[wasm-simd] Add some simd ops to fuzzer

This is still very limited, but we will have some simd instructions. We add 2 kinds of instructions: - any_true to generate i32 from v128 - add to generate v128 from v128 and v128 - extract_lane to generate v128 from all other types We do not add v128 to the list of types returned by GetValueType, since that is used in a couple of places, like generating globals, which requires v128.const but is not implemented yet. Special case to enable the experimental-wasm-simd flag since simd is not included in wasm-staging yet. Bug: v8:10180 Change-Id: Ifd86f55bdd49cae9514b061965de81ff6d579934 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2040514Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#66326}

[wasm-simd] Add some simd ops to fuzzer
This is still very limited, but we will have some simd instructions. We add 2 kinds of instructions: - any_true to generate i32 from v128 - add to generate v128 from v128 and v128 - extract_lane to generate v128 from all other types We do not add v128 to the list of types returned by GetValueType, since that is used in a couple of places, like generating globals, which requires v128.const but is not implemented yet. Special case to enable the experimental-wasm-simd flag since simd is not included in wasm-staging yet. Bug: v8:10180 Change-Id: Ifd86f55bdd49cae9514b061965de81ff6d579934 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2040514Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#66326}
27b41b54 · Ng Zhi An · Commit Bot · 2975ead6 · 27b41b54 · 27b41b54
Commit 27b41b54 authored Feb 06, 2020 by Ng Zhi An Committed by Commit Bot Feb 19, 2020
Show whitespace changes
Inline Side-by-side

Showing with 46 additions and 0 deletions

wasm-compile.cc test/fuzzer/wasm-compile.cc +44 -0

wasm-fuzzer-common.cc test/fuzzer/wasm-fuzzer-common.cc +2 -0

No files found.
--- a/test/fuzzer/wasm-compile.cc
+++ b/test/fuzzer/wasm-compile.cc
@@ -79,6 +79,9 @@ class DataRange {
 };

 ValueType GetValueType(DataRange* data) {
+  // TODO(v8:8460): We do not add kWasmS128 here yet because this method is used
+  // to generate globals, and since we do not have v128.const yet, there is no
+  // way to specify an initial value a global of this type.
  switch (data->get<uint8_t>() % 4) {
    case 0:
      return kWasmI32;
@@ -300,6 +303,12 @@ class WasmGenerator {
    builder_->EmitU32V(offset);
  }

+  template <WasmOpcode Op, ValueType... Args>
+  void simd_op(DataRange* data) {
+    Generate<Args...>(data);
+    builder_->EmitWithPrefix(Op);
+  }
+
  void drop(DataRange* data) {
    Generate(GetValueType(data), data);
    builder_->Emit(kExprDrop);
@@ -723,6 +732,10 @@ void WasmGenerator::Generate<kWasmI32>(DataRange* data) {
      &WasmGenerator::atomic_op<kExprI32AtomicCompareExchange16U, kWasmI32,
                                kWasmI32, kWasmI32>,

+      &WasmGenerator::simd_op<kExprS1x16AnyTrue, kWasmS128>,
+      &WasmGenerator::simd_op<kExprS1x8AnyTrue, kWasmS128>,
+      &WasmGenerator::simd_op<kExprS1x4AnyTrue, kWasmS128>,
+
      &WasmGenerator::current_memory,
      &WasmGenerator::grow_memory,

@@ -948,6 +961,35 @@ void WasmGenerator::Generate<kWasmF64>(DataRange* data) {
  GenerateOneOf(alternatives, data);
 }

+template <>
+void WasmGenerator::Generate<kWasmS128>(DataRange* data) {
+  GeneratorRecursionScope rec_scope(this);
+  if (recursion_limit_reached() || data->size() <= sizeof(int32_t)) {
+    // TODO(v8:8460): v128.const is not implemented yet, and we need a way to
+    // "bottom-out", so use a splat to generate this.
+    builder_->EmitI32Const(data->get<int32_t>());
+    builder_->EmitWithPrefix(kExprI8x16Splat);
+    return;
+  }
+
+  constexpr GenerateFn alternatives[] = {
+      &WasmGenerator::simd_op<kExprI8x16Splat, kWasmI32>,
+      &WasmGenerator::simd_op<kExprI16x8Splat, kWasmI32>,
+      &WasmGenerator::simd_op<kExprI32x4Splat, kWasmI32>,
+      &WasmGenerator::simd_op<kExprI64x2Splat, kWasmI64>,
+      &WasmGenerator::simd_op<kExprF32x4Splat, kWasmF32>,
+      &WasmGenerator::simd_op<kExprF64x2Splat, kWasmF64>,
+
+      &WasmGenerator::simd_op<kExprI8x16Add, kWasmS128, kWasmS128>,
+      &WasmGenerator::simd_op<kExprI16x8Add, kWasmS128, kWasmS128>,
+      &WasmGenerator::simd_op<kExprI32x4Add, kWasmS128, kWasmS128>,
+      &WasmGenerator::simd_op<kExprI64x2Add, kWasmS128, kWasmS128>,
+      &WasmGenerator::simd_op<kExprF32x4Add, kWasmS128, kWasmS128>,
+      &WasmGenerator::simd_op<kExprF64x2Add, kWasmS128, kWasmS128>};
+
+  GenerateOneOf(alternatives, data);
+}
+
 void WasmGenerator::grow_memory(DataRange* data) {
  Generate<kWasmI32>(data);
  builder_->EmitWithU8(kExprMemoryGrow, 0);
@@ -965,6 +1007,8 @@ void WasmGenerator::Generate(ValueType type, DataRange* data) {
      return Generate<kWasmF32>(data);
    case kWasmF64:
      return Generate<kWasmF64>(data);
+    case kWasmS128:
+      return Generate<kWasmS128>(data);
    default:
      UNREACHABLE();
  }

--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@@ -264,6 +264,8 @@ void WasmExecutionFuzzer::FuzzWasmModule(Vector<const uint8_t> data,
  FlagScope<bool> enable_##feat(&FLAG_experimental_wasm_##feat, true);
  FOREACH_WASM_STAGING_FEATURE_FLAG(ENABLE_STAGED_FEATURES)
 #undef ENABLE_STAGED_FEATURES
+  // SIMD is not included in staging yet, so we enable it here for fuzzing.
+  EXPERIMENTAL_FLAG_SCOPE(simd);

  // Strictly enforce the input size limit. Note that setting "max_len" on the
  // fuzzer target is not enough, since different fuzzers are used and not all