From f7d169c6009c66497331bbd2bf6d14f8baf50445 Mon Sep 17 00:00:00 2001
From: Clemens Backes <clemensb@chromium.org>
Date: Tue, 18 Aug 2020 10:14:25 +0200
Subject: [PATCH] Reland "[wasm][fuzzer] Fix exception detection"

This is a reland of 899cb34868c06443c164da98b27134d5e11c128e.
The new fuzzer regression test is skipped in jitless.

Original change's description:
> [wasm][fuzzer] Fix exception detection
>
> Exceptions were detected by checking for a pending exception on the
> isolate, but {CallWasmFunctionForTesting} was clearing any pending
> exception before returning.
> This CL fixes that by explicitly passing back a boolean which is set if
> an exception occurred during execution.
>
> R=ahaas@chromium.org
>
> Bug: chromium:1115280
> Change-Id: Ife71ceef0751d18e0870335b9520c2bf77e351cc
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2352787
> Reviewed-by: Andreas Haas <ahaas@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#69404}

Bug: chromium:1115280
Change-Id: I9bb7300d423c53214e51e61233b0a6b09a21fd97
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2361464
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69446}
---
 test/common/wasm/wasm-module-runner.cc |   4 +++-
 test/common/wasm/wasm-module-runner.h  |   6 ++++--
 test/fuzzer/fuzzer.status              |   1 +
 test/fuzzer/wasm-fuzzer-common.cc      |  10 ++++------
 test/fuzzer/wasm/regress-1115280.wasm  | Bin 0 -> 35 bytes
 5 files changed, 12 insertions(+), 9 deletions(-)
 create mode 100644 test/fuzzer/wasm/regress-1115280.wasm

diff --git a/test/common/wasm/wasm-module-runner.cc b/test/common/wasm/wasm-module-runner.cc
index 8e6de864a4..2d1fbeaed8 100644
--- a/test/common/wasm/wasm-module-runner.cc
+++ b/test/common/wasm/wasm-module-runner.cc
@@ -172,7 +172,8 @@ MaybeHandle<WasmExportedFunction> GetExportedFunction(
 int32_t CallWasmFunctionForTesting(Isolate* isolate,
                                    Handle<WasmInstanceObject> instance,
                                    const char* name, int argc,
-                                   Handle<Object> argv[]) {
+                                   Handle<Object> argv[], bool* exception) {
+  if (exception) *exception = false;
   MaybeHandle<WasmExportedFunction> maybe_export =
       GetExportedFunction(isolate, instance, name);
   Handle<WasmExportedFunction> main_export;
@@ -189,6 +190,7 @@ int32_t CallWasmFunctionForTesting(Isolate* isolate,
   if (retval.is_null()) {
     DCHECK(isolate->has_pending_exception());
     isolate->clear_pending_exception();
+    if (exception) *exception = true;
     return -1;
   }
   Handle<Object> result = retval.ToHandleChecked();
diff --git a/test/common/wasm/wasm-module-runner.h b/test/common/wasm/wasm-module-runner.h
index a7852c4512..8b5657d89d 100644
--- a/test/common/wasm/wasm-module-runner.h
+++ b/test/common/wasm/wasm-module-runner.h
@@ -31,11 +31,13 @@ MaybeHandle<WasmExportedFunction> GetExportedFunction(
 
 // Call an exported wasm function by name. Returns -1 if the export does not
 // exist or throws an error. Errors are cleared from the isolate before
-// returning.
+// returning. {exception} is set to to true if an exception happened during
+// execution of the wasm function.
 int32_t CallWasmFunctionForTesting(Isolate* isolate,
                                    Handle<WasmInstanceObject> instance,
                                    const char* name, int argc,
-                                   Handle<Object> argv[]);
+                                   Handle<Object> argv[],
+                                   bool* exception = nullptr);
 
 // Decode, verify, and run the function labeled "main" in the
 // given encoded module. The module should have no imports.
diff --git a/test/fuzzer/fuzzer.status b/test/fuzzer/fuzzer.status
index 0a08dfa2e9..f865018cc5 100644
--- a/test/fuzzer/fuzzer.status
+++ b/test/fuzzer/fuzzer.status
@@ -8,6 +8,7 @@
 ['lite_mode or variant == jitless', {
   # TODO(v8:7777): Re-enable once wasm is supported in jitless mode.
   'multi_return/*': [SKIP],
+  'wasm/*': [SKIP],
   'wasm_async/*': [SKIP],
   'wasm_code/*': [SKIP],
   'wasm_compile/*': [SKIP],
diff --git a/test/fuzzer/wasm-fuzzer-common.cc b/test/fuzzer/wasm-fuzzer-common.cc
index f8ba1ed9ec..a5197010eb 100644
--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@@ -82,21 +82,19 @@ void InterpretAndExecuteModule(i::Isolate* isolate,
               .ToHandle(&instance));
   }
 
+  bool exception = false;
   int32_t result_compiled = testing::CallWasmFunctionForTesting(
-      isolate, instance, "main", 0, nullptr);
-  if (interpreter_result.trapped() != isolate->has_pending_exception()) {
+      isolate, instance, "main", 0, nullptr, &exception);
+  if (interpreter_result.trapped() != exception) {
     const char* exception_text[] = {"no exception", "exception"};
     FATAL("interpreter: %s; compiled: %s",
           exception_text[interpreter_result.trapped()],
-          exception_text[isolate->has_pending_exception()]);
+          exception_text[exception]);
   }
 
   if (interpreter_result.finished()) {
     CHECK_EQ(interpreter_result.result(), result_compiled);
   }
-
-  // Cleanup any pending exception.
-  isolate->clear_pending_exception();
 }
 
 namespace {
diff --git a/test/fuzzer/wasm/regress-1115280.wasm b/test/fuzzer/wasm/regress-1115280.wasm
new file mode 100644
index 0000000000000000000000000000000000000000..3aacaf2c4bff8e6bbba1e3e4a3731cdd9bb1b5cc
GIT binary patch
literal 35
qcmZQbEY4+QU|?WmVN76PU}j=uVCP_D$xY16V_@K7Wn^Yx;06FlPXmSk

literal 0
HcmV?d00001