functions in the V8 class. Since that class is now in v8-initialization.h and is rarely included (as that would create dependency cycles), this is not possible and so those methods have been moved out of the V8 class into the namespace v8::api_internal. None of the previous files in include/ now #include v8.h, which means if embedders were relying on this transitive dependency then it will give compile failures. v8-inspector.h does depend on v8-scripts.h for the time being to ensure that Chrome continue to compile but that change will be reverted once those transitive #includes in chrome are changed to include it directly. Full design: https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing Bug: v8:11965 Change-Id: I53b84b29581632710edc80eb11f819c2097a2877 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448 Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/main@{#76424}
2021-08-20 14:54:26 +00:00
#include "include/libplatform/libplatform.h"
#include "include/v8-context.h"
#include "include/v8-exception.h"
#include "include/v8-isolate.h"
#include "include/v8-local-handle.h"
Move relevant files to src/execution Bug: v8:9247 Change-Id: I79e0553e8a0d6dac2aa16b94a6c0e05b6ccde4a1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1621934 Commit-Queue: Yang Guo <yangguo@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#61725}
2019-05-22 07:55:37 +00:00
#include "src/execution/isolate-inl.h"
Reland: [cleanup] Refactor the Factory There is no good reason to have the meat of most objects' initialization logic in heap.cc, all wrapped by the CALL_HEAP_FUNCTION macro. Instead, this CL changes the protocol between Heap and Factory to be AllocateRaw, and all object initialization work after (possibly retried) successful raw allocation happens in the Factory. This saves about 20KB of binary size on x64. Original review: https://chromium-review.googlesource.com/c/v8/v8/+/959533 Originally landed as r52416 / f9a2e24bbc65c2dcb09a94ff62ad663cacef0f96 Cq-Include-Trybots: luci.v8.try:v8_linux_noi18n_rel_ng Change-Id: Id072cbe6b3ed30afd339c7e502844b99ca12a647 Reviewed-on: https://chromium-review.googlesource.com/1000540 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#52492}
2018-04-09 19:11:22 +00:00
#include "src/heap/factory.h"
Move more relevant files to src/objects TBR=bmeurer@chromium.org,leszeks@chromium.org Bug: v8:9247 Change-Id: I8d14d0192ea8c705f8274e8e61a162531826edb6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1624220 Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Hannes Payer <hpayer@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#61769}
2019-05-23 08:51:46 +00:00
#include "src/objects/objects-inl.h"
[wasm] Move SyncCompile* and AsyncCompile* methods to WasmEngine This is a further step to separate the implementation of the JavaScript API from the internals of the WASM implementation. Now, wasm-js.cc only needs to interact with the WASM engine and is (almost) independent of module-decoder.h and module-compiler.h. Also, move SyncCompileAndInstantiate() into wasm-module-runner.cc. Bug: v8:7316 R=clemensh@chromium.org, mstarzinger@chromium.org Cq-Include-Trybots: master.tryserver.chromium.linux:linux_chromium_rel_ng Change-Id: I7765af54ac16f53a5ff88c17a22c5d36bacaf926 Reviewed-on: https://chromium-review.googlesource.com/870871 Commit-Queue: Ben Titzer <titzer@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#50679}
2018-01-18 10:52:52 +00:00
#include "src/wasm/wasm-engine.h"
[wasm] Fix enabling staged wasm features in libfuzzer fuzzers In https://crrev.com/c/1768581 I only enabled the --wasm-staging flag, but that is useless without the implications defined in flag-definitions.h. With this CL I now just set each flag one by one. R=clemensh@chromium.org Bug: v8:9601 Change-Id: Ie0e16f9516aa32b8c958cf58c8c9d4d6cb6f3b22 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1781060 Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#63516}
2019-09-03 07:56:24 +00:00
#include "src/wasm/wasm-feature-flags.h"
Adding Wasm + Wasm-asm variant fuzzer. Fixing a memory leak in CompileAndRunModule. BUG= https://code.google.com/p/v8/issues/detail?id=4203 TEST=wasm-fuzzer R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org LOG=N Review URL: https://codereview.chromium.org/1738943004 Cr-Commit-Position: refs/heads/master@{#34415}
2016-03-02 00:53:19 +00:00
#include "src/wasm/wasm-module.h"
[cleanup] Templatize the EnableFlagScope The EnableFlagScope is useful also for non-boolean flags. With the template we can use if for example in the wasm fuzzers to reduce the maximum memory size of a wasm module. In addition I put the EnableFlagScope into the v8::internal namespace, and I fixed a small typo. BUG=v8:6474 R=clemensh@chromium.org Change-Id: Iae5d5c058c334cd0f9e09d20adfd229fc2d6c585 Reviewed-on: https://chromium-review.googlesource.com/531005 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#45862}
2017-06-12 13:32:13 +00:00
#include "test/common/wasm/flag-utils.h"
[wasm] Move the wasm-module-runner from test/cctest to test/common The wasm-module-runner is used both in cctests and in fuzzers. As discussed offline, it is weird to include cctest header files in fuzzers, so I introduce a new test/common directory which contains the common files. R=titzer@chromium.org, jochen@chromium.org Review-Url: https://codereview.chromium.org/2335193002 Cr-Commit-Position: refs/heads/master@{#39411}
2016-09-14 10:31:23 +00:00
#include "test/common/wasm/wasm-module-runner.h"
Adding Wasm + Wasm-asm variant fuzzer. Fixing a memory leak in CompileAndRunModule. BUG= https://code.google.com/p/v8/issues/detail?id=4203 TEST=wasm-fuzzer R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org LOG=N Review URL: https://codereview.chromium.org/1738943004 Cr-Commit-Position: refs/heads/master@{#34415}
2016-03-02 00:53:19 +00:00
#include "test/fuzzer/fuzzer-support.h"
[wasm] Avoid executing infinite loops in the wasm fuzzers The wasm-async fuzzer uses the bytes provided by the fuzzer engine directly as wasm module bytes, compiles them with async compilation, and then tries to execute the "main" function of the module. This "main" can have an infinite loop which causes a timeout in the fuzzer. With this CL the "main" function is first executed with the interpreter. If the execution in the interpreter finishes within 16k steps, which means that there is no infinite loop, also the compiled code is executed. I added the raw fuzzer input as a test case because in this case I really want to test the fuzzer and not V8. R=clemensh@chromium.org Bug: chromium:761784 Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162 Reviewed-on: https://chromium-review.googlesource.com/651046 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47874}
2017-09-07 09:48:34 +00:00
#include "test/fuzzer/wasm-fuzzer-common.h"
namespace i = v8::internal;
Adding Wasm + Wasm-asm variant fuzzer. Fixing a memory leak in CompileAndRunModule. BUG= https://code.google.com/p/v8/issues/detail?id=4203 TEST=wasm-fuzzer R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org LOG=N Review URL: https://codereview.chromium.org/1738943004 Cr-Commit-Position: refs/heads/master@{#34415}
2016-03-02 00:53:19 +00:00
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
[api] Add callback to set up conditional features Origin trials allow webpages to use experimental features even though the features are not yet enabled by default. These features will then get enabled per execution context: it is possible that the feature is enabled in one execution context but disabled in another execution context. In V8 we check for origin trials by calling a callback provided by the embedder that takes the context as a parameter and returns whether a feature is enabled in this context or not. This approach fails when a feature changes the context itself, e.g. by extending the global object. In that case the context is not available yet to check for the origin trial. To solve the problem this CL adds a new API function that can be called by the embedder to notify V8 that context with the origin trial information is finished. After that V8 can read the origin trial information from the context and extend e.g. the global object with the origin trial features. Additionally to the API this CL also adds code to enable the WebAssembly.Exception constructor conditionally, depending on whether it has been enabled by an origin trial or not. The Blink-side change: https://crrev.com/c/2775573 R=ulan@chromium.org, jkummerow@chromium.org Change-Id: Ic05c4a89eb3e0e31469e49da8767d630c43b2e00 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773287 Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#73597}
2021-03-23 08:02:32 +00:00
v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
v8::Isolate* isolate = support->GetIsolate();
[wasm] Enable --wasm-staging in libfuzzer fuzzers As described in https://docs.google.com/document/d/1hB8mpWmzmtaxZ8PuJEkAWLwFqXTjrw7mJ3Ge9W1dB4E, we want to enable --wasm-staging for libfuzzer fuzzers to increase test coverage of new feature implementations. As discussed in https://docs.google.com/a/chromium.org/document/d/1hB8mpWmzmtaxZ8PuJEkAWLwFqXTjrw7mJ3Ge9W1dB4E/edit?disco=AAAADPrjhdA, this has to be done in our implementations manually. R=thibaudm@chromium.org Bug: v8:9601 Change-Id: Iab35af75bb71b6fca697ab7e4ac37b04e1d6da35 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768581 Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#63392}
2019-08-23 15:32:23 +00:00
// We reduce the maximum memory size and table size of WebAssembly instances
// to avoid OOMs in the fuzzer.
[wasm][fuzzer] Fix data race when setting flags Fuzzers are executed in their own process, so instead of resetting flags after execution, we can just keep the flag values. This CL introduces a shared function to enable all staged features, without ever resetting the value. This fixes a data race. R=ahaas@chromium.org Bug: v8:10979 Change-Id: I82ea35b887841850edd8b394a3644cf8df1e3bf8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2449969 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#70320}
2020-10-05 14:50:59 +00:00
i::FLAG_wasm_max_mem_pages = 32;
i::FLAG_wasm_max_table_size = 100;
[wasm] Avoid executing infinite loops in the wasm fuzzers The wasm-async fuzzer uses the bytes provided by the fuzzer engine directly as wasm module bytes, compiles them with async compilation, and then tries to execute the "main" function of the module. This "main" can have an infinite loop which causes a timeout in the fuzzer. With this CL the "main" function is first executed with the interpreter. If the execution in the interpreter finishes within 16k steps, which means that there is no infinite loop, also the compiled code is executed. I added the raw fuzzer input as a test case because in this case I really want to test the fuzzer and not V8. R=clemensh@chromium.org Bug: chromium:761784 Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162 Reviewed-on: https://chromium-review.googlesource.com/651046 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47874}
2017-09-07 09:48:34 +00:00
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
Reset isolate exceptions in libfuzzer wasm tests. BUG= https://code.google.com/p/v8/issues/detail?id=4203 TEST=wasm-fuzzer R=titzer@chromium.org,kcc@chromium.org LOG=N Review URL: https://codereview.chromium.org/1760033002 Cr-Commit-Position: refs/heads/master@{#34451}
2016-03-03 00:04:52 +00:00
// Clear any pending exceptions from a prior run.
if (i_isolate->has_pending_exception()) {
i_isolate->clear_pending_exception();
}
Adding Wasm + Wasm-asm variant fuzzer. Fixing a memory leak in CompileAndRunModule. BUG= https://code.google.com/p/v8/issues/detail?id=4203 TEST=wasm-fuzzer R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org LOG=N Review URL: https://codereview.chromium.org/1738943004 Cr-Commit-Position: refs/heads/master@{#34415}
2016-03-02 00:53:19 +00:00
v8::Isolate::Scope isolate_scope(isolate);
v8::HandleScope handle_scope(isolate);
v8::Context::Scope context_scope(support->GetContext());
[api] Add callback to set up conditional features Origin trials allow webpages to use experimental features even though the features are not yet enabled by default. These features will then get enabled per execution context: it is possible that the feature is enabled in one execution context but disabled in another execution context. In V8 we check for origin trials by calling a callback provided by the embedder that takes the context as a parameter and returns whether a feature is enabled in this context or not. This approach fails when a feature changes the context itself, e.g. by extending the global object. In that case the context is not available yet to check for the origin trial. To solve the problem this CL adds a new API function that can be called by the embedder to notify V8 that context with the origin trial information is finished. After that V8 can read the origin trial information from the context and extend e.g. the global object with the origin trial features. Additionally to the API this CL also adds code to enable the WebAssembly.Exception constructor conditionally, depending on whether it has been enabled by an origin trial or not. The Blink-side change: https://crrev.com/c/2775573 R=ulan@chromium.org, jkummerow@chromium.org Change-Id: Ic05c4a89eb3e0e31469e49da8767d630c43b2e00 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773287 Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#73597}
2021-03-23 08:02:32 +00:00
// We explicitly enable staged WebAssembly features here to increase fuzzer
// coverage. For libfuzzer fuzzers it is not possible that the fuzzer enables
// the flag by itself.
i::wasm::fuzzer::OneTimeEnableStagedWasmFeatures(isolate);
Adding Wasm + Wasm-asm variant fuzzer. Fixing a memory leak in CompileAndRunModule. BUG= https://code.google.com/p/v8/issues/detail?id=4203 TEST=wasm-fuzzer R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org LOG=N Review URL: https://codereview.chromium.org/1738943004 Cr-Commit-Position: refs/heads/master@{#34415}
2016-03-02 00:53:19 +00:00
v8::TryCatch try_catch(isolate);
[wasm] Avoid executing infinite loops in the wasm fuzzers The wasm-async fuzzer uses the bytes provided by the fuzzer engine directly as wasm module bytes, compiles them with async compilation, and then tries to execute the "main" function of the module. This "main" can have an infinite loop which causes a timeout in the fuzzer. With this CL the "main" function is first executed with the interpreter. If the execution in the interpreter finishes within 16k steps, which means that there is no infinite loop, also the compiled code is executed. I added the raw fuzzer input as a test case because in this case I really want to test the fuzzer and not V8. R=clemensh@chromium.org Bug: chromium:761784 Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162 Reviewed-on: https://chromium-review.googlesource.com/651046 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47874}
2017-09-07 09:48:34 +00:00
i::wasm::testing::SetupIsolateForWasmModule(i_isolate);
[wasm] wasm-fuzzer: Add ability to generate test case Other fuzzers already have this ability. This CL adds it to the fuzzer. The input has to be valid bytes, otherwise we cannot generate the text representation. R=titzer@chromium.org CC=gdeepti@chromium.org Change-Id: If1ba8accc707bee3b042e93f4201949f0233c90e Reviewed-on: https://chromium-review.googlesource.com/1109794 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#53926}
2018-06-21 12:09:36 +00:00
i::wasm::ModuleWireBytes wire_bytes(data, data + size);
[wasm] Avoid executing infinite loops in the wasm fuzzers The wasm-async fuzzer uses the bytes provided by the fuzzer engine directly as wasm module bytes, compiles them with async compilation, and then tries to execute the "main" function of the module. This "main" can have an infinite loop which causes a timeout in the fuzzer. With this CL the "main" function is first executed with the interpreter. If the execution in the interpreter finishes within 16k steps, which means that there is no infinite loop, also the compiled code is executed. I added the raw fuzzer input as a test case because in this case I really want to test the fuzzer and not V8. R=clemensh@chromium.org Bug: chromium:761784 Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162 Reviewed-on: https://chromium-review.googlesource.com/651046 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47874}
2017-09-07 09:48:34 +00:00
i::HandleScope scope(i_isolate);
i::wasm::ErrorThrower thrower(i_isolate, "wasm fuzzer");
i::Handle<i::WasmModuleObject> module_object;
[wasm] Refactor WasmFeatures Make WasmFeatures a proper class which uses an EnumSet under the hood. This way, it inherits all behaviour of EnumSet like comparison, merge, etc. Accesses change from being simple field access into the struct to actually bit tests in the EnumSet. R=mstarzinger@chromium.org Bug: v8:10019 Change-Id: I768f92b90ac0294156f4482defba5ce00bc70165 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1934334 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#65184}
2019-11-26 16:25:14 +00:00
auto enabled_features = i::wasm::WasmFeatures::FromIsolate(i_isolate);
[wasm] Add WasmFeatures to enable/detect features This CL introduces a set of configuration options implemented as a struct of booleans that together comprise the set of enabled or detected features. The configuration options replace command-line flags that were checked deep in the implementation. As such, it is necessary to plumb them through multiple levels of abstraction. R=ahaas@chromium.org CC=mstarzinger@chromium.org BUG=chromium:868844 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I1b82f5826e4fd263f68e8cafcd923bac5818a637 Reviewed-on: https://chromium-review.googlesource.com/1163670 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55018}
2018-08-08 14:54:44 +00:00
bool compiles =
[isolate][cleanup] Remove pointer to WasmEngine The WasmEngine is shared across the whole process, so there is no need to store it in every Isolate. Instead, we can just get it from everywhere on any thread using {wasm::GetWasmEngine()}, which is a simple read of a global. R=jkummerow@chromium.org Bug: v8:11879 Change-Id: I13afb8ca3d116aa14bfaec5a4bbd6d71faa9aa17 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2969825 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#75265}
2021-06-18 14:29:39 +00:00
i::wasm::GetWasmEngine()
[wasm] Add WasmFeatures to enable/detect features This CL introduces a set of configuration options implemented as a struct of booleans that together comprise the set of enabled or detected features. The configuration options replace command-line flags that were checked deep in the implementation. As such, it is necessary to plumb them through multiple levels of abstraction. R=ahaas@chromium.org CC=mstarzinger@chromium.org BUG=chromium:868844 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Change-Id: I1b82f5826e4fd263f68e8cafcd923bac5818a637 Reviewed-on: https://chromium-review.googlesource.com/1163670 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55018}
2018-08-08 14:54:44 +00:00
->SyncCompile(i_isolate, enabled_features, &thrower, wire_bytes)
.ToHandle(&module_object);
[wasm] wasm-fuzzer: Add ability to generate test case Other fuzzers already have this ability. This CL adds it to the fuzzer. The input has to be valid bytes, otherwise we cannot generate the text representation. R=titzer@chromium.org CC=gdeepti@chromium.org Change-Id: If1ba8accc707bee3b042e93f4201949f0233c90e Reviewed-on: https://chromium-review.googlesource.com/1109794 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#53926}
2018-06-21 12:09:36 +00:00
if (i::FLAG_wasm_fuzzer_gen_test) {
i::wasm::fuzzer::GenerateTestCase(i_isolate, wire_bytes, compiles);
}
if (compiles) {
[wasm] Avoid executing infinite loops in the wasm fuzzers The wasm-async fuzzer uses the bytes provided by the fuzzer engine directly as wasm module bytes, compiles them with async compilation, and then tries to execute the "main" function of the module. This "main" can have an infinite loop which causes a timeout in the fuzzer. With this CL the "main" function is first executed with the interpreter. If the execution in the interpreter finishes within 16k steps, which means that there is no infinite loop, also the compiled code is executed. I added the raw fuzzer input as a test case because in this case I really want to test the fuzzer and not V8. R=clemensh@chromium.org Bug: chromium:761784 Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162 Reviewed-on: https://chromium-review.googlesource.com/651046 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#47874}
2017-09-07 09:48:34 +00:00
i::wasm::fuzzer::InterpretAndExecuteModule(i_isolate, module_object);
}
[wasm][fuzzer] Run micro tasks after each fuzzer execution This asserts that we run e.g. GC finalization tasks. Without that, we might run ouf of memory. R=ahaas@chromium.org Bug: chromium:938739 Change-Id: Ic80074f877183bcabb3353fbeff94842a534efab Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1526007 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#60266}
2019-03-15 13:32:37 +00:00
// Pump the message loop and run micro tasks, e.g. GC finalization tasks.
support->PumpMessageLoop(v8::platform::MessageLoopBehavior::kDoNotWait);
[weakrefs] Call Isolate::ClearKeptObjects() as part of microtask checkpoint In the spec, WeakRefs that are dereferenced are kept alive until there's no JS on the stack, and then the host is expected to call ClearKeptObjects to clear those strong references [1]. HTML calls ClearKeptObjects at the end of a PerformMicrotaskCheckpoint [2]. In V8, leaving this up to the embedder is error prone in the same way the deprecated FinalizationGroup callback APIs were error prone: it depends on the embedder doing the right thing. This CL moves the call to ClearKeptObjects to be after running of microtasks within V8. However, the Isolate::ClearKeptObjects API should not be removed or deprecated in case an embedder uses an entirely custom MicrotaskQueue implementation and invokes MicrotaskQueue::PerformCheckpoint manually. [1] https://tc39.es/proposal-weakrefs/#sec-clear-kept-objects [2] https://github.com/whatwg/html/pull/4571 Bug: v8:8179 Change-Id: Ie243804157b56241ca69ed8fad300e839a0c9f75 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2055967 Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#66327}
2020-02-19 01:22:49 +00:00
isolate->PerformMicrotaskCheckpoint();
Adding Wasm + Wasm-asm variant fuzzer. Fixing a memory leak in CompileAndRunModule. BUG= https://code.google.com/p/v8/issues/detail?id=4203 TEST=wasm-fuzzer R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org LOG=N Review URL: https://codereview.chromium.org/1738943004 Cr-Commit-Position: refs/heads/master@{#34415}
2016-03-02 00:53:19 +00:00
return 0;
}
Reference in New Issue Copy Permalink