- 21 Jun, 2017 1 commit
Andreas Haas authored
The fuzzer has already been removed from chromium. In addition I removed code which was only used by this fuzzer.
BUG=chromium:734550
R=clemensh@chromium.org
CC=mstarzinger@chromium.org
Change-Id: I2ff4614e4d64131412ead759318e5c38e38f5d3d
Reviewed-on: https://chromium-review.googlesource.com/542816
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46078}

- 13 Jun, 2017 1 commit
Andreas Haas authored
The new fuzzer takes the fuzzer input as module bytes and compiles them with WebAssembly asynchronous compilation.
R=mtrofin@chromium.org
Change-Id: I9740edec68e26c04d011d85c68521e340be13c4c
Reviewed-on: https://chromium-review.googlesource.com/506156
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45912}

- 31 May, 2017 1 commit
Andreas Haas authored
In https://chromium-review.googlesource.com/c/505614/ I added code to the test runner which deletes the old corpus of the wasm fuzzer. It's time now to remove this code again.
R=machenbach@chromium.org
Change-Id: Ic3b8f7a1f6d725f0bf070b404a75ac37551a07c0
Reviewed-on: https://chromium-review.googlesource.com/519405
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45641}

- 19 May, 2017 1 commit
Andreas Haas authored
In a recent CL I moved the corpus of the wasm fuzzer and of the wasm-asmjs fuzzer to a different directory (wasm_corpus and wasm_asmjs_corpus) so that the corpus is not executed on the try-bots. With this CL I remove the old corpus from the .gitignore file. In addition I removed the hooks for wasm_corpus and wasm_asmjs_corpus from the V8 DEPS file, because in a V8 checkout they are not used anyway. I also added code to the test runner to delete all *.wasm files from the directories test/fuzzer/wasm and test/fuzzer/wasm_asmjs. This code should be removed in a week, but it will help my coworkers to clean up their V8 checkout.
R=bradnelson@chromium.org
CC=machenbach@chromium.org
Change-Id: I9fdf9d77b71b133f84f7e744763d65fdf127d624
Reviewed-on: https://chromium-review.googlesource.com/505614
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45417}

- 17 Feb, 2017 1 commit
eholk authored
This is the beginning of a new fuzzer that generates correct-by-construction Wasm modules. This should allow us to better exercise the compiler and correctness aspects of fuzzing. It is based off of ahaas' original Wasm fuzzer.

At the moment, it can generate expressions made up of most binops, and also nested blocks with unconditional breaks. Future CLs will add additional constructs, such as br_if, loops, memory access, etc.

The way the fuzzer works is that it starts with an array of arbitrary data provided by libfuzzer. It uses the data to generate an expression. Care is taken to make use of the entire string. Basically, the generator has a bunch of grammar-like rules for how to construct an expression of a given type. For example, an i32 can be made by adding two other i32s, or by wrapping an i64. The process then continues recursively until all the data is consumed.

We generate an expression from a slice of data as follows:
* If the slice is less than or equal to the size of the type (e.g. 4 bytes for i32), then it will emit the entire slice as a constant.
* Otherwise, it will consume the first 4 bytes of the slice and use this to select which rule to apply. Each rule then consumes the remainder of the slice in an appropriate way. For example:
  * Unary ops use the remainder of the slice to generate the argument.
  * Binary ops consume another four bytes and mod this with the length of the remaining slice to split the slice into two parts. Each of these subslices is then used to generate one of the arguments to the binop.
  * Blocks are basically like a unary op, but a stack of block types is maintained to facilitate branches. For blocks that end in a break, the first four bytes of a slice are used to select the break depth and the stack determines what type of expression to generate.

The goal is that once this generator is complete, it will provide a one-to-one mapping between binary strings and valid Wasm modules.
Review-Url: https://codereview.chromium.org/2658723006 Cr-Commit-Position: refs/heads/master@{#43289}
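The slice-to-expression scheme the commit message describes, written out as an added example (not code from this V8 commit) and reduced to the i32 type: a constructed table of unary and binary rules, the 4-byte rule selector, and the second 4-byte split for binops; blocks, breaks and the i64 wrap are left out, and the name GenI32, the rule table and the textual output form are assumptions. It also covers the edge case the message leaves implicit: a binop selected with fewer than 4 bytes left to split.

```cpp
#include <cstdint>
#include <cstring>
#include <string>

// Constructed rule tables for the i32 type (the real generator has more rules).
static const char* kUnaryOps[] = {"i32.clz", "i32.ctz", "i32.popcnt", "i32.eqz"};
static const char* kBinaryOps[] = {"i32.add", "i32.sub", "i32.mul",
                                   "i32.and", "i32.or",  "i32.xor"};
static const uint32_t kNumUnary = 4;
static const uint32_t kNumBinary = 6;

// Reads a little-endian 32-bit value; the caller guarantees 4 bytes.
static uint32_t Read32(const uint8_t* d) {
  return uint32_t(d[0]) | uint32_t(d[1]) << 8 | uint32_t(d[2]) << 16 |
         uint32_t(d[3]) << 24;
}

// Turns exactly `len` bytes of fuzzer input into one i32 expression (in a
// .wat-like text form) using the slice rules from the commit message:
//   len <= 4  -> the whole slice is the constant
//   otherwise -> 4 bytes pick the rule, the rest feeds its operands
std::string GenI32(const uint8_t* data, size_t len) {
  if (len <= 4) {
    uint8_t buf[4] = {0, 0, 0, 0};  // short slices are zero-extended
    if (len > 0) std::memcpy(buf, data, len);
    return "(i32.const " + std::to_string(Read32(buf)) + ")";
  }
  uint32_t rule = Read32(data) % (kNumUnary + kNumBinary);
  data += 4;
  len -= 4;
  if (rule < kNumUnary) {
    // Unary op: the whole remainder generates the single argument.
    return "(" + std::string(kUnaryOps[rule]) + " " + GenI32(data, len) + ")";
  }
  std::string op = kBinaryOps[rule - kNumUnary];
  size_t left = len;  // edge case: too few bytes to split, rhs becomes const 0
  if (len >= 4) {
    // Binary op: 4 more bytes, taken mod the remaining length, split the
    // slice into the two operand slices so every byte is used exactly once.
    uint32_t split = Read32(data);
    data += 4;
    len -= 4;
    left = (len == 0) ? 0 : split % len;
  }
  return "(" + op + " " + GenI32(data, left) + " " +
         GenI32(data + left, len - left) + ")";
}
```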
- 24 Oct, 2016 1 commit
ahaas authored
Depending on the inputs the fuzzer creates multiple functions. These functions can have signatures with an int32 return value and up to three parameters of type int32, int64, float32, or float64.
R=titzer@chromium.org, clemensh@chromium.org
Review-Url: https://codereview.chromium.org/2447643002
Cr-Commit-Position: refs/heads/master@{#40530}

- 14 Sep, 2016 1 commit
ahaas authored
This CL adds fuzzers for the wasm module sections 'types', 'names', 'globals', 'imports', 'function signatures', 'memory', and 'data', one fuzzer per section. No fuzzers are added for the other sections because either there already exists a fuzzer (e.g. wasm-code), or there exist inter-section dependencies. To avoid introducing a bunch of executables which would make compilation with make slow, I introduce a single executable 'v8_simple_wasm_section_fuzzer' which calls the fuzzers mentioned above. This executable is run by the trybots and ensures that the fuzzers actually compile. For debugging I introduce commandline parameters which allow executing the specific fuzzers from 'v8_simple_wasm_section_fuzzer'.
R=titzer@chromium.org, jochen@chromium.org, mstarzinger@chromium.org
Review-Url: https://codereview.chromium.org/2336603002
Cr-Commit-Position: refs/heads/master@{#39413}

- 29 Aug, 2016 1 commit
ahaas authored
The new fuzzer constructs a dummy module header and uses the fuzzer data only as function code.
R=titzer@chromium.org, jochen@chromium.org
Review-Url: https://codereview.chromium.org/2280623002
Cr-Commit-Position: refs/heads/master@{#38983}

- 03 Jun, 2016 1 commit
machenbach authored
This adds the v8-side fuzzer executables for smoke testing. This also renames the old gyp targets to stay consistent with chromium.
Naming convention for type X after the rename:
  library: X_fuzzer (gn), X_fuzzer_lib (gyp)
  executable v8: v8_simple_X_fuzzer
  executable chromium: v8_X_fuzzer
BUG=chromium:474921
Review-Url: https://codereview.chromium.org/2032363002
Cr-Commit-Position: refs/heads/master@{#36713}

- 02 Mar, 2016 1 commit
bradnelson authored
Fixing a memory leak in CompileAndRunModule.
BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org
LOG=N
Review URL: https://codereview.chromium.org/1738943004
Cr-Commit-Position: refs/heads/master@{#34415}

- 02 Feb, 2016 2 commits
jochen authored
BUG=chromium:577261
R=machenbach@chromium.org,yangguo@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1652963002
Cr-Commit-Position: refs/heads/master@{#33673}

yangguo authored
R=jochen@chromium.org, machenbach@chromium.org
BUG=chromium:577261
LOG=N
Review URL: https://codereview.chromium.org/1660463002
Cr-Commit-Position: refs/heads/master@{#33661}

- 01 Feb, 2016 1 commit
yangguo authored
R=jochen@chromium.org
BUG=chromium:577261
LOG=N
Review URL: https://codereview.chromium.org/1655853002
Cr-Commit-Position: refs/heads/master@{#33640}

- 26 Jan, 2016 1 commit
jochen authored
BUG=chromium:577261
R=machenbach@chromium.org,jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/1604203002
Cr-Commit-Position: refs/heads/master@{#33508}