| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
| |
This finds out which locals are live at call sites that might pause/resume,
which is the set of locals we need to actually save/load. That is, if a local
is not alive at any call site in the function, then it's value doesn't need to
stay alive while sleeping.
This saves about 10% of locals that are saved/loaded, and about 1.5%
in final code size.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Necessary preparations for a later PR that adds bulk memory
support to wasm2js (splitting this out so the next PR is less big):
* Fix logging of print functions in wasm2js spec tests, there
was an extra space in the output (which console.log adds
automatically between items).
* Don't assume the output is always empty, as some tests
(like bulk memory) do have expected output.
* Rename test/bulk-memory.wast as it "conflicts" with
test/spec/bulk-memory.wast - the problem is that we scan
both places, and emit files in test/wasm2js/*, so those
would collide if the names overlap.
* Extend the parsing and emitting of JS for (assert.. ) lines such as
(assert_return (invoke "foo" (i32.const 1)) (i32.const 2))
to also handle
(invoke "foo" (i32.const 1)) (i32.const 2))
Without this, we skip (invoke ..) lines in spec tests, which normally is
fine, but in bulk memory at least they have side effects we need - we
must run them before the later assertions.
|
| |
|
| |
fixes #2915
|
| |
|
|
| |
To avoid the conditional trailing comma.
|
| |
|
|
|
|
|
| |
anyref future semantics were changed to only represent opaque host values, and thus renamed to externref.
[Chromium](https://bugs.chromium.org/p/v8/issues/detail?id=7748#c360) was just updated to today (not yet released). I couldn't find a Mozilla bugzilla ticket mentioning externref so I don't immediately know if they've updated yet.
https://github.com/WebAssembly/reference-types/pull/87
|
| |
|
| |
As specified in https://github.com/WebAssembly/simd/pull/232.
|
| |
|
|
|
|
|
|
|
| |
When the fuzzer script is given a wasm we don't create a new
one from scratch. But we should still apply --denan and other
things so that we preserve those properties while reducing.
Without this it's possible for reduction to start with a wasm with
no nans but to lose the property eventually, and end up with a
reduced testcase which is not quite what you want.
|
| |
|
|
|
| |
We already avoid that in CompareVMs but Asyncify has the
same issue, as it also can optimize in binaryen but run in
another VM (with different nondeterministic NaN behavior).
|
| |
|
|
|
|
|
| |
FUZZ_OPTS are things like --denan which affect generation of
the original wasm. We were passing those to testcase handlers,
which meant that in addition to the random optimizations we picked
they were also running --denan etc. again. That can be confusing,
so remove it.
|
| |
|
|
|
|
| |
This moves the fuzzer de-NaN logic out into a separate pass. This is
cleaner and also better since the old way would de-NaN once, but then
the reducer could generate code with nans. The new way lets us de-NaN
while reducing.
|
| | |
|
| |
|
|
| |
We need the memory to be exported in order to read and
write stuff for the asyncify data structure.
|
| |
|
|
|
|
| |
Push and Pop have been superseded by tuples for their original
intended purpose of supporting multivalue. Pop is still used to
represent block arguments for exception handling, but there are no
plans to use Push for anything now or in the future.
|
| |
|
|
| |
This is the only instruction in the current spec proposal that had not
yet been implemnented in the tools.
|
| |
|
|
|
| |
This test verifies that functions in the llvm input source that
do stack pointer manipulation get correctly handled by
`wasm-emscripten-finalize --check-stack-overflow` (StackLimitEnforcer)
|
| |
|
| |
As specified in https://github.com/WebAssembly/simd/pull/122.
|
| |
|
|
|
|
|
| |
Currently the fuzzer only generate a script for wasm-reduce only when it
first discovers a case and doesn't do that when a seed is given. But
when you get a bug report with a seed or you want to reproduce the
situation, is still helpful if the fuzzer generates a reduce script for
you.
|
| |
|
|
|
|
|
| |
Use --emit-target-features and --detect-features.
Rename Asyncify handler temp files (I happened to notice they overwrote other files, which was annoying.
Fixes #2831
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this, when it finds a bug all you need to do is copy-paste
a single line and it runs the reducer. To do that, it creates a
reducer script and fills it out for you. The script has all the docs
we used to print out to the console, so the console output is
more focused and concise now.
In most cases just running the single line it suggests should
work, however I found that it doesn't always. One reason is
#2831
Also add a missing sys.exit(1), without which we returned 0
despite printing out an error on a failing testcase.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't run wasm2c2wasm on large wasm files, as it can OOM the VM.
I've seen this happen on a single wasm on multiple engines, so it's not
a specific engine bug. Sticking to below-average wasm sizes seems ok.
That change means that we check if a vm can run on a per-wasm basis.
That required some refactoring as it means we may be able to run on
the "before" wasm but not the "after" one, or vice versa.
Fix a tiny nondeterminism issue with iterating on a set().
Some tiny docs improvements to the error shown when a bug is found.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This builds on recent work for deterministic reproduction of fuzzer
testcases using IDs. With that, we can remove all the old auto-reduction
code and make something very similar possible for all* things the
fuzzer script checks for.
The idea is simple: if you run the fuzzer script and it finds a bug,
it prints out the ID it found it with. If you then run
fuzz_opt.py ID
then it runs that exact testcase again, deterministically, making
all the same random choices it made before. The new addition
in this PR is that you can do
fuzz_opt.py ID WASM
which also adds a wasm file. If provided, we still randomly
generate one in the fuzzer script (so that later random numbers
are the same) but we swap in that provided wasm. This then
lets wasm-reduce drive fuzz_opt.py itself as a whole. No more
extracting a testcase and all its commands, it's all done for you.
The fuzzer script will print out hopefully-useful text when it finds
a bug, something like this:
================================================================================
You found a bug! Please report it with
seed: 4671273171120144526
and the exact version of Binaryen you found it on, plus the exact Python
version (hopefully deterministic random numbers will be identical).
You can run that testcase again with "fuzz_opt.py 4671273171120144526"
The initial wasm file used here is saved as /home/username/binaryen/out/test/original.wasm
You can try to reduce the testcase with
wasm-reduce /home/username/binaryen/out/test/original.wasm '--command=bash reduce.sh' -t /home/username/binaryen/out/test/t.wasm -w /home/username/binaryen/out/test/w.wasm
where "reduce.sh" is something like
# check the input is even a valid wasm file
bin/wasm-opt /home/username/binaryen/out/test/t.wasm
echo $?
# run the command
./scripts/fuzz_opt.py 4671273171120144526 /home/username/binaryen/out/test/t.wasm > o 2> e
cat o | tail -n 10
echo $?
You may want to adjust what is printed there: in the example we save stdout
and stderr separately and then print (so that wasm-reduce can see it) what we
think is the relevant part of that output. Make sure that includes the right
details, and preferably no more (less details allow more reduction, but raise
the risk of it reducing to something you don't quite want).
You may also need to add --timeout 5 or such if the testcase is a slow one.
================================================================================
The text has full instructions to run the reducer, which should
work in almost all cases - see (*) note below. Because of that
corner case I think it's safer to not run the reducer automatically,
but it's just a quick copy-paste away, and the user can then adjust
the reduce.sh script if necessary.
(*) Well, almost any. There are some corner cases, such as if the
fuzzer generator includes bounds checks in the wasm, reduction
might remove them. We can fix this eventually by making the
bounds checks additions a pass that can be run after the fuzzer
generator, but meanwhile you can work around this by making the
reduction script look for the right thing (i.e. if all it looks for is a
failing return code, that won't be enough as a removed bounds
check will fail but on something else).
|
| |
|
|
|
| |
Just like the parent wasm2c, with NaNs don't compare to self before
and after optimizations. The binaryen optimizer does different things than the
LLVM optimizer there, and NaN bits can change.
|
| |
|
|
|
|
| |
Avoid pass-debug when fuzzing emcc, as it can be slow and isn't
what we care about.
Clean up a loop.
|
| |
|
|
|
|
| |
These tests are now optional. However, if you run them and the
build is not found they will now error out, in order to avoid silently
failing.
|
| |
|
| |
Since the --roundtrip pass is more general than --fuzz-binary anyways. Also reimplements `ModuleUtils::clearModule` to use the module destructor and placement new to ensure that no members are missed.
|
| |
|
|
|
|
|
|
|
| |
This adds a variant on wasm2c that uses emcc instead of a
native compiler. This helps us fuzz emcc.
To make that practical, rewrite the setjmp glue to only use one
setjmp. The wasm backend ends up doing linear work per setjmp,
so it's quadratic with many setjmps. Instead, do a big switch-loop
construct around a single setjmp.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds support for fuzzing with wabt's wasm2c that @binji wrote.
Basically we compile the wasm to C, then compile the C to a native
executable with a custom main() to wrap around it. The executable
should then print exactly the same as that wasm when run in either
the binaryen interpreter or in a JS VM with our wrapper JS for that
wasm. In other words, compiling the wasm to C is another way to
run that wasm.
The main reasons I want this are to fuzz wasm2c itself, and to
have another option for fuzzing emcc. For the latter, we do fuzz
wasm-opt quite a lot, but that doesn't fuzz the non-wasm-opt
parts of emcc. And using wasm2c for that is nice since the
starting point is always a wasm file, which means we
can use tools like wasm-reduce and so forth, which can be
integrated with this fuzzer.
This also:
Refactors the fuzzer harness a little to make it easier to
add more "VMs" to run wasms in.
Do not autoreduce when re-running a testcase, which I hit
while developing this.
|
| |
|
|
|
|
| |
The intention is to move away from travis and appveyor which have
become very slow.
See: #2356
|
| |
|
|
|
|
|
|
|
| |
1. Only emit exnref as part of a subtype if exception-handling is
enabled in the fuzzer.
2. Correctly report that funcref and nullref require reference-types
to be enabled.
3. Re-enable multivalue as a normal feature in the fuzzer.
Possibly fixes #2770.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Emit tuple.make, tuple.extract, and multivalue control flow, and tuple locals
and globals when multivalue is enabled. Also slightly refactors the top-level
`makeConcrete` function to be more selective about what it tries to
make based on the requested type to reduce the number of trivial nodes
created because the requested type is incompatible with the requested
node.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The main benefit here is comparing VMs, instead of just comparing
each VM to itself after opts. Comparing VMs is a little tricky since there
is room for nondeterminism with how results are printed and other
annoying things, which is why that didn't work well earlier.
With this PR I can run 10's of thousands of iterations without finding
any issues between v8 and the binaryen interpreter. That's after
fixing the various issues over the last few days as found by this:
#2760 #2757 #2750 #2752
Aside from that main benefit I ended up adding more improvements
to make it practical to do all that testing:
Randomize global fuzz settings like whether we allow NaNs and
out-of-bounds memory accesses. (This was necessary here since
we have to disable cross-VM comparisons if NaNs are enabled.)
Better logging of statistics like how many times each handler
was run.
Remove redundant FuzzExecImmediately handler (looks like
after past refactorings it was no longer adding any value).
Deterministic testcase handling: if you run e.g. fuzz_opt.py 42 it
will run one testcase and exactly the same one. If you run without
an argument it will run forever until it fails, and if it fails, it prints out
that ID so that you can easily reproduce it (I guess, on the same
binaryen + same python, not sure how python's deterministic
RNG changes between versions and builds).
Upgrade to Python 3.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In wasm2js we ignore things that trap in wasm that we can't
really handle, like a load from memory out of bounds would
trap in wasm, but in JS we don't want to emit a bounds check
on each load. So wasm2js focuses on programs that don't
trap.
However, this is annoying in the fuzzer as it turns out that
our behavior for places where wasm would trap was not
deterministic. That is, wasm would trap, wasm2js would not
trap and do behavior X, and wasm2js with optimizations
would also not trap but do behavior Y != X. This produced
false positives in the fuzzer (and might be annoying in
manual debugging too).
As a workaround, this adds a --deterministic flag to wasm2js,
which tries to be deterministic about what it does for cases
where wasm would trap. This handles the case of an int
division by 0 which traps in wasm but without this flag could
have different behavior in wasm2js with or without opts
(see details in the patch).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These are no all driven by only by the two top level scripts:
check.py
auto_update_tests.py
What is more all of them were broken when run isolation due to
relative import rules in python3. e.g.:
```
$ scripts/test/binaryenjs.py
Traceback (most recent call last):
File "scripts/test/binaryenjs.py", line 21, in <module>
from . import shared
ImportError: cannot import name 'shared' from '__main__' (scripts/test/binaryenjs.py)
```
|
| |
|
|
| |
Also, factor out auto-updating of binaryenjs testing so it lives
alongside the actual test code.
|
| |
|
|
|
| |
It looks like these were only uses as part of the vanilla tests
which were removed back in #2482.
|
| |
|
|
|
| |
If wasm-emscripten-finalize is given the BigInt flag, then we will
be using BigInts on the JS side, and need no legalization at all
since i64s will just be BigInts.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now that we update the dylink section properly, we can
do the same optimization in side modules as in main ones:
if the module provides a function, don't call an $fp method
during startup, instead add it to the table ourselves and use
the relative offset to the table base.
Fix an issue when the table has no segments initially: the
code just added an offset of 0, but that's not right. Instead,
an a __table_base import and use that as the offset. As
this is ABI-specific I did it on wasm-emscripten-finalize,
leaving TableUtils to just assert on having a singleton
segment.
Add a test of a wasm file with a dylink section to the lld tests.
|
| |
|
|
|
|
| |
Adds full support for the {i8x16,i16x8,i32x4}.abs instructions merged
to the SIMD proposal in https://github.com/WebAssembly/simd/pull/128
as well as the {i8x16,i16x8,i32x4}.bitmask instructions proposed in
https://github.com/WebAssembly/simd/pull/201.
|
| |
|
|
|
|
|
|
| |
Tuple operations lower to stacky code, so round tripping from IR to
binary and back is a lossy operation. To help make diagnosing bugs
uncovered by the fuzzer easier, this change writes the original IR
generated by the fuzzer and the IR produced by optimizations to files
that can be inspected after a crash to determine exactly what IR was
emitted.
|
| |
|
|
|
|
|
|
|
| |
Implements parsing and emitting of tuple creation and extraction and tuple-typed control flow for both the text and binary formats.
TODO:
- Extend Precompute/interpreter to handle tuple values
- C and JS API support/testing
- Figure out how to lower in stack IR
- Fuzzing
|
| |
|
| |
An attempt to fix the node-esm-loader related [issues](https://travis-ci.org/WebAssembly/binaryen/jobs/649056649#L22931) seen on CI currently, apparently due to CI automatically picking up a newer node LTS (12.16.0 released 2020/02/11) where the API changed.
|
| | |
|
| |
|
|
| |
fail_if_not_identical_to_file() (#2649)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds EH support to `EffectAnalyzer`. Before `throw` and `rethrow`
conservatively set property. Now `EffectAnalyzer` has a new property
`throws` to represent an expression that can throw, and expression that
can throw sets `throws` correctly.
When EH is enabled, any calls can throw too, so we cannot reorder them
with another expression with any side effects, meaning all calls should
be treated in the same way as branches when evaluating `invalidate`.
This prevents many reorderings, so this patch sets `throws` for calls
only when the exception handling features is enabled. This is also why I
passed `--disable-exception-handling` to `wasm2js` tests. Most of code
changes outside of `EffectAnalyzer` class was made in order to pass
`FeatureSet` to it.
`throws` isn't always set whenever an expression contains a throwable
instruction. When an throwable instruction is within an inner try, it
will be caught by the corresponding inner catch, so it does not set
`throws`.
|
| |
|
|
|
| |
This reverts commit 132daae1e9154782bb1afa5df80dfe7ea35f0369.
This change is the same as before but the fix in #2619 should now make it safe.
|
