From 3864e1f2da21f4d4640a850c15108a4afd2f9185 Mon Sep 17 00:00:00 2001
From: Michael Achenbach
Date: Wed, 17 Jun 2020 18:56:54 +0200
Subject: [PATCH] [fuzzing] Use --fuzzing flag for allowed runtime functions

This subsumes the old behavior of --allow-natives-for-fuzzing under --fuzzing as well. Both flags are used in a redundant way in fuzz configs. Only --allow-natives-for-fuzzing wasn't specified as a required argument, leading to the bug below.

We still need the flag --allow-natives-for-differential-fuzzing to allow different functions when using differential fuzzing.

Bug: chromium:1094866
Change-Id: I398791779e58ed4d80e896c1cfea343848159212
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2246568
Commit-Queue: Michael Achenbach
Reviewed-by: Georg Neis
Reviewed-by: Jakob Gruber
Cr-Commit-Position: refs/heads/master@{#68401}
---
 src/flags/flag-definitions.h | 6 +-----
 src/parsing/parser.cc | 6 +++---
 src/runtime/runtime.cc | 2 +-
 test/mjsunit/call-intrinsic-fuzzing.js | 2 +-
 test/mjsunit/regress/regress-crbug-754177.js | 2 +-
 5 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/src/flags/flag-definitions.h b/src/flags/flag-definitions.h
index 72e403756a..d1988bc9ff 100644
--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@@ -1270,15 +1270,11 @@ DEFINE_IMPLICATION(trace_maps, log_code)
 // parser.cc
 DEFINE_BOOL(allow_natives_syntax, false, "allow natives syntax")
-DEFINE_BOOL(allow_natives_for_fuzzing, false,
-            "allow only natives explicitly whitelisted for fuzzers")
 DEFINE_BOOL(allow_natives_for_differential_fuzzing, false,
             "allow only natives explicitly whitelisted for differential "
             "fuzzers")
 DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing,
                    allow_natives_syntax)
-DEFINE_IMPLICATION(allow_natives_for_fuzzing, allow_natives_syntax)
-DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing,
-                   allow_natives_for_fuzzing)
+DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing, fuzzing)
 DEFINE_BOOL(parse_only, false, "only parse the sources")
 
 // simulator-arm.cc, simulator-arm64.cc and simulator-mips.cc
diff --git a/src/parsing/parser.cc b/src/parsing/parser.cc
index 63b8b9c6f9..b660b682a2 100644
--- a/src/parsing/parser.cc
+++ b/src/parsing/parser.cc
@@ -357,8 +357,8 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
   const Runtime::Function* function =
       Runtime::FunctionForName(name->raw_data(), name->length());
 
-  // Be more premissive when fuzzing. Intrinsics are not supported.
-  if (FLAG_allow_natives_for_fuzzing) {
+  // Be more permissive when fuzzing. Intrinsics are not supported.
+  if (FLAG_fuzzing) {
     return NewV8RuntimeFunctionForFuzzing(function, args, pos);
   }
 
@@ -392,7 +392,7 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
 Expression* Parser::NewV8RuntimeFunctionForFuzzing(
     const Runtime::Function* function, const ScopedPtrList& args,
     int pos) {
-  CHECK(FLAG_allow_natives_for_fuzzing);
+  CHECK(FLAG_fuzzing);
 
   // Intrinsics are not supported for fuzzing. Only allow whitelisted runtime
   // functions. Also prevent later errors due to too few arguments and just
diff --git a/src/runtime/runtime.cc b/src/runtime/runtime.cc
index bd6853de8e..162b1bca09 100644
--- a/src/runtime/runtime.cc
+++ b/src/runtime/runtime.cc
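Review bot: With `DEFINE_IMPLICATION(allow_natives_for_fuzzing, allow_natives_syntax)` removed and nothing in this hunk implying `allow_natives_syntax` from `fuzzing`, `--fuzzing` on its own no longer enables the `%` intrinsic syntax through which parser.cc's permissive path is reached. The test change in this patch passes `--allow-natives-syntax --fuzzing` together, which suggests that is intended, but the new implication line does not say so, and `fuzzing` itself is defined outside the hunk. A one-line comment beside the new implication would keep fuzz configs from dropping one of the two flags: `// --fuzzing gates the whitelisted runtime functions (parser.cc, runtime.cc) but does not imply allow_natives_syntax; fuzz configs must pass both.`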
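Review bot: The early `return` under `FLAG_fuzzing` leaves `NewV8Intrinsic` before whatever handling follows on the non-fuzzing path (the rest of the function is outside the hunk), so `NewV8RuntimeFunctionForFuzzing` alone is responsible for rejecting non-whitelisted functions and for a lookup miss from `Runtime::FunctionForName`, if that can return null; the comment should state that responsibility rather than just "be more permissive". Suggested wording: `// Be more permissive when fuzzing: skip the normal intrinsic path; NewV8RuntimeFunctionForFuzzing applies the fuzzing whitelist and handles unknown names.` The whitelist reference is inferred from the second hunk's comment and from runtime.cc's `IsWhitelistedForFuzzing`, which this patch gates on the same flag.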
@@ -193,7 +193,7 @@ bool Runtime::MayAllocate(FunctionId id) {
 }
 
 bool Runtime::IsWhitelistedForFuzzing(FunctionId id) {
-  CHECK(FLAG_allow_natives_for_fuzzing);
+  CHECK(FLAG_fuzzing);
   switch (id) {
     // Runtime functions whitelisted for all fuzzers. Only add functions that
     // help increase coverage.
diff --git a/test/mjsunit/call-intrinsic-fuzzing.js b/test/mjsunit/call-intrinsic-fuzzing.js
index f76dd42d71..9d33f742a2 100644
--- a/test/mjsunit/call-intrinsic-fuzzing.js
+++ b/test/mjsunit/call-intrinsic-fuzzing.js
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --allow-natives-for-fuzzing --fuzzing
+// Flags: --allow-natives-syntax --fuzzing
 
 // Test whitelisted/blacklisted intrinsics in the context of fuzzing.
 
diff --git a/test/mjsunit/regress/regress-crbug-754177.js b/test/mjsunit/regress/regress-crbug-754177.js
index 74685366d4..b4f1cea2de 100644
--- a/test/mjsunit/regress/regress-crbug-754177.js
+++ b/test/mjsunit/regress/regress-crbug-754177.js
@@ -9,7 +9,7 @@
 %NeverOptimizeFunction(true);
 %NeverOptimizeFunction(1);
 %NeverOptimizeFunction({});
-assertThrows("%NeverOptimizeFunction()", SyntaxError);
+%NeverOptimizeFunction();
 %PrepareFunctionForOptimization(print);
 %OptimizeFunctionOnNextCall(print);