AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
3b3ad5b486
v8/test/fuzzer/wasm-fuzzer-common.h
Andreas Haas 7b53a0e010 [wasm] Avoid executing infinite loops in the wasm fuzzers 
The wasm-async fuzzer uses the bytes provided by the fuzzer engine
directly as wasm module bytes, compiles them with async compilation, and
then tries to execute the "main" function of the module. This "main"
can have an infinite loop which causes a timeout in the fuzzer. With
this CL the "main" function is first executed with the interpreter. If
the execution in the interpreter finishes within 16k steps, which means
that there is no infinite loop, also the compiled code is executed.

I added the raw fuzzer input as a test case because in this case I
really want to test the fuzzer and not V8.

R=clemensh@chromium.org

Bug: chromium:761784
Change-Id: Id1fe5da0da8670ec821ab9979fdb9454dbde1162
Reviewed-on: https://chromium-review.googlesource.com/651046
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47874}
2017-09-07 12:35:45 +00:00

47 lines
1.4 KiB
C++
Raw Blame History

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef WASM_SECTION_FUZZERS_H_
#define WASM_SECTION_FUZZERS_H_
#include <stddef.h>
#include <stdint.h>
#include "src/wasm/module-decoder.h"
#include "src/wasm/wasm-interpreter.h"
#include "src/wasm/wasm-module-builder.h"
namespace v8 {
namespace internal {
namespace wasm {
namespace fuzzer {
int FuzzWasmSection(SectionCode section, const uint8_t* data, size_t size);
// First instantiates and interprets the "main" function within module_object if
// possible. If the interpretation finishes within kMaxSteps steps,
// module_object is instantiated again and the compiled "main" function is
// executed.
void InterpretAndExecuteModule(Isolate* isolate,
Handle<WasmModuleObject> module_object);
class WasmExecutionFuzzer {
public:
virtual ~WasmExecutionFuzzer() {}
int FuzzWasmModule(const uint8_t* data, size_t size);
protected:
virtual bool GenerateModule(
Isolate* isolate, Zone* zone, const uint8_t* data, size_t size,
ZoneBuffer& buffer, int32_t& num_args,
std::unique_ptr<WasmValue[]>& interpreter_args,
std::unique_ptr<Handle<Object>[]>& compiler_args) = 0;
};
} // namespace fuzzer
} // namespace wasm
} // namespace internal
} // namespace v8
#endif // WASM_SECTION_FUZZERS_H_
Reference in New Issue View Git Blame Copy Permalink