
base fuzzili update #52

Open
Dudcom wants to merge 395 commits into VRIG-RITSEC:agent from googleprojectzero:main

Conversation

@Dudcom Dudcom commented Jan 25, 2026


updating with head

Liedtke and others added 30 commits February 26, 2026 08:19
Bug: 487347678
Change-Id: I08a1e7346eb50d85832e4d4df798ba5b52348382
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052182
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I13e3653837dbc4502252cbe2ac25e8b4dbb7c44f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058297
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678
Change-Id: I5fdc080270ee713b71c46faf867a800180c1ec22
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058836
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678
Change-Id: I649849a5e3d9511e82e5e47a5ffc61433ca8822e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058837
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
- Proxy.revocable
- Promise.withResolvers
- Number.parseFloat
- Number.parseInt
- Object.groupBy
- Object.hasOwn

Bug: 487347678
Change-Id: I67c3c1c0b0d517dc61cc8a26c69031b81cf9eccc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058838
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I539c771195a5c9a5242c9650815496f8c255cdba
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064096
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Auto-Submit: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Doga Yüksel <dyuksel@google.com>
and add a custom generator for Intl.DisplayNames.prototype.of() as it
contains a tight coupling between the constructor arguments and the code
provided to the "of" function as an argument.

Bug: 487347678
Change-Id: Ia0ffd3f51599b501a6855b07931249abcf777984
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9063878
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manish Goregaokar <manishearth@google.com>
Bug: 487347678
Change-Id: I92fa5d5dccfcd3b5f5590ecea134265bb10d1190
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064297
Reviewed-by: Manish Goregaokar <manishearth@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
- <Error>.name for all builtin error types
- <Error>.prototype.message and <Error>.prototype.name for all builtin
  error types
- ArrayBuffer.prototype.sliceToImmutable
- Date.prototype.toLocaleDateString
- Date.prototype.toLocaleTimeString

Bug: 487347678
Change-Id: I766290ca1e2ced9556448bf31dbbd4d8f6656576
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064298
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678
Change-Id: Ib8ecc8268ef60847919abe2dc6f081665930fde3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064299
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
V8-side change: https://crrev.com/c/7623762

Bug: 487620644
Change-Id: Iee848582cf8ed19085daea8c7715bf8c3f54f3d9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064480
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: I95e6e68e0ce4d2051f3c267667aedef63207b6c2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064377
Commit-Queue: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
…ion.

This will probably be needed later for the descriptor/describes
relation.

Bug: 448858866
Change-Id: Ie4793668172cc9730e1c97a7ceae2f0c10ff2f3b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9067096
Auto-Submit: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Bug: 487347678
Change-Id: Iea000a7b4e83ad259bd9e41c2863e279352c625c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064303
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Follow-up to commit e12a171

Change-Id: Ie4cfa33fef72c15caaf88336ca408d94c37e759a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9067018
Commit-Queue: Manish Goregaokar <manishearth@google.com>
Reviewed-by: Manish Goregaokar <manishearth@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Maybe I shouldn't just predict crashes but instead fix them before
landing my changes.

Bug: 448860865
Change-Id: I7df709799f11fcaec590960c4eeecdc17696772c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9073196
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678
Change-Id: Id253e99069ceb17b0b6da92876234eb1fec2329c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9044026
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
There are some test-only / d8-only functions that we don't need to or
don't want to fuzz.

Bug: 487347678
Change-Id: Idea475a3afdf4dcba2787e497fca45580299d265
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051197
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
There are a large number of properties on prototype objects that can only
be called on a proper instance, e.g. trying to access
> DisposableStack.prototype.disposed
will throw an error as DisposableStack.prototype is not the expected
receiver type (unlike new DisposableStack().disposed).
While the property exists on the prototype, it should not be registered
as the fuzzer can't really do anything useful with something that always
throws.

Bug: 487347678
Change-Id: Ie8b2e5d30caa819f512d6791afb1a22d11761c7f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058839
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
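To make the receiver check described in the message above concrete, here is an added example (not Fuzzilli's own code) that, for a given constructor, sorts the accessor properties on its prototype into those readable on the prototype object itself and those that throw a TypeError there but work on a real instance. It generalizes the DisposableStack case to any constructor. The function and variable names are introduced here; `makeInstance` is an assumed caller-supplied factory, and `Map` and the `Plain` class are constructed sample inputs.

```javascript
// Added example, not Fuzzilli code: classify the accessor properties on
// ctor.prototype by whether the prototype object is an acceptable receiver.
// makeInstance (assumed, supplied by the caller) must return a proper
// instance of ctor, e.g. () => new Map().
function classifyPrototypeGetters(ctor, makeInstance) {
  const proto = ctor.prototype;
  const instance = makeInstance();
  const usableOnPrototype = [];
  const instanceOnly = [];

  for (const key of Reflect.ownKeys(proto)) {
    const desc = Object.getOwnPropertyDescriptor(proto, key);
    // Only accessors run code on plain property access; data properties
    // (including methods, which are just function-valued data) never throw
    // until they are actually called.
    if (typeof desc.get !== 'function') continue;
    const name = typeof key === 'symbol' ? key.toString() : key;

    let protoAccepted = true;
    try {
      desc.get.call(proto);
    } catch (e) {
      // A TypeError is the engine rejecting the receiver; anything else is
      // unexpected and should surface.
      if (!(e instanceof TypeError)) throw e;
      protoAccepted = false;
    }
    if (protoAccepted) {
      usableOnPrototype.push(name);
      continue;
    }
    // The prototype was rejected; confirm that a real instance is accepted
    // before concluding the property is merely instance-only. If this throws
    // too, the getter is broken for every receiver and the error propagates.
    desc.get.call(instance);
    instanceOnly.push(name);
  }
  return { usableOnPrototype, instanceOnly };
}

// Constructed sample: a getter that does not depend on its receiver, so the
// prototype is a fine receiver for it.
class Plain {
  get answer() { return 42; }
}

// Demo: Map.prototype.size throws on Map.prototype but works on new Map();
// Plain.prototype.answer works on the prototype itself.
function demo() {
  return {
    map: classifyPrototypeGetters(Map, () => new Map()),
    plain: classifyPrototypeGetters(Plain, () => new Plain()),
  };
}
```

A builtin-registration scan like the one the message describes would keep only the `usableOnPrototype` names when registering properties on the prototype object, and register the `instanceOnly` names on the instance type instead.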
and skip their prototypes in FuzzilliDetectMissingBuiltins.

Bug: 487347678
Change-Id: Ib74c990924c2b194f486c14c8578148240b9a1f5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064302
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This test case is obsolete. For detecting missing builtins, there is now
a script that can recursively scan the available global context of a
JavaScript shell.

Bug: 487347678
Change-Id: If785dc73fca43d693e29d1c22e345381568072bd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064301
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678
Change-Id: I2157fdb4904c8cd5886c8cf9c3f230cab85fdd76
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9078877
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Bug: 487347678
Change-Id: I00083540222506cfb09d7b1dfe5d040b7818a58b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081256
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 445356784
Change-Id: I488149208dcda6e632ff1fc36d7c959978c3d470
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9078876
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
These are fixed in d8 via https://crrev.com/c/7642309.

Bug: 487347678
Change-Id: I772ae90c0cee6a4c126f11d84934c132bc69c463
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081257
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 445356784
Change-Id: I583e24a56e0e97b589a9bd796ee7e4e23cd63d0d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081258
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This flag is enabled by default and has been removed from v8 in:
https://crrev.com/c/7642813

Change-Id: I442cd7dfcb0b7d457a06fb73d808285b336738fc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081797
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Also add DataView.prototype.setBigUint64 and its optional littleEndian
parameter.

Bug: 445356784
Change-Id: If49c62df8beb2c7202ad12bad58d220ca3f1a3ad
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081796
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
- Promise.all, Promise.race, Promise.allSettled expect a single
  (iterable) argument.
- Date.now, Date.parse, Date.UTC don't return a Date, they return a
  number (the timestamp). The same applies to all the mutator / setter
  methods on Date.prototype.
- String.prototype.localeCompare returns an integer, not a string.
- String.prototype.match returns an array of matches, not a single
  string.
- FinalizationRegistry.prototype.register doesn't return anything.
- FinalizationRegistry.prototype.unregister returns a boolean (whether
  at least one cell was unregistered).
- Reflect.getPrototypeOf, Reflect.isExtensible, and Reflect.ownKeys
  throw a TypeError if passed a primitive value, so type them as
  requiring an object.
- DataView: The multi-byte getter and setter methods were missing the
  optional littleEndian boolean parameter.
- Math.max and Math.min return a number (which might be NaN).
- Object.assign, .defineProperty, .defineProperties and .freeze all
  return the object.
- Array.fill, .reverse and .sort return the passed (modified) array.
- The same is true for the typed arrays (Int8Array and friends).

Change-Id: I1c96b03f3303aad8868a13102b6675126bcc3997
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9087136
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Test cases that use OSR currently only do this through --jit-fuzzing
triggering OSR in loops, often leading to brittle repros like the
referenced bug.

This creates a typical pattern in a code generator making use of
the %OptimizeOsr() runtime function.

Bug: 490353576
Change-Id: Id09459d8f7ba26a1b0eaec7e438de555b22fc7b5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9087056
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Liedtke and others added 30 commits June 19, 2026 01:03
Bug: 522635668
Change-Id: I56d82eda0050b03c01e7b0af241ef58e2a820fd2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9393800
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 524213342
Change-Id: Ib5ecc32559db751e8e48460a95ea896cf46d9d50
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9432455
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This was already fixed once by https://crrev.com/i/8543776 which
introduced PropertyFlags.randomWithoutWritable() to prevent generating
both accessors and a writable attribute, which is invalid in JS.

However, a subsequent large refactoring https://crrev.com/i/8386801
reverted this fix back to PropertyFlags.random().

Bug: 524562043
Change-Id: I8dd52a6c4b15936e7d585482379f5d7768e77316
TAG=agy
CONV=6b998cbb-ce46-4ab8-8af9-d1ed0f9a0cf9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9419396
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
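As an added example (not the Fuzzilli code the message refers to), this shows the rule behind the regression: ECMAScript rejects a property descriptor that mixes accessor fields (`get`/`set`) with data fields (`value`/`writable`), so a generator that picks attribute flags at random has to leave `writable` out entirely once it has decided to emit accessors. `isValidDescriptor`, `definesWithoutError`, `randomDescriptorFlags` and `buildDescriptor` are names introduced here, and `rng` is an assumed injectable random source returning a number in [0, 1).

```javascript
// Added example, not Fuzzilli code. The engine-side rule (ToPropertyDescriptor):
// a descriptor may be generic, data, or accessor, never data and accessor at once.
// Presence of the field is what matters, so { get, writable: false } is still invalid.
function isValidDescriptor(desc) {
  const accessor = 'get' in desc || 'set' in desc;
  const data = 'value' in desc || 'writable' in desc;
  return !(accessor && data);
}

// Ground truth from the engine: does Object.defineProperty accept the descriptor?
function definesWithoutError(desc) {
  try {
    Object.defineProperty({}, 'p', desc);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Pick random attribute flags for a property the generator is about to emit.
// rng (assumed) returns a number in [0, 1). When accessor is true, writable is
// omitted rather than set to false, because its mere presence is invalid.
function randomDescriptorFlags(rng, { accessor }) {
  const flags = {
    configurable: rng() < 0.5,
    enumerable: rng() < 0.5,
  };
  if (!accessor) flags.writable = rng() < 0.5;
  return flags;
}

// Build a complete descriptor of the chosen shape on top of the flags.
function buildDescriptor(rng, { accessor }) {
  const desc = randomDescriptorFlags(rng, { accessor });
  if (accessor) {
    desc.get = function () { return 1; };
    desc.set = function (_v) {};
  } else {
    desc.value = 1;
  }
  return desc;
}
```

The first function is the static check a generator can run on its own output; the second is the oracle the fuzzer's target would apply, and the two must agree on every descriptor the generator produces.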
This CL adds an optional superType input to the WasmDefineArrayType
JS operation. It also extends WasmArrayTypeDescription to take an
optional superType parameter that it passes on to the
WasmTypeDescription constructor.

Bug: 517707090
Change-Id: I70b82608d49514ce29666f3e4d8d2ced5d8dcae0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425994
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
This CL adds an optional superType input to the WasmDefineStructType
JS operation. It also extends WasmStructTypeDescription to take an
optional superType parameter that it passes on to the
WasmTypeDescription constructor.

Bug: 517707090
Change-Id: I9c0b3eb323e8251dffae80008df385eb945dc673
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9426034
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds an optional superType input to the WasmDefineSignatureType
JS operation. It also extends WasmSignatureTypeDescription to take an
optional superType parameter that it passes on to the
WasmTypeDescription constructor.

Bug: 517707090
Change-Id: I1004b24c3d3df8f0b41ba9bf7ad41df9155770c1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425995
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@google.com>
In both loop headers and simple declarations, Destructuring was only
supported with variable declarations (let/const/var keyword); it can now
be utilized for re-assigning existing variables.

Bug: 515363087
Change-Id: I081689487006a3f63aec5a07df924038d853bf51
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425996
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Marja Hölttä <marja@google.com>
This change adopts `instr.inouts` first to avoid confusing variables
originating from the original and the current program. Now, all
inouts are lifted to the current program context, which matches
any additional variables that may be added, e.g., by
`extendVariadicOperation()`. Finally, the mutated instruction
is appended.

Bug: 524213342
Change-Id: I35f54adc31adbaaad94cd91de6b3bfcc2fdebdf5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9449094
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
This enables subtyping support for arrays.

Bug: 517707090
Change-Id: I05a9e409ff643f6effa5da766977208ab2e1ede3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9408800
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Follow-up from https://crrev.com/i/9379120

Bug: 515363087
Change-Id: I8ea35cd8e941ab586b34365462582280dde80f8f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9419397
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
The test asserts that we do try to generate the proper input types
for a generator even if it declares its inputs as .preferred().

Change-Id: Iff53d9489140f0f1e1b80cf067186bb839b05987
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457034
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Change-Id: I563425858ed162ab8dbc2699abf6c94cca98d3ca
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457294
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
This CL adds a test for CL 9449094.

Bug: 524213342
Change-Id: I8021e4ea491df1fac17bc151bf9935bb55a4136b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457295
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Bug: 522635668
Change-Id: I08c6d379e958dcc2bacb57fd720d366efcd902ee
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9415874
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
This reverts commit 1e31dbd.

Reason for revert: This was likely not the culprit of
https://crbug.com/524213342. The real fix landed in the meantime.

Original change's description:
> Temporarily make destruct operation-immutable
>
> Bug: 524213342
> Change-Id: Ib5ecc32559db751e8e48460a95ea896cf46d9d50
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9432455
> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
> Commit-Queue: Michael Achenbach <machenbach@google.com>

Bug: 524213342
Change-Id: Icb00b787fdeb9c6a6b162583058a2ab50999d92e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9463495
Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
…atch

Many JavaScript input requirements are listed as "preferred". This means,
even if we do have a variable of the correct type, we might not use it.

Increasing this constant increases the probability that we will pick
a variable of a correct type, and increases the probability of generating
interesting code (e.g., trying to iterate an iterable instead of a non-
iterable object).

Fixed: 522657728
Change-Id: Ie0f6a1e4b8cd905c072bd8a36e96e4d4ecd5a0ef
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9463335
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
This CL enables subtyping support for structs.

Bug: 517707090
Change-Id: I932a38eb1f29161cf2552d9aae83960f18c6b431
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9452016
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
This CL enables subtyping support for signatures.

Bug: 517707090
Change-Id: Ibf052051b643341fe5555be819593c4a75393aa6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457035
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds missing calls to registerTypeGroupDependency() for
structs/arrays/signatures.

This issue was flushed out when FuzzilliCli ran into
`Fuzzilli/WasmLifter.swift:564: Fatal error:
Unexpectedly found nil while unwrapping an Optional value`.

Bug: 517707090
Change-Id: I84f9aeedbfb8f5762ee113df44c3417aade15d6b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9463675
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…for debugging

Bug: 524213342
Change-Id: Id78d02bee00f3d032c515ea2f349238665d31fc3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9470675
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Cyclic imports require knowing which modules and exports we will generate *later*. Add the "pending module" concept to support this.

We use .jsAnything as the type for the variables which will be exported later - it's hard to decide a better type upfront and those won't technically be true (since we might access a "var" variable before it has its final value).

TAG=agy
CONV=9d719888-54be-4548-b5e1-2eec15f7d6bc

Bug: 342521422
Change-Id: I4f9621d5771244a12e18937688fed3327757658d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9408620
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Before this CL, we chose which CodeGenerators to use in the prefix based
on IsValueGenerator property (= all stubs in the generator require no
inputs and produce something).

However, we want to have CodeGenerators which satisfy that
property, but which are not used in the prefix.

This CL solves this problem by adding an explicit way to mark which code
generators should be used in the prefix.

CONV=fe946adb-0cf0-4d0b-a600-a45a70ecddad
TAG=agy
Bug: 526979176
Change-Id: Ib5dd42efbaf082e7196992c00aa867a23c4609b0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457934
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…noise

Optimize the reporting of poorly performing code generators and program templates by aggregating their stats across all fuzzer nodes and centralizing the output on the main thread.

This makes log messages more actionable and easier to read and navigate in cloud logging.

Key changes:
- Moved the generator/template stats from individual worker threads to the root node.
- Merged validSamples and interestingSamples into correctSamples.
- Print compact, table-based logs.
- Reduced log frequency to every 5th statistics update and on termination.

TAG=agy

Bug: 465497343
Change-Id: I146e8b08057ee1ed84cf64c8f308b6be7b63bbf3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9432454
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
The index passed into `translateInput` is unused, as the code is
hard-coded to use 0.

Bug: 527887612, 524213342
Change-Id: I7e8604ae8cc814ab588614dff70a77d2db8fe732
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9471895
Commit-Queue: Tigran Bantikyan <bantikyan@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Tigran Bantikyan <bantikyan@google.com>
This CL adds `isFinal` to WasmTypeDescription and subclasses
WasmArrayTypeDescription, WasmStructTypeDescription,
WasmSignatureTypeDescription.

In code generators, we only use non-final super types.
All generated types are final with a probability of 25%.

Bug: 517707090
Change-Id: I47df3b1b8f06f5b133f3a349f0c1c7aeebdc975f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9464195
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
and make them parallelizable.

- AnalyzerTest.swift
- ContextGraphTest.swift
- DiffOracleTests.swift
- EngineTests.swift

Bug: 522635668
Change-Id: Icb3e6503cd84d2fffeb9952c866e6f7a40c618f1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9471917
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 515363087
Change-Id: Ib12bedcdabb2681a10afcce1bb26dae5a89c56f1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9453876
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 522635668
Change-Id: I42ffbdb0fbf0f25a621a14466a3c4c9d815089fb
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9475596
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Bug: 498924945
TAG=agy
Change-Id: Idf0bab6bef6811f82abd8bfc5586e4d699b90d4a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9376411
Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This reverts commit a799a23.

Reason for revert: Suspected to crash with:
Fatal error: Code generators must contain at least one generator to be used in the prefix

Original change's description:
> [code generators] Introduce explicit "useInPrefix"
>
> Before this CL, we chose which CodeGenerators to use in the prefix based
> on IsValueGenerator property (= all stubs in the generator require no
> inputs and produce something).
>
> However, we want to have CodeGenerators which satisfy that
> property, but which are not used in the prefix.
>
> This CL solves this problem by adding an explicit way to mark which code
> generators should be used in the prefix.
>
> CONV=fe946adb-0cf0-4d0b-a600-a45a70ecddad
> TAG=agy
> Bug: 526979176
> Change-Id: Ib5dd42efbaf082e7196992c00aa867a23c4609b0
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457934
> Commit-Queue: Marja Hölttä <marja@google.com>
> Reviewed-by: Matthias Liedtke <mliedtke@google.com>

Bug: 526979176
Change-Id: I1acc51b237c4ece57cf9ef7b4637a6bd16c6ebf6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9482515
Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Marja Hölttä <marja@google.com>