AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Adding Wasm + Wasm-asm variant fuzzer.

Browse Source 
Fixing a memory leak in CompileAndRunModule.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/1738943004

Cr-Commit-Position: refs/heads/master@{#34415}
This commit is contained in:
bradnelson 2016-03-01 16:53:19 -08:00 committed by Commit bot
parent 657538dee3
commit cb028ac0e4
9 changed files with 162 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
BUILD.gn
View File

@ -2044,3 +2044,41 @@ source_set("regexp_fuzzer") {
":toolchain",
]
}
source_set("wasm_fuzzer") {
sources = [
"test/fuzzer/wasm.cc",
]
deps = [
":fuzzer_support",
]
configs -= [ "//build/config/compiler:chromium_code" ]
configs += [ "//build/config/compiler:no_chromium_code" ]
configs += [
":internal_config",
":libplatform_config",
":features",
":toolchain",
]
}
source_set("wasm_asmjs_fuzzer") {
sources = [
"test/fuzzer/wasm-asmjs.cc",
]
deps = [
":fuzzer_support",
]
configs -= [ "//build/config/compiler:chromium_code" ]
configs += [ "//build/config/compiler:no_chromium_code" ]
configs += [
":internal_config",
":libplatform_config",
":features",
":toolchain",
]
}

3
src/wasm/wasm-module.cc
View File

@ -515,6 +515,9 @@ int32_t CompileAndRunWasmModule(Isolate* isolate, const byte* module_start,
ModuleResult result = DecodeWasmModule(isolate, &zone, module_start,
module_end, false, kWasmOrigin);
if (result.failed()) {
if (result.val) {
delete result.val;
}
// Module verification failed. throw.
std::ostringstream str;
str << "WASM.compileRun() failed: " << result;

52
test/fuzzer/fuzzer.gyp
View File

@ -86,6 +86,58 @@
'regexp.cc',
],
},
{
'target_name': 'wasm_fuzzer',
'type': 'executable',
'dependencies': [
'wasm_fuzzer_lib',
],
'include_dirs': [
'../..',
],
'sources': [
'fuzzer.cc',
],
},
{
'target_name': 'wasm_fuzzer_lib',
'type': 'static_library',
'dependencies': [
'fuzzer_support',
],
'include_dirs': [
'../..',
],
'sources': [ ### gcmole(all) ###
'wasm.cc',
],
},
{
'target_name': 'wasm_asmjs_fuzzer',
'type': 'executable',
'dependencies': [
'wasm_asmjs_fuzzer_lib',
],
'include_dirs': [
'../..',
],
'sources': [
'fuzzer.cc',
],
},
{
'target_name': 'wasm_asmjs_fuzzer_lib',
'type': 'static_library',
'dependencies': [
'fuzzer_support',
],
'include_dirs': [
'../..',
],
'sources': [ ### gcmole(all) ###
'wasm-asmjs.cc',
],
},
{
'target_name': 'fuzzer_support',
'type': 'static_library',

4
test/fuzzer/fuzzer.isolate
View File

@ -8,11 +8,15 @@
'<(PRODUCT_DIR)/json_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/parser_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/regexp_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/wasm_fuzzer<(EXECUTABLE_SUFFIX)',
'<(PRODUCT_DIR)/wasm_asmjs_fuzzer<(EXECUTABLE_SUFFIX)',
'./fuzzer.status',
'./testcfg.py',
'./json/',
'./parser/',
'./regexp/',
'./wasm/',
'./wasm_asmjs/',
],
},
'includes': [

2
test/fuzzer/testcfg.py
View File

@ -18,7 +18,7 @@ class FuzzerVariantGenerator(testsuite.VariantGenerator):
class FuzzerTestSuite(testsuite.TestSuite):
SUB_TESTS = ( 'json', 'parser', 'regexp', )
SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', )
def __init__(self, name, root):
super(FuzzerTestSuite, self).__init__(name, root)

32
test/fuzzer/wasm-asmjs.cc Normal file
View File

@ -0,0 +1,32 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include "include/v8.h"
#include "src/factory.h"
#include "src/isolate.h"
#include "src/objects-inl.h"
#include "src/objects.h"
#include "src/wasm/wasm-js.h"
#include "src/wasm/wasm-module.h"
#include "test/fuzzer/fuzzer-support.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
v8::Isolate* isolate = support->GetIsolate();
v8::internal::Isolate* i_isolate =
reinterpret_cast<v8::internal::Isolate*>(isolate);
v8::Isolate::Scope isolate_scope(isolate);
v8::HandleScope handle_scope(isolate);
v8::Context::Scope context_scope(support->GetContext());
v8::TryCatch try_catch(isolate);
v8::internal::WasmJs::InstallWasmFunctionMap(i_isolate,
i_isolate->native_context());
v8::internal::wasm::CompileAndRunWasmModule(i_isolate, data, data + size,
true);
return 0;
}

32
test/fuzzer/wasm.cc Normal file
View File

@ -0,0 +1,32 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include "include/v8.h"
#include "src/factory.h"
#include "src/isolate.h"
#include "src/objects-inl.h"
#include "src/objects.h"
#include "src/wasm/wasm-js.h"
#include "src/wasm/wasm-module.h"
#include "test/fuzzer/fuzzer-support.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
v8::Isolate* isolate = support->GetIsolate();
v8::internal::Isolate* i_isolate =
reinterpret_cast<v8::internal::Isolate*>(isolate);
v8::Isolate::Scope isolate_scope(isolate);
v8::HandleScope handle_scope(isolate);
v8::Context::Scope context_scope(support->GetContext());
v8::TryCatch try_catch(isolate);
v8::internal::WasmJs::InstallWasmFunctionMap(i_isolate,
i_isolate->native_context());
v8::internal::wasm::CompileAndRunWasmModule(i_isolate, data, data + size,
false);
return 0;
}

BIN
test/fuzzer/wasm/foo.wasm Normal file
View File

Binary file not shown.

BIN
test/fuzzer/wasm_asmjs/foo.wasm Normal file
View File

Binary file not shown.