Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fuzzer: Allow using initial content with V8 #6327

Merged
merged 14 commits into from
Feb 22, 2024
Merged

Conversation

kripken
Copy link
Member

@kripken kripken commented Feb 21, 2024

One problem was that spec testcases had exports with names that are not
valid to write as JS exports.name. For example an export with a - in the
name would end up as exports.foo-bar etc. Since #6310 that is fixed as
we do not emit such JS (we use the generic fuzz_shell.js script which iterates
over the keys in exports with exports[name]).

Also fix a few trivial fuzzer issues that initial content uncovered:

  • Ignore a wat file with invalid utf-8.
  • Print string literals in the same way from JS as from C++.
  • Enable the stringref flag in V8.
  • Remove tag imports (the same as we do for global and function and other imports).

@kripken kripken requested a review from tlively February 21, 2024 00:57
@kripken kripken marked this pull request as draft February 21, 2024 01:11
@kripken kripken removed the request for review from tlively February 21, 2024 01:12
@kripken
Copy link
Member Author

kripken commented Feb 21, 2024

Ah, there are other issues preventing this, the fuzzer found one. Converted to draft for now.

@kripken kripken marked this pull request as ready for review February 21, 2024 23:53
@kripken
Copy link
Member Author

kripken commented Feb 21, 2024

This looks ready now. I added a few trivial fuzzer fixes (see updated top comment) and with those I can fuzz over 6,000 iterations without issue.

@kripken kripken requested a review from tlively February 21, 2024 23:54
@kripken
Copy link
Member Author

kripken commented Feb 21, 2024

(Also the nontrivial fix in #6331 needed to land first.)

@@ -311,6 +311,8 @@ def is_git_repo():
'exception-handling.wast',
'translate-eh-old-to-new.wast',
'rse-eh.wast',
# Non-UTF8 strings trap in V8
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trap or validation failure? Should we make them validation failures in Binaryen as well?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I think it was a trap actually but I'd need to find the testcase again to check.

But I don't think these should fail to validate - non-utf8 strings are ok in the stringref proposal, as you can use other encodings there. It should only trap if you use the utf8 encoding I think.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to the overivew, the string literals must be valid WTF-8, although it doesn't say what happens (presumably a decoding error) if they're not: https://github.com/WebAssembly/stringref/blob/main/proposals/stringref/Overview.md#string-literal-section

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, good catch... but then why does the proposal also support other encodings elsewhere?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Presumably they want to support encoding and decoding to all kinds of formats for interoperability with other systems, but there's no need to support more than one format for literals because they can be encoded correctly, whatever correctly means, during compilation.

@kripken
Copy link
Member Author

kripken commented Feb 22, 2024

Landing, though this may keep finding new bugs for a while, like #6336 for example. But the frequency of them seems low (multiples of 10K iterations to find one) which seems acceptable on main.

@kripken kripken merged commit 212f7c3 into WebAssembly:main Feb 22, 2024
14 checks passed
@kripken kripken deleted the fuzz.moar branch February 22, 2024 18:56
radekdoulik pushed a commit to dotnet/binaryen that referenced this pull request Jul 12, 2024
One problem was that spec testcases had exports with names that are not
valid to write as JS exports.name. For example an export with a - in the
name would end up as exports.foo-bar etc. Since WebAssembly#6310 that is fixed as
we do not emit such JS (we use the generic fuzz_shell.js script which iterates
over the keys in exports with exports[name]).

Also fix a few trivial fuzzer issues that initial content uncovered:

- Ignore a wat file with invalid utf-8.
- Print string literals in the same way from JS as from C++.
- Enable the stringref flag in V8.
- Remove tag imports (the same as we do for global and function and other imports).
@gkdn gkdn mentioned this pull request Aug 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants