
base fuzzilli update #52

Open
Dudcom wants to merge 157 commits into VRIG-RITSEC:agent from googleprojectzero:main

Conversation

Dudcom commented Jan 25, 2026

updating with head

Liedtke and others added 30 commits November 12, 2025 05:11
V8 side change: https://crrev.com/c/7137442

Bug: 457866804
Change-Id: Id01597d3194e4c88d38623f646c1671330e63b43
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8753396
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This replaces the separate logic for lastFunctionVariable with the
generic runtimeData approach.

This doesn't change behavior.

Change-Id: I9cc988879638b423dabc99d4598028caacb6a3de
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8714836
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Similarly to objects as disposable variables, this enables generating
instances of classes as disposable variables, used with both:
`using` and `await using`.

The generators have the new style and provide a class with a
computed method with Symbol.dispose or Symbol.asyncDispose.

As a fly-by, this also makes use of `b.runtimeData` to store the
symbol of the existing generator for disposable objects.

Bug: 446632644
Change-Id: I433ce357e4649230b803361e6fba15ca2cb954e2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8715016
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
V8-side change: https://crrev.com/c/7137292

Bug: 455552707
Change-Id: Ifd5f44b69ef62f18ecfa03525e988bd2f43253cc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8756377
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Victor Gomes <victorgomes@google.com>
Many (all?) JS engines have optimizations for string concatenations.
To make it more likely to have such concatenated strings (ConsString in
V8), add a code generator for string concatenation.

Fixed: 455552707
Change-Id: I0a9bf66a5f721d38f34327f7acd8c5344086cf10
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8756756
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
Reviewed-by: Victor Gomes <victorgomes@google.com>
So far this will only fuzz the definition of these signatures as there
aren't any operations registered which would make use of these
definitions, yet.

Bug: 445356784
Change-Id: I1c6b99e863bf359e4c505605d2d7f64533553f19
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8753596
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: Ib70851f9cd9d11f39501815280d6ea641c6df40e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8764020
Reviewed-by: Carl Smith <cffsmith@google.com>
Commit-Queue: Carl Smith <cffsmith@google.com>
Auto-Submit: Pawel Krawczyk <pawkra@google.com>
Bug: 458429784
Change-Id: If21b4e7bd0670939f0413c11e8d6c8ef1b5e5823
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783156
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Auto-Submit: Darius Mercadier <dmercadier@google.com>
type for input requirements and output guarantees.

Bug: 445356784
Change-Id: Ib1319c8e42e33688c7c0921b166e46e50b031748
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8760696
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Carl Smith <cffsmith@google.com>
Bug: 429332174
Change-Id: Ic644ce211f96e1bd2c3044bc14fa12ee4410fa24
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783696
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
V8-side-change: https://crrev.com/c/7178541
Right now this probably doesn't change much as the ProgramTemplate from
commit 9e2e2a3 uses multiple
assignments and other instructions will never emit the correct bytecode
due to how expression inlining is implemented for assignments right
now. Still, it doesn't hurt to add this flag to Fuzzilli as well.

Bug: 429332174
Change-Id: I7a4318ba434d701c530fef72a31bce1497f51529
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8792496
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Raphaël Hérouart <rherouart@google.com>
Reviewed-by: Raphaël Hérouart <rherouart@google.com>
Change-Id: Ib196ad69f5a3a09620b82da5e60694777a024aef
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8783856
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Pawel Krawczyk <pawkra@google.com>
This way the new code generation logic can resolve dependencies when it
requires a Wasm struct, array, or signature type.
In theory, these could all be registered as separate code generators;
however, it seems simpler to have one that just generates all 3 types.

We need the separate generator and can't rely on the "inner" generators
like the "ArrayTypeGenerator" as these can only run inside the
`.wasmTypeGroup` context.

Bug: 445356784
Change-Id: I5c2b9e37aeb9b3ab50f05a37e49147efff4acaa7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8767377
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Change-Id: I9f502e7d70fcccbb335f424391bebfdb6561f3e0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8764022
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
V8-side-change: https://crrev.com/c/7198340

Change-Id: I423361da98643dcde469b8a13c6b7df44114d8c6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8793536
Reviewed-by: Dominik Klemba <tacet@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
…function

To allow defining a block with a wasm-gc signature while already being
in the .wasmFunction context, this change adds a new operation
WasmDefineAdHocSignature. This way statements requiring a signature type
input can directly embed this signature definition inside the function.

Bug: 445356784
Change-Id: I56754224551ea82883c71410f4aca957b7bf24d4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8787096
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
To ensure that this function is correctly detected as a crash in both
regular fuzzing and sandbox fuzzing configurations

Change-Id: I22eae385d08d343926624d5e6f33b7e6dbf72993
Bug: 461681036
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796176
Commit-Queue: Samuel Groß <saelo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This change increases the probability of accessing the length of rest
parameters and rest elements to improve fuzzing coverage of V8's
optimizations for RestLength (rest.length). With a 20% probability, a
FuzzIL variable is created for the "length" property of a newly created
rest parameter or element. This affects all function types and array
destructuring generators.

For function generators and 'ForOfWithDestructLoopGenerator', we do not
need to check if outputs are empty: 'hasRestParameter' implies the
existence of parameters, and loop generation logic guarantees non-empty
indices. For 'DestructArrayGenerator' and
'DestructArrayAndReassignGenerator', we now ensure that 'lastIsRest' is
only true when the variable list is non-empty. Assertions were also
added to the DestructArray instructions to enforce this invariant.

Bug: 456162872
Change-Id: I37b78cc892aac5bb5e5164864863dc51dba40f51
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8741996
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Change-Id: I02ac85b1f90e3a21a6310157457d2e0c0ec364d3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796658
Auto-Submit: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
Bug: 455512155,455513417
Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
This adds a stand-alone Python script with the following
properties:
* Mimic various test configs from V8 (for now test262 without staging)
* List all supported tests from a config
* Transpile all tests in parallel (i.e. compile to FuzzIL and lift
  back to JS)
* Print statistics and return relevant results as a json file
* The results contain stats that we can track as a metric, e.g.
  the percentage of properly transpiled tests.

The script is tested with a Python unit test that runs the script
E2E, also hooked up through a presubmit script so that it's tested
on updates.

Bug: 442444727
Change-Id: I29c89cede59aef885e45a0ae0821d3388bc51e8f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8787097
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This makes the executor look for Node.js in the CWD, which makes it
easy to bundle both together when porting the FuzzILTool to another
machine.

Bug: 442444727
Change-Id: I80adcde79fb6d773f3f47817da24188bbbe5431e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796659
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Generating shared ref variables to be done in following CLs.

See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.

Bug: 448349112
Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Dominik Klemba <tacet@google.com>
Commit-Queue: Pawel Krawczyk <pawkra@google.com>
This reverts commit e35cbb5.

Reason for revert: Crashes and not reviewed yet.

Original change's description:
> Add support for shared references.
>
> Generating shared ref variables to be done in following CLs.
>
> See https://github.com/WebAssembly/shared-everything-threads/blob/main/proposals/shared-everything-threads/Overview.md.
>
> Bug: 448349112
> Change-Id: I3358ce9cdd528147b66f1954ef1a008b048e06df
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8734256
> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
> Reviewed-by: Dominik Klemba <tacet@google.com>
> Commit-Queue: Pawel Krawczyk <pawkra@google.com>

Bug: 448349112
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I8bc73bef53d053078db9318de6408d4dbf2f4cda
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8810396
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
This change allows the JavaScriptLifter to inline arrow functions (e.g., 'foo(() => 42)') by treating them as expressions.

- Adds ArrowFunctionExpression to JSExpressions.
- Updates JavaScriptLifter to detect recursive arrow functions and block boundaries.
- Non-recursive arrow functions are buffered and assigned as expressions.
- Recursive arrow functions retain the original variable declaration strategy.
- Implements concise body syntax ('() => expr') for single-line returns without comments.
- Updates JavaScriptWriter to use emitBlock for multi-line inlined expressions.

Bug: 464228572, 456164925
Change-Id: Ic4618c2ba92ad96d95303e83f8551c13beef508c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8808456
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
This is a mini-fuzzer for the new BytecodeVerifier in V8. It uses
%GetBytecode to obtain a JS representation of the BytecodeArray of an
existing function, mutates it, then installs it back on the function
using %InstallBytecode and finally executes the function.

As the verifier only ensures that the bytecode does not cause a sandbox
breakout (not general memory corruption), the mini-fuzzer is also
specific to the V8Sandbox fuzzing profile.

Bug: 461681036
Change-Id: Iac64f3c9532f47455c57cf4251197771b0663612
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8814316
Commit-Queue: Samuel Groß <saelo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This enables calling the script with the arguments --num-shards and
--shard-index. The former defines on how many shards (bots) the
overall task gets distributed, the latter the index n to
deterministically determine the sub-task for the n'th shard.

The test order is deterministic and we assume that this script is
called from different shards with the same test archive. The sub-task
is then evenly divided with a simple modulo algorithm.

Bug: 442444727
Change-Id: I32803d2bae14f9387e445b627363f4de7ac7efe4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8817538
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
…bility)."

This reverts commit 8a542af.

Reason for revert: V8/d8 is not seeded, therefore crashes are not reproducible (and the code is unstable).

Original change's description:
> Throw exception in TryCatchFinally blocks (with certain probability).
>
> Bug: 455512155,455513417
> Change-Id: I52dc1b9d27d02ee1e5d905eca3705d9a9c4a6661
> Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8796096
> Commit-Queue: Pawel Krawczyk <pawkra@google.com>
> Reviewed-by: Dominik Klemba <tacet@google.com>

Bug: 455512155,455513417
Change-Id: I17514fcc50b60232faccd0a7b418fad0b187174d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821316
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
This makes it possible to call the script from some nested work dir.

Bug: 442444727
Change-Id: I5f6f4313b652cb09e4d168785e78a2334495ccd9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8821322
Auto-Submit: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
This allows using parameter types which are indexed types
(things like `(ref null 1)`).

Implementation:
- Each WasmLoop instruction now takes its signature as the first input.
- The static signature types are removed from the begin and endLoop.
- The loop code generator emits an "ad hoc" signature in order to emit
  signatures for which we already have corresponding inputs available.

Bug: 445356784
Change-Id: Ic58ab7d6a092a39de77c974142dd7f976786e8e1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8792956
Reviewed-by: Pawel Krawczyk <pawkra@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Dominik Klemba and others added 30 commits February 19, 2026 01:33
Change the loop condition to compare the iteration index against 'indices.count - 1' instead of 'indices.last!'.

Also added regression test testDestructuringSimplificationWithRest, which reproduces the original bug using sparse indices with 'lastIsRest' set to true, ensuring that DestructArray is simplified into GetElement and a residual DestructArray for the rest elements.

Change-Id: Ic630615bb85231d703046be4dc669e4314927db2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9027276
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
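The simplification and the off-by-one that the commit above fixes, as an added JavaScript example (not Fuzzilli's Swift code): the FuzzIL stand-in (plain objects with `op`, `indices`, `lastIsRest`) is constructed, and the buggy comparison is modelled as the message describes it, the loop position compared against the value of the last index instead of `count - 1`.

```javascript
// Added example (not Fuzzilli's Swift code): the DestructArray simplification
// described in the commit message above, with a constructed stand-in for the
// FuzzIL instructions involved (plain objects with op/indices/lastIsRest).

// Lift a DestructArray to a JavaScript array pattern.  Indices are sorted and
// distinct; a gap becomes a hole.  With lastIsRest the last index starts a
// `...rest` binding, e.g. [0, 2, 5] -> "[v0, , v2, , , ...v5]".
function liftDestructPattern(indices, lastIsRest) {
  const last = indices[indices.length - 1];
  const slots = [];
  for (let k = 0; k <= last; k++) {
    const pos = indices.indexOf(k);
    if (pos === -1) slots.push('');
    else if (lastIsRest && pos === indices.length - 1) slots.push(`...v${k}`);
    else slots.push(`v${k}`);
  }
  return `[${slots.join(', ')}]`;
}

// Simplify one DestructArray into a GetElement per plain index plus a residual
// DestructArray holding only the rest index.  The loop must recognise the rest
// element by its *position* (indices.count - 1).  The buggy variant compares
// the position against the *value* of the last index instead; the two agree
// only when the indices are exactly 0..n-1, so any sparse or offset index list
// silently turns the rest element into a plain GetElement.
function simplifyDestructArray(indices, lastIsRest, buggy = false) {
  const restPosition = buggy ? indices[indices.length - 1] : indices.length - 1;
  return indices.map((index, pos) =>
    lastIsRest && pos === restPosition
      ? { op: 'DestructArray', indices: [index], lastIsRest: true }
      : { op: 'GetElement', index });
}

// Run an op list against a concrete array and collect the bound variables.
// DestructArray is executed through real JavaScript destructuring, so the
// simplified form is checked against the language semantics rather than
// against a re-implementation of them.
function evaluate(ops, arr) {
  const result = {};
  for (const op of ops) {
    if (op.op === 'GetElement') {
      result[`v${op.index}`] = arr[op.index];
    } else {
      const pattern = liftDestructPattern(op.indices, op.lastIsRest);
      const names = op.indices.map((i) => `v${i}`).join(', ');
      const bind = new Function('arr', `const ${pattern} = arr; return { ${names} };`);
      Object.assign(result, bind(arr));
    }
  }
  return result;
}

// Regression check in the spirit of testDestructuringSimplificationWithRest:
// sparse indices with lastIsRest, evaluated before and after simplification.
function checkSimplification(indices, arr, buggy = false) {
  const original = evaluate([{ op: 'DestructArray', indices, lastIsRest: true }], arr);
  const simplified = evaluate(simplifyDestructArray(indices, true, buggy), arr);
  return {
    original,
    simplified,
    equal: JSON.stringify(original) === JSON.stringify(simplified),
  };
}

// Constructed sample input: with the fixed bound the two forms agree; with the
// buggy bound v5 becomes the single element 15 instead of the rest array [15, 16].
const sample = [10, 11, 12, 13, 14, 15, 16];
console.log(checkSimplification([0, 2, 5], sample));       // equal: true
console.log(checkSimplification([0, 2, 5], sample, true)); // equal: false
```

Dense index lists such as `[0, 1, 2]` satisfy both comparisons, which is why the defect only shows up with sparse indices.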
While this feature is disabled by default, it is a non-experimental
feature and other fuzzers already create exposure of this feature
(see
https://source.chromium.org/chromium/chromium/src/+/main:v8/tools/clusterfuzz/trials/clusterfuzz_trials_config.json;l=60;drc=84a1682b877e88c8912cebf44a8513c7d84206ed)

Bug: 485657212
Change-Id: I899357c64d4e2dfd9385d3da5f445f0edc447765
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9035976
Reviewed-by: Darius Mercadier <dmercadier@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: Icee437b92f284e7f9f7dc339d31ee157c6f876ae
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9032277
Reviewed-by: Samuel Groß <saelo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 465497343
Change-Id: I81b857dc9dac3fb95f8cd3b0f45be04b396626d8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9043816
Commit-Queue: Michael Achenbach <machenbach@google.com>
Auto-Submit: Michael Achenbach <machenbach@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I7351c40670430f5b21ecff521eb5d419dc3ce2ac
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051356
Reviewed-by: Dominik Klemba <tacet@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Dominik Klemba <tacet@google.com>
This is needed for a tool that uses the JavaScriptExecutor and produces
a large amount of output (the list of all builtins available in the
global scope).

Bug: 487347678
Change-Id: Ib83ee2ae33a609e5b8ce1598b14892a8cedfd0a4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9047637
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/constructor

Change-Id: Iaa324d06653a8dfeb2cc5e48b8357f5e4d2670c2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051196
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Fuzzilli functionality for ref.cast added similarly to ref.test

Bug: 474940922
Change-Id: I7cd3a28b05b7289c8ea0836be0c6d1024556e24c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8995238
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
…d instance type

See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DisposableStack

Bug: 487347678
Change-Id: I85e523864482d16d5b1f2a1c9d0cd3ba0cb77613
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051796
Commit-Queue: Rezvan Mahdavi Hezaveh <rezvan@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com>
…ds and instance types

See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/AsyncDisposableStack

Bug: 487347678
Change-Id: I6a0506f0e09c8597c8f24a22833083a99c0c4472
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9051797
Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
getBigInt64 and getBigUint64 also take an optional second parameter
which is a bool to mark if little-endian encoding should be used.

Bug: 487347678
Change-Id: I352e74c7e5d74bd72f5c7ae35c8114bceba297d6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050878
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678
Change-Id: Ide8f3c5d4439981c729f14ecc96e4e54e4cfbe6f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050879
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
This also requires some refactoring:
1) We need to extend createPrototypeObjectGroup() to also allow
   additional properties as BYTES_PER_ELEMENT appears on the
   TypedArray builtin (the constructor) and on its prototype (and due to
   the prototype also on any instance of such typed array).
2) Merge Uint8Array (which is somewhat special due to base64) with the
   other typed arrays to reduce the amount of duplication.

Bug: 487347678
Change-Id: I795b16468ec9b52108dd41fee3ff54d74604df18
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9050880
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
With this change we support defining methods on classes and objects
with non-identifier names, like number and string literals.

Internally, all method names remain strings, reusing any type
information. At lifting, we approximate simple identifiers and
use them unquoted for method definition and for usage in dot
notation. For definitions, we also support quoted strings and
unquoted index values. At call sites, we ensure bracket notation
where needed, supporting index access without quotes.

This covers method names for plain objects and classes.
This does not cover properties, getters and setters yet.

We also add 2 custom method names to the environment that don't
follow the previous identifier naming.

Instructions that define such methods currently are:
ObjectLiteralMethod
ClassInstanceMethod
ClassStaticMethod

Instructions that use such methods are:
CallMethod
CallMethodWithSpread
CallSuperMethod
BindMethod

We ignore definitions and calls of private methods. They also reuse
the same typer logic, but naming rules are stricter here:
non-identifiers are not supported and should never be produced. We
now need to separate identifiers for private and other method names
in the JS environment.

This also extends the compiler to enable importing the new method
types.

Bug: 446634535
Change-Id: I2b8fbb8306e4b6bd901b61952c6da91d4210ae3f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9047716
Reviewed-by: Dominik Klemba <tacet@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>
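The lifting rules the commit above describes, as an added JavaScript example (not Fuzzilli's Swift lifter): the "simple identifier" approximation, the canonical-index rule and the helper names (`liftMethodKey`, `liftMethodAccess`, `liftAndRun`) are constructed here, and the lifted object literal is executed to show that every definition and call site is valid JavaScript.

```javascript
// Added example (not Fuzzilli's Swift lifter): choosing the JavaScript syntax
// for method names that are kept as plain strings internally, as described in
// the commit message above.  The identifier approximation is a constructed,
// ASCII-only rule, deliberately simpler than the full ECMAScript grammar.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Canonical array-index strings: "0", "7", "42" but not "042", "-1" or "1.5".
const INDEX = /^(0|[1-9][0-9]*)$/;

// "Simple identifier" approximation used for unquoted definitions and dot
// notation.  Reserved words such as "class" are accepted on purpose: they are
// valid property names both in method definitions and after a dot.
function isSimpleIdentifier(name) {
  return IDENTIFIER.test(name);
}

// Private names (#name) must be identifiers; nothing else is ever produced.
function isValidPrivateName(name) {
  return isSimpleIdentifier(name);
}

// Method *definition* key, for ObjectLiteralMethod / ClassInstanceMethod /
// ClassStaticMethod: unquoted identifier, unquoted index, or quoted string.
function liftMethodKey(name) {
  if (isSimpleIdentifier(name)) return name;
  if (INDEX.test(name)) return name;
  return JSON.stringify(name); // escapes quotes, backslashes and control chars
}

// Method *access* at a call site (CallMethod, CallMethodWithSpread,
// CallSuperMethod, BindMethod): dot notation for simple identifiers, bracket
// notation otherwise, with canonical indices left unquoted.
function liftMethodAccess(receiver, name) {
  if (isSimpleIdentifier(name)) return `${receiver}.${name}`;
  if (INDEX.test(name)) return `${receiver}[${name}]`;
  return `${receiver}[${JSON.stringify(name)}]`;
}

function liftCallMethod(receiver, name, args = []) {
  return `${liftMethodAccess(receiver, name)}(${args.join(', ')})`;
}

// Lift an object literal whose methods each return their own name, followed
// by one call per method, and execute the result.  Getting the names back in
// order proves that every definition and call site parsed and resolved to the
// same property, whichever syntax was chosen for it.
function liftAndRun(methodNames) {
  const methods = methodNames.map(
    (n) => `  ${liftMethodKey(n)}() { return ${JSON.stringify(n)}; }`,
  );
  const calls = methodNames.map((n) => liftCallMethod('o', n));
  const source = `const o = {\n${methods.join(',\n')}\n};\nreturn [${calls.join(', ')}];`;
  return { source, result: new Function(source)() };
}

// Constructed sample: an identifier, an index, a non-canonical index, a name
// with a space, a name containing a quote, and a reserved word.
const demo = liftAndRun(['foo', '1', '042', 'not an id', 'a"b', 'class']);
console.log(demo.source);
```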
Bug: 487347678
Change-Id: I37f8126dbd08e989f229246f68675540cfc8c9f4
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052178
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678
Change-Id: I312d4574513d40fc0ecb43218ee62dcd8eada091
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052179
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
The added properties are deprecated, but in the end it matters what we
ship, not if it's deprecated.

Bug: 487347678
Change-Id: I3e027d8a1ece8a6bdf31929fd3952d2589cc0bfa
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052180
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678
Change-Id: I11dd214d888556ded07b3d41afe387ae5c4c79cc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052181
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678
Change-Id: I08a1e7346eb50d85832e4d4df798ba5b52348382
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9052182
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I13e3653837dbc4502252cbe2ac25e8b4dbb7c44f
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058297
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678
Change-Id: I5fdc080270ee713b71c46faf867a800180c1ec22
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058836
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Bug: 487347678
Change-Id: I649849a5e3d9511e82e5e47a5ffc61433ca8822e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058837
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
- Proxy.revocable
- Promise.withResolvers
- Number.parseFloat
- Number.parseInt
- Object.groupBy
- Object.hasOwn

Bug: 487347678
Change-Id: I67c3c1c0b0d517dc61cc8a26c69031b81cf9eccc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058838
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
Change-Id: I539c771195a5c9a5242c9650815496f8c255cdba
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064096
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Auto-Submit: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Doga Yüksel <dyuksel@google.com>
and add a custom generator for Intl.DisplayNames.prototype.of() as it
contains a tight coupling between the constructor arguments and the code
provided to the "of" function as an argument.

Bug: 487347678
Change-Id: Ia0ffd3f51599b501a6855b07931249abcf777984
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9063878
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manish Goregaokar <manishearth@google.com>
Bug: 487347678
Change-Id: I92fa5d5dccfcd3b5f5590ecea134265bb10d1190
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064297
Reviewed-by: Manish Goregaokar <manishearth@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
- <Error>.name for all builtin error types
- <Error>.prototype.message and <Error>.prototype.name for all builtin
  error types
- ArrayBuffer.prototype.sliceToImmutable
- Date.prototype.toLocaleDateString
- Date.prototype.toLocaleTimeString

Bug: 487347678
Change-Id: I766290ca1e2ced9556448bf31dbbd4d8f6656576
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064298
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Bug: 487347678
Change-Id: Ib8ecc8268ef60847919abe2dc6f081665930fde3
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064299
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
V8-side change: https://crrev.com/c/7623762

Bug: 487620644
Change-Id: Iee848582cf8ed19085daea8c7715bf8c3f54f3d9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064480
Reviewed-by: Michael Achenbach <machenbach@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Change-Id: I95e6e68e0ce4d2051f3c267667aedef63207b6c2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9064377
Commit-Queue: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>