base Fuzzilli update #52
Open
Dudcom wants to merge 351 commits into
With 0.5 probability, adds guard try/catch blocks around calls in ForceTurboFanCompilationGenerator, ForceMaglevCompilationGenerator, LazyDeoptFuzzer, and FastApiCallFuzzer.
Bug: 483578451
Change-Id: Iecaededb94c0dfbf6e49f20c6b69ddf38e500cb0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012916
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Bug: 481610393 Change-Id: I815e16a598e7c0d3eafc39608fea1e41f96096d9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012919 Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Michael Achenbach <machenbach@google.com> Reviewed-by: Leszek Swirski <leszeks@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Leszek Swirski <leszeks@google.com>
Quoting Leszek: "--predictable basically disables any concurrency so that everything is scheduled on the main thread. --verify-predictable additionally adds a synthetic clock so that things like timestamps have a fixed value, for being able to verify predictability by hashing"
Additionally --verify-predictable implies --predictable.
Bug: 441467877
Change-Id: I7c47d00b8de8242f4b029e60fe79816713756a2f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012917
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
There are a few more steps to actually report a thing as differential, but I don't want to miss anything, so I will print it here too.
Bug: 441467877
Change-Id: I009ed1792ae486e55cbd65bf63c0863077a6a375
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012880
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
This reverts commit 597241f.
Reason for revert: it didn't help with all timestamps; adding a code prefix to mock date looks more promising. Additionally this flag does a bunch of other stuff and requires a build flag to work properly, so let's ditch it.
Original change's description:
> [dumpling] Disable timestamp non-determinism.
>
> Quoting Leszek: "--predictable basically disables any concurrency so
> that everything is scheduled on the main thread. --verify-predictable
> additionally adds a synthetic clock so that things like timestamps have
> a fixed value, for being able to verify predictability by hashing"
>
> Additionally --verify-predictable implies --predictable.
>
> Bug: 441467877
> Change-Id: I7c47d00b8de8242f4b029e60fe79816713756a2f
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012917
> Reviewed-by: Dominik Klemba <tacet@google.com>
> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Bug: 441467877
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I8ed49d648aa34a7c75f1ebb220d52a16ee396259
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9014817
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bug: 441467877 Change-Id: I0ae0f1e833dfbc6a590d5dfe8d83a6e16836311f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9016616 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Bug: 441467877 Change-Id: I8346b2e0eba7877d86e2db1ceb35a236c4bf0545 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012879 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Bug: 441467877 Change-Id: I104bc80f10573790e0a4c81ba99d70dcc1bac99e Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9012959 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Reviewed-by: Dominik Klemba <tacet@google.com>
This diversifies the arguments for the function calls in V8's typical function-optimization shortcuts. Often, reproducers have an argument pattern across the functions that is not all equal. For getting polymorphic feedback or a type deviation in the optimized function call, we see patterns like:
f(a); f(a); %Opt(f); f(b);
Or:
f(a); f(b); %Opt(f); f(c);
Though Fuzzilli will eventually mutate the arguments, this change attempts to tickle out this diversity a bit more. With the largest percentage we retain the old behavior.
Change-Id: I58c8e7361aa3ce122a034417708dcedb8b4d7888
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9020237
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This merges the code of the two generators forcing Maglev or Turbofan compilation. The separation is probably not adding any value.
This also doubles the weight of the resulting generator as local experiments show that it's called a bit too rarely, probably due to other generators being added over time.
Fly-by: Remove a counter-productive generator for Dumpling.
Bug: 465497343
Change-Id: I208fc1ba47caa3b3d0f2d672b72b527e001a0f45
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9020158
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Until non-materialized printing is implemented for everything, we will allow it to match anything similar to <optimized_out>.
Bug: 441467877
Change-Id: I681ceba56a88e66220ee00d65a7f8f4166042cd5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026356
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Similar to Date, we also need to mock Temporal.
Bug: 441467877
Change-Id: I72f44575b2c9c08c9067f55518259727b8cb10b1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026357
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
This reverts commit 57da3ab.
Reason for revert: The simplification doesn't take the swarm mode into account.
Original change's description:
> Simplify force-compilation generator
>
> This merges the code of the two generators forcing Maglev or
> Turbofan compilation. The separation is probably not adding any
> value.
>
> This also doubles the weight of the resulting generator as local
> experiments show that it's called a bit too rarely. Probably
> due to other generators being added over time.
>
> Fly-by: Remove a counter-productive generator for Dumpling.
>
> Bug: 465497343
> Change-Id: I208fc1ba47caa3b3d0f2d672b72b527e001a0f45
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9020158
> Reviewed-by: Dominik Klemba <tacet@google.com>
> Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 465497343
Change-Id: I98fdb06431c296b7a516502899b6a94712cb3dcd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026358
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Share the generator code, but keep the separate generator instances.
Bug: 465497343
Change-Id: Ie31c5b0fd8e1853a93dc26664ac863c28ac567ff
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026476
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Also sometimes explicitly enable or disable lazy compilation.
Bug: 475707969
Change-Id: Ic13b6843ae0d478f0d9e6ce77a0d7318d1f47e03
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8999276
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leszek Swirski <leszeks@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
The goal is to improve readability. It affects the probability distribution:
- Allows up to 4 distinct argument sets (previously capped at 3).
- When reusing arguments, selects uniformly from all previously generated sets, eliminating the bias towards the first set found in the previous implementation.
Original implementation added in: crrev/i/9020237
Change-Id: I590149d3d0cf7f1889c68c30fc8d4b0f0d71e6e5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9022358
Commit-Queue: Dominik Klemba <tacet@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Bug: 465497343 Change-Id: I0b136da11c15bd83353c76fae8d1c168f92f5d34 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026976 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 465497343 Change-Id: I37625a7b5dc60ea9fc60efb083b36a8b92720588 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9028516 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 465497343 Change-Id: Ic5371de6093189b8519c7491037acd38e2774a11 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9027056 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Dominik Klemba <tacet@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Similar to commit 72dd5d7 but on a wasm module level instead of inside a wasm function. This is a conservative workaround to ensure that we don't lose any chances of emitting operations that previously used static ILTypes but will depend on a signature input for the migration to wasm-gc.
Bug: 448860865
Change-Id: Ife60126cabb8c49a0493736603611b9b2dd3e67b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8938986
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 448860865 Change-Id: Ifd01ae66b862e844bfbdb781dac36b3a8ba2d0bd Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956316 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com>
Bug: 448860865 Change-Id: I89bdc92e1757a68dec64da8a7ab90e7c397694eb Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956317 Reviewed-by: Doga Yüksel <dyuksel@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 448860865 Change-Id: I01de000a5ae5fae47634ca64edad7dfd9d028695 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956318 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com>
With all instructions interacting with Wasm tags switched over to
using wasm-gc signatures in previous changes, tags can now also be
adapted to use wasm-gc types in their signature (their parameter
types).
Note that it is also possible to define tags from JS, e.g.:
> new WebAssembly.Tag({parameters: ['i32']})
However, these tags do not support index types in the JS API spec, so
they can continue using the current mechanism for their type
information.
Bug: 448860865
Change-Id: If558f0562609d7a26a0119a4055184506351bd52
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956197
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
The pinning ensures that our presubmit check and all developers working on Fuzzilli have a consistent version used for regenerating the *.bp.swift files. The non-exact version caused the GitHub run to fail as a newer swift-protobuf version now resulted in diffs in the generated files.
Change-Id: I4edeae1a38e0b912a45e17b20b950066db4b24d4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9032256
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Change-Id: I174dd958c7854b0fa59228085bd23fe01cdf1fa0 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9032276 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Change the loop condition to compare the iteration index against 'indices.count - 1' instead of 'indices.last!'.
Also added regression test testDestructuringSimplificationWithRest, which reproduces the original bug using sparse indices with 'lastIsRest' set to true, ensuring that DestructArray is simplified into GetElement and a residual DestructArray for the rest elements.
Change-Id: Ic630615bb85231d703046be4dc669e4314927db2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9027276
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
While this feature is disabled by default, it is a non-experimental feature and other fuzzers already create exposure of this feature (see https://source.chromium.org/chromium/chromium/src/+/main:v8/tools/clusterfuzz/trials/clusterfuzz_trials_config.json;l=60;drc=84a1682b877e88c8912cebf44a8513c7d84206ed).
Bug: 485657212
Change-Id: I899357c64d4e2dfd9385d3da5f445f0edc447765
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9035976
Reviewed-by: Darius Mercadier <dmercadier@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: Icee437b92f284e7f9f7dc339d31ee157c6f876ae Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9032277 Reviewed-by: Samuel Groß <saelo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 465497343 Change-Id: I81b857dc9dac3fb95f8cd3b0f45be04b396626d8 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9043816 Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Michael Achenbach <machenbach@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
This CL registers Iterator.prototype.includes for fuzzing, which was added to V8 with https://crrev.com/c/7867647.
Bug: 504886973
Change-Id: I27af5809e4ab47eff7cb4db545f06940762db3c3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9334922
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Nikos Papaspyrou <nikolaos@google.com>
Bug: 474940922 Change-Id: I20f142ba41d3efa88872ae0dfa308170a8c0ff11 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956716 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Change-Id: I6a7de94f7a30f30ab30ed17f1760fddaaa7b9758 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9347700 Reviewed-by: Leon Bettscheider <bettscheider@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com>
This CL adds support for the call_ref instruction.
Bug: 474940922
Change-Id: If708e70dc9fcdd2f53f218f85e93c3d807a5ab9a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9330021
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This reverts unreviewed changes that were accidentally added to commit 8fbbfdc.
Original change's description:
> [wasm] Implement ref.as_non_null
>
> Bug: 474940922
> Change-Id: I20f142ba41d3efa88872ae0dfa308170a8c0ff11
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956716
> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Bug: 474940922
Change-Id: I5a8d7cc465384c304908502d0447cc3b6c9be6ef
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9347522
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
This CL adds support for the return_call_ref instruction.
Bug: 474940922
Change-Id: I8b53203020238fc24c002cbe27f8f60c7fa7fee7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9317782
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Though `ref func` only if there is a visible Wasm function definition.
Change-Id: I931a8ab63994f415f0a333fdde5fccee95d4037d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9347701
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Bug: 515363087 Change-Id: I6fd7618baa5c357d2ab21fe0610f2d53ce4effd1 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9345643 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Raphaël Hérouart <rherouart@google.com> Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Change-Id: I73725256a59e3d2bd9fe00cb302bc40e2e8a219b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9359700 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Olivier Flückiger <olivf@google.com> Commit-Queue: Olivier Flückiger <olivf@google.com>
Bug: 515363087 Change-Id: I56b113d9ff73c86e3f8458e31ae72499da8901e6 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9362882 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Bug: 515363087 Change-Id: I3653827b5d1467c95c607306bb42cfa97d8cb0a9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9366042 Commit-Queue: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Fuzzilli does not have robust support for a function that can have two different types for a parameter. Overloads are not supported for builtins / constructors, and union types may be too much of an over-approximation. This change introduces an `.either` parameter that is resolved to just one of its types.
Fixed: 515122865
Change-Id: I73d900b183386507ad7cc4a1551b0c4dd5770bf3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9351247
Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 398218423 Change-Id: I0fe7cd10030e18c3014e4c8220830631d1b92cce Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9355960 Auto-Submit: Olivier Flückiger <olivf@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Filtering a `WeightedList` and then calling `randomElement` on the
result is a common pattern in Fuzzilli:
```
generator = fuzzer.codeGenerators.filter({
$0.requiredContext.isSubset(of: context)
}).randomElement()
```
In a few cases, the resulting variable (i.e. `generator`) is typed as an
optional. Consequently, the Swift compiler decides that it is more
appropriate to call `Sequence.filter`, returning an array object instead
of a `WeightedList`, and then call `Array.randomElement`, as that method
returns an optional. As a result, the weighting of the `WeightedList`
elements is lost.
To resolve this, this CL updates the `WeightedList.randomElement`
overload to return an optional type as well.
Minimal example: https://godbolt.org/z/6vGWzq9PY
Fixed: 521398642
Change-Id: I9a2681c7795036f5953accde518e550f021d8fac
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9371100
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
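As an added example (not code from Fuzzilli or from this CL), a minimal stand-in `WeightedList` in Swift that reproduces the call-site shape above; the `Gen` enum, its weights and the `sample` helper are constructed for illustration. It shows why adding an `Element?`-returning `randomElement` overload keeps the weighted path selected when the result is assigned to an optional, instead of falling through to `Sequence.filter` and `Array.randomElement`.

```swift
// Added example, not Fuzzilli's own code: a minimal WeightedList that
// mirrors the overload-resolution problem described in the CL above.
struct WeightedList<Element>: Sequence {
    private var elements: [(element: Element, weight: Int)] = []
    private var totalWeight = 0

    mutating func append(_ element: Element, withWeight weight: Int) {
        precondition(weight > 0, "weights must be positive")
        elements.append((element: element, weight: weight))
        totalWeight += weight
    }

    // Weighted pick; non-optional and traps on an empty list. This is the
    // overload that optional-typed call sites failed to select.
    func randomElement() -> Element {
        precondition(totalWeight > 0, "empty WeightedList")
        var r = Int.random(in: 0..<totalWeight)
        for entry in elements {
            if r < entry.weight { return entry.element }
            r -= entry.weight
        }
        fatalError("unreachable")
    }

    // The overload the CL adds: returning Element? makes this an exact match
    // for an optional-typed destination, so the weighted path wins over
    // Sequence.filter + Array.randomElement.
    func randomElement() -> Element? {
        if totalWeight == 0 { return nil }
        let picked: Element = randomElement()  // contextual type picks the non-optional overload
        return picked
    }

    // Weight-preserving filter. It shadows Sequence.filter, which would
    // return a plain Array and silently drop the weights.
    func filter(_ isIncluded: (Element) -> Bool) -> WeightedList<Element> {
        var result = WeightedList<Element>()
        for entry in elements where isIncluded(entry.element) {
            result.append(entry.element, withWeight: entry.weight)
        }
        return result
    }

    func makeIterator() -> IndexingIterator<[Element]> {
        return elements.map { $0.element }.makeIterator()
    }
}

// Constructed sample data: three "generators" with very different weights.
enum Gen: String { case cheap, common, disabled }

var generators = WeightedList<Gen>()
generators.append(.cheap, withWeight: 1)
generators.append(.common, withWeight: 99)
generators.append(.disabled, withWeight: 50)

// Same shape as the Fuzzilli call site: filter, then randomElement into an
// optional. Without the Element? overload the compiler routes this through
// Sequence.filter + Array.randomElement and .cheap and .common are chosen
// equally often; with it, the 1:99 weighting is preserved.
func sample(_ n: Int) -> [Gen: Int] {
    var counts: [Gen: Int] = [:]
    for _ in 0..<n {
        let g: Gen? = generators.filter { $0 != .disabled }.randomElement()
        if let g = g { counts[g, default: 0] += 1 }
    }
    return counts
}

let counts = sample(10_000)
print("cheap: \(counts[.cheap, default: 0]), common: \(counts[.common, default: 0]), disabled: \(counts[.disabled, default: 0])")
```

Delete the `Element?` overload and rerun to watch the counts flatten towards equal: that is the lost weighting the CL fixes, and the `disabled` count is zero in both cases because the filter still applies.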
Declarations
Bug: 515363087
Change-Id: Ia5de523536d0be873ea6dfa58260f80b8402536a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9371140
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Allow top-level await in modules by adding .async to beginBundleModule.
Drive-By: Rename .asyncFunction to .async
Fixed: 521338444
Change-Id: I3c8bac11b6f41bf2565596b8c3ef2f79161e198f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9362884
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Olivier Flückiger <olivf@google.com>
Auto-Submit: Olivier Flückiger <olivf@google.com>
exposed group interface.
Bug: 515363087
Change-Id: Id50b6d4ec3308a5b039b82670ec2f4c5db288330
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9375340
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
It will run Tools/presubmit.py, which already existed (but had to be run manually).
Change-Id: I89fff893e441144dfe50663e23b613ce9e58d625
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9231116
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…and cannot generate more
This can happen when we have enough non-JS variables (e.g. modules and labels) but not enough JS variables. There was already a safeguard to generate more code in this case, but if we're not in .javaScript context, that won't work. This CL just makes the mutator bail out instead.
Fixed: 521241274
Change-Id: Id39090b27e8bc8c3948b17d1765b6292a418fb9a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9374180
Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Bug: 498924945
TAG=agy
Change-Id: I9e7cf4eabb5af5df23aa49d8ffcf86fc58416c5b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9268503
Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL
* adds `concreteHeapSupertype` to WasmTypeDescription,
* implements `subsumes()`, `intersection()`, and `union()` based on that, and
* uses them in WasmTypeDefinition and WasmReferenceType.
Bug: 517707090
Change-Id: I59c36b73cc30e5269302404d1bd2f508d0cb22d2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9351448
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This fixes bugs for named variables, with-statements and private properties, where generic property names slipped into the generation of these more restrictive identifiers. Named variables and properties in with-statements can only be proper JS identifiers, while generic property names are broader. The same holds for valid names that can be used for private properties.
This creates a separate custom identifier list that doesn't include unorthodox cases like symbols and numbers. Named variables, with-statements and private properties are now solely generated from this separate list.
TAG=agy
Fixed: 518435525
Change-Id: Ie3566467e7f729661a04eba47debc18bc53d610f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9375380
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@google.com>
…iables
InliningReducer could crash when encountering disposable variables (or other instructions that fall through to the same check) at the top level of a module (e.g. inside a bundle module entry point) where activeSubroutineDefinitions is empty. This fix safely unwraps activeSubroutineDefinitions.last to avoid force-unwrapping nil.
TAG=agy
CONV=3d0eb06a-4c48-4640-92dc-a149665be30b
Change-Id: I55bdc95e0d622fc94dd6709338e3fca6dad6192b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9378962
Reviewed-by: Marja Hölttä <marja@google.com>
Commit-Queue: Olivier Flückiger <olivf@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Olivier Flückiger <olivf@google.com>
Change-Id: I2832d19e66780fe0947a7220484f5eac9f88688c Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9379402 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
This CL adds an optional superType input to the WasmDefineArrayType JS operation. It also extends WasmArrayTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor.
Bug: 517707090
Change-Id: I8c388cf5acc269935dbec19cc07dd62beb870b05
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9362880
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds an optional superType input to the WasmDefineStructType JS operation. It also extends WasmStructTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor.
Bug: 517707090
Change-Id: I4490df2cee14c2d2b7905bad520f47cf08beeff8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9362881
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
- Run the transpiled script if --d8-path is provided
- Accept a custom --test-dir to run only a subset of the tests
Change-Id: I9771a83c79dab9a54eb8ef6facf6f697884bfa10
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336704
Auto-Submit: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Change-Id: I51e13233b12b8baa912e3c944c80bde94a556709 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9379364 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com>
As a first step only migrate a small set of tests. This change also modifies the MockFuzzer to support running on threads other than the main thread (as parallelism is the main purpose of this).
Bug: 522635668
Change-Id: I90215a3448a0644712e081f294d695c84a0c43f4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9375860
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This CL adds an optional superType input to the WasmDefineSignatureType JS operation. It also extends WasmSignatureTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor.
Bug: 517707090
Change-Id: I0b6aa71450534d0a113d8bd4f3d57195d2d7245d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9358622
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
updating with head