base fuzzili update #52

Open
Dudcom wants to merge 234 commits into VRIG-RITSEC:agent from googleprojectzero:main

Conversation

Dudcom commented Jan 25, 2026

updating with head

Liedtke and others added 30 commits November 12, 2025 05:11
V8 side change: https://crrev.com/c/7137442

Bug: 457866804
Change-Id: Id01597d3194e4c88d38623f646c1671330e63b43
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8753396
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This replaces the separate logic for lastFunctionVariable with the
generic runtimeData approach.

This doesn't change behavior.

Change-Id: I9cc988879638b423dabc99d4598028caacb6a3de
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8714836
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Similarly to objects as disposable variables, this enables generating
instances of classes as disposable variables, used with both:
`using` and `await using`.

The generators have the new style and provide a class with a
computed method with Symbol.dispose or Symbol.asyncDispose.

As a fly-by, this also makes use of `b.runtimeData` to store the
symbol of the existing generator for disposable objects.

Bug: 446632644
Change-Id: I433ce357e4649230b803361e6fba15ca2cb954e2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8715016
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
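Added example, not part of this PR or of Fuzzilli's generator: the shape of program the commit above aims to produce, a class whose instances are disposable through computed methods keyed by `Symbol.dispose` / `Symbol.asyncDispose`, together with a small helper that emulates the semantics of a `using` / `await using` block (reverse-order disposal, disposal even when the body throws, `null`/`undefined` skipped, `await using` falling back to `Symbol.dispose`). The helper is used instead of the `using` syntax so the example runs on engines that ship the well-known symbols but not the syntax; the `Symbol.for(...)` fallbacks are an assumption for runtimes that predate the symbols entirely.

```javascript
// Added example (not Fuzzilli code). Well-known symbols with a fallback for
// runtimes that do not define them yet (assumption, see lead-in).
const DISPOSE = Symbol.dispose ?? Symbol.for('Symbol.dispose');
const ASYNC_DISPOSE = Symbol.asyncDispose ?? Symbol.for('Symbol.asyncDispose');

// Classes with computed disposal methods; `log` records disposal order.
class SyncResource {
  constructor(name, log) { this.name = name; this.log = log; }
  [DISPOSE]() { this.log.push(`sync:${this.name}`); }
}

class AsyncResource {
  constructor(name, log) { this.name = name; this.log = log; }
  async [ASYNC_DISPOSE]() {
    await Promise.resolve();            // simulate asynchronous teardown
    this.log.push(`async:${this.name}`);
  }
}

// Emulates `using r1 = ..., r2 = ...; body()`: resources are disposed in
// reverse order after the body, even if the body throws; null/undefined are
// allowed and skipped; a non-disposable value is a TypeError at declaration
// time, and resources declared before it are still disposed.
function withUsing(resources, body) {
  const disposers = [];
  let value, bodyError, threw = false;
  try {
    for (const r of resources) {
      if (r === null || r === undefined) continue;
      const fn = r[DISPOSE];
      if (typeof fn !== 'function') throw new TypeError(`${String(r)} is not disposable`);
      disposers.push(() => fn.call(r));
    }
    value = body();
  } catch (e) { bodyError = e; threw = true; }
  let disposeError, disposeThrew = false;
  while (disposers.length) {
    try { disposers.pop()(); } catch (e) { if (!disposeThrew) { disposeError = e; disposeThrew = true; } }
  }
  // The real `using` wraps a body error and a disposal error in SuppressedError;
  // here the disposal error simply wins, as it does in a native finally block.
  if (disposeThrew) throw disposeError;
  if (threw) throw bodyError;
  return value;
}

// Emulates `await using`: prefers Symbol.asyncDispose, falls back to
// Symbol.dispose, and awaits each disposer in reverse order.
async function withAsyncUsing(resources, body) {
  const disposers = [];
  let value, bodyError, threw = false;
  try {
    for (const r of resources) {
      if (r === null || r === undefined) continue;
      const fn = r[ASYNC_DISPOSE] ?? r[DISPOSE];
      if (typeof fn !== 'function') throw new TypeError(`${String(r)} is not async-disposable`);
      disposers.push(() => fn.call(r));
    }
    value = await body();
  } catch (e) { bodyError = e; threw = true; }
  let disposeError, disposeThrew = false;
  while (disposers.length) {
    try { await disposers.pop()(); } catch (e) { if (!disposeThrew) { disposeError = e; disposeThrew = true; } }
  }
  if (disposeThrew) throw disposeError;
  if (threw) throw bodyError;
  return value;
}

// Scenarios a generated test program would exercise.
function demoSync() {
  const log = [];
  const result = withUsing(
    [new SyncResource('a', log), new SyncResource('b', log), null],
    () => 'body-ran');
  return { result, log };
}

function demoThrowingBody() {
  const log = [];
  let caught = null;
  try {
    withUsing([new SyncResource('a', log)], () => { throw new Error('boom'); });
  } catch (e) { caught = e.message; }
  return { caught, log };
}

async function demoAsync() {
  const log = [];
  // Mixed: an async-disposable and a sync-disposable under `await using`.
  const result = await withAsyncUsing(
    [new AsyncResource('a', log), new SyncResource('b', log)],
    async () => 'async-body-ran');
  return { result, log };
}
```

Disposal order is the observable that matters for the fuzzer: `b` is disposed before `a`, and a throwing body must not skip disposal.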
V8-side change: https://crrev.com/c/7137292

Bug: 455552707
Change-Id: Ifd5f44b69ef62f18ecfa03525e988bd2f43253cc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8756377
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Victor Gomes <victorgomes@google.com>
Many (all?) JS engines have optimizations for string concatenations.
To make it more likely to have such concatenated strings (ConsString in
V8), add a code generator for string concatenation.

Fixed: 455552707
Change-Id: I0a9bf66a5f721d38f34327f7acd8c5344086cf10
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8756756
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
Reviewed-by: Victor Gomes <victorgomes@google.com>
So far this will only fuzz the definition of these signatures as there
aren't any operations registered which would make use of these
definitions, yet.

Bug: 445356784
Change-Id: I1c6b99e863bf359e4c505605d2d7f64533553f19
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8753596
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: Ib70851f9cd9d11f39501815280d6ea641c6df40e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8764020
Reviewed-by: Carl Smith <cffsmith@google.com>
Commit-Queue: Carl Smith <cffsmith@google.com>
Auto-Submit: Pawel Krawczyk <pawkra@google.com>
Bug: 458429784
Change-Id: If21b4e7bd0670939f0413c11e8d6c8ef1b5e5823
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783156
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Auto-Submit: Darius Mercadier <dmercadier@google.com>
type for input requirements and output guarantees.

Bug: 445356784
Change-Id: Ib1319c8e42e33688c7c0921b166e46e50b031748
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8760696
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Carl Smith <cffsmith@google.com>
Bug: 429332174
Change-Id: Ic644ce211f96e1bd2c3044bc14fa12ee4410fa24
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783696
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
V8-side-change: https://crrev.com/c/7178541
Right now this probably doesn't change much as the ProgramTemplate from
commit 9e2e2a3 uses multiple
assignments and other instructions will never emit the correct bytecode
due to how expression inlining is implemented for assignments right
now. Still, it doesn't hurt to add this flag to Fuzzilli as well.

Bug: 429332174
Change-Id: I7a4318ba434d701c530fef72a31bce1497f51529
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8792496
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Change-Id: Ib196ad69f5a3a09620b82da5e60694777a024aef
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783856
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Pawel Krawczyk <pawkra@google.com>
This way the new code generation logic can resolve dependencies when it
requires a Wasm struct, array, or signature type.
In theory, these could all be registered as separate code generators,
however it seems simpler having one that just generates all 3 types.

We need the separate generator and can't rely on the "inner" generators
like the "ArrayTypeGenerator" as these can only run inside the
`.wasmTypeGroup` context.

Bug: 445356784
Change-Id: I5c2b9e37aeb9b3ab50f05a37e49147efff4acaa7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8767377
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Change-Id: I9f502e7d70fcccbb335f424391bebfdb6561f3e0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8764022
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
V8-side-change: https://crrev.com/c/7198340

Change-Id: I423361da98643dcde469b8a13c6b7df44114d8c6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8793536
Reviewed-by: Dominik Klemba <tacet@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
…function

To allow defining a block with a wasm-gc signature while already being
in the .wasmFunction context, this change adds a new operation
WasmDefineAdHocSignature. This way statements requiring a signature type
input can directly embed this signature definition inside the function.

Bug: 445356784
Change-Id: I56754224551ea82883c71410f4aca957b7bf24d4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8787096
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
To ensure that this function is correctly detected as a crash in both
regular fuzzing and sandbox fuzzing configurations

Change-Id: I22eae385d08d343926624d5e6f33b7e6dbf72993
Bug: 461681036
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796176
Commit-Queue: Samuel Groß <saelo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This change increases the probability of accessing the length of rest
parameters and rest elements to improve fuzzing coverage of V8's
optimizations for RestLength (rest.length). With a 20% probability, a
FuzzIL variable is created for the "length" property of a newly created
rest parameter or element. This affects all function types and array
destructuring generators.

For function generators and 'ForOfWithDestructLoopGenerator', we do not
need to check if outputs are empty: 'hasRestParameter' implies the
existence of parameters, and loop generation logic guarantees non-empty
indices. For 'DestructArrayGenerator' and
'DestructArrayAndReassignGenerator', we now ensure that 'lastIsRest' is
only true when the variable list is non-empty. Assertions were also
added to the DestructArray instructions to enforce this invariant.

Bug: 456162872
Change-Id: I37b78cc892aac5bb5e5164864863dc51dba40f51
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8741996
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Change-Id: I02ac85b1f90e3a21a6310157457d2e0c0ec364d3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796658
Auto-Submit: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
Bug: 455512155,455513417
Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
This adds a stand-alone python script with the following
properties:
* Mimic various test configs from V8 (for now test262 without staging)
* List all supported tests from a config
* Transpile all tests in parallel (i.e. compile to FuzzIL and lift
  back to JS)
* Print statistics and return relevant results as a json file
* The results contain stats that we can track as a metric, e.g.
  the percentage of properly transpiled tests.

The script is tested with a Python unit test that runs the script
E2E, also hooked up through a presubmit script so that it's tested
on updates.

Bug: 442444727
Change-Id: I29c89cede59aef885e45a0ae0821d3388bc51e8f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8787097
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This makes the executor look for Node.js in the CWD, which makes it
easy to bundle both together when porting the FuzzILTool to another
machine.

Bug: 442444727
Change-Id: I80adcde79fb6d773f3f47817da24188bbbe5431e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796659
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Generating shared ref variables to be done in following CLs.

See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.

Bug: 448349112
Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
This reverts commit e35cbb5.

Reason for revert: Crashes and not reviewed yet.

Original change's description:
> Add support for shared references.
>
> Generating shared ref variables to be done in following CLs.
>
> See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.
>
> Bug: 448349112
> Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
> Reviewed-by: Dominik Klemba <tacet@google.com>
> Commit-Queue: Pawel Krawczyk <pawkra@google.com>

Bug: 448349112
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I8bc73bef53d053078db9318de6408d4dbf2f4cda
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8810396
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
This change allows the JavaScriptLifter to inline arrow functions (e.g., 'foo(() => 42)') by treating them as expressions.

- Adds ArrowFunctionExpression to JSExpressions.
- Updates JavaScriptLifter to detect recursive arrow functions and block boundaries.
- Non-recursive arrow functions are buffered and assigned as expressions.
- Recursive arrow functions retain the original variable declaration strategy.
- Implements concise body syntax ('() => expr') for single-line returns without comments.
- Updates JavaScriptWriter to use emitBlock for multi-line inlined expressions.

Bug: 464228572, 456164925
Change-Id: Ic4618c2ba92ad96d95303e83f8551c13beef508c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8808456
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
This is a mini-fuzzer for the new BytecodeVerifier in V8. It uses
%GetBytecode to obtain a JS representation of the BytecodeArray of an
existing function, mutates it, then installs it back on the function
using %InstallBytecode and finally executes the function.

As the verifier only ensures that the bytecode does not cause a sandbox
breakout (not general memory corruption), the mini-fuzzer is also
specific to the V8Sandbox fuzzing profile.

Bug: 461681036
Change-Id: Iac64f3c9532f47455c57cf4251197771b0663612
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8814316
Commit-Queue: Samuel Groß <saelo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This enables calling the script with the arguments --num-shards and
--shard-index. The former defines on how many shards (bots) the
overall task gets distributed, the latter the index n to
deterministically determine the sub-task for the n'th shard.

The test order is deterministic and we assume that this script is
called from different shards with the same test archive. The sub task
is then evenly divided with a simple modulo algorithm.

Bug: 442444727
Change-Id: I32803d2bae14f9387e445b627363f4de7ac7efe4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8817538
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
…bility)."

This reverts commit 8a542af.

Reason for revert: V8/d8 is not seeded, therefore crashes are not reproducible (and the code is unstable).

Original change's description:
> Throw exception in TryCatchFinally blocks (with certain probability).
>
> Bug: 455512155,455513417
> Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096
> Commit-Queue: Pawel Krawczyk <pawkra@google.com>
> Reviewed-by: Dominik Klemba <tacet@google.com>

Bug: 455512155,455513417
Change-Id: I17514fcc50b60232faccd0a7b418fad0b187174d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821316
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This makes it possible to call the script from some nested work dir.

Bug: 442444727
Change-Id: I5f6f4313b652cb09e4d168785e78a2334495ccd9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821322
Auto-Submit: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This allows using parameter types which are indexed types
(things like `(ref null 1)`).

Implementation:
- Each WasmLoop instruction now takes its signature as the first input.
- The static signature types are removed from the begin and endLoop.
- The loop code generator emits an "ad hoc" signature in order to emit
  signatures for which we already have corresponding inputs available.

Bug: 445356784
Change-Id: Ic58ab7d6a092a39de77c974142dd7f976786e8e1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8792956
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Liedtke added 2 commits April 1, 2026 07:09
To align better with the current formatting. No other reason.
Also add a few swift-ignore-format annotations for weights.

Bug: 430616180
Change-Id: I07b5dae4938578a49ec393faaf18959e2867e58f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9155817
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
The implicit import mechanism in Wasm needs a rework sooner or later.
For now, let's make it more robust in this case.

Fixed: 498266575
Change-Id: I17cc0021cbe945d5db16029c451e3ea6bfb55ff1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9159837
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>

Dudcom commented Apr 1, 2026

we are in hell

marjakh and others added 27 commits April 1, 2026 23:21
Change-Id: I9e7e47344d5c9fb3e56545be210788e1d8e492ef
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9155596
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
RAB/GSAB was shipped a while ago; we don't need the boosted weights any more.

Change-Id: Ic7da221bc2d47b1966906566d1e0ca4616251153
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9160936
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: If51387c564c5c4245d23122be751ce46682b0fee
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9159756
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Mostly just to match the naming of `newValue` and the subtyping idea of
the forUseAs where we try to find something that is a subtype of the
current variable's type, not the other way around.

Change-Id: I3144025a0e1850892936087fdf275d318943f963
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9159757
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 430616180
Change-Id: I12f41e8c87913481f05f3bf350acdb88ac08c163
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9155818
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Bug: 430616180
Change-Id: I6784d3f4232e11b272cbb7a345713edff05c7426
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9156216
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
This CL adds support for default parameters in generated functions.

Methods with default parameters, and JS to FuzzIL compilation
code will be added later.

Change-Id: I5b3583a8656c72a4068c497677bd6f18c98badb8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9176497
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
This CL adds JS to FuzzIL transpilation support for default
parameters in the context of functions.

Change-Id: If3451444a6ef0ce032825039a92acbef340438ed
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9182176
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Change-Id: Id5d47cf3d566fbcd1d9e671220d9cdcc930b201a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9182836
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Change-Id: I8d4b9ee4f0648091b06262a0cbee6a65b311db92
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9184556
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds support for default parameters in generated methods
and constructors.

JS to FuzzIL compilation code will be added in a subsequent CL.

Change-Id: Idc8ba4b53be0373f5090e7b8f78db583e3eab0dd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9184576
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
This CL adds JS to FuzzIL transpilation support for default
parameters in the context of methods.

Change-Id: I92b72780e1e994b86d067f3239d87507afde15f7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9184577
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Change-Id: I4e0f51c795d4d262c420b28cbc059e70b4060506
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9189336
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Fuzzilli currently only has support for enumerations with string values.
Being able to represent integer enumerations through the Fuzzilli type
system would reduce the amount of supporting code that profile authors
need to write.

For instance, if a method has an argument that is of an integer
enumeration type, the current approach would be to mark the argument as
an `integer` in the Fuzzilli profile and write a custom CodeGenerator
that constrains the argument's values to those of the enumeration. The
author cannot rely on CodeGenerators such as `MethodCallGenerator`,
since these will overwhelmingly provide incorrect integer values for
this argument.

This CL introduces the `intEnumeration` type to Fuzzilli to support
integer enumerations. The changes follow the example set by the existing
`enumeration`. Namely, the introduction of a `customName` field for
integers allows Fuzzilli to reliably distinguish regular integer
variables from intEnumeration variables.

Rather than complicating the `isEnumeration` and
`isEnumerationOrNamedString` properties on `ILType`, this CL also
introduces an `isEnumeration` parameter to the `TypeExtension`
constructor to explicitly identify enumerations.

Fixed: 500001059
Change-Id: Ia5b2c632864a0b9fa7e7d4c7357f0de3e0a5e23c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9182892
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This change refactors the WasmTypeGroupReducer to not just remove unused
type definitions from the WasmEndTypeGroup but to also remove the type
definition itself. In general, the GenericInstructionReducer should take
care of that, however, with a sufficiently large program it could happen
that the minimization doesn't finish within its max iteration count and
it removed the input-wiring but not the type definition.

The CodeGenMutator can then perform a `buildIntoTypeGroup()` and add a
new struct type that uses the "unexported" type definition as an element
type.
Subsequently, another run of the CodeGenMutator can add a WasmStructNew
operation that will then call jsTyper.getWasmTypeDef() which relies on
all types inside a type group (including the element type) being
exported by the WasmEndTypeGroup operation, which isn't the case here,
causing the fatalError.

Bug: 475996631
Change-Id: I269d7c9c2069c1b31e85a17e103c87f593a241f0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9188577
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
There isn't any escaping that prevents having property names containing
new-lines, and we do not escape them, e.g. in the FuzzILLifter.
This should be fine; the indentation might be ugly for it, and in the
JavaScriptLifter in the worst case we might create syntax errors, but
consistently and properly escaping string literals is not something that
Fuzzilli seems to do (as of now).

Change-Id: I974d10ecbe5d919b898e418815d8f72c199d0178
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9206257
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
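Added example, not Fuzzilli's lifter and not part of this PR: what consistent escaping of emitted property names looks like, and why it matters beyond ugly indentation. A bare property name containing a new-line makes the lifted object literal a syntax error, and a name containing `:` or `,` silently changes the structure of the emitted program instead of failing. Emitting every non-identifier key as a JSON string literal fixes both. `naiveLift`, `safeLift`, `liftKey` and the sample objects are constructed for this example.

```javascript
// Added example (not Fuzzilli code): emitting object-literal property keys
// so that arbitrary names always lift to valid JavaScript.

// Names that can be emitted bare. Reserved words are fine here because any
// IdentifierName is allowed as an object-literal property name ({ class: 1 }).
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function liftKey(name) {
  // JSON.stringify escapes quotes, backslashes, \n, \r and other control
  // characters, i.e. exactly the characters that would otherwise end the key
  // early or break the line.
  return IDENT.test(name) ? name : JSON.stringify(name);
}

// The unescaped emission: the key goes into the source text verbatim.
function naiveLift(props) {
  return '{' + Object.entries(props)
    .map(([k, v]) => `${k}: ${JSON.stringify(v)}`).join(', ') + '}';
}

// The escaped emission: identifier keys bare, everything else quoted.
function safeLift(props) {
  return '{' + Object.entries(props)
    .map(([k, v]) => `${liftKey(k)}: ${JSON.stringify(v)}`).join(', ') + '}';
}

// Parse and evaluate an emitted literal the way the target engine would.
function evalLiteral(src) {
  return new Function('return (' + src + ');')();
}

// true if the emitted source is syntactically valid, false on SyntaxError;
// any other error is unexpected and propagated.
function parses(src) {
  try { new Function('return (' + src + ');'); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Check that an emitted literal evaluates back to an object with exactly the
// intended keys and values (the invariant a lifter should guarantee).
function roundTrips(props, lift) {
  if (!parses(lift(props))) return false;
  const obj = evalLiteral(lift(props));
  const want = Object.entries(props);
  return Object.keys(obj).length === want.length &&
    want.every(([k, v]) => Object.prototype.hasOwnProperty.call(obj, k) && obj[k] === v);
}

// Constructed sample inputs.
const NEWLINE_KEY = { 'a\nb': 1 };                     // breaks parsing when bare
const MIXED = { 'a\nb': 1, 'x y': 2, 'quote"d': 3, class: 4 };
const STRUCTURE_CHANGING = { 'evil: 0, injected': 1 }; // parses, but as two properties
```

Running `roundTrips(STRUCTURE_CHANGING, naiveLift)` is the case a syntax-error check alone would miss: the naive emission parses cleanly but yields an object with keys `evil` and `injected`, so the lifted program no longer matches the FuzzIL it came from.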
This feature isn't usable standalone any more, only as part of the
turbolev pipeline. As such we'll be testing this implicitly via
--turbolev-future (and eventually --turbolev once it's stable enough).

Bug: 353475584, 455524488
Change-Id: I1f7566952c7fb33b20f59a58fd0795b5fa0bee16
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9206258
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Daniel Lehmann <dlehmann@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This allows specifying, e.g.,
  --corpusGenerationIterations=1
such that the main fuzzing phase is triggered earlier.

This can be helpful for quickly checking if a change
causes a problem in the main fuzzing phase.

Change-Id: Iedee6175b7fe15f677bb5a015aeeea555f7ce16b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9207316
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
The fuzzer should report whether node.js wasn't available or whether
the npm dependencies were missing.
This commit also changes the order of the two warnings, so we first
print:
> Mutated program did not crash, reporting original crash of the
> instrumented program
and then print any failures for trying to transpile the instrumented
program.

Bug: 488963988
Change-Id: I30fd95b8a0eaa10fb0050866cf5099e356086dd6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9206260
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
There isn't any guarantee for that; in the worst case, removing comments
can be enough to not encounter a crash any more (mostly in cases of
moving gc-intervals, as the JS code itself is part of the JS heap and
therefore its size can affect reproducibility).

Bug: 488963988
Change-Id: Id41eb32cc7517965c1de425e1d1be76ddd9f4370
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9206261
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bundles can contain multiple scripts which will be executed
sequentially.

Modules will be added as a follow up.

Bug: 342521422
Change-Id: Icedae3b6805bf6db0359bb6fbdff69cfb2f0d48a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9184296
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Change-Id: I2d86a3970a67ac92c9a2c8690b255b18b8d71bee
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9210757
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Change-Id: I04428445c2feae6749a74f71a63ce4e3363f3f3a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9211138
Reviewed-by: Marja Hölttä <marja@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: Ifa582d369584dc6ba774112f5f7dba6f1b7663fb
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9210758
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
…erating bundles

Bug: 342521422
Change-Id: I5b40c6c2e97ed1e52a48d987d96cb00bbbdf82c9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9211116
Auto-Submit: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
This CL renames wasm-related labels to better distinguish them
from js-related labels, which we're currently adding.

Change-Id: I9682b4a30e18c0d4f5704a49a2890c4647def159
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9210958
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This cleans up the code a bit.

Change-Id: I12c467936fbfaceec025922aee407e00ce82c545
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9211219
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>