765f3c33b9
Before this change, the mutation order of js-fuzzer was hard-coded and always executed in the same order. This e.g. prevents certain mutation interactions. E.g. in the typical V8 pattern: %Prep(foo);foo(N);foo(N);%Opt(foo);foo(N); This gets typically inserted by the FunctionCallMutator, but none of the arguments N would get mutated later, since e.g. the NumberMutator is executed earlier. This change adds an experiment that makes the top-level mutation flow more flexible. With a probability of 20% each we now also: - Shuffle the different mutators. - Run a few random extra mutators after the first round. We annotate the output files with comments if the experiment was chosen to easier analyze later if interesting new bugs were found. Change-Id: I581d43b41a8e1d87ff1e8cab435a1b6e834db0f1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4096477 Commit-Queue: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Liviu Rau <liviurau@chromium.org> Cr-Commit-Position: refs/heads/main@{#84863} |
||
|---|---|---|
| .. | ||
| foozzie | ||
| js_fuzzer | ||
| trials | ||
| OWNERS | ||