base fuzzili update #52
Open
Dudcom wants to merge 337 commits into
Bug: 450237486 Change-Id: I30de85f87ca170a998fc17a72e15c4579db37774 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8901996 Auto-Submit: Olivier Flückiger <olivf@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This fixes #546 Change-Id: I8331dd909c05a51bfe73749e8677b18501e261bd Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956179 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Add the `--maglev-assert-types` flag to the list of possible flags, with a 10% probability. This flag is enabled only when sandbox-fuzzing is disabled. Change-Id: Ic710d8b6c185af79979b50bb991672e6e1563dd3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8963977 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Dominik Klemba <tacet@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Reviewed-by: Marja Hölttä <marja@chromium.org>
Had some logs about them, but removed them for review. Now it is time to add proper reporting.
Bug: 441467877
Change-Id: I03bf6a6ae447caa4bc3eae202709fb2976a017c0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8969557
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Before, we were printing 0 always.
Bug: 441467877
Change-Id: Icacd9310f8cd845695d2a83e5eb297ce2e60882b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8977177
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Bug: 441467877 Change-Id: Id3793d3065384bfb2e190c626ed014782d9ebb63 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8977176 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Adds builtins from the following stage 4 proposals:
- https://github.com/tc39/proposal-array-from-async
- https://github.com/tc39/proposal-float16array
- https://github.com/tc39/proposal-math-sum
- https://github.com/tc39/proposal-promise-try
- https://github.com/tc39/proposal-regex-escaping
Change-Id: I00ec85b51048e0bc9dc90f96610c293c5d7f3089
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8977237
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Interpreter dumping produces one frame at a single offset; for optimized compilers we might dump the same frame many times at a single offset, because there might be many deopt points at a single offset.
Bug: 441467877
Change-Id: Iaff7dd987d9352d0b95c1c53ffd54ef0ae7e8f1d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8986716
Commit-Queue: Dominik Klemba <tacet@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
New generator is able to create two patterns (with 50/50 probability):
1) if(boolean_variable){throw random_variable;}
2) if(!boolean_variable){throw random_variable;}
Bug: 455512155, 455513417
Change-Id: Ief3ddeef21653cdda3fd1fdd154c0d248dc77631
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8991196
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
NOTE: `undefined` is lifted to holes in that case (which is unintuitive).
Adds HoleyArrayGenerator to create arrays with holes.
Adds testHoleyArrayLifting to verify intended lifting of holey arrays.
Generated hole types (can be in dictionary mode):
- Holey Smi
- Holey Double
- Holey Elements
Adds ArrayIntegrityLevelGenerator to freeze/seal/preventExtensions objects.
There is a chance of transitioning the hole type with ArrayIntegrityLevelGenerator to:
- HOLEY_SEALED_ELEMENTS
- HOLEY_FROZEN_ELEMENTS
- HOLEY_NONEXTENSIBLE_ELEMENTS
Bug: 476158042, 455513417
Change-Id: Id396b72183f70ce98d0c97b4c202efffc1c31cbe
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956876
Reviewed-by: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
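The distinction the NOTE above calls unintuitive (a hole is not `undefined`) and the effect of the three integrity levels on a holey array, shown in an added example. This is illustrative JavaScript written for this page, not Fuzzilli's generator or lifter code; the sample arrays, the probe function and its result field names are constructed for the demonstration, and the elements-kind names in the comments are the V8 kinds the commit message lists.

```javascript
// Added example (not Fuzzilli code): how holes differ from `undefined` in JS,
// and which writes each integrity level still allows on a holey array.

// Constructed sample arrays, one per hole kind the generator emits, plus a
// packed array that stores `undefined` rather than a hole at index 1.
function sampleHoleyArrays() {
  return {
    holeySmi: [1, , 3],          // HOLEY_SMI_ELEMENTS
    holeyDouble: [1.5, , 3.5],   // HOLEY_DOUBLE_ELEMENTS
    holeyElements: ['a', , {}],  // HOLEY_ELEMENTS
    packedUndefined: [1, undefined, 3],
  };
}

// A hole is an index below `length` with no own property. `arr[i]` reads as
// `undefined` either way, so `hasOwnProperty` (or `in`) is the reliable test.
function holeIndices(arr) {
  const holes = [];
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) holes.push(i);
  }
  return holes;
}

// Apply one integrity level to a fresh holey array and probe which writes
// still take effect. Writes that fail throw in strict mode and are silently
// ignored in sloppy mode, so each probe checks the resulting state rather
// than relying on an exception.
function probeIntegrityLevel(level) {
  const apply = {
    freeze: Object.freeze,
    seal: Object.seal,
    preventExtensions: Object.preventExtensions,
  }[level];
  if (!apply) throw new Error(`unknown integrity level: ${level}`);

  const arr = [1, , 3];
  apply(arr);
  const result = { level, holes: holeIndices(arr) };

  // Filling a hole creates a new own property: forbidden at every level.
  try { arr[1] = 2; } catch (e) { /* strict-mode TypeError */ }
  result.canFillHole = Object.prototype.hasOwnProperty.call(arr, 1);

  // Appending past `length` also adds a property: forbidden at every level.
  try { arr[3] = 4; } catch (e) { /* strict-mode TypeError */ }
  result.canAppend = arr.length === 4;

  // Overwriting an existing element only needs the property to be writable;
  // only `freeze` makes elements read-only.
  try { arr[0] = 9; } catch (e) { /* strict-mode TypeError */ }
  result.canOverwrite = arr[0] === 9;

  // Deleting an existing element needs it to be configurable: `seal` and
  // `freeze` forbid it, `preventExtensions` does not.
  let deleted = false;
  try { deleted = delete arr[2]; } catch (e) { /* strict-mode TypeError */ }
  result.canDelete = deleted && !Object.prototype.hasOwnProperty.call(arr, 2);

  return result;
}
```

`probeIntegrityLevel('preventExtensions')` is the case worth remembering: the hole at index 1 can never be filled again, because filling it would add a property to a non-extensible object, even though existing elements stay writable and deletable.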
This change fixes a bug in DiffOracle where register and argument values were lost when transitioning between frame types with different register counts.
In original-original code (in Dumpling GitHub), DiffOracle relied on prevFrame to reconstruct the state. We removed prevFrame, erroneously thinking that it is not needed.
Now if a frame reports fewer registers than the preceding frame, the parser would shrink the register array to match. This causes data loss for the higher-index registers. When execution later has a higher count of registers and was expecting them to still exist, they are erroneously reported as missing or reset, causing false positive mismatches.
Thus we go back to having runningRegs/Args (same stuff as prevFrame in original-original code but still more refactored and simplified).
Bug: 441467877
Change-Id: Ic85d7d8b9ef19d359ca9cc7e4af8bb6c36468c2b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8995239
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
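The failure mode described above (a frame that reports fewer registers must not shrink the running register file) together with the per-offset duplicate dumps from the earlier "Interpreter dumping produces one frame at a single offset" commit, in one added example. This is illustrative code written for this page, not Dumpling's or Fuzzilli's DiffOracle; the trace format, the register values, the dedup rule and the function names are all constructed for the demonstration.

```javascript
// Added example (not Dumpling/Fuzzilli code): replaying register dumps with a
// running register file versus truncating to whatever each frame reports.

// Constructed sample traces in a simplified stand-in format: one entry per
// dumped frame, [bytecodeOffset, registers reported at that offset].
const interpreterTrace = [
  [0, ['r0=1', 'r1=2', 'r2=3']],
  [4, ['r0=1', 'r1=2', 'r2=3']],
  [8, ['r0=1', 'r1=5', 'r2=3']],
];
// The optimized tier dumps offset 4 twice (one dump per deopt point) and at
// that offset reports only the two low registers it considers live.
const optimizedTrace = [
  [0, ['r0=1', 'r1=2', 'r2=3']],
  [4, ['r0=1', 'r1=2']],
  [4, ['r0=1', 'r1=2']],
  [8, ['r0=1', 'r1=5', 'r2=3']],
];

// Buggy replay: the state becomes exactly what the frame reported, so a
// shorter report silently drops the higher-index registers.
function replayTruncating(trace) {
  return trace.map(([offset, reported]) => [offset, reported.slice()]);
}

// Fixed replay: keep a running register file and overwrite only the
// registers a frame actually reports; unreported ones keep their last value.
function replayRunning(trace) {
  const running = [];
  return trace.map(([offset, reported]) => {
    reported.forEach((value, i) => { running[i] = value; });
    return [offset, running.slice()];
  });
}

// Collapse consecutive records with the same offset and state: one logical
// frame per offset, however many deopt points dumped it.
function dedupe(records) {
  const out = [];
  for (const rec of records) {
    const prev = out[out.length - 1];
    if (prev && prev[0] === rec[0] && prev[1].join(',') === rec[1].join(',')) continue;
    out.push(rec);
  }
  return out;
}

// Compare two replayed traces frame by frame; returns the list of mismatches.
function diffStates(left, right) {
  const a = dedupe(left);
  const b = dedupe(right);
  const mismatches = [];
  const n = Math.max(a.length, b.length);
  for (let k = 0; k < n; k++) {
    if (!a[k] || !b[k]) { mismatches.push({ index: k, reason: 'frame count differs' }); continue; }
    const [offA, regsA] = a[k];
    const [offB, regsB] = b[k];
    if (offA !== offB) { mismatches.push({ index: k, reason: `offset ${offA} vs ${offB}` }); continue; }
    const width = Math.max(regsA.length, regsB.length);
    for (let i = 0; i < width; i++) {
      if (regsA[i] !== regsB[i]) {
        mismatches.push({ offset: offA, register: i, left: regsA[i], right: regsB[i] });
      }
    }
  }
  return mismatches;
}

// Truncating replay reports r2 as missing at offset 4: a false positive.
function falsePositives() {
  return diffStates(replayTruncating(interpreterTrace), replayTruncating(optimizedTrace));
}

// Running-register replay carries r2 across the short frame: no mismatch.
function withRunningRegisters() {
  return diffStates(replayRunning(interpreterTrace), replayRunning(optimizedTrace));
}
```

The oracle's job is to flag only disagreements between tiers about a register's value; a register the optimized tier simply did not bother to dump at a deopt point is not a disagreement, which is what the running file preserves.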
My eyes hurt. Bug: 441467877 Change-Id: Ib8522847f46e1c0dd72bef19904a4fcd7d744f93 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012356 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
A wasmRefTest operation was added which can work with either concrete or abstract wasm types. Since concrete types need a type definition there are two code generators: one where we need such a type definition to already exist and a more generic one that tests against abstract types.
Bug: 474940922
Change-Id: I148c1bc44c8649fcdb92d0afc52efa3af8d34b33
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8952838
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
With 0.5 probability, adds guard try/catch blocks around calls in ForceTurboFanCompilationGenerator, ForceMaglevCompilationGenerator, LazyDeoptFuzzer, and FastApiCallFuzzer. Bug: 483578451 Change-Id: Iecaededb94c0dfbf6e49f20c6b69ddf38e500cb0 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012916 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Dominik Klemba <tacet@google.com>
Bug: 481610393 Change-Id: I815e16a598e7c0d3eafc39608fea1e41f96096d9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012919 Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Michael Achenbach <machenbach@google.com> Reviewed-by: Leszek Swirski <leszeks@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Leszek Swirski <leszeks@google.com>
Quoting Leszek: "--predictable basically disables any concurrency so that everything is scheduled on the main thread. --verify-predictable additionally adds a synthetic clock so that things like timestamps have a fixed value, for being able to verify predictability by hashing" Additionally --verify-predictable implies --predictable. Bug: 441467877 Change-Id: I7c47d00b8de8242f4b029e60fe79816713756a2f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012917 Reviewed-by: Dominik Klemba <tacet@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
There are a few more steps to actually report a thing as differential but I don't want to miss anything, so I will print it here too. Bug: 441467877 Change-Id: I009ed1792ae486e55cbd65bf63c0863077a6a375 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012880 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
This reverts commit 597241f.
Reason for revert: it didn't help with all timestamps, adding code prefix to mock date looks more promising. Additionally this flag does a bunch of other stuff and requires a build flag to work properly, so let's ditch it.
Original change's description:
> [dumpling] Disable timestamp non-determinism.
>
> Quoting Leszek: "--predictable basically disables any concurrency so
> that everything is scheduled on the main thread. --verify-predictable
> additionally adds a synthetic clock so that things like timestamps have
> a fixed value, for being able to verify predictability by hashing"
>
> Additionally --verify-predictable implies --predictable.
>
> Bug: 441467877
> Change-Id: I7c47d00b8de8242f4b029e60fe79816713756a2f
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012917
> Reviewed-by: Dominik Klemba <tacet@google.com>
> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Bug: 441467877
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I8ed49d648aa34a7c75f1ebb220d52a16ee396259
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9014817
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bug: 441467877 Change-Id: I0ae0f1e833dfbc6a590d5dfe8d83a6e16836311f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9016616 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Bug: 441467877 Change-Id: I8346b2e0eba7877d86e2db1ceb35a236c4bf0545 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012879 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Bug: 441467877 Change-Id: I104bc80f10573790e0a4c81ba99d70dcc1bac99e Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012959 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Reviewed-by: Dominik Klemba <tacet@google.com>
This diversifies the arguments for the function calls in V8's typical function-optimization shortcuts. Often, reproducers have an argument pattern across the functions that is not all equal. For getting polymorphic feedback or a type deviation in the optimized function call, we see patterns like:
f(a); f(a); %Opt(f); f(b);
Or:
f(a); f(b); %Opt(f); f(c);
Though Fuzzilli will eventually mutate the arguments, this change attempts to tickle out this diversity a bit more. With the largest percentage we retain the old behavior.
Change-Id: I58c8e7361aa3ce122a034417708dcedb8b4d7888
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9020237
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This merges the code of the two generators forcing Maglev or Turbofan compilation. The separation is probably not adding any value. This also doubles the weight of the resulting generator as local experiments show that it's called a bit too rarely. Probably due to other generators being added over time. Fly-by: Remove a counter-productive generator for Dumpling. Bug: 465497343 Change-Id: I208fc1ba47caa3b3d0f2d672b72b527e001a0f45 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9020158 Reviewed-by: Dominik Klemba <tacet@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Until non-materialized printing is implemented for everything, we will allow it to match anything similar to <optimized_out>. Bug: 441467877 Change-Id: I681ceba56a88e66220ee00d65a7f8f4166042cd5 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026356 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com>
Similar to Date, we also need to mock Temporal.
Bug: 441467877
Change-Id: I72f44575b2c9c08c9067f55518259727b8cb10b1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026357
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
This reverts commit 57da3ab.
Reason for revert: The simplification doesn't take the swarm mode into account.
Original change's description:
> Simplify force-compilation generator
>
> This merges the code of the two generators forcing Maglev or
> Turbofan compilation. The separation is probably not adding any
> value.
>
> This also doubles the weight of the resulting generator as local
> experiments show that it's called a bit too rarely. Probably
> due to other generators being added over time.
>
> Fly-by: Remove a counter-productive generator for Dumpling.
>
> Bug: 465497343
> Change-Id: I208fc1ba47caa3b3d0f2d672b72b527e001a0f45
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9020158
> Reviewed-by: Dominik Klemba <tacet@google.com>
> Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 465497343
Change-Id: I98fdb06431c296b7a516502899b6a94712cb3dcd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026358
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Share the generator code, but keep the separate generator instances. Bug: 465497343 Change-Id: Ie31c5b0fd8e1853a93dc26664ac863c28ac567ff Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026476 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Also sometimes explicitly enable or disable lazy compilation. Bug: 475707969 Change-Id: Ic13b6843ae0d478f0d9e6ce77a0d7318d1f47e03 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8999276 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leszek Swirski <leszeks@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
The goal is to improve readability. It affects probability distribution:
- Allows up to 4 distinct argument sets (previously capped at 3).
- When reusing arguments, selects uniformly from all previously generated sets, eliminating the bias towards the first set found in the previous implementation.
Original implementation added in: crrev/i/9020237
Change-Id: I590149d3d0cf7f1889c68c30fc8d4b0f0d71e6e5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9022358
Commit-Queue: Dominik Klemba <tacet@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
This CL adds support for the br_on_cast_fail instruction. Bug: 474940922 Change-Id: Icacbd109fff843179f69806769437322f14326c8 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9299601 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 515363087 Change-Id: I41e4b487ee08dbf7da22959c6c1d08e4099a6ad4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9317282 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Raphaël Hérouart <rherouart@google.com> Auto-Submit: Raphaël Hérouart <rherouart@google.com>
This was staged for V8 in https://crrev.com/c/7845195. Bug: 465715798 Change-Id: I1b01eea17c3c1049d66251de6a025747aef43bb7 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9333500 Reviewed-by: Olivier Flückiger <olivf@google.com> Commit-Queue: Olivier Flückiger <olivf@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Node.js v26 branched, the new nightly version is v27. we need to stay up-to-date to be able to test new V8 features. Change-Id: I4eea87f24cfff0e2cb48cb21904d6c0c5bb97421 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9317781 Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Marja Hölttä <marja@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
This CL adapts WasmReturnCallDirectGenerator and WasmReturnCallIndirectGenerator to use `subsumes()` instead of equality to find functions with compatible output types. Bug: 445356784 Change-Id: I7c3113c54b7752809320e9d58fbbb11eaca10d4f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9318221 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds support for the ref.func instruction. Bug: 474940922 Change-Id: I885b966598a9d72c161d2ef7bee910032576a53d Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9296864 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
The table type can be easily inferred by the input table, so the table.get doesn't need a type immediate. For fuzzilli however, the input table can also come from JS (created by CreateWasmTable). Later on, the fuzzer can replace that table input with an arbitrary other input. This means that we need to encode the element type in the table.get operation, so that the JSTyper always knows the correct result type. I removed this in commit 7e5724c (among other things that are indeed unnecessary). Bug: 430171132 Change-Id: Icffc95fadb79979d7125a33d797868c5a6ad50e5 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9337021 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
This allows fuzzilli to use the same handler object in different proxy objects. Helps testing upcoming proxy ICs. Bug: 516717223 Change-Id: Ia5c47196a9233e3696b81d0b31c63a728c57fa50 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336380 Commit-Queue: Olivier Flückiger <olivf@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Olivier Flückiger <olivf@google.com>
- Add support for i31ref in JavaScriptLifter for CreateWasmTable.
- Update WasmDefineTableGenerator to randomly use funcref, externref, and i31ref.
- Add missing WasmTableGenerator to generate JS-side WebAssembly.Table objects.
Bug: 430171132
Change-Id: I4a435276d6e7a2d602738ae0b1b3f4c45788e0a7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9333760
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Bug: 430171132 Change-Id: I4697952c9cef237c2cb9339343d6fec127d2c347 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9333860 Reviewed-by: Leon Bettscheider <bettscheider@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
The test is executed only when generating bundles, since it requires passing --bundles to d8 to run. TAG=agy CONV=5588ce4d-a98f-415f-b04b-5c6a9c3508b7 Change-Id: I7eb330ea3ce547f96fc55892c961a49515721546 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336701 Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Change-Id: Id0b6a94c906b48cbe6a194e77e47016868dd0e8a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9340380 Reviewed-by: Marja Hölttä <marja@google.com> Commit-Queue: Marja Hölttä <marja@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
These should now be in sync with what v8 supports. (V8 does not allow null types like noexternref and also disallows exnref.) The spec as written is much more restrictive. Until WebAssembly/spec#1980 gets resolved, we'll simply test what V8 supports and ignore these discrepancy issues for fuzzing. Bug: 430171132 Change-Id: Id1462e3b978305539e5adeda7beb86fa6719feba Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336702 Reviewed-by: Leon Bettscheider <bettscheider@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 515363087 Change-Id: I8b5f3189ad34b3a6e117e3cf066e6afe62c20aba Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336920 Commit-Queue: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL registers Iterator.prototype.includes for fuzzing, which was added to V8 with https://crrev.com/c/7867647. Bug: 504886973 Change-Id: I27af5809e4ab47eff7cb4db545f06940762db3c3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9334922 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Nikos Papaspyrou <nikolaos@google.com>
Bug: 474940922 Change-Id: I20f142ba41d3efa88872ae0dfa308170a8c0ff11 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956716 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Change-Id: I6a7de94f7a30f30ab30ed17f1760fddaaa7b9758 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9347700 Reviewed-by: Leon Bettscheider <bettscheider@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com>
This CL adds support for the call_ref instruction. Bug: 474940922 Change-Id: If708e70dc9fcdd2f53f218f85e93c3d807a5ab9a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9330021 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This reverts unreviewed changes that were accidentally added to commit 8fbbfdc.
Original change's description:
> [wasm] Implement ref.as_non_null
>
> Bug: 474940922
> Change-Id: I20f142ba41d3efa88872ae0dfa308170a8c0ff11
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956716
> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Bug: 474940922
Change-Id: I5a8d7cc465384c304908502d0447cc3b6c9be6ef
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9347522
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
This CL adds support for the return_call_ref instruction. Bug: 474940922 Change-Id: I8b53203020238fc24c002cbe27f8f60c7fa7fee7 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9317782 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Though `ref func` only if there is a visible Wasm function definition. Change-Id: I931a8ab63994f415f0a333fdde5fccee95d4037d Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9347701 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Bug: 515363087 Change-Id: I6fd7618baa5c357d2ab21fe0610f2d53ce4effd1 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9345643 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Raphaël Hérouart <rherouart@google.com> Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Change-Id: I73725256a59e3d2bd9fe00cb302bc40e2e8a219b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9359700 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Olivier Flückiger <olivf@google.com> Commit-Queue: Olivier Flückiger <olivf@google.com>
Bug: 515363087 Change-Id: I56b113d9ff73c86e3f8458e31ae72499da8901e6 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9362882 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Bug: 515363087 Change-Id: I3653827b5d1467c95c607306bb42cfa97d8cb0a9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9366042 Commit-Queue: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Fuzzilli does not have robust support for a function that can have two different types for a parameter. Overloads are not supported for builtins / constructors, and union types may be too much of an over-approximation. This change introduces an `.either` parameter that is resolved to just one of its types. Fixed: 515122865 Change-Id: I73d900b183386507ad7cc4a1551b0c4dd5770bf3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9351247 Commit-Queue: Tigran Bantikyan <bantikyan@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 398218423 Change-Id: I0fe7cd10030e18c3014e4c8220830631d1b92cce Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9355960 Auto-Submit: Olivier Flückiger <olivf@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Filtering a `WeightedList` and then calling `randomElement` on the
result is a common pattern in Fuzzilli:
```
generator = fuzzer.codeGenerators.filter({
$0.requiredContext.isSubset(of: context)
}).randomElement()
```
In a few cases, the resulting variable (i.e. `generator`) is typed as an
optional. Consequently, the Swift compiler decides that it is more
appropriate to call `Sequence.filter`, returning an array instead
of a `WeightedList`, and then to call `Array.randomElement`, as that method
returns an optional. As a result, the weighting of the `WeightedList`
elements is lost.
To resolve this, this CL updates the `WeightedList.randomElement`
overload to return an optional type as well.
Minimal example: https://godbolt.org/z/6vGWzq9PY
Fixed: 521398642
Change-Id: I9a2681c7795036f5953accde518e550f021d8fac
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9371100
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Declarations Bug: 515363087 Change-Id: Ia5de523536d0be873ea6dfa58260f80b8402536a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9371140 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Allow top level await in modules by adding .async to beginBundleModule. Drive-By: Rename .asyncFunction to .async Fixed: 521338444 Change-Id: I3c8bac11b6f41bf2565596b8c3ef2f79161e198f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9362884 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Olivier Flückiger <olivf@google.com> Auto-Submit: Olivier Flückiger <olivf@google.com>
updating with head