[wasm] Write fuzzers for single wasm sections.

This CL adds fuzzers for the wasm module sections 'types', 'names',
'globals', 'imports', 'function signatures', 'memory', and 'data', one
fuzzer per section. No fuzzers are added for the other sections because
either there already exists a fuzzer (e.g. wasm-code), or there exist
inter-section dependencies.

To avoid introducing a bunch executables which would make compilation
with make slow, I introduce a single executable
'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above.
This executable is run by the trybots and ensures that the fuzzers
actually compile. For debugging I introduce commandline parameters which
allow to execute the specific fuzzers from 'v8_simple_wasm_section_fuzzer'.

R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2336603002
Cr-Commit-Position: refs/heads/master@{#39413}

BUILD.gn

@@ -2640,3 +2640,131 @@ v8_source_set("wasm_code_fuzzer") {
 
 v8_fuzzer("wasm_code_fuzzer") {
 }
+
+v8_source_set("lib_wasm_section_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-section-fuzzers.cc",
+    "test/fuzzer/wasm-section-fuzzers.h",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_source_set("wasm_types_section_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-types-section.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+    ":lib_wasm_section_fuzzer",
+    ":wasm_module_runner",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_fuzzer("wasm_types_section_fuzzer") {
+}
+
+v8_source_set("wasm_names_section_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-names-section.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+    ":lib_wasm_section_fuzzer",
+    ":wasm_module_runner",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_fuzzer("wasm_names_section_fuzzer") {
+}
+
+v8_source_set("wasm_globals_section_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-globals-section.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+    ":lib_wasm_section_fuzzer",
+    ":wasm_module_runner",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_fuzzer("wasm_globals_section_fuzzer") {
+}
+
+v8_source_set("wasm_imports_section_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-imports-section.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+    ":lib_wasm_section_fuzzer",
+    ":wasm_module_runner",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_fuzzer("wasm_imports_section_fuzzer") {
+}
+
+v8_source_set("wasm_function_sigs_section_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-function-sigs-section.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+    ":lib_wasm_section_fuzzer",
+    ":wasm_module_runner",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_fuzzer("wasm_function_sigs_section_fuzzer") {
+}
+
+v8_source_set("wasm_memory_section_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-memory-section.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+    ":lib_wasm_section_fuzzer",
+    ":wasm_module_runner",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_fuzzer("wasm_memory_section_fuzzer") {
+}
+
+v8_source_set("wasm_data_section_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-data-section.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+    ":lib_wasm_section_fuzzer",
+    ":wasm_module_runner",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_fuzzer("wasm_data_section_fuzzer") {
+}

test/fuzzer/fuzzer.gyp

@@ -170,6 +170,216 @@
         '../common/wasm/wasm-module-runner.h',
       ],
     },
+    {
+      'target_name': 'v8_simple_wasm_data_section_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_data_section_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_data_section_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-data-section.cc',
+        '../common/wasm/wasm-module-runner.cc',
+        '../common/wasm/wasm-module-runner.h',
+        '../fuzzer/wasm-section-fuzzers.cc',
+        '../fuzzer/wasm-section-fuzzers.h',
+      ],
+    },
+    {
+      'target_name': 'v8_simple_wasm_function_sigs_section_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_function_sigs_section_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_function_sigs_section_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-function-sigs-section.cc',
+        '../common/wasm/wasm-module-runner.cc',
+        '../common/wasm/wasm-module-runner.h',
+        '../fuzzer/wasm-section-fuzzers.cc',
+        '../fuzzer/wasm-section-fuzzers.h',
+      ],
+    },
+    {
+      'target_name': 'v8_simple_wasm_globals_section_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_globals_section_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_globals_section_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-globals-section.cc',
+        '../common/wasm/wasm-module-runner.cc',
+        '../common/wasm/wasm-module-runner.h',
+        '../fuzzer/wasm-section-fuzzers.cc',
+        '../fuzzer/wasm-section-fuzzers.h',
+      ],
+    },
+    {
+      'target_name': 'v8_simple_wasm_imports_section_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_imports_section_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_imports_section_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-imports-section.cc',
+        '../common/wasm/wasm-module-runner.cc',
+        '../common/wasm/wasm-module-runner.h',
+        '../fuzzer/wasm-section-fuzzers.cc',
+        '../fuzzer/wasm-section-fuzzers.h',
+      ],
+    },
+    {
+      'target_name': 'v8_simple_wasm_memory_section_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_memory_section_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_memory_section_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-memory-section.cc',
+        '../common/wasm/wasm-module-runner.cc',
+        '../common/wasm/wasm-module-runner.h',
+        '../fuzzer/wasm-section-fuzzers.cc',
+        '../fuzzer/wasm-section-fuzzers.h',
+      ],
+    },
+    {
+      'target_name': 'v8_simple_wasm_names_section_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_names_section_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_names_section_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-names-section.cc',
+        '../common/wasm/wasm-module-runner.cc',
+        '../common/wasm/wasm-module-runner.h',
+        '../fuzzer/wasm-section-fuzzers.cc',
+        '../fuzzer/wasm-section-fuzzers.h',
+      ],
+    },
+    {
+      'target_name': 'v8_simple_wasm_types_section_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_types_section_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_types_section_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-types-section.cc',
+        '../common/wasm/wasm-module-runner.cc',
+        '../common/wasm/wasm-module-runner.h',
+        '../fuzzer/wasm-section-fuzzers.cc',
+        '../fuzzer/wasm-section-fuzzers.h',
+      ],
+    },
     {
       'target_name': 'fuzzer_support',
       'type': 'static_library',

test/fuzzer/fuzzer.isolate

@@ -11,6 +11,13 @@
       '<(PRODUCT_DIR)/v8_simple_wasm_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_asmjs_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_code_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_data_section_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_function_sigs_section_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_globals_section_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_imports_section_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_memory_section_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_names_section_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_types_section_fuzzer<(EXECUTABLE_SUFFIX)',
       './fuzzer.status',
       './testcfg.py',
       './json/',
@@ -19,6 +26,13 @@
       './wasm/',
       './wasm_asmjs/',
       './wasm_code/',
+      './wasm_data_section/',
+      './wasm_function_sigs_section/',
+      './wasm_globals_section/',
+      './wasm_imports_section/',
+      './wasm_memory_section/',
+      './wasm_names_section/',
+      './wasm_types_section/',
     ],
   },
   'includes': [

test/fuzzer/testcfg.py

@@ -18,7 +18,10 @@ class FuzzerVariantGenerator(testsuite.VariantGenerator):
 
 
 class FuzzerTestSuite(testsuite.TestSuite):
-  SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', 'wasm_code' )
+  SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', 'wasm_code',
+          'wasm_data_section', 'wasm_function_sigs_section',
+          'wasm_globals_section', 'wasm_imports_section', 'wasm_memory_section',
+          'wasm_names_section', 'wasm_types_section' )
 
   def __init__(self, name, root):
     super(FuzzerTestSuite, self).__init__(name, root)

test/fuzzer/wasm-data-section.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "test/fuzzer/wasm-section-fuzzers.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return fuzz_wasm_section(v8::internal::wasm::WasmSection::Code::DataSegments,
+                           data, size);
+}

test/fuzzer/wasm-function-sigs-section.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "test/fuzzer/wasm-section-fuzzers.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return fuzz_wasm_section(
+      v8::internal::wasm::WasmSection::Code::FunctionSignatures, data, size);
+}

test/fuzzer/wasm-globals-section.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "test/fuzzer/wasm-section-fuzzers.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return fuzz_wasm_section(v8::internal::wasm::WasmSection::Code::Globals, data,
+                           size);
+}

test/fuzzer/wasm-imports-section.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "test/fuzzer/wasm-section-fuzzers.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return fuzz_wasm_section(v8::internal::wasm::WasmSection::Code::ImportTable,
+                           data, size);
+}

test/fuzzer/wasm-memory-section.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "test/fuzzer/wasm-section-fuzzers.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return fuzz_wasm_section(v8::internal::wasm::WasmSection::Code::Memory, data,
+                           size);
+}

test/fuzzer/wasm-names-section.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "test/fuzzer/wasm-section-fuzzers.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return fuzz_wasm_section(v8::internal::wasm::WasmSection::Code::Names, data,
+                           size);
+}

test/fuzzer/wasm-section-fuzzers.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "test/fuzzer/wasm-section-fuzzers.h"
+
+#include "include/v8.h"
+#include "src/isolate.h"
+#include "src/wasm/encoder.h"
+#include "src/wasm/wasm-module.h"
+#include "src/zone.h"
+#include "test/common/wasm/wasm-module-runner.h"
+#include "test/fuzzer/fuzzer-support.h"
+
+using namespace v8::internal::wasm;
+
+int fuzz_wasm_section(WasmSection::Code section, const uint8_t* data,
+                      size_t size) {
+  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
+  v8::Isolate* isolate = support->GetIsolate();
+  v8::internal::Isolate* i_isolate =
+      reinterpret_cast<v8::internal::Isolate*>(isolate);
+
+  // Clear any pending exceptions from a prior run.
+  if (i_isolate->has_pending_exception()) {
+    i_isolate->clear_pending_exception();
+  }
+
+  v8::Isolate::Scope isolate_scope(isolate);
+  v8::HandleScope handle_scope(isolate);
+  v8::Context::Scope context_scope(support->GetContext());
+  v8::TryCatch try_catch(isolate);
+
+  v8::base::AccountingAllocator allocator;
+  v8::internal::Zone zone(&allocator);
+
+  ZoneBuffer buffer(&zone);
+  buffer.write_u32(kWasmMagic);
+  buffer.write_u32(kWasmVersion);
+  const char* name = WasmSection::getName(section);
+  size_t length = WasmSection::getNameLength(section);
+  buffer.write_size(length);  // Section name string size.
+  buffer.write(reinterpret_cast<const uint8_t*>(name), length);
+  buffer.write_u32v(static_cast<uint32_t>(size));
+  buffer.write(data, size);
+
+  ErrorThrower thrower(i_isolate, "decoder");
+
+  std::unique_ptr<const WasmModule> module(testing::DecodeWasmModuleForTesting(
+      i_isolate, &zone, thrower, buffer.begin(), buffer.end(), kWasmOrigin));
+
+  return 0;
+}

test/fuzzer/wasm-section-fuzzers.h

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef WASM_SECTION_FUZZERS_H_
+#define WASM_SECTION_FUZZERS_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "src/wasm/wasm-module.h"
+
+int fuzz_wasm_section(v8::internal::wasm::WasmSection::Code section,
+                      const uint8_t* data, size_t size);
+
+#endif  // WASM_SECTION_FUZZERS_H_

test/fuzzer/wasm-types-section.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "test/fuzzer/wasm-section-fuzzers.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  return fuzz_wasm_section(v8::internal::wasm::WasmSection::Code::Signatures,
+                           data, size);
+}

test/fuzzer/wasm.tar.gz.sha1

-25c2eb2a1d7fddac98cf3cdad539025e4d145a2e
\ No newline at end of file
+43dbe4810e9b08a5add1dd4076e26410e18c828c
\ No newline at end of file

test/fuzzer/wasm_asmjs.tar.gz.sha1

-f1b18ceb19a59d531a3c4f088755fd24749303c4
\ No newline at end of file
+3a2c9658f3f644c7b8c309201b964fedc2766f9c
\ No newline at end of file