base fuzzili update #52
Dudcom wants to merge 264 commits into VRIG-RITSEC:agent from
V8-side-change: https://crrev.com/c/7198340
Change-Id: I423361da98643dcde469b8a13c6b7df44114d8c6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8793536
Reviewed-by: Dominik Klemba <tacet@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
…function
To allow defining a block with a wasm-gc signature while already being in the .wasmFunction context, this change adds a new operation WasmDefineAdHocSignature. This way statements requiring a signature type input can directly embed this signature definition inside the function.
Bug: 445356784
Change-Id: I56754224551ea82883c71410f4aca957b7bf24d4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8787096
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
To ensure that this function is correctly detected as a crash in both regular fuzzing and sandbox fuzzing configurations.
Change-Id: I22eae385d08d343926624d5e6f33b7e6dbf72993
Bug: 461681036
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796176
Commit-Queue: Samuel Groß <saelo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This change increases the probability of accessing the length of rest parameters and rest elements to improve fuzzing coverage of V8's optimizations for RestLength (rest.length). With a 20% probability, a FuzzIL variable is created for the "length" property of a newly created rest parameter or element. This affects all function types and array destructuring generators.
For function generators and 'ForOfWithDestructLoopGenerator', we do not need to check if outputs are empty: 'hasRestParameter' implies the existence of parameters, and loop generation logic guarantees non-empty indices.
For 'DestructArrayGenerator' and 'DestructArrayAndReassignGenerator', we now ensure that 'lastIsRest' is only true when the variable list is non-empty. Assertions were also added to the DestructArray instructions to enforce this invariant.
Bug: 456162872
Change-Id: I37b78cc892aac5bb5e5164864863dc51dba40f51
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8741996
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Change-Id: I02ac85b1f90e3a21a6310157457d2e0c0ec364d3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796658 Auto-Submit: Pawel Krawczyk <pawkra@google.com> Commit-Queue: Dominik Klemba <tacet@google.com> Reviewed-by: Dominik Klemba <tacet@google.com>
Bug: 455512155,455513417 Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096 Commit-Queue: Pawel Krawczyk <pawkra@google.com> Reviewed-by: Dominik Klemba <tacet@google.com>
This adds a stand-alone python script with the following properties:
* Mimic various test configs from V8 (for now test262 without staging)
* List all supported tests from a config
* Transpile all tests in parallel (i.e. compile to FuzzIL and lift back to JS)
* Print statistics and return relevant results as a json file
* The results contain stats that we can track as a metric, e.g. the percentage of properly transpiled tests.
The script is tested with a Python unit test that runs the script E2E, also hooked up through a presubmit script so that it's tested on updates.
Bug: 442444727
Change-Id: I29c89cede59aef885e45a0ae0821d3388bc51e8f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8787097
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This makes the executor look for Node.js in the CWD, which makes it easy to bundle both together when porting the FuzzILTool to another machine.
Bug: 442444727
Change-Id: I80adcde79fb6d773f3f47817da24188bbbe5431e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796659
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Generating shared ref variables to be done in following CLs.
See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.
Bug: 448349112
Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
This reverts commit e35cbb5.
Reason for revert: Crashes and not reviewed yet.
Original change's description:
> Add support for shared references.
>
> Generating shared ref variables to be done in following CLs.
>
> See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.
>
> Bug: 448349112
> Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
> Reviewed-by: Dominik Klemba <tacet@google.com>
> Commit-Queue: Pawel Krawczyk <pawkra@google.com>
Bug: 448349112
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I8bc73bef53d053078db9318de6408d4dbf2f4cda
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8810396
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
This change allows the JavaScriptLifter to inline arrow functions (e.g., 'foo(() => 42)') by treating them as expressions.
- Adds ArrowFunctionExpression to JSExpressions.
- Updates JavaScriptLifter to detect recursive arrow functions and block boundaries.
- Non-recursive arrow functions are buffered and assigned as expressions.
- Recursive arrow functions retain the original variable declaration strategy.
- Implements concise body syntax ('() => expr') for single-line returns without comments.
- Updates JavaScriptWriter to use emitBlock for multi-line inlined expressions.
Bug: 464228572, 456164925
Change-Id: Ic4618c2ba92ad96d95303e83f8551c13beef508c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8808456
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
This is a mini-fuzzer for the new BytecodeVerifier in V8. It uses %GetBytecode to obtain a JS representation of the BytecodeArray of an existing function, mutates it, then installs it back on the function using %InstallBytecode and finally executes the function.
As the verifier only ensures that the bytecode does not cause a sandbox breakout (not general memory corruption), the mini-fuzzer is also specific to the V8Sandbox fuzzing profile.
Bug: 461681036
Change-Id: Iac64f3c9532f47455c57cf4251197771b0663612
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8814316
Commit-Queue: Samuel Groß <saelo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This enables calling the script with the arguments --num-shards and --shard-index. The former defines on how many shards (bots) the overall task gets distributed, the latter the index n to deterministically determine the sub-task for the n'th shard.
The test order is deterministic and we assume that this script is called from different shards with the same test archive. The sub-task is then evenly divided with a simple modulo algorithm.
Bug: 442444727
Change-Id: I32803d2bae14f9387e445b627363f4de7ac7efe4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8817538
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
…bility)."
This reverts commit 8a542af.
Reason for revert: V8/d8 is not seeded, therefore crashes are not reproducible (and the code is unstable).
Original change's description:
> Throw exception in TryCatchFinally blocks (with certain probability).
>
> Bug: 455512155,455513417
> Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096
> Commit-Queue: Pawel Krawczyk <pawkra@google.com>
> Reviewed-by: Dominik Klemba <tacet@google.com>
Bug: 455512155,455513417
Change-Id: I17514fcc50b60232faccd0a7b418fad0b187174d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821316
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This makes it possible to call the script from some nested work dir.
Bug: 442444727
Change-Id: I5f6f4313b652cb09e4d168785e78a2334495ccd9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821322
Auto-Submit: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This allows using parameter types which are indexed types (things like `(ref null 1)`).
Implementation:
- Each WasmLoop instruction now takes its signature as the first input.
- The static signature types are removed from the begin and endLoop.
- The loop code generator emits an "ad hoc" signature in order to emit signatures for which we already have corresponding inputs available.
Bug: 445356784
Change-Id: Ic58ab7d6a092a39de77c974142dd7f976786e8e1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8792956
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
* JSON.parse source text access & RawJSON
* Iterator helpers
* upsert
Change-Id: I1dad9b38c1a42ba8cfdb055651db06e0947dd184
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8814317
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Olivier Flückiger <olivf@google.com>
Auto-Submit: Olivier Flückiger <olivf@google.com>
This adds a simple script to merge data from multiple sharded calls to transpile_tests.py. We keep the merge script side-by-side with the main script to ease changing details in the data later, e.g. adding additional keys. This also drops two redundant entries from the current format.
Bug: 442444727
Change-Id: I774c078455028a01eb97276b90120a0f03c14f7a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832116
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 442444727 Change-Id: I6bc7c8744a7237e6d7c7c4bb204aeb530ed272e5 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832418 Auto-Submit: Michael Achenbach <machenbach@google.com> Commit-Queue: Pawel Krawczyk <pawkra@google.com> Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Besides the existing --gc-interval=n flag, this can help finding bugs for a GC happening at a specific point in a builtin or runtime function.
Bug: 467294029
Change-Id: I9d78d7d01d229ecd3e0c631f9d1e2f54a456b4ba
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832419
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Calling apply() with an array like this generator does will create a function call with as many arguments as the size of the array. It is meant to cover the discrepancies in max argument counts between turboshaft and maglev.
Bug: b/455503442
Change-Id: Ia605368687970369e168796273486d75de4cc811
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8839116
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Hendrik Wüthrich <whendrik@google.com>
This flag is incomplete. Before fuzzing it, all V8 tests should pass. Recent fuzzer reports show that this is not the case.
Bug: 468167782
Change-Id: I80d2cba60f1d553dd47cff338dee40a3b7c1ffbd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8843276
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Thibaud Michaud <thibaudm@google.com>
Commit-Queue: Thibaud Michaud <thibaudm@google.com>
This enhances the results format after test transpilation.
Before, we had only one level of:
{num_tests: int, failures: [{path: string, output: string}]}
Now we'll key the two lowest directory levels in Test262, e.g. for a
typical path like: language/literals/boolean/S7.8.2_A1_T1.js,
the key would be language/literals.
All results under this directory will be listed as a dict value,
with numbers and failures as previously, further directories
accordingly:
{
language/literals: {num_tests: ..., failures: ...},
language/identifiers: ...
...
}
We will now transpile all Test262 tests in one run and won't need
to exclude any subdirectories, like staging, as we can now report
separate numbers anyways.
This also updates the merge script to the new format and adds
additional unit tests for some helper functions.
Bug: 442444727
Change-Id: Idf23c650c646bc970d81fc8a318d4a8c76797a4d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8841396
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Liviu Rau <liviurau@google.com>
JS files often contain meta data in leading comments. We require these comments to be able to execute JS code again after transpiling it with the FuzzILTool. This preserves such comments, whenever the `--outputPathJS` option is used. The comments are extracted using information from the Babel AST in the parser.
Bug: 442444727
Change-Id: Ibc9fda5f99a69123672b75970f9b5801c2695074
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8839676
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Added generators for:
- ResizableArrayBuffer (RAB) and GrowableSharedArrayBuffer (GSAB) operations (resize, grow).
- Creating TypedArrays and DataViews from buffers (including fixed-length views).
- Converting Wasm memory to RAB/GSAB.
- Increasing chance of accessing last element
Improved existing generators:
- ResizableArrayBufferGenerator, GrowableSharedArrayBufferGenerator
Added a program template testing the interaction between Wasm memory growth and JS buffer resizing.
Change-Id: I2127a84796470efff4304402f8fd7a9cc3b8f008
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8836397
Commit-Queue: Dominik Klemba <tacet@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
In the overall results directory tree, certain directories contain large and interesting subtrees (e.g. large directories with low import coverage). This change enables us to list such additional directories to expand their subdirectories in the results mapping. E.g. if a directory is now listed in this config, the directory itself and one level of subdirectories below are now also listed as single result entities.
Bug: 442444727
Change-Id: Iba585221622c054985f2307389fccf35d3b10fec
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8845316
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Reviewed-by: Liviu Rau <liviurau@google.com>
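The results keying, the --num-shards/--shard-index modulo split and the per-shard merge described across the transpile_tests.py commits above, as an added Python example that is not code from the fuzzilli repository; the function names, the `expand_dirs` config shape, the reading of "one level of subdirectories below", and the sample test paths and outcomes are assumptions made here for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from pathlib import PurePosixPath


def result_key(test_path: str, expand_dirs: frozenset[str] = frozenset()) -> str:
    """Key a test by its two top directory levels, e.g.
    language/literals/boolean/S7.8.2_A1_T1.js -> language/literals.
    When a directory is listed in expand_dirs (assumed shape of the
    "additional directories" config), that directory itself and each
    subdirectory one level below it become separate result entries."""
    dirs = PurePosixPath(test_path).parts[:-1]  # drop the file name
    key = "/".join(dirs[:2])
    for depth in range(2, len(dirs)):
        if "/".join(dirs[:depth]) in expand_dirs:
            key = "/".join(dirs[:depth + 1])
    return key


def shard_tests(tests: list[str], num_shards: int, shard_index: int) -> list[str]:
    """Deterministic modulo split: after sorting, test i belongs to shard
    i % num_shards, so every bot must see the same test archive for the
    shards to form a true partition."""
    if num_shards < 1 or not 0 <= shard_index < num_shards:
        raise ValueError("shard index out of range")
    ordered = sorted(tests)
    return [t for i, t in enumerate(ordered) if i % num_shards == shard_index]


def summarize(outcomes: dict[str, str | None], expand_dirs: frozenset[str] = frozenset()) -> dict:
    """One shard's results in the nested format: outcome None means the
    test transpiled (FuzzIL -> JS) cleanly, otherwise it is the failure output."""
    summary: dict[str, dict] = defaultdict(lambda: {"num_tests": 0, "failures": []})
    for path, output in sorted(outcomes.items()):
        entry = summary[result_key(path, expand_dirs)]
        entry["num_tests"] += 1
        if output is not None:
            entry["failures"].append({"path": path, "output": output})
    return dict(summary)


def merge_results(shard_results: list[dict]) -> dict:
    """Combine per-shard summaries key by key (the merge script's job)."""
    merged: dict[str, dict] = defaultdict(lambda: {"num_tests": 0, "failures": []})
    for shard in shard_results:
        for key, entry in shard.items():
            merged[key]["num_tests"] += entry["num_tests"]
            merged[key]["failures"].extend(entry["failures"])
    return dict(merged)


def failure_rate(merged: dict) -> dict[str, float]:
    """The trackable metric: share of tests per key that did not transpile."""
    return {k: len(v["failures"]) / v["num_tests"] for k, v in merged.items()}


# Constructed sample corpus; paths are illustrative, not real Test262 content.
SAMPLE_TESTS = [
    "language/literals/boolean/S7.8.2_A1_T1.js",
    "language/literals/numeric/zero.js",
    "language/identifiers/simple.js",
    "built-ins/Temporal/PlainDate/from/basic.js",
    "built-ins/Temporal/overview.js",
    "harness/assert.js",
    "staging/explicit-resource-management/using.js",
]
# Constructed outcomes: pretend two tests failed to transpile.
SAMPLE_OUTCOMES = {
    "language/literals/numeric/zero.js": "lifter: unsupported literal",
    "built-ins/Temporal/PlainDate/from/basic.js": "parser: TypeError",
}
EXPAND_DIRS = frozenset({"built-ins/Temporal"})


def run_sharded(num_shards: int = 3) -> dict:
    """Simulate num_shards bots each transpiling their slice, then merge."""
    per_shard = []
    for idx in range(num_shards):
        mine = shard_tests(SAMPLE_TESTS, num_shards, idx)
        per_shard.append(summarize({t: SAMPLE_OUTCOMES.get(t) for t in mine}, EXPAND_DIRS))
    return merge_results(per_shard)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sharded(), indent=2))
```

The merged mapping is the same whatever the shard count, which is the property the sharded bots rely on.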
Previously, if we caught an error during translation of a RuntimeAssistedMutator's Actions back to FuzzIL instructions, we simply logged an error but otherwise continued the mutation. This, however, can lead to invalid programs as we're essentially deleting the current instruction (which may e.g. have produced an output needed later on). This might then lead to various other crashes later on.
Instead, we should simply abort the mutation when we see such an error.
Bug: 468928010
Change-Id: Iefd1010d9c7bd72444d5be1258f81b3063f7b39b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8849276
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Samuel Groß <saelo@google.com>
Without this, the wrapped error's text is later shown with encoded
linebreaks ("\n").
Bug: 442444727
Change-Id: I2b0aa87d7582d83a8339b105f03ac87df59da873
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8852616
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.
Bug: 448349112
Change-Id: Ifcc6666c0f3c282078954902853dff23b72e43f9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832117
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
See crrev.com/c/7269586 for context. Here we add the fuzzilli-side testcases for the new crash types and also extend the ASAN_OPTIONS with `handle_sigill=1` so we get ASAN splats for non-ud2 SIGILL crashes.
Bug: 42202821
Change-Id: I08d7d42e8ef9869cd1a228ce15654b23c956ded3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8857196
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Samuel Groß <saelo@google.com>
Don't crash on "delete a[numeric_literal]" for cases where numeric_literal is outside of the Int64 range.
Change-Id: Id844f50fbcf2c00e3242094472a5c46163daa092
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9218736
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
There is some failure on the GitHub workflow and I have no idea what's exactly going wrong if the only output is "Could not execute script".
Change-Id: Iba8ac6adb87295e0d3eb364b9431f4488f42b45d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9220436
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
This CL adds a label to each generated loop, which is accessible in its scope via `innerOutputs.last`. When generating `break` or `continue` statements, with a probability of 20%, one of the loop labels that are currently in scope is selected as the target.
A label is added to each loop and increments the variable counter of the program, but it's only emitted if the label is referenced.
In subsequent CLs, I plan to add:
- label support for block, switch, if/else statements
- parsing support for such labels
Change-Id: I79606416e91525a42d5bcd91583f72c904a1dc80
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9206398
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
This CL extends code generation with break statements in block
statements, such as:
L1: {
// ...
break L1;
// ...
}
Change-Id: I4d2ec93db1e6ade577618e9dc6d89e35fa6f806f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9211136
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
When assembling synthetic generators, we picked a path which was short in the context graph (note: getAllPaths did not return all paths, but an arbitrary shortest path), even though that path might require many generator stubs. In particular, AsyncDisposableClassVariableGenerator advertises that it can go from .javaScript to .method, and it probably got picked disproportionally often in comparison to how complex it is.
This CL makes the "shortest path" computation in the context graph take into account how many generator stubs are needed for each edge.
This also fixes the flaky test which was asserting that we always find a path with less than 10 generator stubs.
Fixed: 503657557
Change-Id: Ied65808f3b3ea7e6f42c17672e7cece0fb9ab119
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9220456
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Auto-Submit: Marja Hölttä <marja@google.com>
The template contains a JS function that calls a Wasm function with an inlineable wrapper.
Bug: 353475584, 455524488
Change-Id: I1590eaaa1646b4d966ad6d3e047cf6bf7235631f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9211130
Reviewed-by: Daniel Lehmann <dlehmann@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 435589244 Change-Id: I1a8d2dd8ec1014a6bcf6c34d8c2c17409257d948 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9223176 Auto-Submit: Darius Mercadier <dmercadier@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This CL hides JS labels when opening subroutine scopes (and others)
and unhides them again when these scopes are closed.
The reason is that labels may not be referenced in such scopes.
For example, we don’t want to generate things like:
L1: while (true) {
function f() {
break L1;
}
}
Change-Id: Id3b98e4fcb6244abd72ebdefaa4cdaeb478e420c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9221756
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
This CL adds support for labels to if/else blocks. Each block has its own unique label in the IL. When lifting IL to JS code, the label of the if-block will be emitted.
Bug: 504947197
Change-Id: If72b01f65156b1d33791ae25ea63375a21a6f1fe
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9221776
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Change-Id: I24bb99a2e76a21d1ac8d57edff615f77555901cd Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9220441 Reviewed-by: Daniel Lehmann <dlehmann@google.com> Commit-Queue: Daniel Lehmann <dlehmann@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Like the comment says, if we want to generate a variable of type ".object(type description) + .another_requirement", we need to use the .object type generator, not the .another_requirement type generator. This CL makes the code do what the comment says.
Fixed: 504534963
Change-Id: I0fc3970dc29130eb18c42cec91d28eb5e210e6f8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9227037
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
In subsequent CLs, I'll add support for if/else, switch, and loops (and "continue lbl;").
Bug: 504947197
Change-Id: Idfcd4c6f263b184057a6adbc0478fde6b1b24b34
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9223779
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
This was only added to the generated file, not to the source.
Bug: 504947197
Change-Id: I255fd5471f0aa8270615bb34594e16daa5f57608
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9230417
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Marja Hölttä <marja@google.com>
…e empty string
This makes debug prints easier to read.
Change-Id: I5f11063abed9e312840ddcf041ce17dfefb36ff4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9230296
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Randomly pick up the values for "baseline-batch-compilation", "lazy-feedback-allocation". Also do the same for "stress-lazy-source-positions", but only in non-sandbox fuzzing sessions: this stress enables additional CHECKs that are suppressed by V8's sandbox fuzzer crash filters as non-issues, and hence may result in masking real issues from the fuzzer.
Note that V8 currently has implications from "--fuzzing" and "--jit-fuzzing" that will take precedence over some of these random selections, however this is about to change (see https://crbug.com/475707969).
Bug: 475707969
Change-Id: I56e367afd403578c05dcc3a3011cc183b55801d8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9211137
Commit-Queue: Maksim Ivanov <emaxx@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
ObjectGroupType was unused, but provided a safeguard for forcing the developer to modify groupsMatchByPrefix when adding new ObjectGroupTypes (which the developer likely would do, since ObjectGroupManager.finalize() wanted an ObjectGroupType as a param). This removes ObjectGroupType but adds another safeguard to keep groupsMatchByPrefix working.
Change-Id: I99f194a47cb58ffda4d9131b5ad3aad5549edff4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9233976
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Instead of storing a WasmSignature, store an ILType that describes the Wasm signature definition.
Bug: 445356784
Change-Id: Id28fe78817f7140084eaa87db751b739aa36975d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9129496
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 445356784 Change-Id: Ie030285f1545181e55eabdabe2afa4793e2a69c9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9133336 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Manos Koukoutos <manoskouk@google.com>
We don't need to assert the exact prefixes anymore, since the code below will handle everything automatically. But we can add the assert that the prefixes are not prefixes of each other, instead of relying on human verification.
Change-Id: I4cec6fa48d5b2103ec1f32e897d5e05cbf38e8b9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9233978
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
In line with loops, if/else, and block statements, now switch statements also have a unique label of type .jsBlockLabel. This label is only emitted when it's used.
For "break;" without a label, we still use switchBreak() that requires the .switchCase context. For "break label;", we reuse blockBreak() which requires a .jsBlockLabel to be in scope.
Bug: 504947197
Change-Id: I9fa291e62cb330694119693404d49e37ccbb4cb7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9223516
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Bug: 445356784 Change-Id: If9706cdc8876721e00289eb096f35b555981c129 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9151896 Reviewed-by: Manos Koukoutos <manoskouk@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 504947197 Change-Id: If1b2d420b60e54cee67e43ea91570bf4267e086f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9227078 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Bug: 504947197 Change-Id: Ia94e0b0521df38e9f3b94e434e7e80fda5cc063b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9227536 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 504947197 Change-Id: I82446d1bc4ad71ed518307e7ae3388639a0c6171 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9227556 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Many places were checking hasVisibleVariables, but then calling randomJsVariable() and assuming it will succeed. They should've used hasVisibleJsVariables instead.
Bug: 342521422
Change-Id: I6e407c31751faf1a73bdb3497d515b39253c228a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9234178
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Currently, Fuzzilli has no native mechanism to declare an iterable that yields elements of only a specific type. As a result, Fuzzilli struggles to generate correct programs for code that operates on such iterables. While a workaround is possible by using custom types and CodeGenerators, that approach relies on ProgramBuilder's `setType`, which does not persist type info when the program is saved to the corpus.
This CL introduces parameterizability to the `iterable` type with the addition of the `iterableElementType` to the `TypeExtension`. Importantly, the nature of Fuzzilli makes it so this type is just an assumption at generation time, and does not guarantee that the iterable will not hold elements of other types as a program grows and mutates.
Accompanying this new feature is an update to the `format` method used for debugging. Parameterized iterables are serialized as "iterable<T>", where T is the serialization of the type stored in `iterableElementType`. Additionally, this CL updates internal type generation in `ProgramBuilder` so that parameterized iterables are generated as single-element arrays of the corresponding type parameter.
Bug: 503429420
Change-Id: Ie49882d6eea61a992f51b6e1fab030e2e198144c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9234311
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
Change-Id: I404ec9aba3dedd3caa4f198188c520154f886317 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9240360 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
ExplorationMutator may explore inner outputs, which adds instrumentation code immediately. However, such arbitrary JS code is not allowed in the outer switch context, before a `case` was seen. In general, exploring labels probably does not make sense, so this CL avoids all labels from being explored.
Bug: 504947197
Change-Id: I9ed4b30e12fb277cc4136ec9d4edfa1c0e2166e9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9241640
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Those places were interested in visible JS variables.
Bug: 342521422
Change-Id: I3c7fb727c2d212a76ce5488360f7c8cd011df2bb
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9244060
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
.resumesSurroundingContext is used for a start block that doesn't want to propagate the surrounding context but wants to resume the context surrounding the surrounding context (see implementation of skipsSurroundingContext). This change ensures that we don't use this on .isBlockEnd as a block end will always resume the surrounding context and we shouldn't set this attribute for that as its presence is completely ignored.
Change-Id: Ie2c55fc19c591c68873e73446ecb2e8e8e5748ac
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9248740
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Marja Hölttä <marja@google.com>
updating with head