base fuzzili update #52
Open
Dudcom wants to merge 377 commits into
Change the loop condition to compare the iteration index against 'indices.count - 1' instead of 'indices.last!'. Also added regression test testDestructuringSimplificationWithRest, which reproduces the original bug using sparse indices with 'lastIsRest' set to true, ensuring that DestructArray is simplified into GetElement and a residual DestructArray for the rest elements.
Change-Id: Ic630615bb85231d703046be4dc669e4314927db2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9027276
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
While this feature is disabled by default, it is a non-experimental feature and other fuzzers already create exposure of this feature (see https://source.chromium.org/chromium/chromium/src/+/main:v8/tools/clusterfuzz/trials/clusterfuzz_trials_config.json;l=60;drc=84a1682b877e88c8912cebf44a8513c7d84206ed)
Bug: 485657212
Change-Id: I899357c64d4e2dfd9385d3da5f445f0edc447765
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9035976
Reviewed-by: Darius Mercadier <dmercadier@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: Icee437b92f284e7f9f7dc339d31ee157c6f876ae Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9032277 Reviewed-by: Samuel Groß <saelo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 465497343 Change-Id: I81b857dc9dac3fb95f8cd3b0f45be04b396626d8 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9043816 Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Michael Achenbach <machenbach@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I7351c40670430f5b21ecff521eb5d419dc3ce2ac Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051356 Reviewed-by: Dominik Klemba <tacet@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Dominik Klemba <tacet@google.com>
This is needed for a tool that uses the JavaScriptExecutor and produces a large amount of output (the list of all builtins available in the global scope).
Bug: 487347678
Change-Id: Ib83ee2ae33a609e5b8ce1598b14892a8cedfd0a4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9047637
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/constructor Change-Id: Iaa324d06653a8dfeb2cc5e48b8357f5e4d2670c2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051196 Reviewed-by: Michael Achenbach <machenbach@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Fuzzilli functionality for ref.cast added similarly to ref.test
Bug: 474940922
Change-Id: I7cd3a28b05b7289c8ea0836be0c6d1024556e24c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8995238
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…d instance type See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DisposableStack Bug: 487347678 Change-Id: I85e523864482d16d5b1f2a1c9d0cd3ba0cb77613 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051796 Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com>
…ds and instance types See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/AsyncDisposableStack Bug: 487347678 Change-Id: I6a0506f0e09c8597c8f24a22833083a99c0c4472 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051797 Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
getBigInt64 and getBigUint64 also take an optional second parameter which is a bool to mark if little-endian encoding should be used.
Bug: 487347678
Change-Id: I352e74c7e5d74bd72f5c7ae35c8114bceba297d6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050878
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: Ide8f3c5d4439981c729f14ecc96e4e54e4cfbe6f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050879 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
This also requires some refactoring:
1) We need to extend createPrototypeObjectGroup() to also allow additional properties as BYTES_PER_ELEMENT appears on the TypedArray builtin (the constructor) and on its prototype (and due to the prototype also on any instance of such typed array).
2) Merge Uint8Array (which is somewhat special due to base64) with the other typed arrays to reduce the amount of duplication.
Bug: 487347678
Change-Id: I795b16468ec9b52108dd41fee3ff54d74604df18
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050880
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
With this change we support defining methods on classes and objects with non-identifier names, like number and string literals. Internally, all method names remain strings, reusing any type information. At lifting, we approximate simple identifiers and use them unquoted for method definition and for usage in dot notation. For definitions, we also support quoted strings and unquoted index values. At call sites, we ensure bracket notation where needed, supporting index access without quotes.
This covers method names for plain objects and classes. This does not cover properties, getters and setters yet. We also add 2 custom method names to the environment that don't follow the previous identifier naming.
Instructions that define such methods currently are:
ObjectLiteralMethod
ClassInstanceMethod
ClassStaticMethod
Instructions that use such methods are:
CallMethod
CallMethodWithSpread
CallSuperMethod
BindMethod
We ignore definitions and calls of private methods. They also reuse the same typer logic, but naming rules are more strict here, non-identifiers are not supported and should never be produced. We need to separate now identifiers for private and other method names in the JS environment.
This also extends the compiler to enable importing the new method types.
Bug: 446634535
Change-Id: I2b8fbb8306e4b6bd901b61952c6da91d4210ae3f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9047716
Reviewed-by: Dominik Klemba <tacet@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
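The lifting rule the commit above describes (identifiers unquoted and in dot notation, indices unquoted in brackets, everything else as a quoted string), as an added JavaScript example that is not code from Fuzzilli or this PR. The `IDENTIFIER` and `INDEX` regexes, the `lift*` helpers and the sample method list are illustrative assumptions; the real lifter works on FuzzIL, not on source strings, and private `#names` are deliberately left out, as in the commit.

```javascript
// Added example (not Fuzzilli code): lifting method names that are not plain identifiers.
// ASCII approximation of a "simple identifier"; reserved words are fine as property names.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Canonical array index (no leading zeros), which may appear unquoted in both forms.
const INDEX = /^(?:0|[1-9][0-9]*)$/;

// Definition site: identifiers and indices are emitted bare, everything else quoted.
function liftMethodKey(name) {
  if (IDENTIFIER.test(name) || INDEX.test(name)) return name;
  return JSON.stringify(name);
}

function liftMethodDefinition(name, params, body) {
  return `${liftMethodKey(name)}(${params.join(', ')}) { ${body} }`;
}

// Call site: dot notation for identifiers, bracket notation otherwise
// (index without quotes, any other name as a quoted string).
function liftMethodCall(receiver, name, args) {
  const argList = args.join(', ');
  if (IDENTIFIER.test(name)) return `${receiver}.${name}(${argList})`;
  const key = INDEX.test(name) ? name : JSON.stringify(name);
  return `${receiver}[${key}](${argList})`;
}

function liftObjectLiteral(methods) {
  const defs = methods.map(m => liftMethodDefinition(m.name, m.params, m.body));
  return `({ ${defs.join(', ')} })`;
}

// Constructed sample: one method of each naming kind, plus a reserved word.
const SAMPLE_METHODS = [
  { name: 'foo',   params: ['x'], body: 'return x + 1;' },
  { name: '42',    params: [],    body: "return 'index';" },
  { name: 'a b',   params: [],    body: "return 'quoted';" },
  { name: 'class', params: [],    body: "return 'reserved';" },
];
const SAMPLE_SOURCE = liftObjectLiteral(SAMPLE_METHODS);

// Parse and run the lifted code to confirm both the definition and the call form are legal.
function evaluate(src) {
  return new Function(`return ${src};`)();
}

function callOn(obj, name, args) {
  return new Function('o', `return ${liftMethodCall('o', name, args)};`)(obj);
}
```

Running `callOn(evaluate(SAMPLE_SOURCE), '42', [])` exercises the `o[42]()` form; swapping `liftMethodCall` to always use dot notation would make the same call a SyntaxError, which is exactly the class of lifter bug this change has to avoid.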
Bug: 487347678 Change-Id: I37f8126dbd08e989f229246f68675540cfc8c9f4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052178 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: I312d4574513d40fc0ecb43218ee62dcd8eada091 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052179 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
The added properties are deprecated, but in the end it matters what we ship, not if it's deprecated.
Bug: 487347678
Change-Id: I3e027d8a1ece8a6bdf31929fd3952d2589cc0bfa
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052180
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678 Change-Id: I11dd214d888556ded07b3d41afe387ae5c4c79cc Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052181 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: I08a1e7346eb50d85832e4d4df798ba5b52348382 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052182 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I13e3653837dbc4502252cbe2ac25e8b4dbb7c44f Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058297 Commit-Queue: Doga Yüksel <dyuksel@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: I5fdc080270ee713b71c46faf867a800180c1ec22 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058836 Commit-Queue: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678 Change-Id: I649849a5e3d9511e82e5e47a5ffc61433ca8822e Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058837 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
- Proxy.revocable
- Promise.withResolvers
- Number.parseFloat
- Number.parseInt
- Object.groupBy
- Object.hasOwn
Bug: 487347678
Change-Id: I67c3c1c0b0d517dc61cc8a26c69031b81cf9eccc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058838
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I539c771195a5c9a5242c9650815496f8c255cdba Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064096 Commit-Queue: Doga Yüksel <dyuksel@google.com> Auto-Submit: Danylo Mocherniuk <mdanylo@google.com> Reviewed-by: Doga Yüksel <dyuksel@google.com>
and add a custom generator for Intl.DisplayNames.prototype.of() as it contains a tight coupling between the constructor arguments and the code provided to the "of" function as an argument.
Bug: 487347678
Change-Id: Ia0ffd3f51599b501a6855b07931249abcf777984
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9063878
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manish Goregaokar <manishearth@google.com>
Bug: 487347678 Change-Id: I92fa5d5dccfcd3b5f5590ecea134265bb10d1190 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064297 Reviewed-by: Manish Goregaokar <manishearth@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
- <Error>.name for all builtin error types
- <Error>.prototype.message and <Error>.prototype.name for all builtin error types
- ArrayBuffer.prototype.sliceToImmutable
- Date.prototype.toLocaleDateString
- Date.prototype.toLocaleTimeString
Bug: 487347678
Change-Id: I766290ca1e2ced9556448bf31dbbd4d8f6656576
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064298
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678 Change-Id: Ib8ecc8268ef60847919abe2dc6f081665930fde3 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064299 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
V8-side change: https://crrev.com/c/7623762
Bug: 487620644
Change-Id: Iee848582cf8ed19085daea8c7715bf8c3f54f3d9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064480
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: I95e6e68e0ce4d2051f3c267667aedef63207b6c2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064377 Commit-Queue: Michael Achenbach <machenbach@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Michael Achenbach <machenbach@google.com>
- Run the transpiled script if --d8-path is provided
- Accept a custom --test-dir to run only a subset of the tests
Change-Id: I9771a83c79dab9a54eb8ef6facf6f697884bfa10
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336704
Auto-Submit: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Change-Id: I51e13233b12b8baa912e3c944c80bde94a556709 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9379364 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com>
As a first step only migrate a small set of tests. This change also modifies the MockFuzzer to support running on other threads than the main thread (as parallelism is the main purpose of this.)
Bug: 522635668
Change-Id: I90215a3448a0644712e081f294d695c84a0c43f4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9375860
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
This CL adds an optional superType input to the WasmDefineSignatureType JS operation. It also extends WasmSignatureTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor.
Bug: 517707090
Change-Id: I0b6aa71450534d0a113d8bd4f3d57195d2d7245d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9358622
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Change-Id: Ib49e26b947ff06614e2301e81a2df94a334dd081 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9393241 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Marja Hölttä <marja@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
In CombineMutator, allow inserting bundles on the top level of other bundles. This assumes instances running with and without --bundle are kept separate, and we will have either only bundles or only non-bundles in the corpus.
TAG=agy
CONV=4a533892-13ed-4e3d-9c14-ddbea92f43a1
Bug: 342521422
Change-Id: Id87de88649825ab4a5fab5cd847fd71d84e1b743
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9378862
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Fixed: 522692767 Change-Id: I5184713517701ea73a0df8a7fa610ce2670214bb Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9389661 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Marja Hölttä <marja@google.com> Reviewed-by: Raphaël Hérouart <rherouart@google.com>
This allows the fuzzer to add and remove variadic inputs from it.
Change-Id: I4e7e640af6ae295a9e2bad0cfe52959ef90181b1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9336703
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 522635668 Change-Id: I238b2364bc86b95782776f7b92c3c520b5e1b6a4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9409540 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
This patch replaces the flat `DestructObject` and `DestructArray` instructions with a recursive `DestructuringPattern` AST and FuzzIL implementation.
Key capabilities introduced:
- Deeply nested array and object patterns (e.g., `let { a: [ b, { c } ] } = obj`)
- Default values for both flat bindings and nested patterns
- Computed property keys in object destructuring
- Proper elision and rest element support within nested contexts
- Generalizes both variable declaration (`Destruct`) and reassignment (`DestructAndReassign`)
Bug: 515363087
Change-Id: I79fff58c693a5fc8879c00e439f9ad56655c42e7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9379120
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
This fixes two severe bugs in `OperationMutator.swift` that caused the
fuzzer to crash when mutating destructuring operations:
* Array Mutator Crash: Fixed a bug where toggling the rest target on an `.array` pattern incorrectly appended or removed variables from the `inouts` array. Array rest targets do not add a new binding constraint (they merely convert the last existing index), so altering the `inouts` size caused an immediate sanity check assertion failure during corpus generation.
* Object Mutator Crash: Fixed a fatal validation crash ("variable definitions are not contiguous") in the `.object` mutator. Toggling `hasRestElement` on an object pattern adds or removes an output variable. This is now restricted to reassignment operations (`DestructAndReassign`) to prevent changing the number of outputs on standard `Destruct` instructions, which corrupts the FuzzIL output variable sequence for the rest of the program.
Bug: 515363087
Change-Id: I12bc3fda136d994755fcc62872ada171a294a975
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9410534
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
This reverts commit e177651.
Reason for revert: Check whether this caused a spike in use-before-def failures
Failure Link: https://g-issues.chromium.org/issues/524213342
Original change's description:
> [wasm] Add superType input to WasmDefineSignatureType
>
> This CL adds an optional superType input to the WasmDefineSignatureType JS operation. It also extends WasmSignatureTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor.
>
> Bug: 517707090
> Change-Id: I0b6aa71450534d0a113d8bd4f3d57195d2d7245d
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9358622
> Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Bug: 517707090
Change-Id: I8d11e29e493b23cc55a245937d7b0927ad91026b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9413674
Bot-Commit: rubber-stamper@appspot.gserviceaccount.com <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This reduces the runtime for this set of tests from ~50 seconds to ~20 seconds (which is the runtime of a single test case that probably could be improved as some follow-up).
Bug: 522635668
Change-Id: I45f0d5cd922c3ad1914218f0580f7679185adce9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9410100
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
This was broken in commit 46170c0.
Change-Id: I65a34cfc257db839eb277de5da563075ea26934f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9413596
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
to check whether the recent crashes are related to importing outdated protobuf files.
Bug: 524213342
Change-Id: I169c4e928a05e41b120dcf28b7eb8d08d74fa55a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9414414
Reviewed-by: Michael Achenbach <machenbach@google.com>
Reviewed-by: Marja Hölttä <marja@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
LHS of exponentiation operator (**) must be parenthesized if it is a unary expression or a negative number literal, otherwise it is a syntax error in JavaScript.
TAG=agy
CONV=2999790b-3693-4f68-a976-4cc8e35ad72e
Bug: 524562043
Change-Id: I1795fafef47ff9e930c7afc037f07dcfa47a3c84
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9413974
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
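The grammar rule behind the commit above, as an added JavaScript example that is not code from Fuzzilli or this PR: `-2 ** 2` and `typeof x ** 2` are parse errors, while `(-2) ** 2` and `2 ** -2` are legal. The `lhsNeedsParens` and `liftExponentiation` helpers below are an illustrative stand-in for the lifter's decision; they work on already-lifted source strings, over-approximate by also parenthesizing prefix `++`/`--` (which are update expressions and would be legal bare), and do not deal with binary-operator precedence, which the real lifter handles separately.

```javascript
// Added example (not Fuzzilli code): when the left operand of `**` must be parenthesized.
// Prefix forms that make an expression a UnaryExpression in the ECMAScript grammar.
// The `-` and `+` branches also catch prefix `--`/`++`; extra parens there are harmless.
const UNARY_PREFIX = /^(?:[-+!~]|typeof\b|void\b|delete\b)/;

// True if `src` is wrapped in one outer pair of parentheses,
// e.g. "(-2)" but not "(a) ** (b)", whose first "(" closes early.
function isFullyParenthesized(src) {
  if (!src.startsWith('(') || !src.endsWith(')')) return false;
  let depth = 0;
  for (let i = 0; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')') depth--;
    if (depth === 0 && i < src.length - 1) return false; // outer pair closed before the end
  }
  return depth === 0;
}

// True if emitting `lhs` directly left of `**` would be a SyntaxError.
// A negative number literal lifts as "-<digits>", i.e. a unary minus, so it is covered.
function lhsNeedsParens(lhs) {
  const s = lhs.trim();
  return !isFullyParenthesized(s) && UNARY_PREFIX.test(s);
}

// Lift `lhs ** rhs`, parenthesizing the left operand only when required.
// The right operand may be a unary expression without parentheses.
function liftExponentiation(lhs, rhs) {
  const left = lhsNeedsParens(lhs) ? `(${lhs.trim()})` : lhs.trim();
  return `${left} ** ${rhs.trim()}`;
}

// Parse-only check: the Function constructor throws SyntaxError for an invalid body
// without running it, which is what a lifter test wants.
function isValidSyntax(expr) {
  try {
    new Function(`return (${expr});`);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

function evaluate(expr) {
  return new Function(`return (${expr});`)();
}
```

`isValidSyntax` is the kind of oracle worth keeping around when touching the lifter: every lifted expression form can be checked against the engine's parser in a unit test before it ever reaches the fuzzing loop, where a SyntaxError just wastes an execution.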
Other fuzzers have a head-start already with crrev.com/c/7939890 (and are already reporting issues.)
Bug: 458409082
Change-Id: If1fc65fc34c5325b5535a9bf8a08fe4e432203ba
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9419314
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Revert "[wasm] Add superType input to WasmDefineArrayType"
This reverts commit 3a03d76.
Revert "[wasm] Add superType input to WasmDefineStructType"
This reverts commit 5ce4c59.
Also bump protobuf version.
Bug: 524213342, 517707090
Change-Id: I0d10c4d9123292dd184281de0f0c02a12a199f13
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425034
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Bug: 522635668 Change-Id: I56d82eda0050b03c01e7b0af241ef58e2a820fd2 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9393800 Reviewed-by: Leon Bettscheider <bettscheider@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 524213342 Change-Id: Ib5ecc32559db751e8e48460a95ea896cf46d9d50 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9432455 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Michael Achenbach <machenbach@google.com>
This was already fixed once by https://crrev.com/i/8543776 which introduced PropertyFlags.randomWithoutWritable() to prevent generating both accessors and a writable attribute, which is invalid in JS. However, a subsequent large refactoring https://crrev.com/i/8386801 reverted this fix back to PropertyFlags.random().
Bug: 524562043
Change-Id: I8dd52a6c4b15936e7d585482379f5d7768e77316
TAG=agy
CONV=6b998cbb-ce46-4ab8-8af9-d1ed0f9a0cf9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9419396
Reviewed-by: Leon Bettscheider <bettscheider@chromium.org>
Commit-Queue: Marja Hölttä <marja@google.com>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
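The JavaScript rule the commit above relies on, as an added example that is not code from Fuzzilli or this PR: `Object.defineProperty` rejects a descriptor that carries `get`/`set` together with `writable` (or `value`) with a TypeError, whatever the boolean value of `writable`. `buildDescriptor` and `buildDescriptorNaive` are illustrative stand-ins for a flag set with and without the `randomWithoutWritable()` guard; nothing here is the fuzzer's own API.

```javascript
// Added example (not Fuzzilli code): accessor properties must never carry `writable`.

// Attempts the definition on a throwaway object and reports whether the engine accepted it.
function defineSucceeds(descriptor) {
  try {
    Object.defineProperty({}, 'p', descriptor);
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false; // "Invalid property descriptor" family
    throw e;
  }
}

// Guarded builder: an accessor descriptor may only carry enumerable/configurable
// plus get/set; `value` and `writable` are data-descriptor attributes.
function buildDescriptor({ accessor = false, writable = false, enumerable = false, configurable = false }) {
  const d = { enumerable, configurable };
  if (accessor) {
    d.get = function () { return 42; };
    d.set = function (_v) {};
    // `writable` intentionally omitted: even `writable: false` next to get/set is a TypeError.
  } else {
    d.value = 0;
    d.writable = writable;
  }
  return d;
}

// The regression the commit describes: flags applied blindly, so an accessor
// can end up with a `writable` attribute and the generated program throws.
function buildDescriptorNaive({ accessor = false, writable = false, enumerable = false, configurable = false }) {
  const d = { enumerable, configurable, writable };
  if (accessor) {
    d.get = function () { return 42; };
  } else {
    d.value = 0;
  }
  return d;
}
```

A program that hits the naive path does not crash the engine; it just throws a TypeError at the `defineProperty` call and the rest of the generated program never runs, which is why this shows up as lost coverage rather than as a found bug.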
This CL adds an optional superType input to the WasmDefineArrayType JS operation. It also extends WasmArrayTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor.
Bug: 517707090
Change-Id: I70b82608d49514ce29666f3e4d8d2ced5d8dcae0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425994
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
This CL adds an optional superType input to the WasmDefineStructType JS operation. It also extends WasmStructTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor.
Bug: 517707090
Change-Id: I9c0b3eb323e8251dffae80008df385eb945dc673
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9426034
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This CL adds an optional superType input to the WasmDefineSignatureType JS operation. It also extends WasmSignatureTypeDescription to take an optional superType parameter that it passes on to the WasmTypeDescription constructor.
Bug: 517707090
Change-Id: I1004b24c3d3df8f0b41ba9bf7ad41df9155770c1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425995
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Michael Achenbach <machenbach@google.com>
In both loop headers and simple declarations, Destructuring was only supported with variable declarations (let/const/var keyword); it can now be utilized for re-assigning existing variables.
Bug: 515363087
Change-Id: I081689487006a3f63aec5a07df924038d853bf51
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9425996
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Marja Hölttä <marja@google.com>
This change adopts `instr.inouts` first to avoid confusing variables originating from the original and the current program. Now, all inouts are lifted to the current program context, which matches any additional variables that may be added, e.g., by `extendVariadicOperation()`. Finally, the mutated instruction is appended.
Bug: 524213342
Change-Id: I35f54adc31adbaaad94cd91de6b3bfcc2fdebdf5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9449094
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
This enables subtyping support for arrays.
Bug: 517707090
Change-Id: I05a9e409ff643f6effa5da766977208ab2e1ede3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9408800
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Follow Up From https://crrev.com/i/9379120
Bug: 515363087
Change-Id: I8ea35cd8e941ab586b34365462582280dde80f8f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9419397
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
The test asserts that we do try to generate the proper input types for a generator even if it declares its inputs as .preferred().
Change-Id: Iff53d9489140f0f1e1b80cf067186bb839b05987
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457034
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Marja Hölttä <marja@google.com>
Change-Id: I563425858ed162ab8dbc2699abf6c94cca98d3ca Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9457294 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Raphaël Hérouart <rherouart@google.com> Commit-Queue: Marja Hölttä <marja@google.com>
updating with head