base fuzzili update #52
Open
Dudcom wants to merge 395 commits into
Bug: 487347678 Change-Id: I08a1e7346eb50d85832e4d4df798ba5b52348382 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052182 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I13e3653837dbc4502252cbe2ac25e8b4dbb7c44f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058297 Commit-Queue: Doga Yüksel <dyuksel@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: I5fdc080270ee713b71c46faf867a800180c1ec22 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058836 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: I649849a5e3d9511e82e5e47a5ffc61433ca8822e Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058837 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
- Proxy.revocable
- Promise.withResolvers
- Number.parseFloat
- Number.parseInt
- Object.groupBy
- Object.hasOwn

Bug: 487347678 Change-Id: I67c3c1c0b0d517dc61cc8a26c69031b81cf9eccc Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058838 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I539c771195a5c9a5242c9650815496f8c255cdba Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064096 Commit-Queue: Doga Yüksel <dyuksel@google.com> Auto-Submit: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com>
and add a custom generator for Intl.DisplayNames.prototype.of() as it contains a tight coupling between the constructor arguments and the code provided to the "of" function as an argument. Bug: 487347678 Change-Id: Ia0ffd3f51599b501a6855b07931249abcf777984 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9063878 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Manish Goregaokar <manishearth@google.com>
Bug: 487347678 Change-Id: I92fa5d5dccfcd3b5f5590ecea134265bb10d1190 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064297 Reviewed-by: Manish Goregaokar <manishearth@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
- <Error>.name for all builtin error types
- <Error>.prototype.message and <Error>.prototype.name for all builtin error types
- ArrayBuffer.prototype.sliceToImmutable
- Date.prototype.toLocaleDateString
- Date.prototype.toLocaleTimeString

Bug: 487347678 Change-Id: I766290ca1e2ced9556448bf31dbbd4d8f6656576 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064298 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678 Change-Id: Ib8ecc8268ef60847919abe2dc6f081665930fde3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064299 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
V8-side change: https://crrev.com/c/7623762 Bug: 487620644 Change-Id: Iee848582cf8ed19085daea8c7715bf8c3f54f3d9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064480 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: I95e6e68e0ce4d2051f3c267667aedef63207b6c2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064377 Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com>
…ion. This will probably be needed later for the descriptor/describes relation. Bug: 448858866 Change-Id: Ie4793668172cc9730e1c97a7ceae2f0c10ff2f3b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9067096 Auto-Submit: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com> Commit-Queue: Doga Yüksel <dyuksel@google.com>
Bug: 487347678 Change-Id: Iea000a7b4e83ad259bd9e41c2863e279352c625c Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064303 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Follow-up to commit e12a171 Change-Id: Ie4cfa33fef72c15caaf88336ca408d94c37e759a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9067018 Commit-Queue: Manish Goregaokar <manishearth@google.com> Reviewed-by: Manish Goregaokar <manishearth@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Maybe I shouldn't just predict crashes but instead fix them before landing my changes. Bug: 448860865 Change-Id: I7df709799f11fcaec590960c4eeecdc17696772c Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9073196 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: Id253e99069ceb17b0b6da92876234eb1fec2329c Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9044026 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
There are some test-only / d8-only functions that we don't need to or don't want to fuzz. Bug: 487347678 Change-Id: Idea475a3afdf4dcba2787e497fca45580299d265 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051197 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
There is a large number of properties on prototype objects that can only be called on a proper instance, e.g. trying to access DisposableStack.prototype.disposed will throw an error as DisposableStack.prototype is not the expected receiver type (unlike new DisposableStack().disposed). While the property exists on the prototype, it should not be registered as the fuzzer can't really do anything useful with something that always throws. Bug: 487347678 Change-Id: Ie8b2e5d30caa819f512d6791afb1a22d11761c7f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058839 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
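The receiver check described in the commit above, as an added example in plain JavaScript (not code from the fuzzilli repository): it walks a constructor's prototype, calls every accessor getter once with the prototype itself and once with a real instance, and reports which accessors are only usable on an instance. Map and RegExp stand in for DisposableStack so the block runs on any engine; the function name is my own.

```javascript
// Added example, not fuzzilli code: classify accessor properties on a builtin
// prototype. An accessor that throws a TypeError when its getter is invoked
// with the prototype as receiver, but works on a fresh instance, is exactly the
// kind of property the commit message says should not be registered.
function classifyPrototypeAccessors(ctor, makeInstance) {
  const proto = ctor.prototype;
  const usableOnPrototype = [];
  const instanceOnly = [];

  for (const key of Reflect.ownKeys(proto)) {
    const desc = Object.getOwnPropertyDescriptor(proto, key);
    if (typeof desc.get !== 'function') continue; // data properties are not affected
    const name = typeof key === 'symbol' ? key.toString() : key;

    // Does the getter work on a proper instance at all?
    let worksOnInstance = true;
    try {
      desc.get.call(makeInstance());
    } catch {
      worksOnInstance = false;
    }

    // Does it also work when the receiver is the prototype object itself?
    try {
      desc.get.call(proto);
      usableOnPrototype.push(name);
    } catch (e) {
      // Builtins reject a wrong receiver with a TypeError ("incompatible receiver").
      if (e instanceof TypeError && worksOnInstance) instanceOnly.push(name);
    }
  }
  return { usableOnPrototype, instanceOnly };
}

// Map.prototype.size throws on the prototype; RegExp.prototype's accessors are
// special-cased by the spec to return a default value instead of throwing.
console.log(classifyPrototypeAccessors(Map, () => new Map()));
console.log(classifyPrototypeAccessors(RegExp, () => /a/));
```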
and skip their prototypes in FuzzilliDetectMissingBuiltins. Bug: 487347678 Change-Id: Ib74c990924c2b194f486c14c8578148240b9a1f5 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064302 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
This test case is obsolete. For detecting missing builtins, there is now a script that can recursively scan the available global context of a JavaScript shell. Bug: 487347678 Change-Id: If785dc73fca43d693e29d1c22e345381568072bd Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064301 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678 Change-Id: I2157fdb4904c8cd5886c8cf9c3f230cab85fdd76 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9078877 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com>
Bug: 487347678 Change-Id: I00083540222506cfb09d7b1dfe5d040b7818a58b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081256 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 445356784 Change-Id: I488149208dcda6e632ff1fc36d7c959978c3d470 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9078876 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Manos Koukoutos <manoskouk@google.com>
These are fixed in d8 via https://crrev.com/c/7642309. Bug: 487347678 Change-Id: I772ae90c0cee6a4c126f11d84934c132bc69c463 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081257 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 445356784 Change-Id: I583e24a56e0e97b589a9bd796ee7e4e23cd63d0d Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081258 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This flag is enabled by default and has been removed from v8 in: https://crrev.com/c/7642813 Change-Id: I442cd7dfcb0b7d457a06fb73d808285b336738fc Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081797 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Also add DataView.prototype.setBigUint64 and its optional littleEndian parameter. Bug: 445356784 Change-Id: If49c62df8beb2c7202ad12bad58d220ca3f1a3ad Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9081796 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com>
- Promise.all, Promise.race, Promise.allSettled expect a single (iterable) argument.
- Date.now, Date.parse, Date.UTC don't return a Date, they return a number (the timestamp). The same applies to all the mutator / setter methods on Date.prototype.
- String.prototype.localeCompare returns an integer, not a string.
- String.prototype.match returns an array of matches, not a single string.
- FinalizationRegistry.prototype.register doesn't return anything.
- FinalizationRegistry.prototype.unregister returns a boolean (whether at least one cell was unregistered).
- Reflect.getPrototypeOf, Reflect.isExtensible, and Reflect.ownKeys throw a TypeError if passed a primitive value, so type them as requiring an object.
- DataView: The multi-byte getter and setter methods were missing the optional littleEndian boolean parameter.
- Math.max and Math.min return a number (which might be NaN).
- Object.assign, .defineProperty, .defineProperties and .freeze all return the object.
- Array.fill, .reverse and .sort return the passed (modified) array.
- The same is true for the typed arrays (Int8Array and friends).

Change-Id: I1c96b03f3303aad8868a13102b6675126bcc3997 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9087136 Reviewed-by: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Test cases that use OSR currently only do this through --jit-fuzzing triggering OSR in loops, often leading to brittle repros like the referenced bug. This creates a typical pattern in a code generator making use of the %OptimizeOsr() runtime function. Bug: 490353576 Change-Id: Id09459d8f7ba26a1b0eaec7e438de555b22fc7b5 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9087056 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 522635668 Change-Id: I56d82eda0050b03c01e7b0af241ef58e2a820fd2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9393800 Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 524213342 Change-Id: Ib5ecc32559db751e8e48460a95ea896cf46d9d50 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9432455 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
This was already fixed once by https://crrev.com/i/8543776 which introduced PropertyFlags.randomWithoutWritable() to prevent generating both accessors and a writable attribute, which is invalid in JS. However, a subsequent large refactoring https://crrev.com/i/8386801 reverted this fix back to PropertyFlags.random(). Bug: 524562043 Change-Id: I8dd52a6c4b15936e7d585482379f5d7768e77316 TAG=agy CONV=6b998cbb-ce46-4ab8-8af9-d1ed0f9a0cf9 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9419396 Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
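The invalid combination the commit above describes (accessor plus the writable attribute), shown as an added example that is not fuzzilli's own code: a descriptor validity check, a probe that reports what Object.defineProperty does with such a descriptor, and a small flag picker that, like the randomWithoutWritable() idea, never emits writable for accessor properties. The function names and the injectable random source are my own.

```javascript
// Added example, not fuzzilli code. Per the ECMAScript spec a property
// descriptor may be a data descriptor (value/writable) or an accessor
// descriptor (get/set), never both; defineProperty rejects the mix.
function isValidDescriptor(desc) {
  const isAccessor = 'get' in desc || 'set' in desc;
  const isData = 'value' in desc || 'writable' in desc;
  return !(isAccessor && isData);
}

// Returns null when defineProperty accepts the descriptor, otherwise the
// name of the exception class it threw.
function defineOrError(desc) {
  try {
    Object.defineProperty({}, 'p', desc);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

// Flag picker: `rand` is an injected function returning a float in [0, 1) so
// the output is reproducible. For accessor properties the writable flag is
// simply never generated, which is the fix the commit message refers to.
function pickFlags(rand, { forAccessor }) {
  const flags = { enumerable: rand() < 0.5, configurable: rand() < 0.5 };
  if (!forAccessor) flags.writable = rand() < 0.5;
  return flags;
}

// Build a complete descriptor from the picked flags.
function makeDescriptor(rand, forAccessor) {
  const flags = pickFlags(rand, { forAccessor });
  return forAccessor
    ? { ...flags, get() { return 42; } }
    : { ...flags, value: 42 };
}

// The buggy shape: accessor together with writable -> TypeError.
console.log(defineOrError({ get() { return 1; }, writable: true }));
```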
This CL adds an optional superType input to the WasmDefineArrayType JS operation. It also extends WasmArrayTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor. Bug: 517707090 Change-Id: I70b82608d49514ce29666f3e4d8d2ced5d8dcae0 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425994 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
This CL adds an optional superType input to the WasmDefineStructType JS operation. It also extends WasmStructTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor. Bug: 517707090 Change-Id: I9c0b3eb323e8251dffae80008df385eb945dc673 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9426034 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds an optional superType input to the WasmDefineSignatureType JS operation. It also extends WasmSignatureTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor. Bug: 517707090 Change-Id: I1004b24c3d3df8f0b41ba9bf7ad41df9155770c1 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425995 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org> Reviewed-by: Michael Achenbach <machenbach@google.com>
In both loop headers and simple declarations, destructuring was only supported with variable declarations (let/const/var keyword); it can now be utilized for re-assigning existing variables. Bug: 515363087 Change-Id: I081689487006a3f63aec5a07df924038d853bf51 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425996 Commit-Queue: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Marja Hölttä <marja@google.com>
This change adopts `instr.inouts` first to avoid confusing variables originating from the original and the current program. Now, all inouts are lifted to the current program context, which matches any additional variables that may be added, e.g., by `extendVariadicOperation()`. Finally, the mutated instruction is appended. Bug: 524213342 Change-Id: I35f54adc31adbaaad94cd91de6b3bfcc2fdebdf5 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9449094 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
This enables subtyping support for arrays. Bug: 517707090 Change-Id: I05a9e409ff643f6effa5da766977208ab2e1ede3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9408800 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Follow Up From https://crrev.com/i/9379120 Bug: 515363087 Change-Id: I8ea35cd8e941ab586b34365462582280dde80f8f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9419397 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Raphaël Hérouart <rherouart@google.com>
The test asserts that we do try to generate the proper input types for a generator even if it declares its inputs as .preferred(). Change-Id: Iff53d9489140f0f1e1b80cf067186bb839b05987 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457034 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Marja Hölttä <marja@google.com>
Change-Id: I563425858ed162ab8dbc2699abf6c94cca98d3ca Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457294 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Raphaël Hérouart <rherouart@google.com> Commit-Queue: Marja Hölttä <marja@google.com>
This CL adds a test for CL 9449094. Bug: 524213342 Change-Id: I8021e4ea491df1fac17bc151bf9935bb55a4136b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457295 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Bug: 522635668 Change-Id: I08c6d379e958dcc2bacb57fd720d366efcd902ee Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9415874 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
This reverts commit 1e31dbd. Reason for revert: This was likely not the culprit of https://crbug.com/524213342. The real fix landed in the mean time. Original change's description: > Temporarily make destruct operation-immutable > > Bug: 524213342 > Change-Id: Ib5ecc32559db751e8e48460a95ea896cf46d9d50 > Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9432455 > Reviewed-by: Matthias Liedtke <mliedtke@google.com> > Commit-Queue: Michael Achenbach <machenbach@google.com> Bug: 524213342 Change-Id: Icb00b787fdeb9c6a6b162583058a2ab50999d92e Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9463495 Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
…atch Many JavaScript input requirements are listed as "preferred". This means that, even if we do have a variable of the correct type, we might not use it. Increasing this constant increases the probability that we will pick a variable of a correct type, and increases the probability of generating interesting code (e.g., trying to iterate an iterable instead of a non-iterable object). Fixed: 522657728 Change-Id: Ie0f6a1e4b8cd905c072bd8a36e96e4d4ecd5a0ef Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9463335 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Marja Hölttä <marja@google.com>
This CL enables subtyping support for structs. Bug: 517707090 Change-Id: I932a38eb1f29161cf2552d9aae83960f18c6b431 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9452016 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
This CL enables subtyping support for signatures. Bug: 517707090 Change-Id: Ibf052051b643341fe5555be819593c4a75393aa6 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457035 Commit-Queue: Leon Bettscheider <bettscheider@chromium.org> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds missing calls to registerTypeGroupDependency() for structs/arrays/signatures. This issue flushed out when FuzzilliCli ran into `Fuzzilli/WasmLifter.swift:564: Fatal error: Unexpectedly found nil while unwrapping an Optional value`. Bug: 517707090 Change-Id: I84f9aeedbfb8f5762ee113df44c3417aade15d6b Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9463675 Commit-Queue: Leon Bettscheider <bettscheider@chromium.org> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…for debugging Bug: 524213342 Change-Id: Id78d02bee00f3d032c515ea2f349238665d31fc3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9470675 Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Cyclic imports require knowing which modules and exports we will generate *later*. Add the "pending module" concept to support this. We use .jsAnything as the type for the variables which will be exported later - it's hard to decide a better type upfront and those won't technically be true (since we might access a "var" variable before it has its final value). TAG=agy CONV=9d719888-54be-4548-b5e1-2eec15f7d6bc Bug: 342521422 Change-Id: I4f9621d5771244a12e18937688fed3327757658d Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9408620 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Marja Hölttä <marja@google.com>
Before this CL, we chose which CodeGenerators to use in the prefix based on IsValueGenerator property (= all stubs in the generator require no inputs and produce something). However, we want to have CodeGenerators which satisfy that property, but which are not used in the prefix. This CL solves this problem by adding an explicit way to mark which code generators should be used in the prefix. CONV=fe946adb-0cf0-4d0b-a600-a45a70ecddad TAG=agy Bug: 526979176 Change-Id: Ib5dd42efbaf082e7196992c00aa867a23c4609b0 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457934 Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…noise Optimize the reporting of poorly performing code generators and program templates by aggregating their stats across all fuzzer nodes and centralizing the output on the main thread. This makes log messages more actionable and easier to read and navigate in cloud logging.

Key changes:
- Moved the generator/template stats from individual worker threads to the root node.
- Merged validSamples and interestingSamples into correctSamples.
- Print compact, table-based logs.
- Reduced log frequency to every 5th statistics update and on termination.

TAG=agy Bug: 465497343 Change-Id: I146e8b08057ee1ed84cf64c8f308b6be7b63bbf3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9432454 Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
The index passed into the `translateInput` is unused, as the code hard-coded to use 0. Bug: 527887612, 524213342 Change-Id: I7e8604ae8cc814ab588614dff70a77d2db8fe732 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9471895 Commit-Queue: Tigran Bantikyan <bantikyan@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Tigran Bantikyan <bantikyan@google.com>
This CL adds `isFinal` to WasmTypeDescription and subclasses WasmArrayTypeDescription, WasmStructTypeDescription, WasmSignatureTypeDescription. In code generators, we only use non-final super types. All generated types are final with a probability of 25%. Bug: 517707090 Change-Id: I47df3b1b8f06f5b133f3a349f0c1c7aeebdc975f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9464195 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
and make them parallelizable.
- AnalyzerTest.swift
- ContextGraphTest.swift
- DiffOracleTests.swift
- EngineTests.swift

Bug: 522635668 Change-Id: Icb3e6503cd84d2fffeb9952c866e6f7a40c618f1 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9471917 Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 515363087 Change-Id: Ib12bedcdabb2681a10afcce1bb26dae5a89c56f1 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9453876 Commit-Queue: Raphaël Hérouart <rherouart@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 522635668 Change-Id: I42ffbdb0fbf0f25a621a14466a3c4c9d815089fb Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9475596 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Bug: 498924945 TAG=agy Change-Id: Idf0bab6bef6811f82abd8bfc5586e4d699b90d4a Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9376411 Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This reverts commit a799a23. Reason for revert: Suspected to crash with: Fatal error: Code generators must contain at least one generator to be used in the prefix Original change's description: > [code generators] Introduce explicit "useInPrefix" > > Before this CL, we chose which CodeGenerators to use in the prefix based > on IsValueGenerator property (= all stubs in the generator require no > inputs and produce something). > > However, we want to have CodeGenerators which satisfy that > property, but which are not used in the prefix. > > This CL solves this problem by adding an explicit way to mark which code > generators should be used in the prefix. > > CONV=fe946adb-0cf0-4d0b-a600-a45a70ecddad > TAG=agy > Bug: 526979176 > Change-Id: Ib5dd42efbaf082e7196992c00aa867a23c4609b0 > Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457934 > Commit-Queue: Marja Hölttä <marja@google.com> > Reviewed-by: Matthias Liedtke <mliedtke@google.com> Bug: 526979176 Change-Id: I1acc51b237c4ece57cf9ef7b4637a6bd16c6ebf6 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9482515 Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Michael Achenbach <machenbach@google.com> Reviewed-by: Marja Hölttä <marja@google.com>
updating with head