wasm: add fuzzer test files
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug --no-presubmit --extra-flags="--dump-wasm-module --dump-wasm-module-path=./test/fuzzer/wasm/" unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug --no-presubmit --extra-flags="--dump-wasm-module --dump-wasm-module-path=./test/fuzzer/wasm/" mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug --no-presubmit --extra-flags="--dump-wasm-module --dump-wasm-module-path=./test/fuzzer/wasm/" $(cd test/; ls cctest/wasm/test-*.cc | sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
find ./test/fuzzer/wasm/ -type f -size +20k | xargs rm
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org, aizatsky@chromium.org, jochen@chromium.org
4 years, 9 months ago
(2016-03-22 18:22:00 UTC)
#1
JF
4 years, 9 months ago
(2016-03-22 18:23:27 UTC)
#2
Description was changed from
==========
wasm: add fuzzer test files
Files generated using the new run-tests.py option added in:
https://codereview.chromium.org/1828433002
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ $(cd test/; ls cctest/wasm/test-*.cc |
sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org
==========
to
==========
wasm: add fuzzer test files
Files generated using the new run-tests.py option added in:
https://codereview.chromium.org/1828433002
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ $(cd test/; ls cctest/wasm/test-*.cc |
sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org
==========
4 years, 9 months ago
(2016-03-22 18:23:47 UTC)
#4
Added aizatsky at kcc's request.
aizatsky
4 years, 9 months ago
(2016-03-22 18:28:03 UTC)
#5
This is what we need.
lgtm
JF
4 years, 9 months ago
(2016-03-22 18:31:10 UTC)
#6
Description was changed from
==========
wasm: add fuzzer test files
Files generated using the new run-tests.py option added in:
https://codereview.chromium.org/1828433002
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ $(cd test/; ls cctest/wasm/test-*.cc |
sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org
==========
to
==========
wasm: add fuzzer test files
Files generated using the new run-tests.py option added in:
https://codereview.chromium.org/1828433002
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ $(cd test/; ls cctest/wasm/test-*.cc |
sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org, jochen@chromium.org
==========
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1826513002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1826513002/1
4 years, 9 months ago
(2016-03-22 18:32:37 UTC)
#10
Dry run: Try jobs failed on following builders: v8_android_arm_compile_rel on tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_android_arm_compile_rel/builds/15309) v8_linux64_asan_rel on ...
4 years, 9 months ago
(2016-03-22 18:34:27 UTC)
#12
4 years, 9 months ago
(2016-03-22 18:54:24 UTC)
#14
up to 20k is probably fine if this is what it takes for input to be interesting.
Megabytes is definitely too excessive, but it will not be used unless you define
max_len that big (which we won't).
4 years, 9 months ago
(2016-03-22 20:07:39 UTC)
#16
Just to clarify, landing these here is the right place to feed things?
Also, we have a second mode of operation in the wasm_asmjs directory, but
probably could start with the same seed data, as it's a similar format. Should
we produce separate data for this, or is there a way to share for both?
aizatsky
4 years, 9 months ago
(2016-03-22 20:39:32 UTC)
#17
> Just to clarify, landing these here is the right place to feed things?
I think having these next to fuzzers is a good idea.
bradn
4 years, 9 months ago
(2016-03-22 20:45:44 UTC)
#18
Sorry, not being clear in my questions :-)
Is this a location that we can put seed data that will get automatically picked
up in the future when the format changes, or is there a manual step on your end?
(I.e. is there somewhere in src/chrome/src/testing/fuzzing that we need to
reference this data)
Also any thoughts on sharing these for the wasm_asmjs fuzzer target?
Thanks!
JF
4 years, 9 months ago
(2016-03-22 20:45:45 UTC)
#19
Description was changed from
==========
wasm: add fuzzer test files
Files generated using the new run-tests.py option added in:
https://codereview.chromium.org/1828433002
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ $(cd test/; ls cctest/wasm/test-*.cc |
sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org, jochen@chromium.org
==========
to
==========
wasm: add fuzzer test files
Files generated using the new run-tests.py option added in:
https://codereview.chromium.org/1828433002
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ $(cd test/; ls cctest/wasm/test-*.cc |
sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
find ./test/fuzzer/wasm/ -type f -size +20k | xargs rm
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org, jochen@chromium.org
==========
JF
4 years, 9 months ago
(2016-03-22 20:47:24 UTC)
#20
On 2016/03/22 18:54:24, aizatsky wrote:
> up to 20k is probably fine if this is what it takes for input to be
interesting.
> Megabytes is definitely too excessive, but it will not be used unless you
define
> max_len that big (which we won't).
Done, I removed the 5 files that were larger:
find ./test/fuzzer/wasm/ -type f -size +20k | xargs rm
I updated the CL description to reflect this. I can add a shell script to a
future CL if we end up re-generating this often (the format will eventually be
stable, we're only churning it before stable launch).
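An added example of the regeneration script JF mentions above; it is not part of this CL or of V8. It replays the three run-tests.py invocations and the size-based pruning from the CL description, with the find/xargs step rewritten to hand paths to rm via -exec so odd file names cannot be re-split. The CORPUS_DIR and MAX_KB variables, the function names, the --regenerate switch and the sample corpus files are assumptions made for this example; only the run-tests.py flags and the 20k limit come from the description. It assumes it is run from the root of a V8 checkout.

```shell
#!/bin/sh
# Added example (not part of this CL or of V8) of a corpus regeneration
# script: replay the run-tests.py invocations from the CL description with
# the module-dump flags, then drop everything over the agreed size limit.
# Assumptions: run from a V8 checkout root; CORPUS_DIR and MAX_KB default to
# the values in the description (./test/fuzzer/wasm/ and 20).
set -eu

CORPUS_DIR="${CORPUS_DIR:-./test/fuzzer/wasm/}"
MAX_KB="${MAX_KB:-20}"

# Run one suite with the dump flags from the CL description.
dump_suite() {
  ./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 \
    --mode=debug --no-presubmit \
    --extra-flags="--dump-wasm-module --dump-wasm-module-path=${CORPUS_DIR}" \
    "$@"
}

# The description's sed rewrite, quoted instead of backslash-doubled:
# cctest/wasm/test-foo.cc -> cctest/test-foo/*
cctest_wasm_suites() {
  (cd test && ls cctest/wasm/test-*.cc \
    | sed -e 's#cctest/wasm/#cctest/#' -e 's#[.]cc$#/*#')
}

# Delete every regular file under $1 larger than $2 KiB and print how many
# were removed. Caveat: find rounds sizes up to whole units, so "+20k"
# matches any file of 20481 bytes or more while a 20480-byte file survives.
# -exec ... {} + passes the paths to rm directly, so names containing spaces
# are never re-split the way an unquoted "| xargs rm" would split them.
prune_corpus() {
  dir="$1"; limit_kb="$2"
  removed=$(find "$dir" -type f -size "+${limit_kb}k" | wc -l)
  find "$dir" -type f -size "+${limit_kb}k" -exec rm -f -- {} +
  echo $((removed))
}

# Constructed sample corpus (zero-filled, not real module dumps) for trying
# prune_corpus offline: one file on each side of the 20 KiB boundary plus
# one well under it, with a space in one name to exercise the -exec path.
make_sample_corpus() {
  dir="$1"
  mkdir -p "$dir"
  dd if=/dev/zero of="$dir/small.wasm" bs=1024 count=1 2>/dev/null
  dd if=/dev/zero of="$dir/exactly20k.wasm" bs=20480 count=1 2>/dev/null
  dd if=/dev/zero of="$dir/over 20k.wasm" bs=20481 count=1 2>/dev/null
}

# Regeneration only runs when asked for explicitly, so sourcing the file to
# use prune_corpus on its own is harmless.
if [ "${1:-}" = "--regenerate" ]; then
  if [ ! -x ./tools/run-tests.py ]; then
    echo "tools/run-tests.py not found; run from a V8 checkout root" >&2
    exit 1
  fi
  dump_suite unittests
  dump_suite mjsunit/wasm/*
  dump_suite $(cctest_wasm_suites)
  echo "pruned $(prune_corpus "$CORPUS_DIR" "$MAX_KB") files over ${MAX_KB}k"
fi
```

Invoke it as `sh regenerate_wasm_corpus.sh --regenerate` from the checkout root; the three suites are dumped into CORPUS_DIR and the prune count is printed at the end. The rounding caveat matters when comparing corpora across machines: two files that differ by one byte around a 1 KiB boundary can land on different sides of the limit.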
JF
The CQ bit was checked by jfb@chromium.org to run a CQ dry run
4 years, 9 months ago
(2016-03-22 20:47:51 UTC)
#21
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1826513002/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1826513002/20001
4 years, 9 months ago
(2016-03-22 20:48:05 UTC)
#22
Dry run: Try jobs failed on following builders: v8_linux64_asan_rel on tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_asan_rel/builds/15693) v8_linux64_avx2_rel on ...
4 years, 9 months ago
(2016-03-22 21:01:56 UTC)
#24
4 years, 9 months ago
(2016-03-22 21:16:30 UTC)
#25
Ha, looks like some of the bots already run these tests and are finding issues!
We won't be able to commit this CL before fixing the issues. I'm happy to look
into some of them.
JF
4 years, 9 months ago
(2016-03-23 19:31:26 UTC)
#26
Description was changed from
==========
wasm: add fuzzer test files
Files generated using the new run-tests.py option added in:
https://codereview.chromium.org/1828433002
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64
--mode=debug --no-presubmit --dump-wasm-module
--dump-wasm-module-path=test/fuzzer/wasm/ $(cd test/; ls cctest/wasm/test-*.cc |
sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
find ./test/fuzzer/wasm/ -type f -size +20k | xargs rm
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org, jochen@chromium.org
==========
to
==========
wasm: add fuzzer test files
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" $(cd test/; ls
cctest/wasm/test-*.cc | sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
find ./test/fuzzer/wasm/ -type f -size +20k | xargs rm
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org, jochen@chromium.org
==========
JF
4 years, 9 months ago
(2016-03-23 19:32:38 UTC)
#27
Talked to titzer and bradnelson: we'll fix the bugs in the near future, but not
now since we have a few other pressing matters.
I'll therefore put this CL on ice for now, but should get back to it before 52
branches because it's needed for asm2wasm testing.
JF
The CQ bit was checked by jfb@chromium.org to run a CQ dry run
4 years, 7 months ago
(2016-05-05 17:59:33 UTC)
#28
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1826513002/60001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1826513002/60001
4 years, 7 months ago
(2016-05-05 17:59:43 UTC)
#29
4 years, 7 months ago
(2016-05-05 18:00:00 UTC)
#30
Description was changed from
==========
wasm: add fuzzer test files
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" $(cd test/; ls
cctest/wasm/test-*.cc | sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
find ./test/fuzzer/wasm/ -type f -size +20k | xargs rm
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org, jochen@chromium.org
==========
to
==========
wasm: add fuzzer test files
Using the following invocations:
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" unittests
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" mjsunit/wasm/*
./tools/run-tests.py -j8 --variants=default --timeout=10 --arch=x64 --mode=debug
--no-presubmit --extra-flags="--dump-wasm-module
--dump-wasm-module-path=./test/fuzzer/wasm/" $(cd test/; ls
cctest/wasm/test-*.cc | sed -es/wasm\\///g | sed -es/[.]cc/\\/\\*/g)
find ./test/fuzzer/wasm/ -type f -size +20k | xargs rm
The files will need to be regenerated as we change the binary format.
R=bradnelson@chromium.org, titzer@chromium.org, kcc@chromium.org,
aizatsky@chromium.org, jochen@chromium.org
==========
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
4 years, 7 months ago
(2016-05-05 18:18:05 UTC)
#31
Dry run: Try jobs failed on following builders: v8_linux64_avx2_rel_ng on tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_avx2_rel_ng/builds/1211) v8_linux64_avx2_rel_ng_triggered on ...
4 years, 7 months ago
(2016-05-05 18:18:08 UTC)
#32
Dry run: Try jobs failed on following builders: v8_linux64_avx2_rel_ng on tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_linux64_avx2_rel_ng/builds/3386) v8_linux64_avx2_rel_ng_triggered on ...
4 years, 6 months ago
(2016-06-17 20:54:33 UTC)
#37
4 years, 6 months ago
(2016-06-17 21:06:08 UTC)
#38
The two interesting logs from the Linux run:
https://build.chromium.org/p/tryserver.v8/builders/v8_linux_dbg_ng_triggered/....
Command: /tmp/isolated_run47s5C7/out/Debug/v8_simple_wasm_fuzzer
--random-seed=-1038184575 fuzzer/wasm/d88cff7166ed466f.ok.wasm
Build environment:
GYP_DEFINES: dcheck_always_on=1 fastbuild=1 target_arch=ia32
test_isolation_mode=prepare use_goma=1 v8_enable_slow_dchecks=1
v8_optimized_debug=1 v8_target_arch=ia32
GYP_GENERATORS: ninja
Run #1
Exit code: -11
Result: CRASH
https://build.chromium.org/p/tryserver.v8/builders/v8_linux_dbg_ng_triggered/....
Command: /tmp/isolated_runL844gm/out/Debug/v8_simple_wasm_fuzzer
--random-seed=-1038184575 fuzzer/wasm/de466929fe7c6001.ok.wasm
Build environment:
GYP_DEFINES: dcheck_always_on=1 fastbuild=1 target_arch=ia32
test_isolation_mode=prepare use_goma=1 v8_enable_slow_dchecks=1
v8_optimized_debug=1 v8_target_arch=ia32
GYP_GENERATORS: ninja
Run #1
Exit code: -6
Result: FAIL
Stderr:
/b/build/slave/linux/build/v8/build/linux/debian_wheezy_i386-sysroot/usr/lib/gcc/i486-linux-gnu/4.6/../../../../include/c++/4.6313:
error: attempt to subscript container with out-of-bounds index 0, but
container only holds 0 elements.
Objects involved in the operation:
sequence "this" @ 0x0xfff1ae44 {
}
JF
4 years, 6 months ago
(2016-06-17 21:41:18 UTC)
#39
I looked at the out of bounds thing, and it looks like the fuzzer isn't set up
the same way as main code so it ends up with an import_table but without the
corresponding import_code.
InstantiateModuleCommon calls WasmModule::Instantiate which does a bunch of the
heavy lifting, but the fuzzer goes through CompileAndRunWasmModule which seems
to duplicate a bunch of Instantiate but forgets to call
CompileWrappersToImportedFunctions (which should be empty when fuzzing, and
should therefore fail, but we may want to also fuzz it non-empty). Why are
things duplicated this way?
JF
4 years, 6 months ago
(2016-06-17 21:59:59 UTC)
#40
The crash is stack exhaustion. bradnelson says he'll add the explicit stack
checks, off by default, and on for fuzzing only. This will fix itself with trap
handler.
bradn
The CQ bit was checked by bradnelson@google.com to run a CQ dry run
4 years, 3 months ago
(2016-08-24 23:23:06 UTC)
#41
Issue 1826513002: wasm: add fuzzer test files
(Closed)
Created 4 years, 9 months ago by JF
Modified 4 years, 3 months ago
Reviewers: bradnelson, kcc2, aizatsky, jochen (gone - plz use gerrit), bradn
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Comments: 0