work
kripken committed Apr 15, 2024
commit 21857c1b8c1c3d6c6109aabd0915e39b5dd0f6fb
19 changes: 11 additions & 8 deletions src/tools/fuzzing/fuzzing.cpp
Expand Up @@ -1195,7 +1195,6 @@ void TranslateToFuzzReader::modifyInitialFunctions() {
if (upTo(RESOLUTION) >= chance) {
dropToLog(func);
// TODO add some locals? and the rest of addFunction's operations?
// TODO: interposition, replace initial a(b) with a(RANDOM_THING(b))
// TODO: if we add OOB checks after creation, then we can do it on
// initial contents too, and it may be nice to *not* run these
// passes, like we don't run them on new functions. But, we may
Expand Down Expand Up @@ -1383,7 +1382,6 @@ Expression* TranslateToFuzzReader::_makeConcrete(Type type) {
&Self::makeArrayGet);
}
}
// TODO: struct.get and other GC things
return (this->*pick(options))(type);
}

Expand Down Expand Up @@ -2450,12 +2448,20 @@ Expression* TranslateToFuzzReader::makeRefFuncConst(Type type) {
// had generic 'func' here.
heapType = Signature(Type::none, Type::none);
}
// TODO: randomize the order
for (auto& func : wasm.functions) {
// Look for a proper function starting from a random location, and loop from
// there, wrapping around to 0.
Index start = upTo(wasm.functions.size());
Index i = start;
do {
auto& func = wasm.functions[i];
if (Type::isSubType(Type(func->type, NonNullable), type)) {
return builder.makeRefFunc(func->name, func->type);
}
}
i++;
if (i == wasm.functions.size()) {
i == 0;
}
} while (i != start);
// We don't have a matching function. Create a null some of the time here,
// but only rarely if the type is non-nullable (because in that case we'd need
// to add a ref.as_non_null to validate, and the code will trap when we get
Expand Down Expand Up @@ -3788,7 +3794,6 @@ Expression* TranslateToFuzzReader::makeArraySet(Type type) {
// Only rarely emit a plain get which might trap. See related logic in
// ::makePointer().
if (allowOOB && oneIn(10)) {
// TODO: fuzz signed and unsigned, and also below
return builder.makeArraySet(ref, index, value);
}
// To avoid a trap, check the length dynamically using this pattern:
Expand Down Expand Up @@ -3816,7 +3821,6 @@ Expression* TranslateToFuzzReader::makeArrayBulkMemoryOp(Type type) {
// Only rarely emit a plain get which might trap. See related logic in
// ::makePointer().
if (allowOOB && oneIn(10)) {
// TODO: fuzz signed and unsigned, and also below
return builder.makeArrayFill(ref, index, value, length);
}
auto check =
Expand All @@ -3841,7 +3845,6 @@ Expression* TranslateToFuzzReader::makeArrayBulkMemoryOp(Type type) {
auto* srcRef = makeTrappingRefUse(srcArrayType);
auto* length = make(Type::i32);
if (allowOOB && oneIn(10)) {
// TODO: fuzz signed and unsigned, and also below
return builder.makeArrayCopy(ref, index, srcRef, srcIndex, length);
}
auto check =
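Review bot: The wrap-around in the new do/while in makeRefFuncConst never takes effect, because `i == 0;` is a comparison whose result is discarded, not an assignment; once `i` reaches `wasm.functions.size()` the loop keeps going and the next `wasm.functions[i]` reads past the end of the vector whenever no matching function exists between `start` and the end. The line should be `i = 0;` (clang's -Wunused-comparison would have flagged this). The replaced range-for also tolerated an empty function list, whereas the new code calls `upTo(wasm.functions.size())` and indexes `wasm.functions[i]` unconditionally; unless callers guarantee at least one function, guard the search with `if (!wasm.functions.empty())` before computing `start`. makeRefFuncConst's body continues outside the hunk.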