Commit 02becb16 authored by Andreas Haas, committed by Commit Bot

[wasm] Enable --wasm-staging in libfuzzer fuzzers

As described in https://docs.google.com/document/d/1hB8mpWmzmtaxZ8PuJEkAWLwFqXTjrw7mJ3Ge9W1dB4E,
we want to enable --wasm-staging for libfuzzer fuzzers to increase test
coverage of new feature implementations. As discussed in https://docs.google.com/a/chromium.org/document/d/1hB8mpWmzmtaxZ8PuJEkAWLwFqXTjrw7mJ3Ge9W1dB4E/edit?disco=AAAADPrjhdA,
this has to be done in our implementations manually.


R=thibaudm@chromium.org

Bug: v8:9601
Change-Id: Iab35af75bb71b6fca697ab7e4ac37b04e1d6da35
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1768581
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63392}
parent 156f187c
...@@ -140,6 +140,8 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes, ...@@ -140,6 +140,8 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes,
"can be\n" "can be\n"
"// found in the LICENSE file.\n" "// found in the LICENSE file.\n"
"\n" "\n"
"// Flags: --wasm-staging\n"
"\n"
"load('test/mjsunit/wasm/wasm-module-builder.js');\n" "load('test/mjsunit/wasm/wasm-module-builder.js');\n"
"\n" "\n"
"(function() {\n" "(function() {\n"
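Review bot: The `// Flags: --wasm-staging` line written into every generated test case is only correct as long as it matches the flag that `FuzzWasmModule` actually enables at runtime; the two are set in separate places with no link between them, so a later change to one (another staged flag, or a rename) silently desynchronises reproducers from the fuzzer. Consider deriving the header from the same definition the fuzzer uses, or at least adding a comment in both spots pointing at the other.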
...@@ -249,6 +251,11 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes, ...@@ -249,6 +251,11 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes,
void WasmExecutionFuzzer::FuzzWasmModule(Vector<const uint8_t> data, void WasmExecutionFuzzer::FuzzWasmModule(Vector<const uint8_t> data,
bool require_valid) { bool require_valid) {
// We explicitly enable staged WebAssembly features here to increase fuzzer
// coverage. For libfuzzer fuzzers it is not possible that the fuzzer enables
// the flag by itself.
FlagScope<bool> enable_staged_features(&FLAG_wasm_staging, true);
// Strictly enforce the input size limit. Note that setting "max_len" on the // Strictly enforce the input size limit. Note that setting "max_len" on the
// fuzzer target is not enough, since different fuzzers are used and not all // fuzzer target is not enough, since different fuzzers are used and not all
// respect that limit. // respect that limit.
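Review bot: The new `FlagScope` is correctly placed at the very top of `FuzzWasmModule`, before any decoding or compilation can observe `FLAG_wasm_staging`, which is what the scope needs. Two small points: the comment sentence "it is not possible that the fuzzer enables the flag by itself" reads awkwardly and would be clearer as "libFuzzer cannot set V8 flags on its own, so we set it here"; and this same three-line comment plus scope is duplicated in another fuzzer entry point in this change, so a shared helper (or a shared comment reference) would keep the two from drifting apart.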
...@@ -20,6 +20,13 @@ ...@@ -20,6 +20,13 @@
namespace i = v8::internal; namespace i = v8::internal;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// We explicitly enable staged WebAssembly features here to increase fuzzer
// coverage. For libfuzzer fuzzers it is not possible that the fuzzer enables
// the flag by itself.
i::FlagScope<bool> enable_staged_features(&i::FLAG_wasm_staging, true);
// We reduce the maximum memory size and table size of WebAssembly instances
// to avoid OOMs in the fuzzer.
i::FlagScope<uint32_t> max_mem_flag_scope(&i::FLAG_wasm_max_mem_pages, 32); i::FlagScope<uint32_t> max_mem_flag_scope(&i::FLAG_wasm_max_mem_pages, 32);
i::FlagScope<uint32_t> max_table_size_scope(&i::FLAG_wasm_max_table_size, i::FlagScope<uint32_t> max_table_size_scope(&i::FLAG_wasm_max_table_size,
100); 100);
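Review bot: This block repeats verbatim the comment and `FlagScope<bool>` from `FuzzWasmModule`; factoring both into one helper would avoid two copies that must be kept in sync. Ordering here is fine: the staging scope precedes the `wasm_max_mem_pages` (32) and `wasm_max_table_size` (100) scopes, so staged features are active for the whole run while the memory and table limits that guard against OOM still apply. Worth a short note in the commit message that enabling staged features widens the surface the fuzzer exercises, so new crashes surfacing after this land may be in staged code paths rather than regressions in shipped ones.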