1. 22 Nov, 2016 1 commit
    • [regexp fuzzer] Let the fuzzer input select the regexp flag. · 2ba24a71
      ahaas authored
      With this CL the regexp-parser-fuzzer uses the first byte of the fuzzer
      input to select the regexp flag instead of executing each input with all
      possible flags. Thereby the fuzzer can explore more inputs and with its
      coverage metric will explore all flags only for interesting inputs.
      
      I updated all files in test/fuzzer/regexp and added a random byte at the beginning. This byte is used by the fuzzer to determine the flag.
      
      BUG=chromium:664436
      R=yangguo@chromium.org
      
      Review-Url: https://codereview.chromium.org/2511373002
      Cr-Commit-Position: refs/heads/master@{#41176}
  2. 21 Nov, 2016 1 commit
  3. 18 Nov, 2016 1 commit
  4. 14 Nov, 2016 1 commit
  5. 10 Nov, 2016 1 commit
  6. 24 Oct, 2016 2 commits
  7. 20 Oct, 2016 1 commit
    • [wasm] Track in the interpreter if a NaN could have been produced. · 57b14b06
      ahaas authored
      The wasm specification does not fully specify the binary representation
      of NaN: the sign bit can be non-deterministic. The wasm-code fuzzer
      found a test case where the wasm interpreter and the compiled code
      produce a different sign bit for a NaN, and as a consequence they
      produce different results.
      
      With this CL the interpreter tracks whether it executed an instruction
      which can produce a NaN, which are div and sqrt instructions. The
      fuzzer uses this information and compares the result of the interpreter
      with the result of the compiled code only if there was no instruction
      which could have produced a NaN.
      
      R=titzer@chromium.org
      
      TEST=cctest/test-run-wasm-interpreter/TestMayProduceNaN
      BUG=chromium:657481
      
      Review-Url: https://chromiumcodereview.appspot.com/2438603003
      Cr-Commit-Position: refs/heads/master@{#40474}
  8. 19 Oct, 2016 1 commit
    • [wasm] Use a Managed<WasmModule> to hold metadata about modules. · 418b239f
      titzer authored
      This CL refactors the handling of metadata associated with WebAssembly
      modules to reduce the duplicate marshalling of data from the C++ world
      to the JavaScript world. It does this by wrapping the C++ WasmModule*
      object in a Foreign that is rooted from the on-heap WasmCompiledModule
      (which is itself just a FixedArray). Upon serialization, the C++ object
      is ignored and the original WASM wire bytes are serialized. Upon
      deserialization, the C++ object is reconstituted by reparsing the bytes.
      
      This is motivated by increasing complications in implementing the JS
      API, in particular WebAssembly.Table, which must perform signature
      canonicalization across instances.
      
      Additionally, this CL implements the proper base + offset initialization
      behavior for tables.
      
      R=rossberg@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org,yangguo@chromium.org
      BUG=v8:5507, chromium:575167, chromium:657316
      
      Review-Url: https://chromiumcodereview.appspot.com/2424623002
      Cr-Commit-Position: refs/heads/master@{#40434}
  9. 17 Oct, 2016 1 commit
  10. 14 Oct, 2016 2 commits
  11. 13 Oct, 2016 1 commit
  12. 11 Oct, 2016 1 commit
  13. 07 Oct, 2016 2 commits
  14. 05 Oct, 2016 3 commits
  15. 04 Oct, 2016 3 commits
    • Revert of Turn libbase into a component (patchset #10 id:180001 of... · efcb1ff4
      machenbach authored
      Revert of Turn libbase into a component (patchset #10 id:180001 of https://codereview.chromium.org/2381273002/ )
      
      Reason for revert:
      Main suspect for roll block:
      https://codereview.chromium.org/2387403002/
      
      Original issue's description:
      > Turn libbase into a component
      >
      > This is a precondition for turning libplatform into a component
      >
      > BUG=v8:5412
      > R=jgruber@chromium.org,machenbach@chromium.org
      > CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_compile_dbg_ng;master.tryserver.chromium.android:android_clang_dbg_recipe
      >
      > Committed: https://crrev.com/614e615775f732d71b5ee94ed29737d8de687104
      > Cr-Commit-Position: refs/heads/master@{#39950}
      
      TBR=jgruber@chromium.org,jochen@chromium.org
      # Skipping CQ checks because original CL landed less than 1 day ago.
      NOPRESUBMIT=true
      NOTREECHECKS=true
      NOTRY=true
      BUG=v8:5412
      
      Review-Url: https://codereview.chromium.org/2393603002
      Cr-Commit-Position: refs/heads/master@{#39960}
    • [wasm] Adjust crash message of the correctness fuzzer to avoid clustering. · 55da769b
      ahaas authored
      The correctness fuzzer executes the input array in two different
      execution engines and compares the results. If the results don't match,
      the correctness fuzzer crashes.
      
      Since the crash signature is always the same if the results don't match,
      ClusterFuzz would group all inputs which lead to non-matching results.
      
      To avoid the grouping a base64 hash has to be appended to the crash
      signature. This CL changes the text which is appended to the crash
      signature to a base64 hash.
      
      Note that I do not create a base64 hash directly because the base64
      class is not available in V8. Instead I create a string which looks
      like a base64 hash.
      
      R=mmoroz@chromium.org, aarya@chromium.org, titzer@chromium.org
      
      Review-Url: https://codereview.chromium.org/2390233002
      Cr-Commit-Position: refs/heads/master@{#39953}
    • Turn libbase into a component · 614e6157
      jochen authored
      This is a precondition for turning libplatform into a component
      
      BUG=v8:5412
      R=jgruber@chromium.org,machenbach@chromium.org
      CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_compile_dbg_ng;master.tryserver.chromium.android:android_clang_dbg_recipe
      
      Review-Url: https://codereview.chromium.org/2381273002
      Cr-Commit-Position: refs/heads/master@{#39950}
  16. 29 Sep, 2016 1 commit
  17. 27 Sep, 2016 1 commit
    • [wasm] Master CL for Binary 0xC changes. · 28392ab1
      titzer authored
      [0xC] Convert to stack machine semantics.
      [0xC] Use section codes instead of names.
      [0xC] Add elements section decoding.
      [0xC] Decoding of globals section.
      [0xC] Decoding of memory section.
      [0xC] Decoding of imports section.
      [0xC] Decoding of exports section.
      [0xC] Decoding of data section.
      [0xC] Remove CallImport bytecode.
      [0xC] Function bodies have an implicit block.
      [0xC] Remove the bottom label from loops.
      [0xC] Add signatures to blocks.
      [0xC] Remove arities from branches.
      Add tests for init expression decoding.
      Rework compilation of import wrappers and how they are patched.
      Rework function indices in debugging.
      Fix ASM->WASM builder for stack machine.
      Reorganize asm.js foreign functions due to import indices change.
      
      R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
      BUG=chromium:575167
      LOG=Y
      
      Committed: https://crrev.com/76eb976a67273b8c03c744f64ad850b0432554b9
      Review-Url: https://codereview.chromium.org/2345593003
      Cr-Original-Commit-Position: refs/heads/master@{#39678}
      Cr-Commit-Position: refs/heads/master@{#39795}
  18. 26 Sep, 2016 1 commit
    • Enable component builds for fuzzers · 22606f0c
      jgruber authored
      V8 is collecting a growing number of fuzzers, all of which take substantial
      space on the bots and in chromium build archives. This CL improves that
      situation by allowing component (shared library) builds for almost all fuzzers.
      
      The parser fuzzer is handled as an exception since it would require exporting a
      large number of additional functions.
      
      A component build results in about a 50-100x improvement in file size for each
      fuzzer (~50M-100M to around 1.1M).
      
      BUG=chromium:648864
      CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_chromium_compile_dbg_ng;master.tryserver.chromium.android:android_clang_dbg_recipe
      
      Review-Url: https://codereview.chromium.org/2360983002
      Cr-Commit-Position: refs/heads/master@{#39709}
  19. 23 Sep, 2016 2 commits
    • Revert of [wasm] Master CL for Binary 0xC changes. (patchset #26 id:490001 of... · e1eee748
      machenbach authored
      Revert of [wasm] Master CL for Binary 0xC changes. (patchset #26 id:490001 of https://codereview.chromium.org/2345593003/ )
      
      Reason for revert:
      Main suspect for tsan:
      https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20TSAN/builds/11893
      
      Also changes layout tests:
      https://build.chromium.org/p/client.v8.fyi/builders/V8-Blink%20Linux%2064/builds/10036
      
      +mips builder:
      https://build.chromium.org/p/client.v8.ports/builders/V8%20Mips%20-%20builder/builds/4032
      
      Original issue's description:
      > [wasm] Master CL for Binary 0xC changes.
      >
      > [0xC] Convert to stack machine semantics.
      > [0xC] Use section codes instead of names.
      > [0xC] Add elements section decoding.
      > [0xC] Decoding of globals section.
      > [0xC] Decoding of memory section.
      > [0xC] Decoding of imports section.
      > [0xC] Decoding of exports section.
      > [0xC] Decoding of data section.
      > [0xC] Remove CallImport bytecode.
      > [0xC] Function bodies have an implicit block.
      > [0xC] Remove the bottom label from loops.
      > [0xC] Add signatures to blocks.
      > [0xC] Remove arities from branches.
      > Add tests for init expression decoding.
      > Rework compilation of import wrappers and how they are patched.
      > Rework function indices in debugging.
      > Fix ASM->WASM builder for stack machine.
      > Reorganize asm.js foreign functions due to import indices change.
      >
      > R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
      > BUG=chromium:575167
      > LOG=Y
      >
      > Committed: https://crrev.com/76eb976a67273b8c03c744f64ad850b0432554b9
      > Cr-Commit-Position: refs/heads/master@{#39678}
      
      TBR=ahaas@chromium.org,bradnelson@chromium.org,mtrofin@chromium.org,rossberg@chromium.org,bradnelson@google.com,titzer@chromium.org
      # Skipping CQ checks because original CL landed less than 1 day ago.
      NOPRESUBMIT=true
      NOTREECHECKS=true
      NOTRY=true
      BUG=chromium:575167
      
      Review-Url: https://codereview.chromium.org/2361053004
      Cr-Commit-Position: refs/heads/master@{#39685}
    • [wasm] Master CL for Binary 0xC changes. · 76eb976a
      titzer authored
      [0xC] Convert to stack machine semantics.
      [0xC] Use section codes instead of names.
      [0xC] Add elements section decoding.
      [0xC] Decoding of globals section.
      [0xC] Decoding of memory section.
      [0xC] Decoding of imports section.
      [0xC] Decoding of exports section.
      [0xC] Decoding of data section.
      [0xC] Remove CallImport bytecode.
      [0xC] Function bodies have an implicit block.
      [0xC] Remove the bottom label from loops.
      [0xC] Add signatures to blocks.
      [0xC] Remove arities from branches.
      Add tests for init expression decoding.
      Rework compilation of import wrappers and how they are patched.
      Rework function indices in debugging.
      Fix ASM->WASM builder for stack machine.
      Reorganize asm.js foreign functions due to import indices change.
      
      R=ahaas@chromium.org,rossberg@chromium.org,bradnelson@chromium.org
      BUG=chromium:575167
      LOG=Y
      
      Review-Url: https://codereview.chromium.org/2345593003
      Cr-Commit-Position: refs/heads/master@{#39678}
  20. 22 Sep, 2016 1 commit
  21. 20 Sep, 2016 1 commit
  22. 19 Sep, 2016 1 commit
  23. 17 Sep, 2016 1 commit
    • [wasm] Fix test-run-wasm-module tests in debug mode. · dd3b14b7
      gdeepti authored
      The test-run-wasm-module cctests are broken in debug mode since the recent refactoring changes for moving Compilation/Instantiation off the module object (https://codereview.chromium.org/2320723005). The problem here is that SetupIsolateForWasm tries to add the same property to a module_object multiple times and hits a DCHECK when this property is found on a lookup.
       - Fixed to use the setup method only once when CcTest::InitIsolateOnce is used.
       - Move setup method to test as this is only used for cctests/fuzzers. The install method should take care of this in the regular JS pipeline.
      
       R=mtrofin@chromium.org, ahaas@chromium.org
      
      Review-Url: https://codereview.chromium.org/2342263002
      Cr-Commit-Position: refs/heads/master@{#39484}
  24. 15 Sep, 2016 1 commit
  25. 14 Sep, 2016 3 commits
    • [wasm] Write fuzzers for single wasm sections. · 3ff20190
      ahaas authored
      This CL adds fuzzers for the wasm module sections 'types', 'names',
      'globals', 'imports', 'function signatures', 'memory', and 'data', one
      fuzzer per section. No fuzzers are added for the other sections because
      either there already exists a fuzzer (e.g. wasm-code), or there exist
      inter-section dependencies.
      
      To avoid introducing a bunch of executables which would make compilation
      with make slow, I introduce a single executable
      'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above.
      This executable is run by the trybots and ensures that the fuzzers
      actually compile. For debugging I introduce commandline parameters which
      allow executing the specific fuzzers from 'v8_simple_wasm_section_fuzzer'.
      
      R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org
      
      Review-Url: https://codereview.chromium.org/2336603002
      Cr-Commit-Position: refs/heads/master@{#39413}
    • [wasm] Move the wasm-module-runner from test/cctest to test/common · cc7926d6
      ahaas authored
      The wasm-module-runner is used both in cctests and in fuzzers. As
      discussed offline, it is weird to include cctest header files in
      fuzzers, so I introduce a new test/common directory which contains the
      common files.
      
      R=titzer@chromium.org, jochen@chromium.org
      
      Review-Url: https://codereview.chromium.org/2335193002
      Cr-Commit-Position: refs/heads/master@{#39411}
    • [wasm] Pass the same parameters to the interpreter and the compiled module in the fuzzer. · 19522d8e
      ahaas authored
      BUG=chromium:646564
      
      R=titzer@chromium.org
      
      Review-Url: https://codereview.chromium.org/2336363003
      Cr-Commit-Position: refs/heads/master@{#39405}
  26. 12 Sep, 2016 2 commits
    • [wasm] Compilation/Instantiation pipeline works off module object · 8e5ac62d
      mtrofin authored
      Moved the compilation/instantiation pipeline to work off the
      module object (JSObject), making the compiled module data (the
      FixedArray) an implementation detail. This:
      - simplifies the code by removing duplicate decode->compile->instantiate
      sequences
      - sets up the stage for "dressing up" the runtime model with
      stronger typed APIs
      - helps relanding this CL: https://codereview.chromium.org/2305903002/.
        It turns out that GCs during the cloning/instantiation events cause
      trouble, and centering the source of truth on the module object helps
      address this issue.
      
      In the process, clarified cctest setup for wasm-capable isolates,
      and changed signatures for consistency (using ModuleOrigin throughout).
      
      BUG=
      
      Review-Url: https://codereview.chromium.org/2320723005
      Cr-Commit-Position: refs/heads/master@{#39360}
    • [wasm] Call the wasm interpreter from the wasm-code-fuzzer. · 1521fe9c
      ahaas authored
      With this CL the wasm-code-fuzzer first decodes and interprets the test
      case generated by the fuzzer. It then compiles the test case, but only
      executes the compiled instance if the interpretation of the test case
      was successful. If the compiled instance is executed, then the result of
      the execution is compared with the result of the interpretation.
      
      Additionally this CL refactors the CompileAndRunWasmModule function in
      wasm-module.cc to reuse code in the call to the interpreter.
      
      R=titzer@chromium.org
      
      Review-Url: https://codereview.chromium.org/2321443002
      Cr-Commit-Position: refs/heads/master@{#39351}
  27. 29 Aug, 2016 3 commits