Because there can be fewer function signatures than there are
functions a new ForceAddSignature function was added which does
not deduplicate.
Bug: v8:11954
Change-Id: Ib028de47962dd1e797ead1b1f05a4e6815029487
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3186431
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77126}
Don't really have a good name for this inner TryCatch.
Bug: v8:12244
Change-Id: I4c1353bcd98e78e49d0354e285249302a8ee0dd8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3183522
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77097}
Generate arbitrary struct and array types based on
the fuzzer random input stream.
They replace the hard-coded types.
Generated types include nested reference types and recursive types.
Bug: v8:11954
Change-Id: I2e40697f2ace3eb818360213e8a4dd40037e580e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173683
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77010}
Make GetValueType to generate only function signatures
to avoid default values in new_object.
Bug: v8:11954
Change-Id: Ia6ebdde0a9c10c56afef29d6db3b3266816210e3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158222
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/main@{#76934}
We add support for array.get, array.set and array.len operation to the fuzzed module.
Bug: v8:11954
Change-Id: Ic8fd89ec7f7f31e70a40bad831567e50ae49f668
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3168624
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Maria Tîmbur <mtimbur@google.com>
Cr-Commit-Position: refs/heads/main@{#76931}
Per https://github.com/WebAssembly/gc/issues/234, this implements
"nominal" type definitions with explicit supertypes, and statically
typed RTT-less instructions for allocation and testing/casting.
This should be fully backwards compatible with existing Wasm modules.
Spec: https://bit.ly/3cWcm6Q ("version 4")
Bug: v8:7748
Change-Id: Id5a1399b368fdfad22036cfd66f1bef593e640f7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3144916
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76844}
We add call_ref and return_call_ref to the fuzzed module.
We alter call function to generate call_ref in it.
Bug: v8:11954
Change-Id: I972b8e053d7eab758ac343d48f0c4631ef24b22b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3148011
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/main@{#76748}
We add table operations to the fuzzed module.
GetTableType function is added in WasmModuleBuilder.
Alter alternatives array in GenerateOptRef to generate
less default values.
Bug: v8:11954
Change-Id: I433a6fac0ab10307aeede505b7d0c1d625d27477
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3137493
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/main@{#76697}
This is needed so tables are available for table operations.
Bug: v8:11954
Change-Id: If0cbb07ddf0852d2e2515aca3e1f54168c2e0ab8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3135576
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76625}
WasmModuleBuilder is a class that is used to build Wasm modules in the
asm.js parser, in the fuzzer, as well as some tests. When it comes to
Wasm tables, WasmModuleBuilder currently supports only basic tables
(before the reftypes proposal) using an ad-hoc indirect-function index
vector.
This CL adds proper support for element sections and tables that use
them in the full potential of the reftypes extension. The new
functionality will only be used in the fuzzer and potentially some tests
in the future. Along this, we drop some functionality from
WasmModuleBuilder that was only used in tests and is redundant with the
new architecture.
Additionally, we remove tables other than externref and funcref from the
fuzzer (which were not supported properly or used anyway). We will
reintroduce them at a later time.
Bug: v8:11954
Change-Id: I0a4f6e7b63b6e3d9f7da03b5202fbf14d8678332
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122162
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76597}
template specialisations must be defined
outside of class body to prevent the following compilation error:
error: explicit specialization in non-namespace scope
Change-Id: Ic4b74a28cd21d96991ad784fbd3c598668ffc476
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3129881
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Milad Fa <mfarazma@redhat.com>
Cr-Commit-Position: refs/heads/main@{#76591}
The wasm-compile fuzzer sometimes needs to generate a boolean flag from
the input bytes. Since the general {DataRange::get} method results in
undefined behaviour if instantiated with the {bool} type, we are getting
an 8-bit value instead and looking at the least significant bit only.
This CL improves this situation by implementing a template
specialization for {bool} which uses the same trick, and uses that
instead of hand-coding the modulo operation at the call sites.
R=manoskouk@chromium.org
Bug: v8:11879
Change-Id: I6f9ce02dd8d9cd0998b83e081e4c6ca773e6cb53
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3129429
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76588}
Given ref.func, we might need to wrap any function in the program, as
opposed to imported functions only.
Change-Id: I79942ef2dabf3b6da2d26b49167db6caff53745e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122160
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76533}
We add br.on_null, ref.as_non_null and ref.eq to the fuzzed module.
They are called when liftoff is used. ref.is_null has been changed,
according to comments from the last CL. GetRefType has been removed.
Bug: v8:11954
Change-Id: If93f6e9911cbcd3001ab45da02ebc037af8bdc54
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3122171
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76531}
In a follow-up CL, the backing stores will, when the sandbox is enabled,
be referenced from V8 objects through offsets rather than raw pointers.
For that to work, all backing stores must be located inside the virtual
memory cage. This CL prepares for that.
Bug: chromium:1218005
Change-Id: Ibb989626ed7094bd4f02ca15464539f4e2bda90f
Cq-Include-Trybots: luci.v8.try:v8_linux64_heap_sandbox_dbg_ng
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3114136
Commit-Queue: Samuel Groß <saelo@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76486}
The v8::internal::IsolateData class in test/inspector/isolate-data.h
collides with v8::internal::IsolateData defined in
src/execution/isolate-data.h. In some circumstances, this can lead to
compilation or runtime issues. To fix that, this CL renames the class in
test/inspector to InspectorIsolateData.
Change-Id: I4b62b2a9d141169480c5a0591c1bcb2f275f87f4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116248
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Samuel Groß <saelo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76481}
This is a reland of d1b27019d3
Fixes include:
Adding missing file to bazel build
Forward-declaring classing before friend-classing them to fix win/gcc
Add missing v8-isolate.h include for vtune builds
Original change's description:
> [include] Split out v8.h
>
> This moves every single class/function out of include/v8.h into a
> separate header in include/, which v8.h then includes so that
> externally nothing appears to have changed.
>
> Every include of v8.h from inside v8 has been changed to a more
> fine-grained include.
>
> Previously inline functions defined at the bottom of v8.h would call
> private non-inline functions in the V8 class. Since that class is now
> in v8-initialization.h and is rarely included (as that would create
> dependency cycles), this is not possible and so those methods have been
> moved out of the V8 class into the namespace v8::api_internal.
>
> None of the previous files in include/ now #include v8.h, which means
> if embedders were relying on this transitive dependency then it will
> give compile failures.
>
> v8-inspector.h does depend on v8-scripts.h for the time being to ensure
> that Chrome continue to compile but that change will be reverted once
> those transitive #includes in chrome are changed to include it directly.
>
> Full design:
> https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
>
> Bug: v8:11965
> Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76424}
Cq-Include-Trybots: luci.v8.try:v8_linux_vtunejit
Bug: v8:11965
Change-Id: I99f5d3a73bf8fe25b650adfaf9567dc4e44a09e6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113629
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Simon Zünd <szuend@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76460}
We add ref.func and ref.is_null to the fuzzed module.
ref.is_null returns i32, so it is added to i32 generator.
ref.func is added to GenerateOptRef.
GetRefType function is added to generate reftypes.
Bug: v8:11954
Change-Id: Ia1add950bed573a02b6bec1cba401273d401919e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3106925
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76431}
Abstract reference types in the fuzzer have only generated trivial
values. This CL adds the capability for them to generate values of their
subtypes in addition.
Drive-by: Fix emission of multiple tables in wasm-fuzzer-common.
Bug: v8:11954
Change-Id: Id434109c9ae6c1e1b799414c90f18180b8895755
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3109672
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76430}
This reverts commit d1b27019d3.
Reason for revert: Broke vtune build, tsan build and possibly others
Original change's description:
> [include] Split out v8.h
>
> This moves every single class/function out of include/v8.h into a
> separate header in include/, which v8.h then includes so that
> externally nothing appears to have changed.
>
> Every include of v8.h from inside v8 has been changed to a more
> fine-grained include.
>
> Previously inline functions defined at the bottom of v8.h would call
> private non-inline functions in the V8 class. Since that class is now
> in v8-initialization.h and is rarely included (as that would create
> dependency cycles), this is not possible and so those methods have been
> moved out of the V8 class into the namespace v8::api_internal.
>
> None of the previous files in include/ now #include v8.h, which means
> if embedders were relying on this transitive dependency then it will
> give compile failures.
>
> v8-inspector.h does depend on v8-scripts.h for the time being to ensure
> that Chrome continue to compile but that change will be reverted once
> those transitive #includes in chrome are changed to include it directly.
>
> Full design:
> https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
>
> Bug: v8:11965
> Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
> Reviewed-by: Yang Guo <yangguo@chromium.org>
> Reviewed-by: Camillo Bruni <cbruni@chromium.org>
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Reviewed-by: Leszek Swirski <leszeks@chromium.org>
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Dan Elphick <delphick@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76424}
Bug: v8:11965
Change-Id: Id57313ae992e720c8b19abc975cd69729e1344aa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3113627
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Owners-Override: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76428}
This moves every single class/function out of include/v8.h into a
separate header in include/, which v8.h then includes so that
externally nothing appears to have changed.
Every include of v8.h from inside v8 has been changed to a more
fine-grained include.
Previously inline functions defined at the bottom of v8.h would call
private non-inline functions in the V8 class. Since that class is now
in v8-initialization.h and is rarely included (as that would create
dependency cycles), this is not possible and so those methods have been
moved out of the V8 class into the namespace v8::api_internal.
None of the previous files in include/ now #include v8.h, which means
if embedders were relying on this transitive dependency then it will
give compile failures.
v8-inspector.h does depend on v8-scripts.h for the time being to ensure
that Chrome continue to compile but that change will be reverted once
those transitive #includes in chrome are changed to include it directly.
Full design:
https://docs.google.com/document/d/1rTD--I8hCAr-Rho1WTumZzFKaDpEp0IJ8ejZtk4nJdA/edit?usp=sharing
Bug: v8:11965
Change-Id: I53b84b29581632710edc80eb11f819c2097a2877
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097448
Reviewed-by: Yang Guo <yangguo@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76424}
We add multiple tables to the fuzzed module.
We only can use externref or function references
for tables.
Bug: v8:11954
Change-Id: Ibb7b34203169a3ca97514b87273fa4ea0f6ca99a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3093145
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76288}
We add support for struct.get operation to the fuzzed module.
struct_get alternative is added to Generators
(i32, i64, f32, f64).
Bug: v8:11954
Change-Id: I85c03bb6ba896bff399eb1382fa42b0795ef65ed
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3081613
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/master@{#76191}
Following up on https://crrev.com/c/3067319 (V8 call site) and
https://crrev.com/c/3080920 (Blink override), we can now safely remove
the formatAccessorsAsProperties() predicate in the inspector API. V8 now
consistently applies the logic to all "inherited", native accessor
properties (which means both Blink IDL attributes and V8 builtins).
Bug: chromium:1076820, chromium:1199247
Change-Id: I156ee43eb87ffd7b1ba69900fe11283f37241dda
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3080568
Auto-Submit: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Kim-Anh Tran <kimanh@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76187}
We add support for struct and arraytypes in wasm-fuzzer-common.
Also, we add addStruct and addArray while generating tests.
Other OptRef types like eqref/anyref have been supported.
Adding struct and arraytypes in wasm-compile has been placed
at the beginning in order to generate them in addSignature.
Bug: v8:11954
Change-Id: Ibe468dd4df70ad40367196c88353b28b7654f086
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3074463
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/master@{#76137}
Generate the test case before compilation, so that we can generate it
even if compilation crashes.
We can only do this when require_valid is true. Otherwise the test case
depends on whether the module compiles or not.
R=ahaas@chromium.org
CC=khismet@google.com
Bug: v8:11954
Change-Id: I944e867cc7ca631bff749bd67c4b8baff1df1fa9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3074476
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76123}
The number of arguments for the LiftoffCompiler has grown significantly
since its initial implementation, and it becomes hard to keep track of
all options at the call sites.
This CL refactors all optional parameters into a {LiftoffOptions} struct
which has a factory-like interface.
This will allow us to add more options in the future, e.g. for dynamic
tiering.
R=thibaudm@chromium.org
Change-Id: I66697bb2f99b676a84c158304cc3a285e1b077d0
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3069148
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76098}
We add new alternative "new_object" in order to
emit new struct and array types. We check whether
heaptype is struct or array type so we could emit
"NewDefault" or "NewWithRtt". The additional methods
(IsArray/StructType, GetArray/StructType) was added to WasmModuleBuilder.
Bug: v8:11954
Change-Id: I7a0e73edfbaa49beb1efd60b0f1b9916dc50df22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3056459
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/master@{#75966}
It is very unlikely that atomic.wait does anything useful in the fuzzer,
and will most likely just timeout the fuzzer. That's why it's better to
just disallow atomic.wait on the fuzzer.
R=thibaudm@chromium.org
Bug: chromium:1229074
Change-Id: I57aaff013964fa4c0e6ab411789e53a9013cabd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3053584
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75920}
We add additional num_types and liftoff parameters
for GetValueType to be able to generate user-def reftypes.
num_types is the number of types in the program and
liftoff checks if we could add reftypes or not.
The additional method (NumTypes) was added to WasmModuleBuilder and
additional field (liftoff) to WasmGenerator constructor.
Bug: v8:11954
Change-Id: I4904a41043264c65d5cba5b22129184d6a486bfe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3041426
Commit-Queue: Rakhim Khismet <khismet@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75840}
We add a struct type and array type to the fuzzed module.
Since the interpreter does not support wasm-gc,
we only do so if liftoff is used as a reference implementation.
Also, adding liftoff parameter to all GenerateModule definitions.
Bug: v8:11954
Change-Id: Ia8d2d7a8e1e12d375605f15d1393dd64f426607d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3024160
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/master@{#75782}
Instantiation was inside a DCHECK and therefore did not happen in
non-debug modes. Turn the DCHECK into a CHECK.
R=clemensb@chromium.org
Bug: chromium:1227685
Change-Id: I13240109326a2c94576f6651963543187d96ad3e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3017806
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75673}
Reset the instance before the test run, to ensure it runs with the
same initial state as the reference run.
R=clemensb@chromium.org
Bug: chromium:1227591
Change-Id: Ie78b4b84e3df37ab8955c240f1d41e2f5e89a5de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3015572
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75658}
Add an option to use Liftoff instead of the interpreter as the reference
tier for fuzzing. The tier to use is chosen based on the input data
before generating the module. This way, the module can use features
depending on what is available in the reference tier, and we still get a
chance to find correctness issues that would only be detected by the
interpreter.
R=clemensb@chromium.org
Bug: v8:11856
Change-Id: I2e9878345355a37caec5fdb338dda42a84e8e63a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3008645
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75633}
The number of arguments and their values were generated and passed by
the individual fuzzers, but were unused by the caller. Instead, default
arguments are generated in {MakeDefaultInterpreterArguments} and
{MakeDefaultArguments}.
Thus this CL removes the dead parameters and assignments.
R=ahaas@chromium.org
Change-Id: I5ca5b06a0848c2a89e70ed739f44bc2161fcb2bb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3003464
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75560}
Changes:
- Use a lightweight WasmElemSegment::Entry struct to store element
segment entries in a WasmModule.
- Also, restructure LoadElemSegmentImpl to handle all types of
global.get entries correctly.
- Simplify InitializeIndirectFunctionTables and make it handle all types
of entries correctly.
- In the above two cases, reject WasmJSFunctions for now.
Bug: v8:11895
Change-Id: Ie714f8c7f1af8959486138d2ad49bc622a89276d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2991248
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75513}
This is a reland of 071a1acf32
Changes compared to original:
Expect SIMD test to fail if SIMD is not supported.
Original change's description:
> [wasm] Refactor initializer expression handling
>
> Design doc: https://bit.ly/3xPxWUe
>
> This CL introduces two main changes:
> - Initializer expressions are now decoded by WasmFullDecoder. With
> wasm-gc, initializer expressions are no longer just constants, and
> require complex decoding (including stack tracking). This resulted in
> extensive code duplication.
> - Initializer expressions are not stored explicitly by module-decoder as
> an AST (WasmInitExpr), but rather as a WireBytesRef, and are decoded
> again during module instantiation. This should reduce memory
> consumption for globals and other module elements with initializer
> expressions (which has been observed in the 40MB range in some
> real-world benchmarks.
>
> Summary of changes:
> - Add a static parameter {kFunctionBody, kInitExpression} to the
> WasmDecoder. Use it to specialize validation to function bodies/init.
> expressions.
> - Introduce a new Interface for the WasmFullDecoder for init.
> expressions.
> - Differentiate between constant and non-constant opcodes in
> WasmFullDecoder.
> - Change representation of init. expressions in WasmModule to
> WireBytesRef.
> - Reimplement EvaluateInitExpression in module-instantiate to re-decode
> initializer expressions.
> - Remove some now-invalid module decoder tests.
>
> Pending changes:
> - Also refactor initializer expressions for element segment entries.
> - Reintroduce deleted tests.
>
> Bug: v8:11895
> Change-Id: I76512bfe1386c8338667d30fa6db93880a1e4b42
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2972910
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75476}
Bug: v8:11895
Change-Id: I2dface5ff28d5a2d439a65d3e5cb83135c061bb9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2997722
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75492}
This reverts commit 071a1acf32.
Reason for revert: Breaks on nosse: https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Linux/42795/overview
Original change's description:
> [wasm] Refactor initializer expression handling
>
> Design doc: https://bit.ly/3xPxWUe
>
> This CL introduces two main changes:
> - Initializer expressions are now decoded by WasmFullDecoder. With
> wasm-gc, initializer expressions are no longer just constants, and
> require complex decoding (including stack tracking). This resulted in
> extensive code duplication.
> - Initializer expressions are not stored explicitly by module-decoder as
> an AST (WasmInitExpr), but rather as a WireBytesRef, and are decoded
> again during module instantiation. This should reduce memory
> consumption for globals and other module elements with initializer
> expressions (which has been observed in the 40MB range in some
> real-world benchmarks.
>
> Summary of changes:
> - Add a static parameter {kFunctionBody, kInitExpression} to the
> WasmDecoder. Use it to specialize validation to function bodies/init.
> expressions.
> - Introduce a new Interface for the WasmFullDecoder for init.
> expressions.
> - Differentiate between constant and non-constant opcodes in
> WasmFullDecoder.
> - Change representation of init. expressions in WasmModule to
> WireBytesRef.
> - Reimplement EvaluateInitExpression in module-instantiate to re-decode
> initializer expressions.
> - Remove some now-invalid module decoder tests.
>
> Pending changes:
> - Also refactor initializer expressions for element segment entries.
> - Reintroduce deleted tests.
>
> Bug: v8:11895
> Change-Id: I76512bfe1386c8338667d30fa6db93880a1e4b42
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2972910
> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#75476}
Bug: v8:11895
Change-Id: I9fcfdedad73ef21beb9632f50305b8e678a2dff6
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2997582
Auto-Submit: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#75484}
Design doc: https://bit.ly/3xPxWUe
This CL introduces two main changes:
- Initializer expressions are now decoded by WasmFullDecoder. With
wasm-gc, initializer expressions are no longer just constants, and
require complex decoding (including stack tracking). This resulted in
extensive code duplication.
- Initializer expressions are not stored explicitly by module-decoder as
an AST (WasmInitExpr), but rather as a WireBytesRef, and are decoded
again during module instantiation. This should reduce memory
consumption for globals and other module elements with initializer
expressions (which has been observed in the 40MB range in some
real-world benchmarks.
Summary of changes:
- Add a static parameter {kFunctionBody, kInitExpression} to the
WasmDecoder. Use it to specialize validation to function bodies/init.
expressions.
- Introduce a new Interface for the WasmFullDecoder for init.
expressions.
- Differentiate between constant and non-constant opcodes in
WasmFullDecoder.
- Change representation of init. expressions in WasmModule to
WireBytesRef.
- Reimplement EvaluateInitExpression in module-instantiate to re-decode
initializer expressions.
- Remove some now-invalid module decoder tests.
Pending changes:
- Also refactor initializer expressions for element segment entries.
- Reintroduce deleted tests.
Bug: v8:11895
Change-Id: I76512bfe1386c8338667d30fa6db93880a1e4b42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2972910
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75476}