author | Alon Zakai <azakai@google.com> | 2020-10-12 14:54:26 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-12 14:54:26 -0700 |
commit | d38ddda4c299a40ee48efb777ec69c823312c9dd (patch) | |
tree | 40426b25c3f97c01c0a6a0db2c29020a1c6dae51 | |
parent | 9d6413cd2d504684d026bdec27e2d030d4c60598 (diff) | |
Fuzzer: Do not emit random global.get/sets of the hang limit global (#3229)
That global is for internal use. If we emit random sets to it, we could prevent
it from doing its job of preventing an infinite loop (normally it decreases each
time a loop runs or we recurse, until we reach 0 - if we set it to a nonzero
value in that code, that would be bad).
Random gets are less of a problem, but may be confusing when debugging
a testcase.
-rw-r--r-- | src/tools/fuzzing.h | 19 | ||||
-rw-r--r-- | test/passes/fuzz_metrics_noprint.bin.txt | 50 | ||||
-rw-r--r-- | test/passes/translate-to-fuzz_all-features.txt | 612 |
3 files changed, 555 insertions, 126 deletions
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index 4fe356931..d2cdb7a7f 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -1261,12 +1261,21 @@ private:
     }
   }
 
+  // Some globals are for internal use, and should not be modified by random
+  // fuzz code.
+  bool isValidGlobal(Name name) { return name != HANG_LIMIT_GLOBAL; }
+
   Expression* makeGlobalGet(Type type) {
     auto it = globalsByType.find(type);
     if (it == globalsByType.end() || it->second.empty()) {
       return makeConst(type);
     }
-    return builder.makeGlobalGet(pick(it->second), type);
+    auto name = pick(it->second);
+    if (isValidGlobal(name)) {
+      return builder.makeGlobalGet(name, type);
+    } else {
+      return makeTrivial(type);
+    }
   }
 
   Expression* makeGlobalSet(Type type) {
@@ -1276,8 +1285,12 @@ private:
     if (it == globalsByType.end() || it->second.empty()) {
       return makeTrivial(Type::none);
     }
-    auto* value = make(type);
-    return builder.makeGlobalSet(pick(it->second), value);
+    auto name = pick(it->second);
+    if (isValidGlobal(name)) {
+      return builder.makeGlobalSet(name, make(type));
+    } else {
+      return makeTrivial(Type::none);
+    }
   }
 
   Expression* makeTupleMake(Type type) {
diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt
index efa390f23..a79ff8f26 100644
--- a/test/passes/fuzz_metrics_noprint.bin.txt
+++ b/test/passes/fuzz_metrics_noprint.bin.txt
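Review bot: The hang-limit exclusion in the first hunk is enforced at the two pick sites (makeGlobalGet here, and makeGlobalSet in the second hunk, whose signature sits in the first hunk and body in the second) rather than where `globalsByType` is populated, so any other code that picks from `globalsByType` still sees `HANG_LIMIT_GLOBAL`; if that population site (outside this hunk) can exclude the name once, every consumer is protected and these per-site checks become unnecessary. The helper's comment mentions only modification although the same helper now also gates reads; `// Some globals are for internal use (e.g. the hang limit): random fuzz code must neither read nor write them, since a random write could defeat their purpose.` would describe what the code does. `isValidGlobal` reads no member state and could be `bool isValidGlobal(Name name) const { return name != HANG_LIMIT_GLOBAL; }`, and dropping the `else` after each `return` would match the early-return style of the empty-vector check just above it.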
@@ -1,30 +1,30 @@ total [events] : 0 - [exports] : 69 - [funcs] : 101 + [exports] : 18 + [funcs] : 22 [globals] : 7 [imports] : 4 [memory-data] : 4 - [table-data] : 39 - [total] : 7276 - [vars] : 287 - binary : 555 - block : 1075 - break : 250 - call : 433 - call_indirect : 75 - const : 1310 - drop : 111 - global.get : 606 - global.set : 263 - if : 415 - load : 137 - local.get : 465 - local.set : 364 - loop : 166 - nop : 110 - return : 300 - select : 46 - store : 61 - unary : 531 - unreachable : 3 + [table-data] : 9 + [total] : 4993 + [vars] : 58 + binary : 397 + block : 736 + break : 204 + call : 173 + call_indirect : 32 + const : 823 + drop : 42 + global.get : 421 + global.set : 190 + if : 292 + load : 95 + local.get : 392 + local.set : 297 + loop : 146 + nop : 97 + return : 189 + select : 39 + store : 55 + switch : 1 + unary : 372 diff --git a/test/passes/translate-to-fuzz_all-features.txt b/test/passes/translate-to-fuzz_all-features.txt index ab8ac7ca2..7ebc6d070 100644 --- a/test/passes/translate-to-fuzz_all-features.txt +++ b/test/passes/translate-to-fuzz_all-features.txt 
@@ -1,20 +1,20 @@ (module (type $none_=>_none (func)) (type $none_=>_i32 (func (result i32))) - (type $i32_=>_none (func (param i32))) (type $i64_=>_none (func (param i64))) + (type $i32_=>_none (func (param i32))) (type $f32_=>_none (func (param f32))) (type $f64_=>_none (func (param f64))) (type $v128_=>_none (func (param v128))) (type $exnref_=>_none (func (param exnref))) - (type $none_=>_i64 (func (result i64))) - (type $externref_eqref_funcref_=>_i64 (func (param externref eqref funcref) (result i64))) + (type $funcref_f64_=>_i32 (func (param funcref f64) (result i32))) (type $none_=>_f32 (func (result f32))) + (type $eqref_i32_=>_funcref (func (param eqref i32) (result funcref))) (type $i32_i32_f32_exnref_=>_externref (func (param i32 i32 f32 exnref) (result externref))) (type $externref_f64_f32_eqref_i31ref_anyref_=>_externref (func (param externref f64 f32 eqref i31ref anyref) (result externref))) (type $exnref_f32_i31ref_externref_funcref_i31ref_i64_=>_exnref (func (param exnref f32 i31ref externref funcref i31ref i64) (result exnref))) - (type $none_=>_exnref_anyref_v128 (func (result exnref anyref v128))) - (type $externref_i32_eqref_v128_=>_exnref_anyref_v128 (func (param externref i32 eqref v128) (result exnref anyref v128))) + (type $none_=>_eqref_i31ref_i64_v128_eqref (func (result eqref i31ref i64 v128 eqref))) + (type $v128_i31ref_=>_eqref_i31ref_i64_v128_eqref (func (param v128 i31ref) (result eqref i31ref i64 v128 eqref))) (type $none_=>_i31ref (func (result i31ref))) (import "fuzzing-support" "log-i32" (func $log-i32 (param i32))) (import "fuzzing-support" "log-i64" (func $log-i64 (param i64))) 
@@ -25,7 +25,7 @@ (memory $0 (shared 1 1)) (data (i32.const 0) "N\0fN\f5\f9\b1\ff\fa\eb\e5\fe\a7\ec\fb\fc\f4\a6\e4\ea\f0\ae\e3") (table $0 5 5 funcref) - (elem (i32.const 0) $func_9 $func_9 $func_9 $func_10 $func_16) + (elem (i32.const 0) $func_9 $func_9 $func_9 $func_10 $func_14) (global $global$5 (mut eqref) (ref.null eq)) (global $global$4 (mut i32) (i32.const 470177031)) (global $global$3 (mut f64) (f64.const 2147483647)) @@ -44,8 +44,8 @@ (export "func_7_invoker" (func $func_7_invoker)) (export "func_9" (func $func_9)) (export "func_11_invoker" (func $func_11_invoker)) - (export "func_14_invoker" (func $func_14_invoker)) - (export "func_17" (func $func_17)) + (export "func_14" (func $func_14)) + (export "func_18" (func $func_18)) (export "hangLimitInitializer" (func $hangLimitInitializer)) (func $hashMemory (result i32) (local $0 i32) @@ -462,7 +462,7 @@ (global.get $hangLimit) ) (return - (i32.const 471818526) + (local.get $0) ) ) (global.set $hangLimit 
@@ -477,59 +477,112 @@ (local.get $0) ) ) - (func $func_14_invoker - (drop - (call $func_14) - ) - (call $log-i32 - (call $hashMemory) - ) - (drop - (call $func_14) - ) - (drop - (call $func_14) - ) - (drop - (call $func_14) - ) - (drop - (call $func_14) - ) - (drop - (call $func_14) - ) - (call $log-i32 - (call $hashMemory) - ) - (drop - (call $func_14) - ) - (call $log-i32 - (call $hashMemory) + (func $func_15 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return + (i32.const 32768) + ) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) ) + (global.get $global$4) ) - (func $func_16 (param $0 externref) (param $1 i32) (param $2 eqref) (param $3 v128) (result exnref anyref v128) - (local $4 exnref) - (local $5 i31ref) - (local $6 eqref) - (local $7 funcref) - (local $8 (i31ref eqref f64)) - (local $9 v128) - (local $10 eqref) - (local $11 exnref) + (func $func_16 (param $0 eqref) (param $1 i32) (result funcref) + (local $2 v128) + (local $3 funcref) + (local $4 eqref) (block (if (i32.eqz (global.get $hangLimit) ) (return - (tuple.make - (ref.null exn) - (ref.null any) - (v128.const i32x4 0x0c1f021d 0x00020814 0x4742fffc 0x007f252c) + (local.get $3) + ) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (loop $label$1 (result funcref) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return + (local.get $3) + ) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block (result funcref) + (block $label$2 + (br_if $label$2 + (i32.eqz + (block $label$3 + (global.set $global$4 + (local.tee $1 + (local.get $1) + ) + ) + (block $label$4 + (nop) + (br_if $label$1 + (i32.eqz + (i31.get_u + (i31.new + (i32.const -90) + ) + ) + ) + ) + ) + (br $label$1) + ) + ) + ) + (memory.init 0 + (i32.and + (local.get $1) + (i32.const 15) + ) + (i32.const 16) + (i32.const 3) ) ) + (br_if $label$1 + (i32.const 131071) + ) + 
(local.get $3) + ) + ) + ) + (func $func_17 (param $0 i64) + (local $1 externref) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) ) (global.set $hangLimit (i32.sub 
@@ -540,25 +593,137 @@ ) (block $label$0 (call $log-i32 - (local.get $1) + (call $hashMemory) ) - (return - (tuple.make - (ref.null exn) - (ref.null any) - (v128.const i32x4 0x00010001 0xfff00000 0xffff8001 0x00000202) + (if + (i32.eqz + (f64.gt + (f64.const 103) + (f64.max + (f64.const 8388607.124) + (if + (i32.eqz + (global.get $global$4) + ) + (block $label$1 + (call $log-v128 + (f64x2.replace_lane 0 + (f32x4.neg + (i8x16.shr_u + (v128.load offset=3 + (i32.const 65535) + ) + (loop $label$2 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block (result i32) + (block $label$3 + (call $log-exnref + (ref.null exn) + ) + (call $log-i32 + (i32.atomic.rmw8.sub_u offset=22 + (i32.and + (i32.const 6) + (i32.const 15) + ) + (i32.const 1852667194) + ) + ) + ) + (br_if $label$2 + (tuple.extract 0 + (tuple.make + (i32.const -2147483648) + (i31.new + (i32.const -32767) + ) + ) + ) + ) + (i32.const -2147483648) + ) + ) + ) + ) + (f64.const -nan:0xffffffffffff3) + ) + ) + (br $label$0) + ) + (block $label$4 + (br_if $label$0 + (i32.eqz + (tuple.extract 2 + (block $label$5 + (call $log-i32 + (call $hashMemory) + ) + (br $label$0) + ) + ) + ) + ) + (br $label$0) + ) + ) + ) + ) + ) + (block $label$6 + (call $log-i32 + (call $hashMemory) + ) + (call $log-i32 + (call $hashMemory) + ) + ) + (if + (i32.eqz + (i32.or + (i32.const 65535) + (i32.const 8) + ) + ) + (call $log-i32 + (i32.const 608321884) + ) + (atomic.fence) ) ) ) ) - (func $func_17 (result i64) + (func $func_18 (param $0 v128) (param $1 i31ref) (result eqref i31ref i64 v128 eqref) + (local $2 i64) + (local $3 v128) + (local $4 f32) (block (if (i32.eqz (global.get $hangLimit) ) (return - (i64.const 590056222575119631) + (tuple.make + (ref.null eq) + (i31.new + (i32.const -2147483648) + ) + (i64.const 369041285507055655) + (v128.const i32x4 0xffffffd1 0xffffffff 0x25312936 0x5455263f) + (ref.null 
eq) + ) ) ) (global.set $hangLimit @@ -568,19 +733,62 @@ ) ) ) - (i64.const 650238098827575305) + (tuple.make + (ref.null eq) + (local.get $1) + (i64.const -32766) + (v128.bitselect + (local.get $3) + (block $label$2 + (atomic.fence) + (return + (tuple.make + (ref.null eq) + (i31.new + (i32.const 19521) + ) + (i64.const -32766) + (v128.const i32x4 0x4f800000 0x3e116873 0x46ca0800 0x54000000) + (ref.null eq) + ) + ) + ) + (tuple.extract 2 + (tuple.make + (i31.new + (i32.const 1684216173) + ) + (ref.null eq) + (v128.const i32x4 0xffa20004 0x00000000 0x2b25ffa6 0x005b0080) + (ref.null eq) + ) + ) + ) + (global.get $global$5) + ) ) - (func $func_18 (param $0 externref) (param $1 eqref) (param $2 funcref) (result i64) - (local $3 f32) - (local $4 eqref) - (local $5 exnref) + (func $func_19 (param $0 funcref) (param $1 f64) (result i32) + (local $2 (funcref f32 exnref exnref externref)) + (local $3 externref) + (local $4 v128) + (local $5 f64) + (local $6 i32) + (local $7 (f64 i31ref eqref eqref)) + (local $8 anyref) + (local $9 (eqref i31ref i32 i31ref anyref)) + (local $10 eqref) + (local $11 exnref) + (local $12 externref) + (local $13 externref) + (local $14 externref) + (local $15 i31ref) (block (if (i32.eqz (global.get $hangLimit) ) (return - (i64.const -1) + (i32.const 2147483647) ) ) (global.set $hangLimit 
@@ -590,52 +798,260 @@ ) ) ) - (block $label$0 (result i64) - (nop) - (local.set $5 - (local.get $5) - ) - (br_if $label$0 - (if (result i64) - (i32.const 0) - (block $label$2 (result i64) + (select + (i32.atomic.load8_u offset=22 + (i32.and + (block (result i32) (nop) - (br_if $label$2 - (i64.or - (i64.const -2147483648) - (i64.const 3088) + (nop) + (i32.const -33) + ) + (i32.const 15) + ) + ) + (local.tee $6 + (select + (i16x8.extract_lane_s 4 + (v128.const i32x4 0xfffffff8 0x00008001 0xffffffa0 0x180b1217) + ) + (if (result i32) + (i32.eqz + (if (result i32) + (i32.eqz + (loop $label$3 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return + (i32.const 2151) + ) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block (result i32) + (br_if $label$3 + (local.get $6) + ) + (br_if $label$3 + (local.get $6) + ) + (i32.const -33) + ) + ) + ) + (i32.const 2147483647) + (if (result i32) + (i32.eqz + (i32.const 32768) + ) + (i32.const 16404) + (i32.const -1024) + ) ) - (i32.const -17) ) + (block $label$9 (result i32) + (i32.const 4935) + ) + (local.get $6) ) - (block $label$11 (result i64) - (nop) - (call $log-f64 - (f64.const 3848309694063512128130702e64) + (select + (i32.const 33554433) + (i32.trunc_f64_s + (f64.const 3402823466385288598117041e14) ) - (loop $label$12 (result i64) - (block - (if - (i32.eqz - (global.get $hangLimit) + (local.tee $6 + (select + (local.get $6) + (select + (i16x8.extract_lane_s 4 + (v128.const i32x4 0xfffffff8 0x00008001 0xffffffa0 0x180b1217) ) - (return - (i64.const -32768) + (if (result i32) + (i32.eqz + (if (result i32) + (i32.eqz + (i32.const 524287) + ) + (block $label$1 + (memory.init 0 + (i32.and + (f32.ge + (block $label$2 (result f32) + (call $log-i32 + (call $hashMemory) + ) + (if (result f32) + (if (result i32) + (i32.eqz + (i32.const -129) + ) + (i32.const 2147483647) + (if (result i32) + (i32.eqz + (i32.const 32768) + ) + (i32.const 16404) + (i32.const 
-1024) + ) + ) + (f32.const -nan:0x7fffa8) + (block $label$4 (result f32) + (call $log-i32 + (call $hashMemory) + ) + (f32.const 18446744073709551615) + ) + ) + ) + (if (result f32) + (i32.eqz + (ref.is_null + (if (result externref) + (i32.eqz + (i32.const -65535) + ) + (ref.null extern) + (local.get $12) + ) + ) + ) + (block $label$5 (result f32) + (call $log-f32 + (select + (f32.const 4096) + (f32.const -nan:0x7fffa1) + (i32.const 2097640319) + ) + ) + (f32.const 8192) + ) + (f32.const -1125899906842624) + ) + ) + (i32.const 15) + ) + (i32.const 1) + (i32.const 2) + ) + (return + (local.get $6) + ) + ) + (block $label$6 (result i32) + (loop $label$7 + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return + (local.get $6) + ) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block $label$8 + (nop) + (memory.fill + (i32.and + (i8x16.extract_lane_s 11 + (i8x16.max_s + (local.get $4) + (i16x8.add_saturate_u + (v128.const i32x4 0xffea0f4a 0xfdffffec 0xdfff0512 0x1910ffff) + (local.get $4) + ) + ) + ) + (i32.const 15) + ) + (i32.and + (i32.const 1326258715) + (i32.const 15) + ) + (local.get $6) + ) + ) + ) + (i32.const -10) + ) + ) + ) + (local.get $6) + (local.get $6) ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) + (select + (i32.const 33554433) + (i32.trunc_f64_s + (f64.const 3402823466385288598117041e14) + ) + (local.tee $6 + (select + (local.get $6) + (ref.eq + (loop $label$0 (result i31ref) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return + (i32.const 268435455) + ) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block (result i31ref) + (local.set $5 + (f64.const 371920655) + ) + (br_if $label$0 + (i32.eqz + (local.tee $6 + (local.tee $6 + (local.tee $6 + (local.tee $6 + (local.get $6) + ) + ) + ) + ) + ) + ) + (local.get $15) + ) + ) + (local.get $10) + ) + (local.get $6) + ) + ) ) ) + (local.get $6) ) - 
(i64.const 4883) ) ) ) - (i32.const 8) ) + (global.get $global$4) ) ) (func $hangLimitInitializer |