22 changes: 12 additions & 10 deletions src/tools/fuzzing/fuzzing.cpp
@@ -1195,7 +1195,6 @@ void TranslateToFuzzReader::modifyInitialFunctions() {
if (upTo(RESOLUTION) >= chance) {
dropToLog(func);
// TODO add some locals? and the rest of addFunction's operations?
// TODO: interposition, replace initial a(b) with a(RANDOM_THING(b))
// TODO: if we add OOB checks after creation, then we can do it on
// initial contents too, and it may be nice to *not* run these
// passes, like we don't run them on new functions. But, we may
@@ -1383,7 +1382,6 @@ Expression* TranslateToFuzzReader::_makeConcrete(Type type) {
&Self::makeArrayGet);
}
}
// TODO: struct.get and other GC things
return (this->*pick(options))(type);
}

@@ -2450,11 +2448,18 @@ Expression* TranslateToFuzzReader::makeRefFuncConst(Type type) {
// had generic 'func' here.
heapType = Signature(Type::none, Type::none);
}
// TODO: randomize the order
for (auto& func : wasm.functions) {
if (Type::isSubType(Type(func->type, NonNullable), type)) {
return builder.makeRefFunc(func->name, func->type);
}
// Look for a proper function starting from a random location, and loop from
// there, wrapping around to 0.
if (!wasm.functions.empty()) {
Index start = upTo(wasm.functions.size());
Index i = start;
do {
auto& func = wasm.functions[i];
if (Type::isSubType(Type(func->type, NonNullable), type)) {
return builder.makeRefFunc(func->name, func->type);
}
i = (i + 1) % wasm.functions.size();
} while (i != start);
}
// We don't have a matching function. Create a null some of the time here,
// but only rarely if the type is non-nullable (because in that case we'd need
@@ -3788,7 +3793,6 @@ Expression* TranslateToFuzzReader::makeArraySet(Type type) {
// Only rarely emit a plain get which might trap. See related logic in
// ::makePointer().
if (allowOOB && oneIn(10)) {
// TODO: fuzz signed and unsigned, and also below
return builder.makeArraySet(ref, index, value);
}
// To avoid a trap, check the length dynamically using this pattern:
@@ -3816,7 +3820,6 @@ Expression* TranslateToFuzzReader::makeArrayBulkMemoryOp(Type type) {
// Only rarely emit a plain get which might trap. See related logic in
// ::makePointer().
if (allowOOB && oneIn(10)) {
// TODO: fuzz signed and unsigned, and also below
return builder.makeArrayFill(ref, index, value, length);
}
auto check =
@@ -3841,7 +3844,6 @@ Expression* TranslateToFuzzReader::makeArrayBulkMemoryOp(Type type) {
auto* srcRef = makeTrappingRefUse(srcArrayType);
auto* length = make(Type::i32);
if (allowOOB && oneIn(10)) {
// TODO: fuzz signed and unsigned, and also below
return builder.makeArrayCopy(ref, index, srcRef, srcIndex, length);
}
auto check =
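Review bot: In the makeRefFuncConst hunk, starting the scan at a random index and returning the first subtype match does not choose uniformly among the matching functions: a match that follows a run of non-matching functions is returned for every start index inside that run, so it is emitted more often than a match that sits right after another match. For a fuzzer this skews which functions end up referenced by `ref.func`, so the trade-off should be stated at the loop, e.g. `// Note: biased towards matches that follow non-matching functions; gather all matches and choose one at random if uniformity matters.` The wrap-around itself looks sound on the visible lines: the `!wasm.functions.empty()` guard keeps the `% wasm.functions.size()` from dividing by zero, and the do/while visits each index once. The function body starts and ends outside the hunk, so the fallback path after the loop is not reviewed here.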
59 changes: 28 additions & 31 deletions test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
@@ -1,6 +1,6 @@
total
[exports] : 4
[funcs] : 7
[exports] : 5
[funcs] : 8
[globals] : 1
[imports] : 5
[memories] : 1
@@ -9,49 +9,46 @@ total
[tables] : 1
[tags] : 2
[total] : 674
[vars] : 37
[vars] : 41
ArrayCopy : 1
ArrayGet : 3
ArrayLen : 3
ArrayNew : 4
ArrayLen : 4
ArrayNew : 5
ArrayNewFixed : 1
ArraySet : 1
AtomicCmpxchg : 1
AtomicFence : 1
AtomicNotify : 3
AtomicRMW : 1
Binary : 81
Binary : 84
Block : 75
Break : 12
Call : 25
CallRef : 1
Const : 121
Drop : 5
Call : 21
Const : 133
Drop : 6
GlobalGet : 24
GlobalSet : 24
I31Get : 2
If : 23
Load : 19
LocalGet : 75
I31Get : 3
If : 21
Load : 22
LocalGet : 65
LocalSet : 50
Loop : 7
MemoryFill : 1
Loop : 6
Nop : 4
Pop : 6
RefAs : 9
RefCast : 5
RefEq : 2
RefFunc : 3
RefI31 : 6
Pop : 7
RefAs : 7
RefCast : 3
RefFunc : 2
RefI31 : 7
RefIsNull : 2
RefNull : 12
RefTest : 3
Return : 6
SIMDExtract : 2
Select : 4
RefNull : 11
RefTest : 2
Return : 8
Select : 3
StructGet : 1
StructNew : 1
StructSet : 1
StructNew : 3
StructSet : 2
Try : 5
TupleExtract : 3
TupleMake : 4
Unary : 20
Unary : 21
Unreachable : 13