authorAlon Zakai <azakai@google.com>2023-03-13 10:37:54 -0700
committerGitHub <noreply@github.com>2023-03-13 17:37:54 +0000
commitb280366c6e4f81d9483aed7c38c957257ac3396b (patch)
tree8af89bda155589201c81c0d0dfb0ad1a935014a9 /src/tools/fuzzing/fuzzing.cpp
parent5c408e22badb4b611155fd3a3d07000538e47341 (diff)
downloadbinaryen-b280366c6e4f81d9483aed7c38c957257ac3396b.tar.gz
binaryen-b280366c6e4f81d9483aed7c38c957257ac3396b.tar.bz2
binaryen-b280366c6e4f81d9483aed7c38c957257ac3396b.zip
Fuzzer: Limit array sizes (#5569)
Even with only a 1% chance of a huge array, there is a second problem besides hitting an allocation failure: DoS — building such a huge array of Literals takes noticeable time in the fuzzer. Instead, just limit the maximum array size, which is consistent with what we already do for struct sizes etc.
Diffstat (limited to 'src/tools/fuzzing/fuzzing.cpp')
-rw-r--r--src/tools/fuzzing/fuzzing.cpp11
1 files changed, 1 insertions, 10 deletions
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 37f596b54..acc760f6b 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -2213,16 +2213,7 @@ Expression* TranslateToFuzzReader::makeConstCompoundRef(Type type) {
// TODO: when in a function context, we don't need to be trivial.
init = makeTrivial(element.type);
}
- Expression* count;
- if (oneIn(100)) {
- // With low probability pick a totally random count. This can easily be a
- // super-high number that immediately causes a host limit error on running
- // out of memory.
- count = makeConst(Type::i32);
- } else {
- // Otherwise, most of the time pick a reasonable/realistic number.
- count = builder.makeConst(int32_t(upTo(100)));
- }
+ auto* count = builder.makeConst(int32_t(upTo(MAX_ARRAY_SIZE)));
return builder.makeArrayNew(type.getHeapType(), count, init);
} else {
WASM_UNREACHABLE("bad user-defined ref type");
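Review bot: The new `auto* count = builder.makeConst(int32_t(upTo(MAX_ARRAY_SIZE)));` line drops the rationale the removed comment carried, so nothing in the code now says why a fully random i32 count is deliberately never generated here; a one-line comment would keep someone from reintroducing it, e.g. `// Keep counts bounded: a huge array of Literals is slow to build and can exhaust memory.` If `upTo(n)` is exclusive, as the old `upTo(100)` usage suggests, then MAX_ARRAY_SIZE itself is never produced and the fuzzer never exercises an array exactly at the limit; `upTo(MAX_ARRAY_SIZE + 1)` would cover that boundary if the limit is meant to be inclusive. The functional-style `int32_t(...)` cast would read more clearly as `static_cast<int32_t>(...)`, which also makes the narrowing explicit should MAX_ARRAY_SIZE ever be widened. makeConstCompoundRef begins before this hunk and continues past it, and MAX_ARRAY_SIZE's definition is not visible here.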