authorAlon Zakai <azakai@google.com>2022-05-16 16:16:47 -0700
committerGitHub <noreply@github.com>2022-05-16 16:16:47 -0700
commitbfa956c250e0aa9c9dcedc2287ab74e72a2deeb5 (patch)
tree6035a29a04a71aed9aef837233e0d0c5c7350ccd /src/tools/fuzzing/fuzzing.cpp
parentcc0d5fcfcdc4740793816531c89e30ec56823777 (diff)
[Fuzzer] Reduce trap probability in function ref fallback code (#4653)
Also improve comments, as suggested in #4647.
Diffstat (limited to 'src/tools/fuzzing/fuzzing.cpp')
-rw-r--r--src/tools/fuzzing/fuzzing.cpp25
1 files changed, 15 insertions, 10 deletions
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index a5f00d8ef..5b75d859c 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -1883,22 +1883,27 @@ Expression* TranslateToFuzzReader::makeRefFuncConst(Type type) {
return builder.makeRefFunc(func->name, func->type);
}
}
- // We don't have a matching function, so create a null with high probability
- // if the type is nullable or otherwise create and cast a null with low
- // probability.
- if ((type.isNullable() && !oneIn(8)) || oneIn(8)) {
+ // We don't have a matching function. Create a null some of the time here,
+ // but only rarely if the type is non-nullable (because in that case we'd need
+ // to add a ref.as_non_null to validate, and the code will trap when we get
+ // here).
+ if ((type.isNullable() && oneIn(2)) || (type.isNonNullable() && oneIn(16))) {
Expression* ret = builder.makeRefNull(Type(heapType, Nullable));
if (!type.isNullable()) {
ret = builder.makeRefAs(RefAsNonNull, ret);
}
return ret;
}
- // As a final option, create a new function with the correct signature.
- auto* func = wasm.addFunction(
- builder.makeFunction(Names::getValidFunctionName(wasm, "ref_func_target"),
- heapType,
- {},
- builder.makeUnreachable()));
+ // As a final option, create a new function with the correct signature. If it
+ // returns a value, write a trap as we do not want to create any more code
+ // here (we might end up recursing). Note that a trap in the function lets us
+ // execute more code then the ref.as_non_null path just before us, which traps
+ // even if we never call the function.
+ auto* body = heapType.getSignature().results == Type::none
+ ? (Expression*)builder.makeNop()
+ : (Expression*)builder.makeUnreachable();
+ auto* func = wasm.addFunction(builder.makeFunction(
+ Names::getValidFunctionName(wasm, "ref_func_target"), heapType, {}, body));
return builder.makeRefFunc(func->name, heapType);
}
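Review bot: The ternary at `auto* body = ...` uses C-style casts `(Expression*)builder.makeNop()` / `(Expression*)builder.makeUnreachable()`; the cast is needed because the two branches return unrelated pointer types, but the idiomatic and greppable form is `static_cast<Expression*>(builder.makeNop())` and `static_cast<Expression*>(builder.makeUnreachable())`. The new comment above that line also has a typo, "execute more code then the ref.as_non_null path", which should read `// execute more code than the ref.as_non_null path just before us, which traps`. The enclosing function makeRefFuncConst begins before this hunk, so the earlier lookup that this fallback code follows is not visible here.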