// Copyright 2024 the V8 project authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "include/v8-context.h" #include "include/v8-exception.h" #include "include/v8-isolate.h" #include "include/v8-local-handle.h" #include "src/base/vector.h" #include "src/execution/isolate.h" #include "src/objects/property-descriptor.h" #include "src/wasm/compilation-environment-inl.h" #include "src/wasm/fuzzing/random-module-generation.h" #include "src/wasm/module-compiler.h" #include "src/wasm/wasm-engine.h" #include "src/wasm/wasm-feature-flags.h" #include "src/wasm/wasm-module.h" #include "src/wasm/wasm-objects-inl.h" #include "src/wasm/wasm-subtyping.h" #include "src/zone/accounting-allocator.h" #include "src/zone/zone.h" #include "test/common/flag-utils.h" #include "test/common/wasm/wasm-module-runner.h" #include "test/fuzzer/fuzzer-support.h" #include "test/fuzzer/wasm-fuzzer-common.h" // This fuzzer fuzzes deopts. // It generates a main function accepting a call target. The call target is then // used in a call_ref or call_indirect. The fuzzer runs the program in a // reference run to collect expected results. // Then it performs the same run on a new module optimizing the module after // every target, causing emission of deopt nodes and potentially triggering // deopts. Note that if the code containing the speculative call is unreachable // or not inlined, the fuzzer won't generate a deopt node and won't perform a // deopt. 
// Pseudo code of a minimal wasm module that the fuzzer could generate: // // int global0 = 0; // Table table = [callee0, callee1]; // // int callee0(int a, int b) { // return a + b; // } // // int callee1(int a, int b) { // return a * b; // } // // int inlinee(int a, int b) { // auto callee = table.get(global0); // return call_ref(callee)(a, b); // } // // int main(int callee_index) { // global0 = callee_index; // return inlinee(1, 2); // } // The fuzzer then performs the following test: // assertEquals(expected_val0, main(0)); // Collects feedback. // %WasmTierUpFunction(main); // assertEquals(expected_val1, main(1)); // Potentially triggers deopt. namespace v8::internal::wasm::fuzzing { namespace { ExecutionResult; std::ostream& operator<<(std::ostream& out, const ExecutionResult& result) { … } class NearHeapLimitCallbackScope { … }; std::vector<ExecutionResult> PerformReferenceRun( const std::vector<std::string>& callees, ModuleWireBytes wire_bytes, WasmEnabledFeatures enabled_features, bool valid, Isolate* isolate) { … } int FuzzIt(base::Vector<const uint8_t> data) { … } } // anonymous namespace extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { … } } // namespace v8::internal::wasm::fuzzing