V8 side change: https://crrev.com/c/7137442

Bug: 457866804
Change-Id: Id01597d3194e4c88d38623f646c1671330e63b43
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8753396
Reviewed-by: Michael Achenbach <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>

This replaces the separate logic for lastFunctionVariable with the generic runtimeData approach. This doesn't change behavior.

Change-Id: I9cc988879638b423dabc99d4598028caacb6a3de
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8714836
Commit-Queue: Michael Achenbach <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

Similarly to objects as disposable variables, this enables generating instances of classes as disposable variables, used with both `using` and `await using`. The generators have the new style and provide a class with a computed method with Symbol.dispose or Symbol.asyncDispose. As a fly-by, this also makes use of `b.runtimeData` to store the symbol of the existing generator for disposable objects.

Bug: 446632644
Change-Id: I433ce357e4649230b803361e6fba15ca2cb954e2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8715016
Reviewed-by: Danylo Mocherniuk <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

V8-side change: https://crrev.com/c/7137292

Bug: 455552707
Change-Id: Ifd5f44b69ef62f18ecfa03525e988bd2f43253cc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8756377
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Victor Gomes <[email protected]>

Many (all?) JS engines have optimizations for string concatenations. To make it more likely to have such concatenated strings (ConsString in V8), add a code generator for string concatenation.

Fixed: 455552707
Change-Id: I0a9bf66a5f721d38f34327f7acd8c5344086cf10
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8756756
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Dominik Klemba <[email protected]>
Reviewed-by: Victor Gomes <[email protected]>

So far this will only fuzz the definition of these signatures as there aren't any operations registered which would make use of these definitions, yet.

Bug: 445356784
Change-Id: I1c6b99e863bf359e4c505605d2d7f64533553f19
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8753596
Reviewed-by: Pawel Krawczyk <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

Change-Id: Ib70851f9cd9d11f39501815280d6ea641c6df40e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8764020
Reviewed-by: Carl Smith <[email protected]>
Commit-Queue: Carl Smith <[email protected]>
Auto-Submit: Pawel Krawczyk <[email protected]>

Bug: 458429784
Change-Id: If21b4e7bd0670939f0413c11e8d6c8ef1b5e5823
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783156
Reviewed-by: Michael Achenbach <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
Auto-Submit: Darius Mercadier <[email protected]>

type for input requirements and output guarantees.

Bug: 445356784
Change-Id: Ib1319c8e42e33688c7c0921b166e46e50b031748
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8760696
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Carl Smith <[email protected]>

Bug: 429332174
Change-Id: Ic644ce211f96e1bd2c3044bc14fa12ee4410fa24
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783696
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Dominik Klemba <[email protected]>

V8-side change: https://crrev.com/c/7178541

Right now this probably doesn't change much as the ProgramTemplate from commit 9e2e2a3 uses multiple assignments and other instructions will never emit the correct bytecode due to how expression inlining is implemented for assignments right now. Still, it doesn't hurt to add this flag to Fuzzilli as well.

Bug: 429332174
Change-Id: I7a4318ba434d701c530fef72a31bce1497f51529
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8792496
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Raphaël Hérouart <[email protected]>
Reviewed-by: Raphaël Hérouart <[email protected]>

Change-Id: Ib196ad69f5a3a09620b82da5e60694777a024aef
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783856
Reviewed-by: Dominik Klemba <[email protected]>
Commit-Queue: Pawel Krawczyk <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>
Auto-Submit: Pawel Krawczyk <[email protected]>

This way the new code generation logic can resolve dependencies when it requires a Wasm struct, array, or signature type. In theory, these could all be registered as separate code generators; however, it seems simpler to have one that just generates all 3 types. We need the separate generator and can't rely on the "inner" generators like the "ArrayTypeGenerator" as these can only run inside the `.wasmTypeGroup` context.

Bug: 445356784
Change-Id: I5c2b9e37aeb9b3ab50f05a37e49147efff4acaa7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8767377
Commit-Queue: Matthias Liedtke <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Reviewed-by: Pawel Krawczyk <[email protected]>

Change-Id: I9f502e7d70fcccbb335f424391bebfdb6561f3e0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8764022
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Pawel Krawczyk <[email protected]>

V8-side change: https://crrev.com/c/7198340

Change-Id: I423361da98643dcde469b8a13c6b7df44114d8c6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8793536
Reviewed-by: Dominik Klemba <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Dominik Klemba <[email protected]>

…function

To allow defining a block with a wasm-gc signature while already being in the .wasmFunction context, this change adds a new operation WasmDefineAdHocSignature. This way statements requiring a signature type input can directly embed this signature definition inside the function.

Bug: 445356784
Change-Id: I56754224551ea82883c71410f4aca957b7bf24d4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8787096
Reviewed-by: Pawel Krawczyk <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

To ensure that this function is correctly detected as a crash in both regular fuzzing and sandbox fuzzing configurations

Change-Id: I22eae385d08d343926624d5e6f33b7e6dbf72993
Bug: 461681036
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796176
Commit-Queue: Samuel Groß <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

This change increases the probability of accessing the length of rest parameters and rest elements to improve fuzzing coverage of V8's optimizations for RestLength (rest.length). With a 20% probability, a FuzzIL variable is created for the "length" property of a newly created rest parameter or element. This affects all function types and array destructuring generators.

For function generators and 'ForOfWithDestructLoopGenerator', we do not need to check if outputs are empty: 'hasRestParameter' implies the existence of parameters, and loop generation logic guarantees non-empty indices. For 'DestructArrayGenerator' and 'DestructArrayAndReassignGenerator', we now ensure that 'lastIsRest' is only true when the variable list is non-empty. Assertions were also added to the DestructArray instructions to enforce this invariant.

Bug: 456162872
Change-Id: I37b78cc892aac5bb5e5164864863dc51dba40f51
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8741996
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Dominik Klemba <[email protected]>

Change-Id: I02ac85b1f90e3a21a6310157457d2e0c0ec364d3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796658
Auto-Submit: Pawel Krawczyk <[email protected]>
Commit-Queue: Dominik Klemba <[email protected]>
Reviewed-by: Dominik Klemba <[email protected]>

Bug: 455512155,455513417
Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096
Commit-Queue: Pawel Krawczyk <[email protected]>
Reviewed-by: Dominik Klemba <[email protected]>

This adds a stand-alone Python script with the following properties:
* Mimic various test configs from V8 (for now test262 without staging)
* List all supported tests from a config
* Transpile all tests in parallel (i.e. compile to FuzzIL and lift back to JS)
* Print statistics and return relevant results as a json file
* The results contain stats that we can track as a metric, e.g. the percentage of properly transpiled tests.

The script is tested with a Python unit test that runs the script E2E, also hooked up through a presubmit script so that it's tested on updates.

Bug: 442444727
Change-Id: I29c89cede59aef885e45a0ae0821d3388bc51e8f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8787097
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>

This makes the executor look for Node.js in the CWD, which makes it easy to bundle both together when porting the FuzzILTool to another machine.

Bug: 442444727
Change-Id: I80adcde79fb6d773f3f47817da24188bbbe5431e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796659
Reviewed-by: Pawel Krawczyk <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

Generating shared ref variables is to be done in following CLs.

See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.

Bug: 448349112
Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Dominik Klemba <[email protected]>
Commit-Queue: Pawel Krawczyk <[email protected]>

This reverts commit e35cbb5.

Reason for revert: Crashes and not reviewed yet.

Original change's description:
> Add support for shared references.
>
> Generating shared ref variables to be done in following CLs.
>
> See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.
>
> Bug: 448349112
> Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
> Commit-Queue: Matthias Liedtke <[email protected]>
> Reviewed-by: Dominik Klemba <[email protected]>
> Commit-Queue: Pawel Krawczyk <[email protected]>

Bug: 448349112
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I8bc73bef53d053078db9318de6408d4dbf2f4cda
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8810396
Bot-Commit: Rubber Stamper <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Rubber Stamper <[email protected]>
This change allows the JavaScriptLifter to inline arrow functions (e.g., 'foo(() => 42)') by treating them as expressions.
- Adds ArrowFunctionExpression to JSExpressions.
- Updates JavaScriptLifter to detect recursive arrow functions and block boundaries.
- Non-recursive arrow functions are buffered and assigned as expressions.
- Recursive arrow functions retain the original variable declaration strategy.
- Implements concise body syntax ('() => expr') for single-line returns without comments.
- Updates JavaScriptWriter to use emitBlock for multi-line inlined expressions.
Bug: 464228572, 456164925
Change-Id: Ic4618c2ba92ad96d95303e83f8551c13beef508c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8808456
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Dominik Klemba <[email protected]>
Auto-Submit: Dominik Klemba <[email protected]>
This is a mini-fuzzer for the new BytecodeVerifier in V8. It uses %GetBytecode to obtain a JS representation of the BytecodeArray of an existing function, mutates it, then installs it back on the function using %InstallBytecode and finally executes the function.

As the verifier only ensures that the bytecode does not cause a sandbox breakout (not general memory corruption), the mini-fuzzer is also specific to the V8Sandbox fuzzing profile.

Bug: 461681036
Change-Id: Iac64f3c9532f47455c57cf4251197771b0663612
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8814316
Commit-Queue: Samuel Groß <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

This enables calling the script with the arguments --num-shards and --shard-index. The former defines on how many shards (bots) the overall task gets distributed, the latter the index n to deterministically determine the sub-task for the n'th shard. The test order is deterministic and we assume that this script is called from different shards with the same test archive. The sub-task is then evenly divided with a simple modulo algorithm.

Bug: 442444727
Change-Id: I32803d2bae14f9387e445b627363f4de7ac7efe4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8817538
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
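The sharding scheme the message describes (deterministic test order, then a modulo split over `--num-shards`), as an added JavaScript example that is not the script from the commit. The test names and the `selectShard`/`shardsPartition` helpers are constructed here for illustration; the check at the end verifies the property the bots rely on, that the shards partition the full list.

```javascript
// Added example (not Fuzzilli's script): deterministic modulo sharding of a
// test list across --num-shards bots. Test names are constructed.

// Every shard must see the same order, so sort (and de-duplicate) the list
// instead of trusting the order in which the archive was enumerated.
function orderedTests(tests) {
  return [...new Set(tests)].sort();
}

// Shard n runs every test whose position in the deterministic order is
// congruent to n modulo numShards. Arguments are validated the way a CLI
// parser for --num-shards / --shard-index would.
function selectShard(tests, numShards, shardIndex) {
  if (!Number.isInteger(numShards) || numShards < 1) {
    throw new RangeError("--num-shards must be an integer >= 1");
  }
  if (!Number.isInteger(shardIndex) || shardIndex < 0 || shardIndex >= numShards) {
    throw new RangeError("--shard-index must be an integer in [0, --num-shards)");
  }
  return orderedTests(tests).filter((_, i) => i % numShards === shardIndex);
}

// Property check: across all shards each test runs exactly once and the
// shard sizes differ by at most one (the "evenly divided" guarantee).
function shardsPartition(tests, numShards) {
  const all = orderedTests(tests);
  const seen = new Map();
  const sizes = [];
  for (let n = 0; n < numShards; n++) {
    const part = selectShard(tests, numShards, n);
    sizes.push(part.length);
    for (const t of part) seen.set(t, (seen.get(t) || 0) + 1);
  }
  const eachOnce = seen.size === all.length && all.every((t) => seen.get(t) === 1);
  const balanced = Math.max(...sizes) - Math.min(...sizes) <= 1;
  return eachOnce && balanced;
}

// Constructed sample: seven test262-style paths, deliberately given out of order.
const SAMPLE_TESTS = [
  "language/types/string/g.js",
  "built-ins/Array/from/a.js",
  "language/statements/for-of/e.js",
  "built-ins/Map/get/c.js",
  "language/types/number/f.js",
  "built-ins/Array/from/b.js",
  "language/statements/class/d.js",
];

if (typeof require !== "undefined" && require.main === module) {
  for (let n = 0; n < 3; n++) {
    console.log(`shard ${n}/3:`, selectShard(SAMPLE_TESTS, 3, n));
  }
  console.log("partition ok:", shardsPartition(SAMPLE_TESTS, 3));
}
```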
…bility)."

This reverts commit 8a542af.

Reason for revert: V8/d8 is not seeded, therefore crashes are not reproducible (and the code is unstable).

Original change's description:
> Throw exception in TryCatchFinally blocks (with certain probability).
>
> Bug: 455512155,455513417
> Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096
> Commit-Queue: Pawel Krawczyk <[email protected]>
> Reviewed-by: Dominik Klemba <[email protected]>

Bug: 455512155,455513417
Change-Id: I17514fcc50b60232faccd0a7b418fad0b187174d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821316
Bot-Commit: Rubber Stamper <[email protected]>
Commit-Queue: Dominik Klemba <[email protected]>
Reviewed-by: Michael Achenbach <[email protected]>
Auto-Submit: Dominik Klemba <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>

This makes it possible to call the script from some nested work dir.

Bug: 442444727
Change-Id: I5f6f4313b652cb09e4d168785e78a2334495ccd9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821322
Auto-Submit: Michael Achenbach <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

This allows using parameter types which are indexed types (things like `(ref null 1)`).

Implementation:
- Each WasmLoop instruction now takes its signature as the first input.
- The static signature types are removed from the begin and endLoop.
- The loop code generator emits an "ad hoc" signature in order to emit signatures for which we already have corresponding inputs available.

Bug: 445356784
Change-Id: Ic58ab7d6a092a39de77c974142dd7f976786e8e1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8792956
Reviewed-by: Pawel Krawczyk <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

This test case is obsolete. For detecting missing builtins, there is now a script that can recursively scan the available global context of a JavaScript shell.

Bug: 487347678
Change-Id: If785dc73fca43d693e29d1c22e345381568072bd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064301
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Danylo Mocherniuk <[email protected]>

Bug: 487347678
Change-Id: I2157fdb4904c8cd5886c8cf9c3f230cab85fdd76
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9078877
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
Reviewed-by: Michael Achenbach <[email protected]>

Bug: 487347678
Change-Id: I00083540222506cfb09d7b1dfe5d040b7818a58b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081256
Commit-Queue: Danylo Mocherniuk <[email protected]>
Reviewed-by: Danylo Mocherniuk <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

Bug: 445356784
Change-Id: I488149208dcda6e632ff1fc36d7c959978c3d470
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9078876
Commit-Queue: Matthias Liedtke <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Reviewed-by: Manos Koukoutos <[email protected]>

These are fixed in d8 via https://crrev.com/c/7642309.

Bug: 487347678
Change-Id: I772ae90c0cee6a4c126f11d84934c132bc69c463
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081257
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Danylo Mocherniuk <[email protected]>

Bug: 445356784
Change-Id: I583e24a56e0e97b589a9bd796ee7e4e23cd63d0d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081258
Reviewed-by: Danylo Mocherniuk <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

This flag is enabled by default and has been removed from v8 in: https://crrev.com/c/7642813

Change-Id: I442cd7dfcb0b7d457a06fb73d808285b336738fc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081797
Commit-Queue: Michael Achenbach <[email protected]>
Reviewed-by: Michael Achenbach <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>

Also add DataView.prototype.setBigUint64 and its optional littleEndian parameter.

Bug: 445356784
Change-Id: If49c62df8beb2c7202ad12bad58d220ca3f1a3ad
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081796
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
Reviewed-by: Michael Achenbach <[email protected]>

- Promise.all, Promise.race, Promise.allSettled expect a single (iterable) argument.
- Date.now, Date.parse, Date.UTC don't return a Date, they return a number (the timestamp). The same applies to all the mutator / setter methods on Date.prototype.
- String.prototype.localeCompare returns an integer, not a string.
- String.prototype.match returns an array of matches, not a single string.
- FinalizationRegistry.prototype.register doesn't return anything.
- FinalizationRegistry.prototype.unregister returns a boolean (whether at least one cell was unregistered).
- Reflect.getPrototypeOf, Reflect.isExtensible, and Reflect.ownKeys throw a TypeError if passed a primitive value, so type them as requiring an object.
- DataView: The multi-byte getter and setter methods were missing the optional littleEndian boolean parameter.
- Math.max and Math.min return a number (which might be NaN).
- Object.assign, .defineProperty, .defineProperties and .freeze all return the object.
- Array.fill, .reverse and .sort return the passed (modified) array.
- The same is true for the typed arrays (Int8Array and friends).

Change-Id: I1c96b03f3303aad8868a13102b6675126bcc3997
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9087136
Reviewed-by: Michael Achenbach <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
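The corrections listed in that commit message are statements about what the engine actually returns, and a builtin type model (such as the one Fuzzilli uses for these builtins) can be checked against the runtime directly. The probes below are an added JavaScript example, not Fuzzilli code; `kindOf`, `checkBuiltinTypes` and the sample inputs are constructed here, and the DataView probe also shows why the littleEndian flag matters.

```javascript
// Added example (not Fuzzilli code): runtime probes for the builtin return
// types and argument requirements listed in the commit message. A builtin
// type model can be compared against what the engine really does.

// Coarse classification of a value, as a type model would see it.
function kindOf(value) {
  if (value === undefined) return "undefined";
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  if (value instanceof Date) return "Date";
  return typeof value; // "number", "boolean", "string", "object", ...
}

// [name, expected kind, probe]. Sample inputs are constructed.
const returnKindProbes = [
  ["Date.now", "number", () => Date.now()],
  ["Date.parse", "number", () => Date.parse("2020-01-01T00:00:00Z")],
  ["Date.UTC", "number", () => Date.UTC(2020, 0, 1)],
  ["Date.prototype.setHours", "number", () => new Date(0).setHours(1)],
  ["String.prototype.localeCompare", "number", () => "a".localeCompare("b")],
  ["String.prototype.match", "array", () => "abcabc".match(/b/g)],
  ["FinalizationRegistry.prototype.register", "undefined",
    () => new FinalizationRegistry(() => {}).register({}, "held")],
  ["FinalizationRegistry.prototype.unregister", "boolean",
    () => new FinalizationRegistry(() => {}).unregister({})],
  ["Math.max with NaN input", "number", () => Math.max(1, NaN)],
  ["Math.min with no arguments", "number", () => Math.min()],
];

// Builtins that must hand back the very object they were given.
const objectIdentityProbes = [
  ["Object.assign", (o) => Object.assign(o, { a: 1 })],
  ["Object.defineProperty", (o) => Object.defineProperty(o, "x", { value: 1 })],
  ["Object.defineProperties", (o) => Object.defineProperties(o, { y: { value: 2 } })],
  ["Object.freeze", (o) => Object.freeze(o)],
];
// Same requirement for the mutating array methods, on Array and typed arrays.
const arrayIdentityProbes = [
  ["fill", (a) => a.fill(0)],
  ["reverse", (a) => a.reverse()],
  ["sort", (a) => a.sort()],
];

// Reflect functions that reject a primitive receiver with a TypeError.
const throwOnPrimitiveProbes = [
  ["Reflect.getPrototypeOf", () => Reflect.getPrototypeOf(1)],
  ["Reflect.isExtensible", () => Reflect.isExtensible("s")],
  ["Reflect.ownKeys", () => Reflect.ownKeys(true)],
];

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// With littleEndian=true the low byte of the 64-bit value lands at offset 0;
// a model that omits the parameter cannot describe this behaviour.
function dataViewLittleEndianLowByte() {
  const view = new DataView(new ArrayBuffer(8));
  view.setBigUint64(0, 0x0102030405060708n, true);
  return view.getUint8(0); // 8
}

// Run all probes; returns the names whose observed behaviour disagrees with
// the commit message. An empty list means the type model matches the engine.
function checkBuiltinTypes() {
  const mismatches = [];
  for (const [name, expect, run] of returnKindProbes) {
    if (kindOf(run()) !== expect) mismatches.push(name);
  }
  for (const [name, run] of objectIdentityProbes) {
    const o = {};
    if (run(o) !== o) mismatches.push(name);
  }
  for (const [name, run] of arrayIdentityProbes) {
    const a = [3, 1, 2];
    if (run(a) !== a) mismatches.push(`Array.prototype.${name}`);
    const ta = new Int8Array([3, 1, 2]);
    if (run(ta) !== ta) mismatches.push(`Int8Array.prototype.${name}`);
  }
  for (const [name, run] of throwOnPrimitiveProbes) {
    if (!throwsTypeError(run)) mismatches.push(name);
  }
  if (dataViewLittleEndianLowByte() !== 0x08) mismatches.push("DataView littleEndian");
  return mismatches;
}

if (typeof require !== "undefined" && require.main === module) {
  const bad = checkBuiltinTypes();
  console.log(bad.length === 0 ? "all builtin probes match" : `mismatches: ${bad.join(", ")}`);
}
```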
Test cases that use OSR currently only do this through --jit-fuzzing triggering OSR in loops, often leading to brittle repros like the referenced bug. This creates a typical pattern in a code generator making use of the %OptimizeOsr() runtime function.

Bug: 490353576
Change-Id: Id09459d8f7ba26a1b0eaec7e438de555b22fc7b5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9087056
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>

Moves the randomness of the sandbox corruption engine from the JavaScript runtime to the Swift program generator.

Functional changes:
- Splits the monolithic `corrupt(obj, seed)` JS payload into modular entry points: `corruptDataWithBitflip`, `corruptDataWithIncrement`, `corruptDataWithReplace`, `corruptWithWorker`, and `corruptFunction`.
- Replaces JS recursion with deterministic `pathArray` tuples generated by Fuzzilli, explicitly passing required entropy seeds (e.g., `[[Step.POINTER, offsetSeed], [Step.NEIGHBOR, hashQuery]]`).
- `corruptFunction` evaluates the entire traversal path first and only hijacks the function if the final target is a JSFunction.
- `corruptWithWorker` only sets up a background flipping race condition.
- Operations, sizes, bit positions, sub-field offsets, and BigInt increment values are now calculated natively by Fuzzilli and passed to JS as explicit arguments.
- Deletes the JS `Mutator` and `RNG` classes entirely, rendering the JS payload completely state-free.
- Adds startup tests to explicitly verify the parser and read-only safety logic for all new corruption entry points.

Bug: 490512258, 490522975
Change-Id: Ia4459efa2526ecd46aa6db441657905c057e1e37
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9053496
Reviewed-by: Michael Achenbach <[email protected]>
Auto-Submit: Dominik Klemba <[email protected]>
Commit-Queue: Dominik Klemba <[email protected]>

Changes the failure rate for LiveTests.testWasmCodeGenerationAndCompilationAndExecution from 25% to 35%. This threshold should be reduced again once ref.cast is properly handled.

Change-Id: I92938e5c58ce6171627cc003a13d5344c9cafe70
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9087656
Commit-Queue: Matthias Liedtke <[email protected]>
Auto-Submit: Dominik Klemba <[email protected]>
Commit-Queue: Dominik Klemba <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

Change-Id: I28783d963f1ac4678f2e2cdd170f9a8c5182e299
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9091116
Commit-Queue: Marja Hölttä <[email protected]>
Reviewed-by: Michael Achenbach <[email protected]>

and support iterables in OptionsBags.

Iterator.zip was added to V8 with https://crrev.com/c/7605659.

Bug: 465357675
Change-Id: Ia5e5c49831f8ad10c166bb32a264ee90a1aadead
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9090936
Auto-Submit: Matthias Liedtke <[email protected]>
Reviewed-by: Olivier Flückiger <[email protected]>
Commit-Queue: Nikos Papaspyrou <[email protected]>
Reviewed-by: Nikos Papaspyrou <[email protected]>

…codes`

Include `--private_field_bytecodes` with a 0.5 probability. Include `--proto_assign_seq_lazy_func_opt` with a 0.5 probability in Fuzzilli. This flag does imply the flag it replaces. Seq count is fixed to 1 to stress the pattern.

Bug: 449885256
Bug: 474269456
Change-Id: I4e9928c2c3b23ebc129bfae67d06dc286a8dfba7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9095116
Reviewed-by: Michael Achenbach <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Raphaël Hérouart <[email protected]>

Change-Id: I9f2aedf60a7d3d8eec7011243e6ddac5af94aa74
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9099036
Commit-Queue: Marja Hölttä <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>
Reviewed-by: Darius Mercadier <[email protected]>

Same as commit 226938a but now for the tail call variant (in preparation for using wasm-gc signatures for wasm functions).

Bug: 445356784
Change-Id: I5b2501b45a4a3f7e15c8814008d2d6d5bc9a9974
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9108116
Reviewed-by: Manos Koukoutos <[email protected]>
Commit-Queue: Manos Koukoutos <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>

Currently, when Fuzzilli fails to execute a script via the REPRL protocol (e.g., if the target fails to launch and send the HELO message, or crashes unexpectedly), the resulting error message is opaque (e.g., "Did not receive HELO message from child: Bad file descriptor").

Fuzzilli already captures the target's stdout and stderr in memory-mapped files by default; this change extracts those buffers and appends them to the Fuzzilli warning and error logs whenever `reprl_execute` fails. This surfaces the actual crash dump, missing dependencies, or startup errors directly in the logs, making debugging broken targets locally or on bots significantly easier.

Bug: 492209808
Change-Id: If94fc9eadc97645ab240f648b7e6cf42378d091e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9095283
Auto-Submit: Giovanni Ortuño Urquidi <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

V8 has lots of optimizations around smi ranges (e.g. untagging smis).

Change-Id: I1393d1c30a61ef43d45f3ede4a74e6fe0b6c0e2d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9111056
Reviewed-by: Darius Mercadier <[email protected]>
Commit-Queue: Darius Mercadier <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>

Bug: 445356784
Change-Id: I0eb33e4e3f800919b5c92bf6ce48ded45d372ac5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9108176
Auto-Submit: Matthias Liedtke <[email protected]>
Reviewed-by: Manos Koukoutos <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

Bug: 491410818
Change-Id: I400fbd530f32c3a8ee2c16cd71c73d24adf43357
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9110957
Commit-Queue: Darius Mercadier <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

This works around false positives in connection with code referring to `f.arguments` in differential fuzzing. We now suppress any access to the `arguments` property and instead reject such samples. This only has an effect in differential fuzzing and is a no-op otherwise.

We don't really care if the receiver actually is a function, and instead over-approximate this slightly. This might cover weird other ways of transferring the arguments to another object with `o.__proto__ = f`.

Bug: 490382714
Change-Id: Ia7e78a6708f4d0db4c1ba671cfd279db8f57b70e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9102176
Commit-Queue: Michael Achenbach <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>

While this changes the IL to emit wasm-gc signatures for the functions, it doesn't yet actually allow using wasm-gc types in them. A few places (WasmDefineTable and WasmCallIndirect / WasmReturnCallIndirect) still need to be adapted to allow wasm-gc types before we can actually allow indexed wasm-gc types in function signatures.

Bug: 445356784
Change-Id: I5715f584cfa5ee664f957a28e28bf80b6f3cdd9e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9115296
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Manos Koukoutos <[email protected]>

Change-Id: I4e2111aca7b7619584bffe9d008c60f55da18999
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9122916
Auto-Submit: Michael Achenbach <[email protected]>
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

This simplifies and reduces a lot of code and prepares adding support for more kinds of class members without exploding the number of instructions due to the additional factor 2 for static and instance members.

Concretely this merges instructions for all members (properties, elements and methods) that have a static and non-static (instance) variant. The static bit is represented by a variable in the instruction.

This was also tested locally with and without this change, both with a large number for class-related code generators. Both versions resulted in similar correctness stats without any crashes.

Bug: 446634535
Change-Id: I57b3261e202dffeb57704d0040b2a8d02b50a9e6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9094176
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>

The TableType will need to be adapted for tracking wasm-gc signatures. I just couldn't find a good reason why we'd need to store the TableType on Table.get and Table.set?

Bug: 445356784
Change-Id: Ia115d287b27cc18f52a48ddce25b897f1a19b293
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9123736
Reviewed-by: Manos Koukoutos <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

Change-Id: I99bc88a3cefdd5d4cbaf645b10e1cdcd66138a52
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9123977
Commit-Queue: Manos Koukoutos <[email protected]>
Reviewed-by: Manos Koukoutos <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>

The WasmThrowRefGenerator requires an exnref as an input. Without having a generator that produces it, it isn't very likely that there is an exnref available in the current program, so the generator cannot be run in most cases. Registering a generator producing that exnref (if a tag is available) helps significantly.

Change-Id: Idbd9337f5a7339d58fe1f76e264569907f7081ce
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9123976
Auto-Submit: Matthias Liedtke <[email protected]>
Reviewed-by: Manos Koukoutos <[email protected]>
Commit-Queue: Manos Koukoutos <[email protected]>

The first attempt of fixing this was commit 89691a1, however this means we might end up not typing the inner outputs (the tag's "elements" available inside the catch) which breaks the typer's assumptions that everything gets typed. Typing it with some dummy value can also lead to issues downstream (e.g. by the next instruction now taking an input that isn't of the needed type any more), so instead we solve this issue by always also adding a signature as an input. As the signature is defined in Wasm, input replacement can only happen with strict type checks, so it is safe to rely on this.

It's a bit annoying for the WasmBeginCatch to take an extra input for this specific problem; however, WasmBeginCatch is anyway related to the "legacy" exception handling which isn't a properly spec'ed Wasm feature but a "browsers have been shipping this without a finished spec" kind of thing.

Bug: 448860865
Change-Id: I06638ccbb5ed0c9dbb7355ac198b7ace25f521b8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9129497
Reviewed-by: Michael Achenbach <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

The issue was introduced with commit 7fb8254. While I was running the fuzzer for multiple hours, the fuzzer is more permissive in not crashing on invalid programs sent over the wire, so this wasn't detected.

Change-Id: I34f04902915539cb688c5c6eb6825d28a123ccb0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9130176
Reviewed-by: Michael Achenbach <[email protected]>
Commit-Queue: Michael Achenbach <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Reviewed-by: Olivier Flückiger <[email protected]>