5a50750651
The fuzzers based on {WasmExecutionFuzzer} (wasm-code, wasm-compile) were already switched over in https://crrev.com/c/4042288. The wasm-async and wasm fuzzers were still testing against the interpreter, even though WasmGC opcodes are enabled, which leads to crashes due to incomplete interpreter support. This CL now switches those remaining fuzzers to "liftoff as reference" mode, and removes support for testing against the interpreter. As Liftoff code runs a lot faster than the interpreter, we bump the limit for the number of executed instructions from 16k to 1M. R=jkummerow@chromium.org Bug: chromium:1387316, chromium:1393379, v8:13496 Change-Id: Id3e6177cc89b49e69d03515f10eedaf0872bde82 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4078983 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#84644}
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include "include/libplatform/libplatform.h"
#include "include/v8-context.h"
#include "include/v8-exception.h"
#include "include/v8-isolate.h"
#include "include/v8-local-handle.h"
#include "src/execution/isolate-inl.h"
#include "src/wasm/wasm-engine.h"
#include "src/wasm/wasm-feature-flags.h"
#include "src/wasm/wasm-module.h"
#include "test/common/wasm/wasm-module-runner.h"
#include "test/fuzzer/fuzzer-support.h"
#include "test/fuzzer/wasm-fuzzer-common.h"
namespace v8::internal::wasm::fuzzer {
// libFuzzer entry point of the plain "wasm" fuzzer.
//
// `data`/`size` are the fuzzer-generated bytes of a candidate WebAssembly
// module. They are untrusted and may be arbitrarily malformed, so everything
// below runs inside a TryCatch and with reduced resource limits. The bytes are
// compiled synchronously; a module that compiles is then run through
// ExecuteAgainstReference (per the commit description, Liftoff serves as the
// reference) with a cap on the number of executed instructions.
//
// Always returns 0, as libFuzzer expects from a test-one-input callback.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  v8_fuzzer::FuzzerSupport* fuzzer_support = v8_fuzzer::FuzzerSupport::Get();
  v8::Isolate* api_isolate = fuzzer_support->GetIsolate();

  // Cap the memory and table sizes a module may request, so that a
  // fuzzer-generated module cannot OOM the fuzzing process. The flags are
  // (re)set on every input because the isolate is shared across inputs.
  v8_flags.wasm_max_mem_pages = 32;
  v8_flags.wasm_max_table_size = 100;

  Isolate* internal_isolate = reinterpret_cast<Isolate*>(api_isolate);

  // The isolate is reused from one input to the next; drop any exception a
  // previous input left pending so it is not attributed to this one.
  if (internal_isolate->has_pending_exception()) {
    internal_isolate->clear_pending_exception();
  }

  // Enter the isolate and the shared context for the duration of this input.
  v8::Isolate::Scope enter_isolate(api_isolate);
  v8::HandleScope api_handles(api_isolate);
  v8::Context::Scope enter_context(fuzzer_support->GetContext());

  // libFuzzer offers no way to pass V8 flags, so staged/experimental Wasm
  // features are switched on from inside the harness to widen coverage.
  EnableExperimentalWasmFeatures(api_isolate);

  // Declared before the ErrorThrower below so that anything thrown while the
  // thrower is alive (presumably including a compile error it reports when it
  // goes out of scope -- verify against ErrorThrower) is caught here instead of
  // being left pending on the isolate.
  v8::TryCatch catch_all(api_isolate);
  testing::SetupIsolateForWasmModule(internal_isolate);
  ModuleWireBytes module_bytes(data, data + size);

  HandleScope internal_handles(internal_isolate);
  ErrorThrower compile_errors(internal_isolate, "wasm fuzzer");
  Handle<WasmModuleObject> compiled_module;
  auto features = WasmFeatures::FromIsolate(internal_isolate);
  auto maybe_module = GetWasmEngine()->SyncCompile(
      internal_isolate, features, &compile_errors, module_bytes);
  const bool compiled_ok = maybe_module.ToHandle(&compiled_module);

  // Optionally dump this input as a standalone test case, recording whether
  // the module was expected to compile.
  if (v8_flags.wasm_fuzzer_gen_test) {
    GenerateTestCase(internal_isolate, module_bytes, compiled_ok);
  }

  // Only a module that compiled can be executed. The instruction cap bounds
  // how long a (possibly non-terminating) module is allowed to run.
  if (compiled_ok) {
    ExecuteAgainstReference(internal_isolate, compiled_module,
                            kDefaultMaxFuzzerExecutedInstructions);
  }

  // Drain platform tasks (e.g. GC finalization) and microtasks before
  // returning, without blocking on the message loop.
  fuzzer_support->PumpMessageLoop(
      v8::platform::MessageLoopBehavior::kDoNotWait);
  api_isolate->PerformMicrotaskCheckpoint();
  return 0;
}
} // namespace v8::internal::wasm::fuzzer