[wasm] Create a new fuzzer for wasm code.

The new fuzzer constructs a fixed module skeleton around a single exported
function and uses the fuzzer data only as that function's body.

R=titzer@chromium.org, jochen@chromium.org

Review-Url: https://codereview.chromium.org/2280623002
Cr-Commit-Position: refs/heads/master@{#38983}
diff --git a/BUILD.gn b/BUILD.gn
index e5bc012..866d817 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -2584,3 +2584,18 @@
 
 v8_fuzzer("wasm_asmjs_fuzzer") {
 }
+
+v8_source_set("wasm_code_fuzzer") {
+  sources = [
+    "test/fuzzer/wasm-code.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+  ]
+
+  configs = [ ":internal_config" ]
+}
+
+v8_fuzzer("wasm_code_fuzzer") {
+}
diff --git a/test/fuzzer/fuzzer.gyp b/test/fuzzer/fuzzer.gyp
index c7c4cb4..78ca8e3 100644
--- a/test/fuzzer/fuzzer.gyp
+++ b/test/fuzzer/fuzzer.gyp
@@ -139,6 +139,32 @@
       ],
     },
     {
+      'target_name': 'v8_simple_wasm_code_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'wasm_code_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'wasm_code_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'wasm-code.cc',
+      ],
+    },
+    {
       'target_name': 'fuzzer_support',
       'type': 'static_library',
       'dependencies': [
diff --git a/test/fuzzer/fuzzer.isolate b/test/fuzzer/fuzzer.isolate
index 2611c72..a261a10 100644
--- a/test/fuzzer/fuzzer.isolate
+++ b/test/fuzzer/fuzzer.isolate
@@ -10,6 +10,7 @@
       '<(PRODUCT_DIR)/v8_simple_regexp_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_fuzzer<(EXECUTABLE_SUFFIX)',
       '<(PRODUCT_DIR)/v8_simple_wasm_asmjs_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/v8_simple_wasm_code_fuzzer<(EXECUTABLE_SUFFIX)',
       './fuzzer.status',
       './testcfg.py',
       './json/',
@@ -17,6 +18,7 @@
       './regexp/',
       './wasm/',
       './wasm_asmjs/',
+      './wasm_code/',
     ],
   },
   'includes': [
diff --git a/test/fuzzer/testcfg.py b/test/fuzzer/testcfg.py
index 85a38ed..0017035 100644
--- a/test/fuzzer/testcfg.py
+++ b/test/fuzzer/testcfg.py
@@ -18,7 +18,7 @@
 
 
 class FuzzerTestSuite(testsuite.TestSuite):
-  SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', )
+  SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', 'wasm_code' )
 
   def __init__(self, name, root):
     super(FuzzerTestSuite, self).__init__(name, root)
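Review bot: The edited tuple drops the trailing comma the previous version carried (`'wasm_asmjs', )`), so the next suite added will have to touch this line again instead of just appending; `SUB_TESTS = ( 'json', 'parser', 'regexp', 'wasm', 'wasm_asmjs', 'wasm_code', )` keeps the existing style. This is a style point only; the tuple's contents are otherwise as intended.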
diff --git a/test/fuzzer/wasm-code.cc b/test/fuzzer/wasm-code.cc
new file mode 100644
index 0000000..ae1ec4a
--- /dev/null
+++ b/test/fuzzer/wasm-code.cc
@@ -0,0 +1,54 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "include/v8.h"
+#include "src/isolate.h"
+#include "src/wasm/encoder.h"
+#include "src/wasm/wasm-js.h"
+#include "src/wasm/wasm-module.h"
+#include "test/cctest/wasm/test-signatures.h"
+#include "test/fuzzer/fuzzer-support.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
+  v8::Isolate* isolate = support->GetIsolate();
+  v8::internal::Isolate* i_isolate =
+      reinterpret_cast<v8::internal::Isolate*>(isolate);
+
+  // Clear any pending exceptions from a prior run.
+  if (i_isolate->has_pending_exception()) {
+    i_isolate->clear_pending_exception();
+  }
+
+  v8::Isolate::Scope isolate_scope(isolate);
+  v8::HandleScope handle_scope(isolate);
+  v8::Context::Scope context_scope(support->GetContext());
+  v8::TryCatch try_catch(isolate);
+
+  v8::base::AccountingAllocator allocator;
+  v8::internal::Zone zone(&allocator);
+
+  v8::internal::wasm::TestSignatures sigs;
+
+  v8::internal::wasm::WasmModuleBuilder builder(&zone);
+
+  uint16_t f1_index = builder.AddFunction();
+  v8::internal::wasm::WasmFunctionBuilder* f = builder.FunctionAt(f1_index);
+  f->SetSignature(sigs.i_iii());
+  f->EmitCode(data, static_cast<uint32_t>(size));
+  f->SetExported();
+  f->SetName("main", 4);
+
+  v8::internal::wasm::ZoneBuffer buffer(&zone);
+  builder.WriteTo(buffer);
+
+  v8::internal::WasmJs::InstallWasmFunctionMap(i_isolate,
+                                               i_isolate->native_context());
+  v8::internal::wasm::testing::CompileAndRunWasmModule(
+      i_isolate, buffer.begin(), buffer.end(), false);
+  return 0;
+}
diff --git a/test/fuzzer/wasm_code/foo b/test/fuzzer/wasm_code/foo
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/test/fuzzer/wasm_code/foo
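Review bot: The seed corpus for the new suite is a single empty file with the placeholder name `foo`, so the test runner and the fuzzer start from an empty function body only. A small hand-written valid body for the i_iii signature (a few bytes that return one of the parameters), named for what it encodes, would give mutation a valid starting point; whether the harness treats an empty body as a useful case I cannot tell from this diff.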