[wasm] Add a new fuzzer which can also test wasm function calls.

Depending on the inputs the fuzzer creates multiple functions. These
functions can have signatures with an int32 return value and up to three
parameters of type int32, int64, float32, or float64.

R=titzer@chromium.org, clemensh@chromium.org

Review-Url: https://codereview.chromium.org/2447643002
Cr-Commit-Position: refs/heads/master@{#40530}

BUILD.gn

@@ -2816,6 +2816,26 @@ v8_source_set("wasm_code_fuzzer") {
 v8_fuzzer("wasm_code_fuzzer") {
 }
 
+v8_source_set("wasm_call_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-call.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+    ":wasm_module_runner",
+    ":wasm_test_signatures",
+  ]
+
+  configs = [
+    ":external_config",
+    ":internal_config_base",
+  ]
+}
+
+v8_fuzzer("wasm_call_fuzzer") {
+}
+
 v8_source_set("lib_wasm_section_fuzzer") {
   sources = [
     "test/fuzzer/wasm-section-fuzzers.cc",

test/fuzzer/fuzzer.gyp

@@ -142,6 +142,35 @@
         '../common/wasm/wasm-module-runner.h',
       ],
     },
+    {
+      'target_name': 'v8_simple_wasm_call_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_call_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_call_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-call.cc',
+        '../common/wasm/test-signatures.h',
+        '../common/wasm/wasm-module-runner.cc',
+        '../common/wasm/wasm-module-runner.h',
+      ],
+    },
     {
       'target_name': 'v8_simple_wasm_code_fuzzer',
       'type': 'executable',

test/fuzzer/fuzzer.isolate

@@ -10,6 +10,7 @@
       '<(PRODUCT_DIR)/v8_simple_regexp_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_asmjs_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_call_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_code_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_data_section_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_function_sigs_section_fuzzer<(EXECUTABLE_SUFFIX)',
@@ -25,6 +26,7 @@
       './regexp/',
       './wasm/',
       './wasm_asmjs/',
+      './wasm_call/',
       './wasm_code/',
       './wasm_data_section/',
       './wasm_function_sigs_section/',

test/fuzzer/testcfg.py

@@ -18,8 +18,8 @@ class FuzzerVariantGenerator(testsuite.VariantGenerator):
 
 
 class FuzzerTestSuite(testsuite.TestSuite):
-  SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', 'wasm_code',
-          'wasm_data_section', 'wasm_function_sigs_section',
+  SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', 'wasm_call',
+          'wasm_code', 'wasm_data_section', 'wasm_function_sigs_section',
           'wasm_globals_section', 'wasm_imports_section', 'wasm_memory_section',
           'wasm_names_section', 'wasm_types_section' )
 

test/fuzzer/wasm-call.cc

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "include/v8.h"
+#include "src/isolate.h"
+#include "src/objects.h"
+#include "src/wasm/wasm-interpreter.h"
+#include "src/wasm/wasm-module-builder.h"
+#include "src/wasm/wasm-module.h"
+#include "test/common/wasm/test-signatures.h"
+#include "test/common/wasm/wasm-module-runner.h"
+#include "test/fuzzer/fuzzer-support.h"
+
+#define WASM_CODE_FUZZER_HASH_SEED 83
+#define MAX_NUM_FUNCTIONS 3
+#define MAX_NUM_PARAMS 3
+
+#define FUZZER_TYPE_FLOAT32 0
+#define FUZZER_TYPE_FLOAT64 1
+#define FUZZER_TYPE_INT32 2
+#define FUZZER_TYPE_INT64 3
+
+using namespace v8::internal::wasm;
+
+template <typename V>
+static inline V read_value(const uint8_t** data, size_t* size, bool* ok) {
+  // The status flag {ok} checks that the decoding up until now was okay, and
+  // that a value of type V can be read without problems.
+  *ok &= (*size > sizeof(V));
+  if (!(*ok)) return 0;
+  V result = *reinterpret_cast<const V*>(*data);
+  *data += sizeof(V);
+  *size -= sizeof(V);
+  return result;
+}
+
+static void add_argument(
+    v8::internal::Isolate* isolate, uint8_t type, WasmVal* interpreter_args,
+    v8::internal::Handle<v8::internal::Object>* compiled_args, int* argc,
+    const uint8_t** data, size_t* size, bool* ok) {
+  if (!(*ok)) return;
+  switch (type) {
+    case FUZZER_TYPE_FLOAT32: {
+      float value = read_value<float>(data, size, ok);
+      interpreter_args[*argc] = WasmVal(value);
+      compiled_args[*argc] =
+          isolate->factory()->NewNumber(static_cast<double>(value));
+      break;
+    }
+    case FUZZER_TYPE_FLOAT64: {
+      double value = read_value<double>(data, size, ok);
+      interpreter_args[*argc] = WasmVal(value);
+      compiled_args[*argc] = isolate->factory()->NewNumber(value);
+      break;
+    }
+    case FUZZER_TYPE_INT32: {
+      int32_t value = read_value<int32_t>(data, size, ok);
+      interpreter_args[*argc] = WasmVal(value);
+      compiled_args[*argc] =
+          isolate->factory()->NewNumber(static_cast<double>(value));
+      break;
+    }
+    default:
+      UNREACHABLE();
+  }
+  (*argc)++;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
+  v8::Isolate* isolate = support->GetIsolate();
+  v8::internal::Isolate* i_isolate =
+      reinterpret_cast<v8::internal::Isolate*>(isolate);
+
+  // Clear any pending exceptions from a prior run.
+  if (i_isolate->has_pending_exception()) {
+    i_isolate->clear_pending_exception();
+  }
+
+  v8::Isolate::Scope isolate_scope(isolate);
+  v8::HandleScope handle_scope(isolate);
+  v8::Context::Scope context_scope(support->GetContext());
+  v8::TryCatch try_catch(isolate);
+
+  v8::internal::AccountingAllocator allocator;
+  v8::internal::Zone zone(&allocator, ZONE_NAME);
+
+  bool ok = true;
+  uint8_t num_functions =
+      (read_value<uint8_t>(&data, &size, &ok) % MAX_NUM_FUNCTIONS) + 1;
+
+  LocalType types[] = {kAstF32, kAstF64, kAstI32, kAstI64};
+  WasmVal interpreter_args[3];
+  v8::internal::Handle<v8::internal::Object> compiled_args[3];
+  int argc = 0;
+
+  WasmModuleBuilder builder(&zone);
+  for (int fun = 0; fun < num_functions; fun++) {
+    size_t num_params = static_cast<size_t>(
+        (read_value<uint8_t>(&data, &size, &ok) % MAX_NUM_PARAMS) + 1);
+    FunctionSig::Builder sig_builder(&zone, 1, num_params);
+    sig_builder.AddReturn(kAstI32);
+    for (size_t param = 0; param < num_params; param++) {
+      // The main function cannot handle int64 parameters.
+      uint8_t param_type = (read_value<uint8_t>(&data, &size, &ok) %
+                            (arraysize(types) - (fun == 0 ? 1 : 0)));
+      sig_builder.AddParam(types[param_type]);
+      if (fun == 0) {
+        add_argument(i_isolate, param_type, interpreter_args, compiled_args,
+                     &argc, &data, &size, &ok);
+      }
+    }
+    v8::internal::wasm::WasmFunctionBuilder* f =
+        builder.AddFunction(sig_builder.Build());
+    uint32_t code_size = static_cast<uint32_t>(size / num_functions);
+    f->EmitCode(data, code_size);
+    data += code_size;
+    size -= code_size;
+    if (fun == 0) {
+      f->ExportAs(v8::internal::CStrVector("main"));
+    }
+  }
+
+  ZoneBuffer buffer(&zone);
+  builder.WriteTo(buffer);
+
+  if (!ok) {
+    // The input data was too short.
+    return 0;
+  }
+
+  v8::internal::wasm::testing::SetupIsolateForWasmModule(i_isolate);
+
+  v8::internal::HandleScope scope(i_isolate);
+
+  ErrorThrower interpreter_thrower(i_isolate, "Interpreter");
+  std::unique_ptr<const WasmModule> module(testing::DecodeWasmModuleForTesting(
+      i_isolate, &interpreter_thrower, buffer.begin(), buffer.end(),
+      v8::internal::wasm::ModuleOrigin::kWasmOrigin));
+
+  if (module == nullptr) {
+    return 0;
+  }
+  int32_t result_interpreted;
+  bool possible_nondeterminism = false;
+  {
+    result_interpreted = testing::InterpretWasmModule(
+        i_isolate, &interpreter_thrower, module.get(), 0, interpreter_args,
+        &possible_nondeterminism);
+  }
+
+  ErrorThrower compiler_thrower(i_isolate, "Compiler");
+  v8::internal::Handle<v8::internal::JSObject> instance =
+      testing::InstantiateModuleForTesting(i_isolate, &compiler_thrower,
+                                           module.get());
+
+  if (!interpreter_thrower.error()) {
+    CHECK(!instance.is_null());
+  } else {
+    return 0;
+  }
+  int32_t result_compiled;
+  {
+    result_compiled = testing::CallWasmFunctionForTesting(
+        i_isolate, instance, &compiler_thrower, "main", argc, compiled_args,
+        v8::internal::wasm::ModuleOrigin::kWasmOrigin);
+  }
+  if (result_interpreted == 0xdeadbeef) {
+    CHECK(i_isolate->has_pending_exception());
+    i_isolate->clear_pending_exception();
+  } else {
+    // The WebAssembly spec allows the sign bit of NaN to be non-deterministic.
+    // This sign bit may cause result_interpreted to be different than
+    // result_compiled. Therefore we do not check the equality of the results
+    // if the execution may have produced a NaN at some point.
+    if (!possible_nondeterminism && (result_interpreted != result_compiled)) {
+      V8_Fatal(__FILE__, __LINE__, "WasmCodeFuzzerHash=%x",
+               v8::internal::StringHasher::HashSequentialString(
+                   data, static_cast<int>(size), WASM_CODE_FUZZER_HASH_SEED));
+    }
+  }
+  return 0;
+}