author | Thomas Lively <tlively@google.com> | 2024-07-15 21:50:06 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-15 18:50:06 -0700 |
commit | 5bdc0f40934a8b6b9887f345a5779dc8faa7660a (patch) | |
tree | bfe4b4cdc76c754be9df06dcb81d4c8cb9037c53 /src/tools/fuzzing | |
parent | 503fc4bb767d4f1861feba71b127799b89d9d663 (diff) | |
Simplify fuzzer generation of function references (#6745)
When creating a reference to `func`, fix the probability of choosing to
continue on to choose some function other than the last one rather than
making it depend on the number of functions. Then, do not eagerly pick
from the rest of the candidate functions. Instead, fall through to the
more general logic that will already pick a random candidate function.
Also move the logic for coming up with a concrete signature down to
where it is needed.
These simplifications will make it easier to update the code to handle
shared types.
Diffstat (limited to 'src/tools/fuzzing')
-rw-r--r-- | src/tools/fuzzing/fuzzing.cpp | 28 |
1 files changed, 11 insertions, 17 deletions
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 555de5db1..8e699fe13 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -2468,26 +2468,15 @@ Literal TranslateToFuzzReader::makeLiteral(Type type) {

 Expression* TranslateToFuzzReader::makeRefFuncConst(Type type) {
 auto heapType = type.getHeapType();
- if (heapType == HeapType::func) {
- // First set to target to the last created function, and try to select
- // among other existing function if possible.
- Function* target = funcContext ? funcContext->func : nullptr;
- // If there is no last function, and we have others, pick between them. Also
- // pick between them with some random probability even if there is a last
- // function.
- if (!wasm.functions.empty() && (!target || !oneIn(wasm.functions.size()))) {
- target = pick(wasm.functions).get();
- }
- if (target) {
+ if (heapType.isBasic()) {
+ assert(heapType.getBasic(Unshared) == HeapType::func);
+ // With high probability, use the last created function if possible.
+ // Otherwise, continue on to select some other function.
+ if (funcContext && !oneIn(4)) {
+ auto* target = funcContext->func;
 return builder.makeRefFunc(target->name, target->type);
 }
 }
- if (heapType == HeapType::func) {
- // From here on we need a specific signature type, as we want to create a
- // RefFunc or even a Function out of it. Pick an arbitrary one if we only
- // had generic 'func' here.
- heapType = Signature(Type::none, Type::none);
- }
 // Look for a proper function starting from a random location, and loop from
 // there, wrapping around to 0.
 if (!wasm.functions.empty()) {
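Review bot: The new `assert(heapType.getBasic(Unshared) == HeapType::func);` is the only check tying `isBasic()` to the generic func type, and it is compiled out wherever NDEBUG is defined. The second hunk's `if (heapType.isBasic())` then replaces any basic heap type with `Signature(Type::none, Type::none)`, so a mistaken caller would get a mistyped function reference from the fuzzer instead of a failure. Because the comparison is made after `getBasic(Unshared)`, a shared func presumably passes too, while the early return still builds the RefFunc from `target->type` unchanged. I would repeat the assert next to the second check and add a comment such as `// Only generic 'func' is expected here; sharedness is not yet honored by the early return.` The body of makeRefFuncConst continues outside both hunks, so the search loop between them is not visible here.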
@@ -2519,6 +2508,11 @@ Expression* TranslateToFuzzReader::makeRefFuncConst(Type type) {
 // here (we might end up recursing). Note that a trap in the function lets us
 // execute more code then the ref.as_non_null path just before us, which traps
 // even if we never call the function.
+ if (heapType.isBasic()) {
+ // We need a specific signature type to create a function. Pick an arbitrary
+ // signature if we only had generic 'func' here.
+ heapType = Signature(Type::none, Type::none);
+ }
 auto* body = heapType.getSignature().results == Type::none
 ? (Expression*)builder.makeNop()
 : (Expression*)builder.makeUnreachable(); |