base fuzzili update #52
Open
Dudcom wants to merge 273 commits into
This reverts commit e35cbb5.

Reason for revert: Crashes and not reviewed yet.

Original change's description:
> Add support for shared references.
>
> Generating shared ref variables to be done in following CLs.
>
> See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.
>
> Bug: 448349112
> Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
> Reviewed-by: Dominik Klemba <tacet@google.com>
> Commit-Queue: Pawel Krawczyk <pawkra@google.com>

Bug: 448349112
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I8bc73bef53d053078db9318de6408d4dbf2f4cda
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8810396
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
This change allows the JavaScriptLifter to inline arrow functions (e.g., 'foo(() => 42)') by treating them as expressions.
- Adds ArrowFunctionExpression to JSExpressions.
- Updates JavaScriptLifter to detect recursive arrow functions and block boundaries.
- Non-recursive arrow functions are buffered and assigned as expressions.
- Recursive arrow functions retain the original variable declaration strategy.
- Implements concise body syntax ('() => expr') for single-line returns without comments.
- Updates JavaScriptWriter to use emitBlock for multi-line inlined expressions.
Bug: 464228572, 456164925
Change-Id: Ic4618c2ba92ad96d95303e83f8551c13beef508c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8808456
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
This is a mini-fuzzer for the new BytecodeVerifier in V8. It uses %GetBytecode to obtain a JS representation of the BytecodeArray of an existing function, mutates it, then installs it back on the function using %InstallBytecode and finally executes the function.

As the verifier only ensures that the bytecode does not cause a sandbox breakout (not general memory corruption), the mini-fuzzer is also specific to the V8Sandbox fuzzing profile.

Bug: 461681036
Change-Id: Iac64f3c9532f47455c57cf4251197771b0663612
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8814316
Commit-Queue: Samuel Groß <saelo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This enables calling the script with the arguments --num-shards and --shard-index. The former defines how many shards (bots) the overall task gets distributed over, the latter the index n to deterministically determine the sub-task for the n'th shard.

The test order is deterministic and we assume that this script is called from different shards with the same test archive. The sub-task is then evenly divided with a simple modulo algorithm.

Bug: 442444727
Change-Id: I32803d2bae14f9387e445b627363f4de7ac7efe4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8817538
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
…bility)."

This reverts commit 8a542af.

Reason for revert: V8/d8 is not seeded, therefore crashes are not reproducible (and the code is unstable).

Original change's description:
> Throw exception in TryCatchFinally blocks (with certain probability).
>
> Bug: 455512155,455513417
> Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096
> Commit-Queue: Pawel Krawczyk <pawkra@google.com>
> Reviewed-by: Dominik Klemba <tacet@google.com>

Bug: 455512155,455513417
Change-Id: I17514fcc50b60232faccd0a7b418fad0b187174d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821316
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This makes it possible to call the script from some nested work dir.

Bug: 442444727
Change-Id: I5f6f4313b652cb09e4d168785e78a2334495ccd9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821322
Auto-Submit: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This allows using parameter types which are indexed types (things like `(ref null 1)`).

Implementation:
- Each WasmLoop instruction now takes its signature as the first input.
- The static signature types are removed from the begin and endLoop.
- The loop code generator emits an "ad hoc" signature in order to emit signatures for which we already have corresponding inputs available.

Bug: 445356784
Change-Id: Ic58ab7d6a092a39de77c974142dd7f976786e8e1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8792956
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
* JSON.parse source text access & RawJSON
* Iterator helpers
* upsert

Change-Id: I1dad9b38c1a42ba8cfdb055651db06e0947dd184
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8814317
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Olivier Flückiger <olivf@google.com>
Auto-Submit: Olivier Flückiger <olivf@google.com>
This adds a simple script to merge data from multiple sharded calls to transpile_tests.py. We keep the merge script side-by-side with the main script to ease changing details in the data later, e.g. adding additional keys.

This also drops two redundant entries from the current format.

Bug: 442444727
Change-Id: I774c078455028a01eb97276b90120a0f03c14f7a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832116
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 442444727
Change-Id: I6bc7c8744a7237e6d7c7c4bb204aeb530ed272e5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832418
Auto-Submit: Michael Achenbach <machenbach@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Besides the existing --gc-interval=n flag, this can help find bugs for a GC happening at a specific point in a builtin or runtime function.

Bug: 467294029
Change-Id: I9d78d7d01d229ecd3e0c631f9d1e2f54a456b4ba
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832419
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Calling apply() with an array like this generator does will create a function call with as many arguments as the size of the array. It is meant to cover the discrepancies in max argument counts between turboshaft and maglev.

Bug: b/455503442
Change-Id: Ia605368687970369e168796273486d75de4cc811
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8839116
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Hendrik Wüthrich <whendrik@google.com>
This flag is incomplete. Before fuzzing it, all V8 tests should pass. Recent fuzzer reports show that this is not the case.

Bug: 468167782
Change-Id: I80d2cba60f1d553dd47cff338dee40a3b7c1ffbd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8843276
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Thibaud Michaud <thibaudm@google.com>
Commit-Queue: Thibaud Michaud <thibaudm@google.com>
This enhances the results format after test transpilation.
Before, we had only one level of:
{num_tests: int, failures: [{path: string, output: string}]}
Now we'll key the two lowest directory levels in Test262, e.g. for a
typical path like: language/literals/boolean/S7.8.2_A1_T1.js,
the key would be language/literals.
All results under this directory will be listed as a dict value,
with numbers and failures as previously, further directories
accordingly:
{
language/literals: {num_tests: ..., failures: ...},
language/identifiers: ...
...
}
We will now transpile all Test262 tests in one run and won't need
to exclude any subdirectories, like staging, as we can now report
separate numbers anyways.
This also updates the merge script to the new format and adds
additional unit tests for some helper functions.
Bug: 442444727
Change-Id: Idf23c650c646bc970d81fc8a318d4a8c76797a4d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8841396
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Liviu Rau <liviurau@google.com>
JS files often contain meta data in leading comments. We require these comments to be able to execute JS code again after transpiling it with the FuzzILTool. This preserves such comments, whenever the `--outputPathJS` option is used. The comments are extracted using information from the Babel AST in the parser.

Bug: 442444727
Change-Id: Ibc9fda5f99a69123672b75970f9b5801c2695074
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8839676
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Added generators for:
- ResizableArrayBuffer (RAB) and GrowableSharedArrayBuffer (GSAB) operations (resize, grow).
- Creating TypedArrays and DataViews from buffers (including fixed-length views).
- Converting Wasm memory to RAB/GSAB.
- Increasing chance of accessing last element

Improved existing generators:
- ResizableArrayBufferGenerator, GrowableSharedArrayBufferGenerator

Added a program template testing the interaction between Wasm memory growth and JS buffer resizing.

Change-Id: I2127a84796470efff4304402f8fd7a9cc3b8f008
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8836397
Commit-Queue: Dominik Klemba <tacet@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
In the overall results directory tree, certain directories contain large and interesting subtrees (e.g. large directories with low import coverage). This change enables us to list such additional directories to expand their subdirectories in the results mapping. E.g. if now a directory is listed in this config, the directory itself and one level of subdirectories below are now also listed as single result entities.

Bug: 442444727
Change-Id: Iba585221622c054985f2307389fccf35d3b10fec
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8845316
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Reviewed-by: Liviu Rau <liviurau@google.com>
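The three transpile_tests.py mechanisms described in the commit messages above (the --num-shards/--shard-index modulo split, the results mapping keyed by the two lowest Test262 directory levels, and the config that expands selected directories one level further, plus the merge of per-shard results) as one added Python example. This is editor-written illustration code, not the project's transpile_tests.py or its merge script; the function names, the `expand_dirs` list, and the sample test paths and outputs are assumptions constructed for this example.

```python
from collections import defaultdict


def shard(tests, num_shards, shard_index):
    """Deterministically select the sub-task for the shard_index'th of
    num_shards bots: sort the test list so every bot sees the same order,
    then keep every test whose position is congruent to shard_index."""
    if num_shards < 1 or not 0 <= shard_index < num_shards:
        raise ValueError("invalid shard configuration")
    ordered = sorted(tests)
    return [t for i, t in enumerate(ordered) if i % num_shards == shard_index]


def result_key(path, expand_dirs=()):
    """Key a test path by its two lowest directory levels, so that
    language/literals/boolean/S7.8.2_A1_T1.js maps to language/literals.
    A directory listed in expand_dirs (an assumed config list) is reported
    as its own entry, and so is each directory one level below it."""
    dirs = path.split("/")[:-1]  # drop the file name
    for d in sorted(expand_dirs, key=len, reverse=True):  # longest match wins
        prefix = d.split("/")
        if dirs[: len(prefix)] == prefix:
            return "/".join(dirs[: len(prefix) + 1])
    return "/".join(dirs[:2])


def collect(outcomes, expand_dirs=()):
    """Turn (path, output) pairs into the nested results mapping. output is
    None for a passing test, otherwise the captured failure text."""
    results = defaultdict(lambda: {"num_tests": 0, "failures": []})
    for path, output in outcomes:
        entry = results[result_key(path, expand_dirs)]
        entry["num_tests"] += 1
        if output is not None:
            entry["failures"].append({"path": path, "output": output})
    return _canonical(results)


def merge(shard_results):
    """Merge the per-shard mappings: counts add up, failure lists concatenate."""
    merged = defaultdict(lambda: {"num_tests": 0, "failures": []})
    for result in shard_results:
        for key, entry in result.items():
            merged[key]["num_tests"] += entry["num_tests"]
            merged[key]["failures"].extend(entry["failures"])
    return _canonical(merged)


def _canonical(results):
    """Plain dict with failures sorted by path, so a merged run compares
    equal to an unsharded run regardless of which shard saw which test."""
    return {
        key: {"num_tests": e["num_tests"],
              "failures": sorted(e["failures"], key=lambda f: f["path"])}
        for key, e in sorted(results.items())
    }


# Constructed sample corpus: paths and outputs are made up for this example
# and are not real Test262 results.
OUTCOMES = {
    "language/literals/boolean/S7.8.2_A1_T1.js": None,
    "language/literals/numeric/S7.8.3_A1.js": "SyntaxError: unexpected token",
    "language/identifiers/start-unicode.js": None,
    "staging/sm/foo.js": "ReferenceError: bar is not defined",
    "built-ins/Temporal/PlainDate/from/argument-string.js": None,
    "built-ins/Temporal/PlainDate/prototype/add/basic.js": "TypeError: not a function",
    "built-ins/Temporal/Duration/basic.js": None,
    "built-ins/Temporal/top-level.js": None,
}
EXPAND = ("built-ins/Temporal",)  # assumed config: directories to expand


def run_shard(num_shards, shard_index, expand_dirs=EXPAND):
    """What one bot would produce for its slice of the corpus."""
    mine = shard(OUTCOMES, num_shards, shard_index)
    return collect(((p, OUTCOMES[p]) for p in mine), expand_dirs)


def run_sharded(num_shards, expand_dirs=EXPAND):
    """Drive every shard locally and merge, as the merge script would."""
    return merge(run_shard(num_shards, i, expand_dirs) for i in range(num_shards))


if __name__ == "__main__":
    import json
    print(json.dumps(run_sharded(3), indent=2))
```

The property worth checking before trusting a sharded run is that merging the shards yields exactly the mapping a single unsharded run would produce; `_canonical` sorts keys and failures so that comparison is order-independent, and `shard` raises on an out-of-range index rather than silently returning an empty slice.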
Previously, if we caught an error during translation of a RuntimeAssistedMutator's Actions back to FuzzIL instructions, we simply logged an error but otherwise continued the mutation. This, however, can lead to invalid programs as we're essentially deleting the current instruction (which may e.g. have produced an output needed later on). This might then lead to various other crashes later on.

Instead, we should simply abort the mutation when we see such an error.

Bug: 468928010
Change-Id: Iefd1010d9c7bd72444d5be1258f81b3063f7b39b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8849276
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Samuel Groß <saelo@google.com>
Without this, the wrapped error's text is later shown with encoded
linebreaks ("\n").
Bug: 442444727
Change-Id: I2b0aa87d7582d83a8339b105f03ac87df59da873
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8852616
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.

Bug: 448349112
Change-Id: Ifcc6666c0f3c282078954902853dff23b72e43f9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832117
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
See crrev.com/c/7269586 for context. Here we add the fuzzilli-side testcases for the new crash types and also extend the ASAN_OPTIONS with `handle_sigill=1` so we get ASAN splats for non-ud2 SIGILL crashes.

Bug: 42202821
Change-Id: I08d7d42e8ef9869cd1a228ce15654b23c956ded3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8857196
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Samuel Groß <saelo@google.com>
Bug: 468928010
Change-Id: I00d34c83bf727b1efece464787910ecfdc3a61fe
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8861036
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Samuel Groß <saelo@google.com>
Bug: 448349112
Change-Id: Icef73c9f72668e31b48d6c71699b0392f20a5fb2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832118
Auto-Submit: Pawel Krawczyk <pawkra@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
Though Fuzzilli has no way to introduce a double quote character into a string, it can get them when tests are imported from JS. We assume the string representations in FuzzIL are raw (i.e. not escaped) and now escape the double quote character when lifting to JS.

Bug: 469712158
Change-Id: I33e843b39959538fc5a1f0aacaae522af63ec1c0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8857197
Reviewed-by: Samuel Groß <saelo@google.com>
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This guards an optional unwrapping that frequently fails in production with an assertion with more debug output.

Bug: 470273473
Change-Id: I17cbc86c698ff629708d9fd893e2bec80a79b6d8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8888616
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
This is a follow-up to commit beddc75.

Bug: 470273473
Change-Id: Ia3bc85a8632efe75a009f5c11ec47b3611f42998
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8901816
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
This reverts commit 36d6258.

Reason for revert: The code we want to target is unreachable due to hitting syntax errors from the parser before we could ever compile and bailout.

Original change's description:
> Add ManyArgumentsCall CodeGenerator
>
> Calling apply() with an array like this generator does will create a
> function call with as many arguments as the size of the array.
> It is meant to cover the discrepancies in max argument counts between
> turboshaft and maglev.
>
> Bug: b/455503442
> Change-Id: Ia605368687970369e168796273486d75de4cc811
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8839116
> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
> Commit-Queue: Hendrik Wüthrich <whendrik@google.com>

Bug: b/455503442
Change-Id: Ie18ec8668485fe8518b14a7d95ba6dea74886364
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8910656
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Hendrik Wüthrich <whendrik@google.com>
Change-Id: I6d1d5fad1fee59368e3b277e43db96f56e8ff903
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8902196
Commit-Queue: Olivier Flückiger <olivf@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Inlining can crash if a function is also used as a disposable variable in some other function.

This also adds a minimizer test that demonstrates the crash in patchset 10.

Bug: 468928010
Change-Id: Ic9554163e536b0cfb909783ec401062014270cf8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8861857
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
We cannot guarantee that `.integer` is produced because the `.length` property could be overwritten, and nothing else produces integers. We don't want `produces: [.jsAnything]` as it doesn't have value.

Bug: 470273473
Change-Id: Ib3c78e05ea2845ed3e7966b1e10aaa51f3a0e5b5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8911216
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: I24bb99a2e76a21d1ac8d57edff615f77555901cd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9220441
Reviewed-by: Daniel Lehmann <dlehmann@google.com>
Commit-Queue: Daniel Lehmann <dlehmann@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Like the comment says, if we want to generate a variable of type ".object(type description) + .another_requirement", we need to use the .object type generator, not the .another_requirement type generator. This CL makes the code do what the comment says.

Fixed: 504534963
Change-Id: I0fc3970dc29130eb18c42cec91d28eb5e210e6f8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9227037
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
In subsequent CLs, I'll add support for if/else, switch, and loops (and "continue lbl;").

Bug: 504947197
Change-Id: Idfcd4c6f263b184057a6adbc0478fde6b1b24b34
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9223779
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
This was only added to the generated file, not to the source.

Bug: 504947197
Change-Id: I255fd5471f0aa8270615bb34594e16daa5f57608
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9230417
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Marja Hölttä <marja@google.com>
…e empty string

This makes debug prints easier to read.

Change-Id: I5f11063abed9e312840ddcf041ce17dfefb36ff4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9230296
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Randomly pick up the values for "baseline-batch-compilation", "lazy-feedback-allocation".

Also do the same for "stress-lazy-source-positions", but only in non-sandbox fuzzing sessions: this stress enables additional CHECKs that are suppressed by V8's sandbox fuzzer crash filters as non-issues, and hence may result in masking real issues from the fuzzer.

Note that V8 currently has implications from "--fuzzing" and "--jit-fuzzing" that will take precedence over some of these random selections, however this is about to change (see https://crbug.com/475707969).

Bug: 475707969
Change-Id: I56e367afd403578c05dcc3a3011cc183b55801d8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9211137
Commit-Queue: Maksim Ivanov <emaxx@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
ObjectGroupType was unused, but provided a safeguard for forcing the developer to modify groupsMatchByPrefix when adding new ObjectGroupTypes (which the developer likely would do, since ObjectGroupManager.finalize() wanted an ObjectGroupType as a param).

This removes ObjectGroupType but adds another safeguard to keep groupsMatchByPrefix working.

Change-Id: I99f194a47cb58ffda4d9131b5ad3aad5549edff4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9233976
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Instead of storing a WasmSignature, store an ILType that describes the Wasm signature definition.

Bug: 445356784
Change-Id: Id28fe78817f7140084eaa87db751b739aa36975d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9129496
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 445356784
Change-Id: Ie030285f1545181e55eabdabe2afa4793e2a69c9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9133336
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
We don't need to assert the exact prefixes anymore, since the code below will handle everything automatically. But we can add the assert that the prefixes are not prefixes of each other, instead of relying on human verification.

Change-Id: I4cec6fa48d5b2103ec1f32e897d5e05cbf38e8b9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9233978
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
In line with loops, if/else, and block statements, now switch statements also have a unique label of type .jsBlockLabel. This label is only emitted when it's used.

For "break;" without a label, we still use switchBreak() that requires the .switchCase context. For "break label;", we reuse blockBreak() which requires a .jsBlockLabel to be in scope.

Bug: 504947197
Change-Id: I9fa291e62cb330694119693404d49e37ccbb4cb7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9223516
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Bug: 445356784
Change-Id: If9706cdc8876721e00289eb096f35b555981c129
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9151896
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 504947197
Change-Id: If1b2d420b60e54cee67e43ea91570bf4267e086f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9227078
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Bug: 504947197
Change-Id: Ia94e0b0521df38e9f3b94e434e7e80fda5cc063b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9227536
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 504947197
Change-Id: I82446d1bc4ad71ed518307e7ae3388639a0c6171
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9227556
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Many places were checking hasVisibleVariables, but then calling randomJsVariable() and assuming it will succeed. They should've used hasVisibleJsVariables instead.

Bug: 342521422
Change-Id: I6e407c31751faf1a73bdb3497d515b39253c228a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9234178
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Currently, Fuzzilli has no native mechanism to declare an iterable that yields elements of only a specific type. As a result, Fuzzilli struggles to generate correct programs for code that operates on such iterables. While a workaround is possible by using custom types and CodeGenerators, that approach relies on ProgramBuilder's `setType`, which does not persist type info when the program is saved to the corpus.

This CL introduces parameterizability to the `iterable` type with the addition of the `iterableElementType` to the `TypeExtension`. Importantly, the nature of Fuzzilli makes it so this type is just an assumption at generation time, and does not guarantee that the iterable will not hold elements of other types as a program grows and mutates.

Accompanying this new feature is an update to the `format` method used for debugging. Parameterized iterables are serialized as "iterable<T>", where T is the serialization of the type stored in `iterableElementType`.

Additionally, this CL updates internal type generation in `ProgramBuilder` so that parameterized iterables are generated as single-element arrays of the corresponding type parameter.

Bug: 503429420
Change-Id: Ie49882d6eea61a992f51b6e1fab030e2e198144c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9234311
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
Change-Id: I404ec9aba3dedd3caa4f198188c520154f886317
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9240360
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
ExplorationMutator may explore inner outputs, which adds instrumentation code immediately. However, such arbitrary JS code is not allowed in the outer switch context, before a `case` was seen.

In general, exploring labels probably does not make sense, so this CL avoids all labels from being explored.

Bug: 504947197
Change-Id: I9ed4b30e12fb277cc4136ec9d4edfa1c0e2166e9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9241640
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Those places were interested in visible JS variables.

Bug: 342521422
Change-Id: I3c7fb727c2d212a76ce5488360f7c8cd011df2bb
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9244060
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
.resumesSurroundingContext is used for a start block that doesn't want to propagate the surrounding context but wants to resume the context surrounding the surrounding context (see implementation of skipsSurroundingContext).

This change ensures that we don't use this on .isBlockEnd as a block end will always resume the surrounding context and we shouldn't set this attribute for that as its presence is completely ignored.

Change-Id: Ie2c55fc19c591c68873e73446ecb2e8e8e5748ac
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9248740
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Marja Hölttä <marja@google.com>
Bug: 498924945
Change-Id: Ib4dcf00db95622059098e1afa1d3680d78dba060
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9232421
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@google.com>
This CL makes sure that "break <lbl>;" and "continue <lbl>;" instructions are never mutated in a way such that <lbl> is replaced with an arbitrary variable; only labels of the specific type will be chosen.

Bug: 504947197
Change-Id: I2669f0f74f79b4570c40dfcb431c594185d3a279
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9252860
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Bug: 504947197
Change-Id: I77e956c3b1026a9715fa2c706254518a7d19e581
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9252780
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Fuzzilli's `jsArray`s are defined using a non-parameterized `iterable`. To support assumptions regarding the typing of a `jsArray`'s elements, this CL makes `jsArray` optionally parametrizable through the `createJsArrayType` function.

This CL avoids introducing type serialization for the type argument. Rather, the CreateArray operation stores the type argument's group name. As a result, types without an associated group name, such as `.string` or `.iterable`, should not be used as a type argument.

Parameterized iterables details: cc0ff34

Fixed: 503429420
Change-Id: I3c3d2f56b7bd4eba14682ac496b097df9f57cd7f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9249980
Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
A bundle can contain one or several modules. A module provides a
.moduleTopLevel | .javascript context. Imports and exports can occur
only in the .moduleTopLevel context.
For now, modules can only have very simple imports and exports:
export {v1 as export0_1, v2 as export0_2};
import {v1 as v3, v2 as v4} from 'a.mjs';
More complex cases will be added later.
Bug: 342521422
Change-Id: Ie4b0b30ce2976981a5ec2279d3214196e1e62a6b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9230416
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Fuzzilli's current ordering for which source it uses to generate `.object()` types is:
1. Producing generators
2. Properties and methods
3. CodeGenerators marked with `produces` (distinct from item 1)
4. Generating object properties directly

With producing properties and methods overshadowing CodeGenerators, using CodeGenerators for types with sophisticated generation logic, in order to ensure program quality, required workarounds and compromises such as not registering the type as a builtin.

This CL reorders the logic to favor custom CodeGenerators with matching `produces` annotations. The CodeGenerators block is moved to be after the producing generators block. A 75% probability check is introduced for selecting whether to use CodeGenerators to maintain diversity in how Fuzzilli generates objects.

Bug: 479225937
Change-Id: I59ead967e9710749cb13b433fb74c64ebc8ba085
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9253961
Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This makes ProgramBuilderTests.testFindOrGenerateWithCodeGenerator not flaky by ensuring we will always use a generator if there is one and we didn't find another way for creating the object.

Change-Id: Ie5cd0b787432588fb9152e0996a68a1644247167
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9266720
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…iables

Drive-by: Add ProbingMutator tests.

Bug: 342521422
Change-Id: I234dd9bb1f7c026c9a30bd3aef50d39054bf8455
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9263440
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Iterator.zipKeyed was added to V8 with https://crrev.com/c/7776198. This CL registers it for fuzzing, passing as a first parameter an object whose values are iterables.

Bug: 465357675
Change-Id: Ic952e32aaa5551fb94ac3c1cba4c600602e4fb80
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9265100
Reviewed-by: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Nikos Papaspyrou <nikolaos@google.com>
updating with head