[wasm][fuzzer] Fuzz Liftoff debug code paths

Add a flag similar to the tiering mask to choose between regular baseline code or debug code in Liftoff. R=clemensb@chromium.org Bug: chromium:1183774 Change-Id: I0e87154e2e1cd57679ce0c57bb1e075a97691248 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2807603 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/master@{#73833}
2021-04-06 17:42:44 +02:00 · 2021-04-06 17:42:44 +02:00 · 7a4cece4d6
commit 7a4cece4d6
parent b0b4e6cabb
3 changed files with 26 additions and 6 deletions
--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@ -909,10 +909,14 @@ DEFINE_DEBUG_BOOL(trace_liftoff, false,
                  "trace Liftoff, the baseline compiler for WebAssembly")
 DEFINE_BOOL(trace_wasm_memory, false,
            "print all memory updates performed in wasm code")
-// Fuzzers use {wasm_tier_mask_for_testing} together with {liftoff} and
-// {no_wasm_tier_up} to force some functions to be compiled with Turbofan.
+// Fuzzers use {wasm_tier_mask_for_testing} and {wasm_debug_mask_for_testing}
+// together with {liftoff} and {no_wasm_tier_up} to force some functions to be
+// compiled with Turbofan or for debug.
 DEFINE_INT(wasm_tier_mask_for_testing, 0,
           "bitmask of functions to compile with TurboFan instead of Liftoff")
+DEFINE_INT(wasm_debug_mask_for_testing, 0,
+           "bitmask of functions to compile for debugging, only applies if the "
+           "tier is Liftoff")

 DEFINE_BOOL(validate_asm, true, "validate asm.js modules before compiling")
 // asm.js validation is disabled since it triggers wasm code generation.
--- a/src/wasm/function-compiler.cc
+++ b/src/wasm/function-compiler.cc
@ -14,6 +14,7 @@
 #include "src/utils/ostreams.h"
 #include "src/wasm/baseline/liftoff-compiler.h"
 #include "src/wasm/wasm-code-manager.h"
+#include "src/wasm/wasm-debug.h"
 #include "src/wasm/wasm-engine.h"

 namespace v8 {
@ -189,13 +190,24 @@ WasmCompilationResult WasmCompilationUnit::ExecuteFunctionCompilation(

    case ExecutionTier::kLiftoff:
      // The --wasm-tier-mask-for-testing flag can force functions to be
-      // compiled with TurboFan, see documentation.
+      // compiled with TurboFan, and the --wasm-debug-mask-for-testing can force
+      // them to be compiled for debugging, see documentation.
      if (V8_LIKELY(FLAG_wasm_tier_mask_for_testing == 0) ||
          func_index_ >= 32 ||
          ((FLAG_wasm_tier_mask_for_testing & (1 << func_index_)) == 0)) {
-        result = ExecuteLiftoffCompilation(wasm_engine->allocator(), env,
-                                           func_body, func_index_,
-                                           for_debugging_, counters, detected);
+        if (V8_LIKELY(func_index_ >= 32 || (FLAG_wasm_debug_mask_for_testing &
+                                            (1 << func_index_)) == 0)) {
+          result = ExecuteLiftoffCompilation(
+              wasm_engine->allocator(), env, func_body, func_index_,
+              for_debugging_, counters, detected);
+        } else {
+          // We don't use the debug side table, we only pass it to cover
+          // different code paths in Liftoff for testing.
+          std::unique_ptr<DebugSideTable> debug_sidetable;
+          result = ExecuteLiftoffCompilation(
+              wasm_engine->allocator(), env, func_body, func_index_,
+              kForDebugging, counters, detected, {}, &debug_sidetable);
+        }
        if (result.succeeded()) break;
      }

--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@ -359,6 +359,8 @@ void WasmExecutionFuzzer::FuzzWasmModule(Vector<const uint8_t> data,
  // compiled with Turbofan and which one with Liftoff.
  uint8_t tier_mask = data.empty() ? 0 : data[0];
  if (!data.empty()) data += 1;
+  uint8_t debug_mask = data.empty() ? 0 : data[0];
+  if (!data.empty()) data += 1;
  if (!GenerateModule(i_isolate, &zone, data, &buffer, &num_args,
                      &interpreter_args, &compiler_args)) {
    return;
@ -377,6 +379,8 @@ void WasmExecutionFuzzer::FuzzWasmModule(Vector<const uint8_t> data,
    FlagScope<bool> liftoff(&FLAG_liftoff, true);
    FlagScope<bool> no_tier_up(&FLAG_wasm_tier_up, false);
    FlagScope<int> tier_mask_scope(&FLAG_wasm_tier_mask_for_testing, tier_mask);
+    FlagScope<int> debug_mask_scope(&FLAG_wasm_debug_mask_for_testing,
+                                    debug_mask);
    compiled_module = i_isolate->wasm_engine()->SyncCompile(
        i_isolate, enabled_features, &interpreter_thrower, wire_bytes);
  }