base fuzzili update #52
Open
Dudcom wants to merge 367 commits into
Conversation
Bug: 465497343 Change-Id: I0b136da11c15bd83353c76fae8d1c168f92f5d34 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9026976 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 465497343 Change-Id: I37625a7b5dc60ea9fc60efb083b36a8b92720588 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9028516 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 465497343 Change-Id: Ic5371de6093189b8519c7491037acd38e2774a11 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9027056 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Dominik Klemba <tacet@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Similar to commit 72dd5d7 but on a wasm module level instead of inside a wasm function. This is a conservative workaround to ensure that we don't lose any chances of emitting operations that previously used static ILTypes but will depend on a signature input for the migration to wasm-gc. Bug: 448860865 Change-Id: Ife60126cabb8c49a0493736603611b9b2dd3e67b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8938986 Reviewed-by: Doga Yüksel <dyuksel@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 448860865 Change-Id: Ifd01ae66b862e844bfbdb781dac36b3a8ba2d0bd Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956316 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com>
Bug: 448860865 Change-Id: I89bdc92e1757a68dec64da8a7ab90e7c397694eb Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956317 Reviewed-by: Doga Yüksel <dyuksel@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 448860865 Change-Id: I01de000a5ae5fae47634ca64edad7dfd9d028695 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956318 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com>
With all instructions interacting with Wasm tags switched over to
using wasm-gc signatures in previous changes, tags can now also be
adapted to use wasm-gc types in their signature (their parameter
types).
Note that it is also possible to define tags from JS, e.g.:
> new WebAssembly.Tag({parameters: ['i32']})
However, these tags do not support index types in the JS API spec, so
they can continue using the current mechanism for their type
information.
Bug: 448860865
Change-Id: If558f0562609d7a26a0119a4055184506351bd52
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956197
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
The pinning ensures that our presubmit-check and all developers working on Fuzzilli have a consistent version used for regenerating the *.bp.swift files. The non-exact version caused the GitHub run to fail as a newer swift-protobuf version now resulted in diffs in the generated files. Change-Id: I4edeae1a38e0b912a45e17b20b950066db4b24d4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9032256 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com>
Change-Id: I174dd958c7854b0fa59228085bd23fe01cdf1fa0 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9032276 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Change the loop condition to compare the iteration index against 'indices.count - 1' instead of 'indices.last!'. Also added regression test testDestructuringSimplificationWithRest, which reproduces the original bug using sparse indices with 'lastIsRest' set to true, ensuring that DestructArray is simplified into GetElement and a residual DestructArray for the rest elements. Change-Id: Ic630615bb85231d703046be4dc669e4314927db2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9027276 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Dominik Klemba <tacet@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com>
While this feature is disabled by default, it is a non-experimental feature and other fuzzers already create exposure of this feature (see https://source.chromium.org/chromium/chromium/src/+/main:v8/tools/clusterfuzz/trials/clusterfuzz_trials_config.json;l=60;drc=84a1682b877e88c8912cebf44a8513c7d84206ed) Bug: 485657212 Change-Id: I899357c64d4e2dfd9385d3da5f445f0edc447765 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9035976 Reviewed-by: Darius Mercadier <dmercadier@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: Icee437b92f284e7f9f7dc339d31ee157c6f876ae Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9032277 Reviewed-by: Samuel Groß <saelo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 465497343 Change-Id: I81b857dc9dac3fb95f8cd3b0f45be04b396626d8 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9043816 Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Michael Achenbach <machenbach@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I7351c40670430f5b21ecff521eb5d419dc3ce2ac Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051356 Reviewed-by: Dominik Klemba <tacet@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Dominik Klemba <tacet@google.com>
This is needed for a tool that uses the JavaScriptExecutor and produces a large amount of output (the list of all builtins available in the global scope). Bug: 487347678 Change-Id: Ib83ee2ae33a609e5b8ce1598b14892a8cedfd0a4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9047637 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/constructor Change-Id: Iaa324d06653a8dfeb2cc5e48b8357f5e4d2670c2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051196 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Fuzzilli functionality for ref.cast added similarly to ref.test Bug: 474940922 Change-Id: I7cd3a28b05b7289c8ea0836be0c6d1024556e24c Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8995238 Commit-Queue: Doga Yüksel <dyuksel@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…d instance type See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DisposableStack Bug: 487347678 Change-Id: I85e523864482d16d5b1f2a1c9d0cd3ba0cb77613 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051796 Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com>
…ds and instance types See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/AsyncDisposableStack Bug: 487347678 Change-Id: I6a0506f0e09c8597c8f24a22833083a99c0c4472 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051797 Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
getBigInt64 and getBigUint64 also take an optional second parameter which is a bool to mark if little-endian encoding should be used. Bug: 487347678 Change-Id: I352e74c7e5d74bd72f5c7ae35c8114bceba297d6 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050878 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: Ide8f3c5d4439981c729f14ecc96e4e54e4cfbe6f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050879 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
This also requires some refactoring: 1) We need to extend createPrototypeObjectGroup() to also allow additional properties as BYTES_PER_ELEMENT appears on the TypedArray builtin (the constructor) and on its prototype (and due to the prototype also on any instance of such typed array). 2) Merge Uint8Array (which is somewhat special due to base64) with the other typed arrays to reduce the amount of duplication. Bug: 487347678 Change-Id: I795b16468ec9b52108dd41fee3ff54d74604df18 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050880 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
With this change we support defining methods on classes and objects with non-identifier names, like number and string literals. Internally, all method names remain strings, reusing any type information. At lifting, we approximate simple identifiers and use them unquoted for method definition and for usage in dot notation. For definitions, we also support quoted strings and unquoted index values. At call sites, we ensure bracket notation where needed, supporting index access without quotes. This covers method names for plain objects and classes. This does not cover properties, getters and setters yet. We also add 2 custom method names to the environment that don't follow the previous identifier naming. Instructions that define such methods currently are: ObjectLiteralMethod ClassInstanceMethod ClassStaticMethod Instructions that use such methods are: CallMethod CallMethodWithSpread CallSuperMethod BindMethod We ignore definitions and calls of private methods. They also reuse the same typer logic, but naming rules are more strict here, non-identifiers are not supported and should never be produced. We need to separate now identifiers for private and other method names in the JS environment. This also extends the compiler to enable importing the new method types. Bug: 446634535 Change-Id: I2b8fbb8306e4b6bd901b61952c6da91d4210ae3f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9047716 Reviewed-by: Dominik Klemba <tacet@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
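The lifting rule described in the commit above (simple identifiers unquoted with dot notation, integer indices unquoted with bracket notation, everything else quoted with bracket notation at call sites) can be demonstrated in plain JavaScript. This is an added example, not Fuzzilli's own lifter; the identifier and index regexes, the node names and the `liftAndRun` helper are assumptions made for the demonstration, and `liftAndRun` checks each lifted program by actually executing it.

```javascript
// Added example (not Fuzzilli code): lifting method names to JS source.
// Names that look like simple identifiers are emitted unquoted and called
// with dot notation; non-negative integer indices stay unquoted and use
// bracket notation; any other name is quoted at definition and at the call.

// Assumed approximation of "simple identifier" (ASCII only, as in the demo).
const SIMPLE_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Assumed shape of an unquoted index: canonical non-negative integer.
const INDEX = /^(0|[1-9][0-9]*)$/;

// Name as it appears in a method definition: `foo() {}`, `42() {}`, `"a b"() {}`.
function liftMethodDefinitionName(name) {
  if (SIMPLE_IDENTIFIER.test(name) || INDEX.test(name)) return name;
  return JSON.stringify(name); // quoted string key, escapes handled by JSON
}

// Accessor for a call site: `obj.foo`, `obj[42]`, `obj["a b"]`.
function liftMethodAccess(receiver, name) {
  if (SIMPLE_IDENTIFIER.test(name)) return `${receiver}.${name}`;
  if (INDEX.test(name)) return `${receiver}[${name}]`;
  return `${receiver}[${JSON.stringify(name)}]`;
}

// Build a small program that defines one method under `name` on an object
// literal and calls it, then run it to confirm the lifted source parses and
// resolves the method under that name.
function liftAndRun(name) {
  const source =
    `const o = { ${liftMethodDefinitionName(name)}(x) { return x + 1; } };\n` +
    `return ${liftMethodAccess("o", name)}(41);`;
  return { source, result: new Function(source)() };
}

// Constructed sample names covering identifier, index, and quoted cases.
for (const name of ["foo", "42", "a b", "1foo", "$x", "007"]) {
  const { source, result } = liftAndRun(name);
  console.log(JSON.stringify(name), "->", source.split("\n")[1], "=", result);
}
```

Names such as `"007"` or `"-1"` are deliberately not treated as indices, since `o[007]` and `o[-1]` would not resolve to the same property as the quoted key; the canonical-integer regex is what keeps definition and call site consistent.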
Bug: 487347678 Change-Id: I37f8126dbd08e989f229246f68675540cfc8c9f4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052178 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: I312d4574513d40fc0ecb43218ee62dcd8eada091 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052179 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
The added properties are deprecated, but in the end it matters what we ship, not if it's deprecated. Bug: 487347678 Change-Id: I3e027d8a1ece8a6bdf31929fd3952d2589cc0bfa Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052180 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678 Change-Id: I11dd214d888556ded07b3d41afe387ae5c4c79cc Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052181 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: I08a1e7346eb50d85832e4d4df798ba5b52348382 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052182 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I13e3653837dbc4502252cbe2ac25e8b4dbb7c44f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058297 Commit-Queue: Doga Yüksel <dyuksel@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
exposed group interface. Bug: 515363087 Change-Id: Id50b6d4ec3308a5b039b82670ec2f4c5db288330 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9375340 Commit-Queue: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
It will run Tools/presubmit.py which already existed (but had to be manually run). Change-Id: I89fff893e441144dfe50663e23b613ce9e58d625 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9231116 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…and cannot generate more This can happen when we have enough non-JS variables (e.g. modules and labels) but not enough JS variables. There was already a safeguard to generate more code in this case, but if we're not in .javaScript context, that won't work. This CL just makes the mutator bail out instead. Fixed: 521241274 Change-Id: Id39090b27e8bc8c3948b17d1765b6292a418fb9a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9374180 Reviewed-by: Leon Bettscheider <bettscheider@google.com> Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Bug:498924945 TAG=agy Change-Id: I9e7cf4eabb5af5df23aa49d8ffcf86fc58416c5b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9268503 Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL * adds `concreteHeapSupertype` to WasmTypeDescription, * implements `subsumes()`, `intersection()`, and `union()` based on that, and * uses them in WasmTypeDefinition and WasmReferenceType. Bug: 517707090 Change-Id: I59c36b73cc30e5269302404d1bd2f508d0cb22d2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9351448 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This fixes bugs for named variables, with-statements and private properties, where generic property names slipped into the generation of these more restrictive identifiers. Named variables and properties in with-statements can only be proper JS identifiers, while generic property names are broader. The same holds for valid names that can be used for private properties. This creates a separate custom identifier list that doesn't include unorthodox cases like symbols and numbers. Named variables, with-statements and private properties are now solely generated from this separate list. TAG=agy Fixed: 518435525 Change-Id: Ie3566467e7f729661a04eba47debc18bc53d610f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9375380 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Michael Achenbach <machenbach@google.com>
…iables InliningReducer could crash when encountering disposable variables (or other instructions that fallthrough to the same check) at the top-level of a module (e.g. inside a bundle module entry point) where activeSubroutineDefinitions is empty. This fix safely unwraps activeSubroutineDefinitions.last to avoid force-unwrapping nil. TAG=agy CONV=3d0eb06a-4c48-4640-92dc-a149665be30b Change-Id: I55bdc95e0d622fc94dd6709338e3fca6dad6192b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9378962 Reviewed-by: Marja Hölttä <marja@google.com> Commit-Queue: Olivier Flückiger <olivf@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Olivier Flückiger <olivf@google.com>
Change-Id: I2832d19e66780fe0947a7220484f5eac9f88688c Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9379402 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
This CL adds an optional superType input to the WasmDefineArrayType JS operation. It also extends WasmArrayTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor. Bug: 517707090 Change-Id: I8c388cf5acc269935dbec19cc07dd62beb870b05 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9362880 Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds an optional superType input to the WasmDefineStructType JS operation. It also extends WasmStructTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor. Bug: 517707090 Change-Id: I4490df2cee14c2d2b7905bad520f47cf08beeff8 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9362881 Reviewed-by: Matthias Liedtke <mliedtke@google.com>
- Run the transpiled script if --d8-path is provided - Accept a custom --test-dir to run only a subset of the tests Change-Id: I9771a83c79dab9a54eb8ef6facf6f697884bfa10 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336704 Auto-Submit: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Change-Id: I51e13233b12b8baa912e3c944c80bde94a556709 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9379364 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com>
As a first step only migrate a small set of tests. This change also modifies the MockFuzzer to support running on other threads than the main thread (as parallelism is the main purpose of this.) Bug: 522635668 Change-Id: I90215a3448a0644712e081f294d695c84a0c43f4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9375860 Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Reviewed-by: Raphaël Hérouart <rherouart@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This CL adds an optional superType input to the WasmDefineSignatureType JS operation. It also extends WasmSignatureTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor. Bug: 517707090 Change-Id: I0b6aa71450534d0a113d8bd4f3d57195d2d7245d Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9358622 Commit-Queue: Leon Bettscheider <bettscheider@chromium.org> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Change-Id: Ib49e26b947ff06614e2301e81a2df94a334dd081 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9393241 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Marja Hölttä <marja@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
In CombineMutator, allow inserting bundles on the top level of other bundles. This assumes instances running with and without --bundle are kept separate, and we will have either only bundles or only non-bundles in the corpus. TAG=agy CONV=4a533892-13ed-4e3d-9c14-ddbea92f43a1 Bug: 342521422 Change-Id: Id87de88649825ab4a5fab5cd847fd71d84e1b743 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9378862 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Marja Hölttä <marja@google.com>
Fixed: 522692767 Change-Id: I5184713517701ea73a0df8a7fa610ce2670214bb Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9389661 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Raphaël Hérouart <rherouart@google.com>
This allows the fuzzer to add and remove variadic inputs from it. Change-Id: I4e7e640af6ae295a9e2bad0cfe52959ef90181b1 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336703 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 522635668 Change-Id: I238b2364bc86b95782776f7b92c3c520b5e1b6a4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9409540 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
This patch replaces the flat `DestructObject` and `DestructArray` instructions with a recursive `DestructuringPattern` AST and FuzzIL implementation.
Key capabilities introduced:
- Deeply nested array and object patterns (e.g., `let { a: [ b, { c } ] } = obj`)
- Default values for both flat bindings and nested patterns
- Computed property keys in object destructuring
- Proper elision and rest element support within nested contexts
- Generalizes both variable declaration (`Destruct`) and reassignment (`DestructAndReassign`)
Bug: 515363087
Change-Id: I79fff58c693a5fc8879c00e439f9ad56655c42e7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9379120
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
This fixes two severe bugs in `OperationMutator.swift` that caused the
fuzzer to crash when mutating destructuring operations:
* Array Mutator Crash: Fixed a bug where toggling the rest target on an `.array` pattern incorrectly appended or removed variables from the `inouts` array. Array rest targets do not add a new binding constraint (they merely convert the last existing index), so altering the `inouts` size caused an immediate sanity check assertion failure during corpus generation.
* Object Mutator Crash: Fixed a fatal validation crash ("variable definitions are not contiguous") in the `.object` mutator. Toggling `hasRestElement` on an object pattern adds or removes an output variable. This is now restricted to reassignment operations (`DestructAndReassign`) to prevent changing the number of outputs on standard `Destruct` instructions, which corrupts the FuzzIL output variable sequence for the rest of the program.
Bug: 515363087
Change-Id: I12bc3fda136d994755fcc62872ada171a294a975
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9410534
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
This reverts commit e177651. Reason for revert: Check whether this caused a spike in use-before-def failures Failure Link: https://g-issues.chromium.org/issues/524213342 Original change's description: > [wasm] Add superType input to WasmDefineSignatureType > > This CL adds an optional superType input to the WasmDefineSignatureType > JS operation. It also extends WasmSignatureTypeDescription to take an > optional superType parameter that it passes on to the > WasmTypeDescription constructor. > > Bug: 517707090 > Change-Id: I0b6aa71450534d0a113d8bd4f3d57195d2d7245d > Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9358622 > Commit-Queue: Leon Bettscheider <bettscheider@chromium.org> > Reviewed-by: Matthias Liedtke <mliedtke@google.com> Bug: 517707090 Change-Id: I8d11e29e493b23cc55a245937d7b0927ad91026b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9413674 Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This reduces the runtime for this set of tests from ~50 seconds to ~20 seconds (which is the runtime of a single test case that probably could be improved as some follow-up). Bug: 522635668 Change-Id: I45f0d5cd922c3ad1914218f0580f7679185adce9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9410100 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
This was broken in commit 46170c0. Change-Id: I65a34cfc257db839eb277de5da563075ea26934f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9413596 Commit-Queue: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Raphaël Hérouart <rherouart@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
to check whether the recent crashes are related to importing outdated protobuf files. Bug: 524213342 Change-Id: I169c4e928a05e41b120dcf28b7eb8d08d74fa55a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9414414 Reviewed-by: Michael Achenbach <machenbach@google.com> Reviewed-by: Marja Hölttä <marja@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
LHS of exponentiation operator (**) must be parenthesized if it is a unary expression or a negative number literal, otherwise it is a syntax error in JavaScript. TAG=agy CONV=2999790b-3693-4f68-a976-4cc8e35ad72e BUG:524562043 Change-Id: I1795fafef47ff9e930c7afc037f07dcfa47a3c84 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9413974 Reviewed-by: Raphaël Hérouart <rherouart@google.com> Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
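The grammar rule behind the commit above (the base of `**` may not be a unary expression, so a lifter must parenthesize a unary operand or a negative number literal) is shown here in an added JavaScript example that is not Fuzzilli's lifter. The tiny expression node shapes (`unary`, `literal`, `raw`), the operator set and the helper names are assumptions for the demonstration; `isSyntacticallyValid` uses `new Function` only to parse a fragment, which is how the test confirms that the unparenthesized form is really a syntax error.

```javascript
// Added example (not Fuzzilli code): parenthesizing the left operand of `**`
// when lifting to JavaScript. `-2 ** 2` and `typeof x ** 2` are syntax
// errors in JS; `(-2) ** 2` and `(typeof x) ** 2` are valid.

// Assumed unary operators that can appear directly before an operand.
const UNARY_OPERATORS = new Set(["-", "+", "!", "~", "typeof", "void", "delete"]);

// Hypothetical node shapes used by this demo:
//   { kind: "unary", op, operand }, { kind: "literal", text }, { kind: "raw", text }
function needsParenthesesAsExponentBase(expr) {
  if (expr.kind === "unary") return UNARY_OPERATORS.has(expr.op);
  // A negative number literal is printed with a leading '-', which the parser
  // reads as unary minus applied to a positive literal, so it needs parentheses.
  if (expr.kind === "literal") return /^-/.test(expr.text);
  return false;
}

function liftExpression(expr) {
  if (expr.kind === "unary") {
    // Word operators (typeof, void, delete) need a space before the operand.
    const sep = /^[a-z]+$/.test(expr.op) ? " " : "";
    return `${expr.op}${sep}${liftExpression(expr.operand)}`;
  }
  return expr.text;
}

function liftExponentiation(lhs, rhs) {
  const base = liftExpression(lhs);
  const wrapped = needsParenthesesAsExponentBase(lhs) ? `(${base})` : base;
  return `${wrapped} ** ${liftExpression(rhs)}`;
}

// Parse (without evaluating) a candidate fragment; false only on SyntaxError.
function isSyntacticallyValid(fragment) {
  try {
    new Function(`return ${fragment};`);
    return true;
  } catch (e) {
    return !(e instanceof SyntaxError);
  }
}

// Constructed sample inputs: a negative literal base and a typeof base.
const two = { kind: "literal", text: "2" };
const samples = [
  [{ kind: "literal", text: "-2" }, two],
  [{ kind: "unary", op: "typeof", operand: { kind: "raw", text: "x" } }, two],
  [{ kind: "unary", op: "-", operand: { kind: "raw", text: "x" } }, two],
  [two, { kind: "literal", text: "3" }],
];
for (const [lhs, rhs] of samples) {
  const lifted = liftExponentiation(lhs, rhs);
  console.log(lifted, "valid:", isSyntacticallyValid(lifted));
}
```

The check is deliberately conservative: it wraps every unary base, including `+x` and `!x`, because the grammar rejects all of them, not only the negative-literal case that triggered the fix.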
Other fuzzers have a head-start already with crrev.com/c/7939890 (and are already reporting issues.) Bug: 458409082 Change-Id: If1fc65fc34c5325b5535a9bf8a08fe4e432203ba Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9419314 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Revert "[wasm] Add superType input to WasmDefineArrayType" This reverts commit 3a03d76. Revert "[wasm] Add superType input to WasmDefineStructType" This reverts commit 5ce4c59. Also bump protobuf version. Bug: 524213342, 517707090 Change-Id: I0d10c4d9123292dd184281de0f0c02a12a199f13 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425034 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 522635668 Change-Id: I56d82eda0050b03c01e7b0af241ef58e2a820fd2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9393800 Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 524213342 Change-Id: Ib5ecc32559db751e8e48460a95ea896cf46d9d50 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9432455 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
updating with head