[wasm] Add a flag to generate an mjsunit test out of a wasm-code fuzzer test case.

R=titzer@chromium.org CC=mtrofin@chromium.org Review-Url: https://codereview.chromium.org/2520853003 Cr-Commit-Position: refs/heads/master@{#41155}

[wasm] Add a flag to generate an mjsunit test out of a wasm-code fuzzer test case.
R=titzer@chromium.org CC=mtrofin@chromium.org Review-Url: https://codereview.chromium.org/2520853003 Cr-Commit-Position: refs/heads/master@{#41155}
480a6573 · ahaas · Commit bot · d96131ed · 480a6573 · 480a6573
Commit 480a6573 authored Nov 21, 2016 by ahaas Committed by Commit bot Nov 21, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 3 deletions

flag-definitions.h src/flag-definitions.h +2 -1

ast-decoder.cc src/wasm/ast-decoder.cc +4 -1

wasm-code.cc test/fuzzer/wasm-code.cc +44 -1

No files found.
--- a/src/flag-definitions.h
+++ b/src/flag-definitions.h
@@ -533,7 +533,8 @@ DEFINE_BOOL(wasm_guard_pages, false,
            "add guard pages to the end of WebWassembly memory"
            " (experimental, no effect on 32-bit)")
 DEFINE_IMPLICATION(wasm_trap_handler, wasm_guard_pages)
-
+DEFINE_BOOL(wasm_code_fuzzer_gen_test, false,
+            "Generate a test case when running the wasm-code fuzzer")
 // Profiler flags.
 DEFINE_INT(frame_count, 1, "number of stack frames inspected by the profiler")
 // 0x1800 fits in the immediate field of an ARM instruction.

--- a/src/wasm/ast-decoder.cc
+++ b/src/wasm/ast-decoder.cc
@@ -381,6 +381,9 @@ class WasmFullDecoder : public WasmDecoder {
  }

  bool Decode() {
+    if (FLAG_wasm_code_fuzzer_gen_test) {
+      PrintAstForDebugging(start_, end_);
+    }
    base::ElapsedTimer decode_timer;
    if (FLAG_trace_wasm_decode_time) {
      decode_timer.Start();
@@ -1928,7 +1931,7 @@ bool PrintAst(AccountingAllocator* allocator, const FunctionBody& body,
  // Print the local declarations.
  AstLocalDecls decls(&zone);
  BytecodeIterator i(body.start, body.end, &decls);
-  if (body.start != i.pc()) {
+  if (body.start != i.pc() && !FLAG_wasm_code_fuzzer_gen_test) {
    os << "// locals: ";
    for (auto p : decls.local_types) {
      LocalType type = p.first;

--- a/test/fuzzer/wasm-code.cc
+++ b/test/fuzzer/wasm-code.cc
@@ -8,6 +8,7 @@
 #include "include/v8.h"
 #include "src/isolate.h"
 #include "src/objects.h"
+#include "src/ostreams.h"
 #include "src/wasm/wasm-interpreter.h"
 #include "src/wasm/wasm-module-builder.h"
 #include "src/wasm/wasm-module.h"
@@ -20,6 +21,28 @@
 using namespace v8::internal::wasm;

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  // Save the flag so that we can change it and restore it later.
+  bool generate_test = v8::internal::FLAG_wasm_code_fuzzer_gen_test;
+  if (generate_test) {
+    v8::internal::OFStream os(stdout);
+
+    os << "// Copyright 2016 the V8 project authors. All rights reserved."
+       << std::endl;
+    os << "// Use of this source code is governed by a BSD-style license that "
+          "can be"
+       << std::endl;
+    os << "// found in the LICENSE file." << std::endl;
+    os << std::endl;
+    os << "// Flags: --expose-wasm" << std::endl;
+    os << std::endl;
+    os << "load(\"test/mjsunit/wasm/wasm-constants.js\");" << std::endl;
+    os << "load(\"test/mjsunit/wasm/wasm-module-builder.js\");" << std::endl;
+    os << std::endl;
+    os << "(function() {" << std::endl;
+    os << "  var builder = new WasmModuleBuilder();" << std::endl;
+    os << "  builder.addFunction(\"test\", kSig_i_iii)" << std::endl;
+    os << "    .addBody([" << std::endl;
+  }
  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
  v8::Isolate* isolate = support->GetIsolate();
  v8::internal::Isolate* i_isolate =
@@ -59,9 +82,28 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
      i_isolate, &interpreter_thrower, buffer.begin(), buffer.end(),
      v8::internal::wasm::ModuleOrigin::kWasmOrigin, true));

+  // Clear the flag so that the WebAssembly code is not printed twice.
+  v8::internal::FLAG_wasm_code_fuzzer_gen_test = false;
  if (module == nullptr) {
+    if (generate_test) {
+      v8::internal::OFStream os(stdout);
+      os << "            ])" << std::endl;
+      os << "            .exportFunc();" << std::endl;
+      os << "  assertThrows(function() { builder.instantiate(); });"
+         << std::endl;
+      os << "})();" << std::endl;
+    }
    return 0;
  }
+  if (generate_test) {
+    v8::internal::OFStream os(stdout);
+    os << "            ])" << std::endl;
+    os << "            .exportFunc();" << std::endl;
+    os << "  var module = builder.instantiate();" << std::endl;
+    os << "  module.exports.test(1, 2, 3);" << std::endl;
+    os << "})();" << std::endl;
+  }
+
  int32_t result_interpreted;
  bool possible_nondeterminism = false;
  {
@@ -75,7 +117,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  v8::internal::Handle<v8::internal::JSObject> instance =
      testing::InstantiateModuleForTesting(i_isolate, &compiler_thrower,
                                           module.get());
-
+  // Restore the flag.
+  v8::internal::FLAG_wasm_code_fuzzer_gen_test = generate_test;
  if (!interpreter_thrower.error()) {
    CHECK(!instance.is_null());
  } else {