AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
16d9298a9c
v8/test/fuzzer/wasm.cc
Andreas Haas 16d9298a9c [api] Add callback to set up conditional features 
Origin trials allow webpages to use experimental features even though
the features are not yet enabled by default. These features will then
get enabled per execution context: it is possible that the feature is
enabled in one execution context but disabled in another execution
context. In V8 we check for origin trials by calling a callback provided
by the embedder that takes the context as a parameter and returns
whether a feature is enabled in this context or not.

This approach fails when a feature changes the context itself, e.g. by
extending the global object. In that case the context is not available
yet to check for the origin trial.

To solve the problem this CL adds a new API function that can be called
by the embedder to notify V8 that context with the origin trial
information is finished. After that V8 can read the origin trial
information from the context and extend e.g. the global object with the
origin trial features.

Additionally to the API this CL also adds code to enable the
WebAssembly.Exception constructor conditionally, depending on whether
it has been enabled by an origin trial or not.

The Blink-side change: https://crrev.com/c/2775573

R=ulan@chromium.org, jkummerow@chromium.org

Change-Id: Ic05c4a89eb3e0e31469e49da8767d630c43b2e00
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773287
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73597}
2021-03-23 09:03:34 +00:00

74 lines
2.5 KiB
C++
Raw Blame History

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include "include/v8.h"
#include "src/execution/isolate-inl.h"
#include "src/heap/factory.h"
#include "src/objects/objects-inl.h"
#include "src/wasm/wasm-engine.h"
#include "src/wasm/wasm-feature-flags.h"
#include "src/wasm/wasm-module.h"
#include "test/common/wasm/flag-utils.h"
#include "test/common/wasm/wasm-module-runner.h"
#include "test/fuzzer/fuzzer-support.h"
#include "test/fuzzer/wasm-fuzzer-common.h"
namespace i = v8::internal;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
v8::Isolate* isolate = support->GetIsolate();
// We reduce the maximum memory size and table size of WebAssembly instances
// to avoid OOMs in the fuzzer.
i::FLAG_wasm_max_mem_pages = 32;
i::FLAG_wasm_max_table_size = 100;
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
// Clear any pending exceptions from a prior run.
if (i_isolate->has_pending_exception()) {
i_isolate->clear_pending_exception();
}
v8::Isolate::Scope isolate_scope(isolate);
v8::HandleScope handle_scope(isolate);
v8::Context::Scope context_scope(support->GetContext());
// We explicitly enable staged WebAssembly features here to increase fuzzer
// coverage. For libfuzzer fuzzers it is not possible that the fuzzer enables
// the flag by itself.
i::wasm::fuzzer::OneTimeEnableStagedWasmFeatures(isolate);
v8::TryCatch try_catch(isolate);
i::wasm::testing::SetupIsolateForWasmModule(i_isolate);
i::wasm::ModuleWireBytes wire_bytes(data, data + size);
i::HandleScope scope(i_isolate);
i::wasm::ErrorThrower thrower(i_isolate, "wasm fuzzer");
i::Handle<i::WasmModuleObject> module_object;
auto enabled_features = i::wasm::WasmFeatures::FromIsolate(i_isolate);
bool compiles =
i_isolate->wasm_engine()
->SyncCompile(i_isolate, enabled_features, &thrower, wire_bytes)
.ToHandle(&module_object);
if (i::FLAG_wasm_fuzzer_gen_test) {
i::wasm::fuzzer::GenerateTestCase(i_isolate, wire_bytes, compiles);
}
if (compiles) {
i::wasm::fuzzer::InterpretAndExecuteModule(i_isolate, module_object);
}
// Pump the message loop and run micro tasks, e.g. GC finalization tasks.
support->PumpMessageLoop(v8::platform::MessageLoopBehavior::kDoNotWait);
isolate->PerformMicrotaskCheckpoint();
return 0;
}
Reference in New Issue View Git Blame Copy Permalink