[wasm] Remove the wasm-asmjs fuzzer

The fuzzer has already been removed from chromium. In addition I removed
code which was only used by this fuzzer.

BUG=chromium:734550
R=clemensh@chromium.org
CC=mstarzinger@chromium.org

Change-Id: I2ff4614e4d64131412ead759318e5c38e38f5d3d
Reviewed-on: https://chromium-review.googlesource.com/542816
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46078}
Andreas Haas 2017-06-21 11:24:03 +02:00 committed by Commit Bot
parent 811643b49b
commit 6828887b85
15 changed files with 25 additions and 158 deletions

2
.gitignore vendored

@ -49,8 +49,6 @@
/test/benchmarks/data
/test/fuzzer/wasm_corpus
/test/fuzzer/wasm_corpus.tar.gz
/test/fuzzer/wasm_asmjs_corpus
/test/fuzzer/wasm_asmjs_corpus.tar.gz
/test/mozilla/data
/test/promises-aplus/promises-tests
/test/promises-aplus/promises-tests.tar.gz


@ -2782,7 +2782,6 @@ group("v8_fuzzers") {
":v8_simple_json_fuzzer",
":v8_simple_parser_fuzzer",
":v8_simple_regexp_fuzzer",
":v8_simple_wasm_asmjs_fuzzer",
":v8_simple_wasm_async_fuzzer",
":v8_simple_wasm_call_fuzzer",
":v8_simple_wasm_code_fuzzer",
@ -3115,26 +3114,6 @@ v8_source_set("wasm_fuzzer") {
v8_fuzzer("wasm_fuzzer") {
}
v8_source_set("wasm_asmjs_fuzzer") {
sources = [
"test/fuzzer/wasm-asmjs.cc",
]
deps = [
":fuzzer_support",
":lib_wasm_fuzzer_common",
":wasm_module_runner",
]
configs = [
":external_config",
":internal_config_base",
]
}
v8_fuzzer("wasm_asmjs_fuzzer") {
}
v8_source_set("wasm_async_fuzzer") {
sources = [
"test/fuzzer/wasm-async.cc",


@ -128,7 +128,6 @@ v8_isolate_run("fuzzer") {
"..:v8_simple_json_fuzzer",
"..:v8_simple_parser_fuzzer",
"..:v8_simple_regexp_fuzzer",
"..:v8_simple_wasm_asmjs_fuzzer",
"..:v8_simple_wasm_fuzzer",
]


@ -287,8 +287,7 @@ class WasmSerializationTest {
Handle<Object> params[1] = {
Handle<Object>(Smi::FromInt(41), current_isolate())};
int32_t result = testing::CallWasmFunctionForTesting(
current_isolate(), instance, &thrower, kFunctionName, 1, params,
ModuleOrigin::kWasmOrigin);
current_isolate(), instance, &thrower, kFunctionName, 1, params);
CHECK(result == 42);
}
@ -707,8 +706,7 @@ TEST(TestInterruptLoop) {
InterruptThread thread(isolate, memory_array);
thread.Start();
testing::RunWasmModuleForTesting(isolate, instance, 0, nullptr,
ModuleOrigin::kWasmOrigin);
testing::RunWasmModuleForTesting(isolate, instance, 0, nullptr);
int32_t val = memory_array[InterruptThread::interrupt_location_];
CHECK_EQ(InterruptThread::interrupt_value_,
ReadLittleEndianValue<int32_t>(&val));
@ -790,15 +788,14 @@ TEST(Run_WasmModule_GrowMemOobFixedIndex) {
for (uint32_t i = 1; i < 5; i++) {
Handle<Object> params[1] = {Handle<Object>(Smi::FromInt(i), isolate)};
v8::TryCatch try_catch(reinterpret_cast<v8::Isolate*>(isolate));
testing::RunWasmModuleForTesting(isolate, instance, 1, params,
ModuleOrigin::kWasmOrigin);
testing::RunWasmModuleForTesting(isolate, instance, 1, params);
CHECK(try_catch.HasCaught());
isolate->clear_pending_exception();
}
Handle<Object> params[1] = {Handle<Object>(Smi::FromInt(1), isolate)};
int32_t result = testing::RunWasmModuleForTesting(
isolate, instance, 1, params, ModuleOrigin::kWasmOrigin);
int32_t result =
testing::RunWasmModuleForTesting(isolate, instance, 1, params);
CHECK(result == 0xaced);
}
Cleanup();
@ -840,8 +837,7 @@ TEST(Run_WasmModule_GrowMemOobVariableIndex) {
Handle<Object> params[1] = {
Handle<Object>(Smi::FromInt((16 + i) * kPageSize - 3), isolate)};
v8::TryCatch try_catch(reinterpret_cast<v8::Isolate*>(isolate));
testing::RunWasmModuleForTesting(isolate, instance, 1, params,
ModuleOrigin::kWasmOrigin);
testing::RunWasmModuleForTesting(isolate, instance, 1, params);
CHECK(try_catch.HasCaught());
isolate->clear_pending_exception();
}
@ -849,16 +845,15 @@ TEST(Run_WasmModule_GrowMemOobVariableIndex) {
for (int i = 1; i < 5; i++) {
Handle<Object> params[1] = {
Handle<Object>(Smi::FromInt((20 + i) * kPageSize - 4), isolate)};
int32_t result = testing::RunWasmModuleForTesting(
isolate, instance, 1, params, ModuleOrigin::kWasmOrigin);
int32_t result =
testing::RunWasmModuleForTesting(isolate, instance, 1, params);
CHECK(result == 0xaced);
}
v8::TryCatch try_catch(reinterpret_cast<v8::Isolate*>(isolate));
Handle<Object> params[1] = {
Handle<Object>(Smi::FromInt(25 * kPageSize), isolate)};
testing::RunWasmModuleForTesting(isolate, instance, 1, params,
ModuleOrigin::kWasmOrigin);
testing::RunWasmModuleForTesting(isolate, instance, 1, params);
CHECK(try_catch.HasCaught());
isolate->clear_pending_exception();
}
@ -1119,8 +1114,7 @@ TEST(Run_WasmModule_Buffer_Externalized_GrowMem) {
// Externalize should make no difference without the JS API as in this case
// the buffer is not detached.
v8::Utils::ToLocal(memory)->Externalize();
result = testing::RunWasmModuleForTesting(isolate, instance, 0, nullptr,
ModuleOrigin::kWasmOrigin);
result = testing::RunWasmModuleForTesting(isolate, instance, 0, nullptr);
CHECK_EQ(kExpectedValue, result);
// Free the buffer as the tracker does not know about it.
const v8::ArrayBuffer::Allocator::AllocationMode allocation_mode =


@ -43,12 +43,10 @@ std::unique_ptr<WasmModule> DecodeWasmModuleForTesting(
}
int32_t RunWasmModuleForTesting(Isolate* isolate, Handle<JSObject> instance,
int argc, Handle<Object> argv[],
ModuleOrigin origin) {
int argc, Handle<Object> argv[]) {
ErrorThrower thrower(isolate, "RunWasmModule");
const char* f_name = origin == ModuleOrigin::kAsmJsOrigin ? "caller" : "main";
return CallWasmFunctionForTesting(isolate, instance, &thrower, f_name, argc,
argv, origin);
return CallWasmFunctionForTesting(isolate, instance, &thrower, "main", argc,
argv);
}
int32_t CompileAndRunWasmModule(Isolate* isolate, const byte* module_start,
@ -61,7 +59,7 @@ int32_t CompileAndRunWasmModule(Isolate* isolate, const byte* module_start,
return -1;
}
return RunWasmModuleForTesting(isolate, instance.ToHandleChecked(), 0,
nullptr, kWasmOrigin);
nullptr);
}
int32_t CompileAndRunAsmWasmModule(Isolate* isolate, const byte* module_start,
@ -81,7 +79,7 @@ int32_t CompileAndRunAsmWasmModule(Isolate* isolate, const byte* module_start,
if (instance.is_null()) return -1;
return RunWasmModuleForTesting(isolate, instance.ToHandleChecked(), 0,
nullptr, kAsmJsOrigin);
nullptr);
}
int32_t InterpretWasmModule(Isolate* isolate,
Handle<WasmInstanceObject> instance,
@ -115,16 +113,12 @@ int32_t InterpretWasmModule(Isolate* isolate,
int32_t CallWasmFunctionForTesting(Isolate* isolate, Handle<JSObject> instance,
ErrorThrower* thrower, const char* name,
int argc, Handle<Object> argv[],
ModuleOrigin origin) {
int argc, Handle<Object> argv[]) {
Handle<JSObject> exports_object;
if (origin == ModuleOrigin::kAsmJsOrigin) {
exports_object = instance;
} else {
Handle<Name> exports = isolate->factory()->InternalizeUtf8String("exports");
exports_object = Handle<JSObject>::cast(
JSObject::GetProperty(instance, exports).ToHandleChecked());
}
Handle<Name> exports = isolate->factory()->InternalizeUtf8String("exports");
exports_object = Handle<JSObject>::cast(
JSObject::GetProperty(instance, exports).ToHandleChecked());
Handle<Name> main_name = isolate->factory()->NewStringFromAsciiChecked(name);
PropertyDescriptor desc;
Maybe<bool> property_found = JSReceiver::GetOwnPropertyDescriptor(
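Review bot: `CompileAndRunAsmWasmModule` is still defined in this file: the third hunk only drops `kAsmJsOrigin` from its `RunWasmModuleForTesting` call, while the commit message says asm.js-only code is removed and the header hunk appears to delete its declaration. With the origin parameter gone, that function would now resolve `main` on the instance's `exports` object instead of taking the old asm.js path (`caller` looked up on the instance itself), so any remaining caller would silently exercise the wrong entry point. I would delete the whole definition rather than patch its call site. Its body starts outside the hunk, so confirm nothing else in it is still needed.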


@ -29,19 +29,13 @@ std::unique_ptr<WasmModule> DecodeWasmModuleForTesting(
int32_t CallWasmFunctionForTesting(Isolate* isolate, Handle<JSObject> instance,
ErrorThrower* thrower, const char* name,
int argc, Handle<Object> argv[],
ModuleOrigin origin);
int argc, Handle<Object> argv[]);
// Decode, verify, and run the function labeled "main" in the
// given encoded module. The module should have no imports.
int32_t CompileAndRunWasmModule(Isolate* isolate, const byte* module_start,
const byte* module_end);
// Decode, verify, and run the function labeled "main" in the given encoded
// module, originating from asm.js. The module should have no imports.
int32_t CompileAndRunAsmWasmModule(Isolate* isolate, const byte* module_start,
const byte* module_end);
// Interprets the given module, starting at the function specified by
// {function_index}. The return type of the function has to be int32. The module
// should not have any imports or exports
@ -52,8 +46,7 @@ int32_t InterpretWasmModule(Isolate* isolate,
// Runs the module instance with arguments.
int32_t RunWasmModuleForTesting(Isolate* isolate, Handle<JSObject> instance,
int argc, Handle<Object> argv[],
ModuleOrigin origin);
int argc, Handle<Object> argv[]);
// Install function map, module symbol for testing
void SetupIsolateForWasmModule(Isolate* isolate);
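Review bot: The comment `// Runs the module instance with arguments.` on `RunWasmModuleForTesting` no longer tells a caller which function is invoked now that the origin parameter is gone. Judging by the runner implementation in this commit, the entry point is always the export named `main`, read from the instance's `exports` property. I would state that, e.g. `// Calls the exported function "main" of the given wasm instance with {argc} arguments from {argv}.` It may also be worth noting on `CallWasmFunctionForTesting` (its comment lies above this hunk) that the instance must have an `exports` object, since the asm.js branch that used the instance directly appears to have been removed.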


@ -118,35 +118,6 @@
'../common/wasm/wasm-module-runner.h',
],
},
{
'target_name': 'v8_simple_wasm_asmjs_fuzzer',
'type': 'executable',
'dependencies': [
'wasm_asmjs_fuzzer_lib',
],
'include_dirs': [
'../..',
],
'sources': [
'fuzzer.cc',
],
},
{
'target_name': 'wasm_asmjs_fuzzer_lib',
'type': 'static_library',
'dependencies': [
'../../src/v8.gyp:v8_libplatform',
'fuzzer_support',
],
'include_dirs': [
'../..',
],
'sources': [ ### gcmole(all) ###
'wasm-asmjs.cc',
'../common/wasm/wasm-module-runner.cc',
'../common/wasm/wasm-module-runner.h',
],
},
{
'target_name': 'v8_simple_wasm_async_fuzzer',
'type': 'executable',
@ -525,7 +496,6 @@
'v8_simple_parser_fuzzer',
'v8_simple_regexp_fuzzer',
'v8_simple_wasm_fuzzer',
'v8_simple_wasm_asmjs_fuzzer',
],
'includes': [
'../../gypfiles/isolate.gypi',


@ -9,7 +9,6 @@
'<(PRODUCT_DIR)/v8_simple_parser_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/v8_simple_regexp_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/v8_simple_wasm_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/v8_simple_wasm_asmjs_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/v8_simple_wasm_async_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/v8_simple_wasm_call_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/v8_simple_wasm_code_fuzzer<(EXECUTABLE_SUFFIX)',
@ -27,7 +26,6 @@
'./parser/',
'./regexp/',
'./wasm/',
'./wasm_asmjs/',
'./wasm_async/',
'./wasm_call/',
'./wasm_code/',


@ -18,7 +18,7 @@ class FuzzerVariantGenerator(testsuite.VariantGenerator):
class FuzzerTestSuite(testsuite.TestSuite):
SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', 'wasm_async',
SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_async',
'wasm_call', 'wasm_code', 'wasm_compile', 'wasm_data_section',
'wasm_function_sigs_section', 'wasm_globals_section',
'wasm_imports_section', 'wasm_memory_section', 'wasm_names_section',


@ -1,43 +0,0 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include "include/v8.h"
#include "src/factory.h"
#include "src/isolate-inl.h"
#include "src/isolate.h"
#include "src/objects-inl.h"
#include "src/objects.h"
#include "src/wasm/wasm-module.h"
#include "test/common/wasm/flag-utils.h"
#include "test/common/wasm/wasm-module-runner.h"
#include "test/fuzzer/fuzzer-support.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
v8::internal::FlagScope<uint32_t> max_mem_flag_scope(
&v8::internal::FLAG_wasm_max_mem_pages, 32);
v8::internal::FlagScope<uint32_t> max_table_size_scope(
&v8::internal::FLAG_wasm_max_table_size, 100);
v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
v8::Isolate* isolate = support->GetIsolate();
v8::internal::Isolate* i_isolate =
reinterpret_cast<v8::internal::Isolate*>(isolate);
// Clear any pending exceptions from a prior run.
if (i_isolate->has_pending_exception()) {
i_isolate->clear_pending_exception();
}
v8::Isolate::Scope isolate_scope(isolate);
v8::HandleScope handle_scope(isolate);
v8::Context::Scope context_scope(support->GetContext());
v8::TryCatch try_catch(isolate);
v8::internal::wasm::testing::SetupIsolateForWasmModule(i_isolate);
v8::internal::wasm::testing::CompileAndRunAsmWasmModule(i_isolate, data,
data + size);
return 0;
}


@ -71,7 +71,7 @@ void InstantiateCallback(const v8::FunctionCallbackInfo<v8::Value>& args) {
if (!maybe_instance.ToHandle(&instance)) {
return;
}
RunWasmModuleForTesting(i_isolate, instance, 0, nullptr, kWasmOrigin);
RunWasmModuleForTesting(i_isolate, instance, 0, nullptr);
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {


@ -172,7 +172,7 @@ int WasmExecutionFuzzer::FuzzWasmModule(
DCHECK(!compiler_thrower.error());
result_compiled = testing::CallWasmFunctionForTesting(
i_isolate, compiled_instance.ToHandleChecked(), &compiler_thrower,
"main", num_args, compiler_args.get(), ModuleOrigin::kWasmOrigin);
"main", num_args, compiler_args.get());
}
// The WebAssembly spec allows the sign bit of NaN to be non-deterministic.


@ -1 +0,0 @@
cf1777646f8d4557504442e9bd59e908519ffec8


@ -10,20 +10,11 @@ TOOLS_WASM_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd ${TOOLS_WASM_DIR}/../..
rm -rf test/fuzzer/wasm_corpus
rm -rf test/fuzzer/wasm_asmjs_corpus
tools/dev/gm.py x64.release all
mkdir -p test/fuzzer/wasm_corpus
mkdir -p test/fuzzer/wasm_asmjs_corpus
# asm.js
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
--mode=release --no-presubmit --extra-flags="--dump-wasm-module \
--dump-wasm-module-path=./test/fuzzer/wasm_asmjs_corpus/" mjsunit/wasm/asm*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
--mode=release --no-presubmit --extra-flags="--dump-wasm-module \
--dump-wasm-module-path=./test/fuzzer/wasm_asmjs_corpus/" mjsunit/asm/*
# wasm
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
--mode=release --no-presubmit --extra-flags="--dump-wasm-module \
@ -45,12 +36,7 @@ for x in $(find ./test/fuzzer/wasm_corpus/ -type f -size +20k)
do
rm $x
done
for x in $(find ./test/fuzzer/wasm_asmjs_corpus/ -type f -size +20k)
do
rm $x
done
# Upload changes.
cd test/fuzzer
upload_to_google_storage.py -a -b v8-wasm-fuzzer wasm_corpus
upload_to_google_storage.py -a -b v8-wasm-asmjs-fuzzer wasm_asmjs_corpus