[WASM] Adding fuzzing binaries for wasm, and script to update them.

This adds:
* A script (tools/update-wasm-fuzzers.sh), which creates a new fuzzing seed
  corpus and uploads to google storage (you must have the right credentials).
* A new pair of DEPS entries to pull in the current version of the corpus
  based on a checked in pair of hash files.

BUG=None
TEST=None
R=ahaas@chromium.org,kcc@chromium.org,mvstanton@chromium.org

Review-Url: https://codereview.chromium.org/2273303002
Cr-Commit-Position: refs/heads/master@{#38987}

.gitignore

@@ -87,6 +87,8 @@ shell_g
 /tools/swarming_client
 /tools/visual_studio/Debug
 /tools/visual_studio/Release
+/test/fuzzer/wasm
+/test/fuzzer/wasm_asmjs
 /v8.log.ll
 /xcodebuild
 TAGS

DEPS

@@ -203,6 +203,28 @@ hooks = [
                 "-s", "v8/buildtools/linux64/gn.sha1",
     ],
   },
+  {
+    "name": "wasm_fuzzer",
+    "pattern": ".",
+    "action": [ "download_from_google_storage",
+                "--no_resume",
+                "--no_auth",
+                "-u",
+                "--bucket", "v8-wasm-fuzzer",
+                "-s", "v8/test/fuzzer/wasm.tar.gz.sha1",
+    ],
+  },
+  {
+    "name": "wasm_asmjs_fuzzer",
+    "pattern": ".",
+    "action": [ "download_from_google_storage",
+                "--no_resume",
+                "--no_auth",
+                "-u",
+                "--bucket", "v8-wasm-asmjs-fuzzer",
+                "-s", "v8/test/fuzzer/wasm_asmjs.tar.gz.sha1",
+    ],
+  },
   {
     # Downloads the current stable linux sysroot to build/linux/ if needed.
     # This sysroot updates at about the same rate that the chrome build deps

src/wasm/wasm-module.cc

@@ -1664,15 +1664,21 @@ int32_t CompileAndRunWasmModule(Isolate* isolate, const byte* module_start,
                               Handle<JSArrayBuffer>::null())
           .ToHandleChecked();
 
-  return CallFunction(isolate, instance, &thrower, "main", 0, nullptr);
+  return CallFunction(isolate, instance, &thrower, asm_js ? "caller" : "main",
+                      0, nullptr, asm_js);
 }
 
 int32_t CallFunction(Isolate* isolate, Handle<JSObject> instance,
                      ErrorThrower* thrower, const char* name, int argc,
-                     Handle<Object> argv[]) {
-  Handle<Name> exports = isolate->factory()->InternalizeUtf8String("exports");
-  Handle<JSObject> exports_object = Handle<JSObject>::cast(
-      JSObject::GetProperty(instance, exports).ToHandleChecked());
+                     Handle<Object> argv[], bool asm_js) {
+  Handle<JSObject> exports_object;
+  if (asm_js) {
+    exports_object = instance;
+  } else {
+    Handle<Name> exports = isolate->factory()->InternalizeUtf8String("exports");
+    exports_object = Handle<JSObject>::cast(
+        JSObject::GetProperty(instance, exports).ToHandleChecked());
+  }
   Handle<Name> main_name = isolate->factory()->NewStringFromAsciiChecked(name);
   PropertyDescriptor desc;
   Maybe<bool> property_found = JSReceiver::GetOwnPropertyDescriptor(

src/wasm/wasm-module.h

@@ -410,7 +410,7 @@ int32_t CompileAndRunWasmModule(Isolate* isolate, const byte* module_start,
 
 int32_t CallFunction(Isolate* isolate, Handle<JSObject> instance,
                      ErrorThrower* thrower, const char* name, int argc,
-                     Handle<Object> argv[]);
+                     Handle<Object> argv[], bool asm_js = false);
 }  // namespace testing
 }  // namespace wasm
 }  // namespace internal

test/fuzzer/wasm.tar.gz.sha1

+f79cf321bca34d18f51b189dc3ce760690d09d44
\ No newline at end of file

test/fuzzer/wasm_asmjs.tar.gz.sha1

+ec40c2e864dc023142ad50f74f68262932ef7081
\ No newline at end of file

tools/update-wasm-fuzzers.sh

+#!/bin/bash
+# Copyright 2016 the V8 project authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+set -e
+
+TOOLS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+cd ${TOOLS_DIR}/..
+
+rm -rf test/fuzzer/wasm
+rm -rf test/fuzzer/wasm_asmjs
+
+make x64.debug -j
+
+mkdir -p test/fuzzer/wasm
+mkdir -p test/fuzzer/wasm_asmjs
+
+# asm.js
+./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
+  --mode=debug --no-presubmit --extra-flags="--dump-wasm-module \
+  --dump-wasm-module-path=./test/fuzzer/wasm_asmjs/" mjsunit/wasm/asm*
+./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
+  --mode=debug --no-presubmit --extra-flags="--dump-wasm-module \
+  --dump-wasm-module-path=./test/fuzzer/wasm_asmjs/" mjsunit/asm/*
+./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
+  --mode=debug --no-presubmit --extra-flags="--dump-wasm-module \
+  --dump-wasm-module-path=./test/fuzzer/wasm_asmjs/" mjsunit/regress/asm/*
+# WASM
+./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
+  --mode=debug --no-presubmit --extra-flags="--dump-wasm-module \
+  --dump-wasm-module-path=./test/fuzzer/wasm/" unittests
+./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
+  --mode=debug --no-presubmit --extra-flags="--dump-wasm-module \
+  --dump-wasm-module-path=./test/fuzzer/wasm/" mjsunit/wasm/*
+./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
+  --mode=debug --no-presubmit --extra-flags="--dump-wasm-module \
+  --dump-wasm-module-path=./test/fuzzer/wasm/" \
+  $(cd test/; ls cctest/wasm/test-*.cc | \
+  sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
+
+# Delete items over 20k.
+for x in $(find ./test/fuzzer/wasm/ -type f -size +20k)
+do
+  rm $x
+done
+for x in $(find ./test/fuzzer/wasm_asmjs/ -type f -size +20k)
+do
+  rm $x
+done
+
+# Upload changes.
+cd test/fuzzer
+upload_to_google_storage.py -a -b v8-wasm-fuzzer wasm
+upload_to_google_storage.py -a -b v8-wasm-asmjs-fuzzer wasm_asmjs