Adding Wasm + Wasm-asm variant fuzzer.

Adding Wasm + Wasm-asm variant fuzzer.

Fixing a memory leak in CompileAndRunModule.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium.org,titzer@chromium.org
LOG=N

Committed: https://crrev.com/cb028ac0e41f411fb1fa0858cb02928e862a1630
Cr-Commit-Position: refs/heads/master@{#34415}

[bradn, 2016-02-26 06:53:45]

Description was changed from

==========
Adding Wasm + Wasm-asm variant fuzzer.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium...
LOG=N
==========

to

==========
Adding Wasm + Wasm-asm variant fuzzer.

Fixing a memory leak in CompileAndRunModule.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium...
LOG=N
==========

[bradn, 2016-02-26 06:55:35]

bradnelson@google.com changed reviewers:
+ bradnelson@google.com

[Michael Achenbach, 2016-02-26 07:25:13]

infra parts, lgtm

[titzer, 2016-02-26 07:56:16]

lgtm

[jochen (gone - plz use gerrit), 2016-02-26 08:02:01]

could we have a non-empty sample input?

[bradn, 2016-02-26 08:10:19]

I was hoping someone would ask :-)

So it's like a tiny valid one (47 bytes), though now that I think of it I'm
counting the first byte as a way to pick asm, so it's not valid.

There are a ton of options in terms of sample input, but I'm unsure what's
likely to be useful / helpful.

I can put a whole bunch of little ones?, or I have some large ones.

Recommendations?

[jochen (gone - plz use gerrit), 2016-02-26 08:12:39]

the idea is to add regression tests, once libfuzzer finds something. libfuzzer
doesn't look at the sample input, so basically a small sample input to verify
that your function does what you think it does (ie not crash) is enough

[bradn, 2016-02-26 08:13:25]

More follow up questions:

1. Would it be better to try loading each as both asm and non-asm style wasm ?
That would keep the input as a valid wasm module.

2. Would it be better to handle a single function? And or put that in a separate
test?

Thanks

[jochen (gone - plz use gerrit), 2016-02-26 08:19:30]

On 2016/02/26 at 08:13:25, bradnelson wrote:
> More follow up questions:
> 
> 1. Would it be better to try loading each as both asm and non-asm style wasm ?
That would keep the input as a valid wasm module.
> 
> 2. Would it be better to handle a single function? And or put that in a
separate test?
> 
> Thanks

for libfuzzer, it's best if the function runs as fast as possible, so creating
separate tests sounds better

[JF, 2016-02-26 17:26:25]

jfb@chromium.org changed reviewers:
+ jfb@chromium.org

[JF, 2016-02-26 17:26:26]

I have 1200 small .wasm files for sale:
https://storage.googleapis.com/wasm-llvm/builds/git/wasm-torture-s2wasm-sexpr...

Most of them work in d8:
https://github.com/WebAssembly/waterfall/blob/master/src/test/d8_known_gcc_te...

[kcc2, 2016-02-26 18:18:52]

It would be better to not use the first byte to pick the type. 
Instead, I'd recommend e.g. the sum of all bytes.
This way you will not need to remove the 1-st byte from the reproducer to feed
this input into regular tools. 
You will also be able to use JF's test corpus as the seed. 

It would be nice to have 10-100 valid files there initially so that the fuzzer
has an easy start. 
JF's corpus might be to big to put into git (we will put it into the bucket). 
However, we can use the fuzzer itself to extract minimized corpus from JF's one
and put it git. 
./fuzzer DIR_TO_PUT_MINIMAL_CORPUS JFsCORPUS_DIR -merge=1 -max_len=4096

(just to verify: you found the leak independently, or by fuzzing?)

Cool!

[JF, 2016-02-26 19:01:57]

On 2016/02/26 18:18:52, kcc2 wrote:
> It would be better to not use the first byte to pick the type. 
> Instead, I'd recommend e.g. the sum of all bytes.
> This way you will not need to remove the 1-st byte from the reproducer to feed
> this input into regular tools. 
> You will also be able to use JF's test corpus as the seed. 
> 
> It would be nice to have 10-100 valid files there initially so that the fuzzer
> has an easy start. 
> JF's corpus might be to big to put into git (we will put it into the bucket). 
> However, we can use the fuzzer itself to extract minimized corpus from JF's
one
> and put it git. 
> ./fuzzer DIR_TO_PUT_MINIMAL_CORPUS JFsCORPUS_DIR -merge=1 -max_len=4096

The binary format is still changing a lot, so the corpus will often become
invalid and have to be regenerated (so will the fuzzer results). Maybe it's
better to move the corpus to another repo until the binary format stabilizes? I
could do that automatically from the wasm-stat.us waterfall, and then you'd pull
in a pinned version of that repo or something, and augment it with fuzzer-found
bugs?

[kcc2, 2016-02-26 19:04:43]

If the format is not finalized yet, we shouldn't store samples in git for now. 
We can start from simple manual process (unless the format changes too often)

[kcc2, 2016-02-26 19:04:47]

If the format is not finalized yet, we shouldn't store samples in git for now. 
We can start from simple manual process (unless the format changes too often)

[bradn, 2016-03-01 23:20:32]

Discovered leak from asan try run :-(

[bradn, 2016-03-02 00:39:19]

The CQ bit was checked by bradnelson@google.com

[bradn, 2016-03-02 00:39:19]

The patchset sent to the CQ was uploaded after l-g-t-m from
machenbach@chromium.org, titzer@chromium.org
Link to the patchset: https://codereview.chromium.org/1738943004/#ps220001
(title: "fix")

[commit-bot: I haz the power, 2016-03-02 00:39:23]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1738943004/220001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1738943004/220001

[commit-bot: I haz the power, 2016-03-02 00:53:25]

Description was changed from

==========
Adding Wasm + Wasm-asm variant fuzzer.

Fixing a memory leak in CompileAndRunModule.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium...
LOG=N
==========

to

==========
Adding Wasm + Wasm-asm variant fuzzer.

Fixing a memory leak in CompileAndRunModule.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium...
LOG=N
==========

[commit-bot: I haz the power, 2016-03-02 00:53:26]

Committed patchset #13 (id:220001)

[commit-bot: I haz the power, 2016-03-02 00:54:15]

Description was changed from

==========
Adding Wasm + Wasm-asm variant fuzzer.

Fixing a memory leak in CompileAndRunModule.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium...
LOG=N
==========

to

==========
Adding Wasm + Wasm-asm variant fuzzer.

Fixing a memory leak in CompileAndRunModule.

BUG= https://code.google.com/p/v8/issues/detail?id=4203
TEST=wasm-fuzzer
R=jochen@chromium.org,jarin@chromium.org,kcc@chromium.org,machenbach@chromium...
LOG=N

Committed: https://crrev.com/cb028ac0e41f411fb1fa0858cb02928e862a1630
Cr-Commit-Position: refs/heads/master@{#34415}
==========

[commit-bot: I haz the power, 2016-03-02 00:54:17]

Patchset 13 (id:??) landed as
https://crrev.com/cb028ac0e41f411fb1fa0858cb02928e862a1630
Cr-Commit-Position: refs/heads/master@{#34415}