base fuzzili update #52
Open
Dudcom wants to merge 298 commits into
Conversation
This is a follow-up to commit beddc75 Bug: 470273473 Change-Id: Ia3bc85a8632efe75a009f5c11ec47b3611f42998 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8901816 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com>
This reverts commit 36d6258. Reason for revert: The code we want to target is unreachable due to hitting syntax errors from the parser before we could ever compile and bailout. Original change's description: > Add ManyArgumentsCall CodeGenerator > > Calling apply() with an array like this generator does will create a > function call with as many arguments as the size of the array. > It is meant to cover the discrepancies in max argument counts between > turboshaft and maglev. > > Bug: b/455503442 > Change-Id: Ia605368687970369e168796273486d75de4cc811 > Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8839116 > Reviewed-by: Matthias Liedtke <mliedtke@google.com> > Commit-Queue: Hendrik Wüthrich <whendrik@google.com> Bug: b/455503442 Change-Id: Ie18ec8668485fe8518b14a7d95ba6dea74886364 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8910656 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Hendrik Wüthrich <whendrik@google.com>
Change-Id: I6d1d5fad1fee59368e3b277e43db96f56e8ff903 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8902196 Commit-Queue: Olivier Flückiger <olivf@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Inlining can crash if a function is also used as a disposable variable in some other function. This also adds a minimizer test that demonstrates the crash in patchset 10. Bug: 468928010 Change-Id: Ic9554163e536b0cfb909783ec401062014270cf8 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8861857 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
We cannot guarantee that `.integer` is produced because the `.length` property could be overwritten, and nothing else produces integers. We don't want `produces: [.jsAnything]` as it doesn't have value. Bug: 470273473 Change-Id: Ib3c78e05ea2845ed3e7966b1e10aaa51f3a0e5b5 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8911216 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Dominik Klemba <tacet@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This fills in some support for Intl.Locale. There's still work to be done, but this covers most of the API. Bug: 450083673 Change-Id: I7b2f899b7d2a8ff44a10a7ecea5f8a906a6a6964 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8881013 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Manish Goregaokar <manishearth@google.com>
DiffOracle is a library that allows one to see if there was a difference between optimized and unoptimized runs. RelateTool is designed as a CLI tool to compare optimized vs unoptimized runs. Usage: swift run -c release RelateTool --d8=... --poc=... Bug: 441467877 Change-Id: Ie8850e8534ae3a890f93be77ba2d0961f51a129e Co-authored-by: Mathias Payer <mathias.payer@gmail.com> Co-authored-by: Liam Wachter <liam.g.wachter@gmail.com> Co-authored-by: Flavio Toffalini <flavio87@gmail.com> Co-authored-by: Christian Wressnegger <intellisec.de@gmail.com> Co-authored-by: Julian Gremminger <asdfju77@gmail.com> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8759816 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I63cb4c1f7aef06240729a3879eb20ab3ef452549 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8911776 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Pawel Krawczyk <pawkra@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 434977727 Change-Id: I24617b4353f7205c8654ce9f555ed043fb5e4b8c Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8902197 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Olivier Flückiger <olivf@google.com>
Bug: 442444727 Change-Id: Ia254954f25df8284a58d43cce0c27383027e01db Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8926738 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
There is an ever-growing list of properties that exist on a receiver which don't exist on the corresponding prototype object of the constructor or are not usable on it. So far, there are two cases for it:
1) They simply do not come from the prototype, e.g. iterator instances have properties that are part of the Iterator protocol, like `next`, while Iterator.prototype.next does not exist.
2) The property does exist on the prototype object, however it is not usable on it. There are a few properties that aren't actually regular properties but get accessors. These get accessors cannot be used on the prototype object as they will throw on access, e.g. `Intl.Collator.prototype.compare`.
For nicer documentation, move these excluded properties to the call that registers the prototype object on the environment.
Change-Id: I6e6163e0424a3e1f7e213ea2700d2dc8c883cd31
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8926737
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Similar to commit 3b241b0 this change makes wasm's if-else control flow blocks use wasm-gc signatures as inputs instead of having the signature stored as a property inside the operation. This allows using wasm-gc index types inside these signatures. Bug: 445356784 Change-Id: I8315f64be536a1882ab9d4d39a3b7b72eb690456 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8914456 Reviewed-by: Pawel Krawczyk <pawkra@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 445356784 Change-Id: Ic309942aac909ffa6397fc889fd4cd8fe86e6b4e Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8914596 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Change-Id: Id1322a5847527125d3282da5d80e861422bd7f45 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8914597 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Change-Id: Ia6616629177ee5f941377471a998d59e1ab31d06 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8922297 Reviewed-by: Pawel Krawczyk <pawkra@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Adds support for wasm struct.new operation to be able to generate structs with initial non-default values. Bug: 474940922 Change-Id: Ic8f1cc8d7f9dc24dc73b342fb3d55c35e1a33446 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8921896 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Dominik Klemba <tacet@google.com> Commit-Queue: Doga Yüksel <dyuksel@google.com>
Change-Id: Id6f1609bf09df512aced5db86f979e3709647446 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8926736 Reviewed-by: Doga Yüksel <dyuksel@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 475996631 Change-Id: I2fed02882da99abdaaca11d5bed21ebd0f0ff833 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8932836 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
So far we didn't try to resolve input requirements for JS types by scheduling code generators that produce these inputs. This change fixes that and also fixes the test case and the compile warning it produces for the unused Swift variable due to commented out code. Change-Id: I7c090fc164b00df5ef31353447ae4f993538c437 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8929438 Reviewed-by: Dominik Klemba <tacet@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
in cases where it doesn't have a wasmReferenceType WasmTypeExtension. The better printing in commit f418a5e doesn't do anything if we don't ever reach it because we already crash earlier. This change adapts generateRandomWasmVar to return nil if it receives an index reference type without the expected type extension. If this still causes crashes, we'd then get the better error message from above. Bug: 475996631 Change-Id: I86f89855724f09de3875770e2380257c07d54062 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8932837 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 475996631 Change-Id: If8b92877f88b5852184d69477bc508d6c039c294 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8932857 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
While the WasmTypeGroupReducer shall remove all inputs which are not used from the WasmEndTypeGroup (so that these types can be removed in a following iteration), it should still expose all types which are used inside the type group, so that the JSTyper still continues to handle them correctly. This will hopefully fix the current crashes we are observing for types missing the linkage from a wasm index reference type to the corresponding type definition variable in the JSTyper. Bug: 475996631 Change-Id: I571a44fabee3f302c8f53fad14d6f62263d0a8ca Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8935617 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 442444727 Change-Id: I2b829da00393a63f40ac2791091ff73bd288aa24 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8935636 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Adds support for ref.eq instruction to be generated Bug: 474940922 Change-Id: I7b88ceffed5252878132406da30a570be01f13ad Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8933276 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Doga Yüksel <dyuksel@google.com>
Seems like the previous change didn't do that because configuration objects never got this boolean. Bug: 422361840 Change-Id: I9a4fd2af616b7dd5dd27126fe10004374a41992a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8940976 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 441467877 Change-Id: I7278380605e40ca79b4dc889cb8b6734aa7c4327 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8908076 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
By removing the types from the WasmThrow, this prepares Fuzzilli to adapt the tags as a next step to use wasm-gc signatures instead of static parameter types (there might be more dependencies for that). Bug: 445356784 Change-Id: I852a84efd928ed593bbb84105a95ab7a09cde9a7 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8926696 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com>
Bug: 445356784 Change-Id: I960d64621c3faac93083b44935382a05dee93d84 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8926697 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com>
Bug: 445356784 Change-Id: I5d827c480f633e4efe565ac139f91c4fb5e04e79 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8926698 Reviewed-by: Doga Yüksel <dyuksel@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 445356784 Change-Id: Ia1a6b4606ba85e5c6f0093cc8c43cc4726a7b907 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8926699 Reviewed-by: Doga Yüksel <dyuksel@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
A bundle can contain one or several modules. A module provides a
.moduleTopLevel | .javascript context. Imports and exports can occur
only in the .moduleTopLevel context.
For now, modules can only have very simple imports and exports:
export {v1 as export0_1, v2 as export0_2};
import {v1 as v3, v2 as v4} from 'a.mjs';
More complex cases will be added later.
Bug: 342521422
Change-Id: Ie4b0b30ce2976981a5ec2279d3214196e1e62a6b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9230416
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Fuzzilli's current ordering for which source it uses to generate `.object()` types is:
1. Producing generators
2. Properties and methods
3. CodeGenerators marked with `produces` (distinct from item 1)
4. Generating object properties directly
With producing properties and methods overshadowing CodeGenerators, using CodeGenerators for types with sophisticated generation logic, in order to ensure program quality, required workarounds and compromises such as not registering the type as a builtin.
This CL reorders the logic to favor custom CodeGenerators with matching `produces` annotations. The CodeGenerators block is moved to be after the producing generators block. A 75% probability check is introduced for selecting whether to use CodeGenerators to maintain diversity in how Fuzzilli generates objects.
Bug: 479225937
Change-Id: I59ead967e9710749cb13b433fb74c64ebc8ba085
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9253961
Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This makes ProgramBuilderTests.testFindOrGenerateWithCodeGenerator not flaky by ensuring we will always use a generator if there is one and we didn't find another way for creating the object. Change-Id: Ie5cd0b787432588fb9152e0996a68a1644247167 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9266720 Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…iables Drive-by: Add ProbingMutator tests. Bug: 342521422 Change-Id: I234dd9bb1f7c026c9a30bd3aef50d39054bf8455 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9263440 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Marja Hölttä <marja@google.com>
Iterator.zipKeyed was added to V8 with https://crrev.com/c/7776198. This CL registers it for fuzzing, passing as a first parameter an object whose values are iterables. Bug: 465357675 Change-Id: Ic952e32aaa5551fb94ac3c1cba4c600602e4fb80 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9265100 Reviewed-by: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Nikos Papaspyrou <nikolaos@google.com>
Bug: 445356784 Change-Id: Iad19076024c4e313b62edd94b3cca50d60a62281 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9197817 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
This CL adds support for the br_on_null instruction. Bug: 474940922 Change-Id: Ifbbc676becc471382ef35c347fc578437bab6063 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9250640 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
The analysis of VariableAnalyzer is simpler than the one in ProgramBuilder. In particular, it accounts for JS label variables even if they're currently hidden, which led to an assertion failure in CodeGenMutator.mutate(). This CL fixes this by building additional variables if too few are visible. Bug: 504947197 Change-Id: I4c832385d655bfbb9ccdac6d0b09d8b429136c28 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9268280 Reviewed-by: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com>
In many cases we either have a generic JS signature without any type information or we reuse the same JS function multiple times; in both cases we often end up using equivalent Wasm signature definitions multiple times but defining a new signature for each of them. This change simplifies the generated code (and the lifted type section of the Wasm module) to not emit duplicate signatures for such imported JS functions. Bug: 445356784 Change-Id: I4ef30ba12aa333b44cf234c4ec5bf5bce6f3f031 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9234376 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
1) Try to generate more unique export names (which will stay unique if programs are spliced into other programs) in ProgramBuilder. This approach will still generate duplicate export names when a program is spliced into itself.
2) Handle duplicate exports gracefully in JSTyper
Fixed: 510644538
Bug: 342521422
Change-Id: If371e40f9c112e6880efb56736bb7d42a2a92fa3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9273902
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
As long as V8's full bytecode verification isn't enabled in production, fuzzers should exercise different levels of the bytecode verification, as this may explore different areas of the code (e.g., disabling the verification in sandbox fuzzers will prevent them from bailing out at "harmless error was encountered: Bytecode verification failed" before an actual sandbox violation may ever be detected). Bug: 475707969, 461681036 Change-Id: I85bc2bf6a03fd003a10d5cbf7287dc58d0efaa8a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9275460 Commit-Queue: Maksim Ivanov <emaxx@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This adds a CodeGenerator for generating a set of homomorphic objects, and a ProgramTemplate for optimizing a function which has seen homomorphic objects. Change-Id: Iac8a52c4a021f48ee74bbe24f545b62fa7305697 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9278060 Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds support for the br_on_non_null instruction. Bug: 474940922 Change-Id: I485b7b49e5c036acb29d55acfadaa707a6bf5664 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9274500 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com>
… OperationMutator Bug: 342521422 Change-Id: I64b68d2b3e5aa78b329d56494a76f9caac626480 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9278600 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Marja Hölttä <marja@google.com>
To support assumptions regarding the typing of a `jsMap`'s elements, this CL makes `jsMap` optionally parametrizable through the `createJsMapType` function. This CL also introduces a `CreateMap` operation that persists the key and value type arguments for the map. This CL avoids introducing type serialization for the type arguments, storing the type group names instead. Parameterized iterables details: cc0ff34 Bug: 510424762 Change-Id: I570fb962dc027d48e222acc62b85609cd1048d15 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9274841 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
This CL includes outputs in the IL, similarly to how we already do for WasmBranchOnNull. So they won’t be dropped, but spilled. We also don't drop outputs of WasmBranch now, as this code is unreachable. Change-Id: I7b6e9ee6a1bb91aa23dab5e68cf0237742f073ef Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9273901 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com>
as this can cause issues with variable visibility. (assert only) Ad-hoc signatures exist so that we are always able to generate e.g. a wasm function definition even if we are already in the .wasm context and therefore can't emit a wasm type group any more (which are only allowed in the .javascript context). However, these signatures are there for that wasm function then, not to use them as element types as part of other types (e.g. another ad-hoc signature for a Wasm tag definition as such a tag can be exported and reimported by a different module and then a throw of that tag might need to create a value of the element's type (which is the other ad-hoc signature that was only visible in the first Wasm module.) Bug: 445356784 Fixed: 508306801 Change-Id: Idf10b4093913dc252dbead329fad7d54ff46615d Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9267281 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
With this change wasm functions can finally include wasm-gc index types in their parameter and result types. Bug: 445356784 Change-Id: I9a57724206d853218624fb8dcfa916169b82a573 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9197816 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
in block arguments. All usages have been adapted to using wasm-gc signatures and therefore allow indexed wasm-gc types. Bug: 445356784 Change-Id: I9db52423e11f5658c7ed20870d51d867eb17c573 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9288584 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com>
Add support for CreateMap operations in VariadicInputReducer, OperationMutator, and MinimizationPostProcessor. Fixed: 510424762 Change-Id: Ia7fc6c70922dac8f265746895b0a6894611437d6 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9289344 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
The flag was removed in: https://crrev.com/c/7840605 Change-Id: I49e417d602fc6a6fd40e2ca852dc4c7965e84ff3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9305241 Auto-Submit: Michael Achenbach <machenbach@google.com> Reviewed-by: Clemens Backes <clemensb@google.com> Commit-Queue: Clemens Backes <clemensb@google.com>
Bug: 447125167 Change-Id: I694c2feac0d42f1afb47f3ec2e9c94b2401382fe Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9279080 Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 447125167 Change-Id: Ifa7899b5e12a30718f64ccac36e693aa91020e5d Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9288582 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com>
This flag used to be always set in fuzzers due to the implication from `--fuzzing`, but the implication is removed now (crrev.com/c/7845199). Hence randomize it with high probability (still not 100% to avoid having blind spots), except for sandbox fuzzers where it'd not bring any benefit due to them ignoring CHECKs. Bug: 475707969 Change-Id: Ia8a495af600acc40dcd188fc1726e1e039237c79 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9310081 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Maksim Ivanov <emaxx@google.com>
Add support for handling CreateArray operations with the `elementGroupName` property set in OperationMutator and MinimizationPostProcessor. Bug: 503429420 Change-Id: I29170419cda15d9a73d0a9ad43aaa2ebd0322081 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9293280 Commit-Queue: Tigran Bantikyan <bantikyan@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Add randomized addition of --no-flush-bytecode, to occasionally test this non-production scenario. Don't explicitly add --flush-bytecode: it's the default value anyway, and it didn't help to reenable it when flag implications (--jit-fuzzing to --no-flush-bytecode) disable it. Bug: 475707969 Change-Id: Ia2c2141430f222f6c3d7c4cb946762c725c65204 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9278461 Commit-Queue: Maksim Ivanov <emaxx@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 514576448 Change-Id: I5b818576409d654a039edac6dbcfa959352018aa Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9296863 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Marja Hölttä <marja@google.com> Auto-Submit: Raphaël Hérouart <rherouart@google.com>
Bug: 514576448 Change-Id: I4f0236055f21611a582fef526a721e13f58ca2f9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9310040 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Marja Hölttä <marja@google.com> Commit-Queue: Raphaël Hérouart <rherouart@google.com> Auto-Submit: Raphaël Hérouart <rherouart@google.com>
Bug: 445356784 Change-Id: I3a07fe4d292dd5b988c655936e0abd889338cbe8 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9310720 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This CL adds the `selectionMode` property to the `OptionsBag` struct to configure how `OptionsBag` selects the properties for the object literal it generates. The default behavior is preserved with the `anySubset` case. The new `exactlyOne` case configures `OptionsBag` to select exactly one property for the object literal. This CL also makes `OptionsBag` easily usable in profiles by adding an `additionalOptionsBag` property to the `Profile` struct and by removing the strict assert on the supported `OptionsBag` properties array. Bug: 512875834 Change-Id: I6b6348f515cc736ee281af9c9e384ac93eaf762c Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9311541 Commit-Queue: Tigran Bantikyan <bantikyan@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
updating with head