Fuzz fixes (#1991)

Get fuzzer to attempt to create almost all features. Pass v8 all the flags to allow that.

Fix fuzz bugs where we read signed_ even when it was irrelevant for that type of load.

Improve wasm-reduce on fuzz testcases, try to replace a node with drops of its children, not just the children themselves.

1 files changed, 15 insertions, 3 deletions

diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py
index d3d2ea6e2..1cb561289 100644
--- a/scripts/fuzz_opt.py
+++ b/scripts/fuzz_opt.py
@@ -28,9 +28,21 @@ from test.shared import options
 
 NANS = True
 
-FUZZ_OPTS = ['--mvp-features']
+FUZZ_OPTS = ['--all-features', '--disable-simd', '--disable-bulk-memory']
+
+V8_OPTS = [
+  '--experimental-wasm-eh',
+  '--experimental-wasm-mv',
+  '--experimental-wasm-sat-f2i-conversions',
+  '--experimental-wasm-se',
+  '--experimental-wasm-threads',
+  '--experimental-wasm-simd',
+  '--experimental-wasm-anyref',
+  '--experimental-wasm-bulk-memory',
+  '--experimental-wasm-return-call'
+]
 
-INPUT_SIZE_LIMIT = 250 * 1024
+INPUT_SIZE_LIMIT = 150 * 1024
 
 LOG_LIMIT = 125
 
@@ -126,7 +138,7 @@ def run_vms(prefix):
   results = []
   # append to this list to add results from VMs
   results += [fix_output(run_vm([in_bin('wasm-opt'), prefix + 'wasm', '--fuzz-exec-before']))]
-  results += [fix_output(run_vm([os.path.expanduser('d8'), prefix + 'js', '--', prefix + 'wasm']))]
+  results += [fix_output(run_vm([os.path.expanduser('d8'), prefix + 'js'] + V8_OPTS + ['--', prefix + 'wasm']))]
   # results += [fix_output(run_vm([os.path.expanduser('~/.jsvu/jsc'), prefix + 'js', '--', prefix + 'wasm']))]
   # spec has no mechanism to not halt on a trap. so we just check until the first trap, basically
   # run(['../spec/interpreter/wasm', prefix + 'wasm'])