[v8] Add %AllocationTimeout generator

Besides the existing --gc-interval=n flag, this can help finding bugs
for a GC happening at a specific point in a builtin or runtime
function.

Bug: 467294029
Change-Id: I9d78d7d01d229ecd3e0c631f9d1e2f54a456b4ba
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8832419
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>

Author: Liedtke

Sources/FuzzilliCli/Profiles/V8CommonProfile.swift

@@ -51,6 +51,13 @@ public let V8GcGenerator = CodeGenerator("GcGenerator") { b in
     b.callFunction(gc, withArgs: b.findOrGenerateArguments(forSignature: b.fuzzer.environment.type(ofBuiltin: "gc").signature!))
 }
 
+public let V8AllocationTimeoutGenerator = CodeGenerator("AllocationTimeoutGenerator") { b in
+    // Repeated GCs are expensive, so only rarely use an interval.
+    let interval = probability(0.1) ? Int64.random(in: 100...10000) : -1
+    let timeout = Int64.random(in: 0...(Bool.random() ? 10 : 100)) // prefer small values
+    b.eval("%SetAllocationTimeout(%@, %@)", with: [b.loadInt(interval), b.loadInt(timeout)]);
+}
+
 public let V8MajorGcGenerator = CodeGenerator("MajorGcGenerator") { b in
     // Differently to `gc()`, this intrinsic is registered with less effects, preventing fewer
     // optimizations in V8's optimizing compilers.

Sources/FuzzilliCli/Profiles/V8Profile.swift

@@ -63,6 +63,7 @@ let v8Profile = Profile(
 
         (WorkerGenerator,                         10),
         (V8GcGenerator,                            5),
+        (V8AllocationTimeoutGenerator,             5),
         (V8MajorGcGenerator,                       5),
 
         (WasmStructGenerator,                     15),