diff options
| author | Alon Zakai <azakai@google.com> | 2023-02-23 11:23:21 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-23 11:23:21 -0800 |
| commit | f2596c7300ad4933529471e30008bdc2eafbc538 (patch) | |
| tree | 8e5e0f92cad4f503755b6532e5572017f7595507 /src/tools/spec-wrapper.h | |
| parent | 549b0f45be3749fd5f612a2eb225ca1cc40081a6 (diff) | |
| download | binaryen-f2596c7300ad4933529471e30008bdc2eafbc538.tar.gz binaryen-f2596c7300ad4933529471e30008bdc2eafbc538.tar.bz2 binaryen-f2596c7300ad4933529471e30008bdc2eafbc538.zip | |
[Fuzzer] Simplify the hang limit mechanism (#5513)
Previously the idea was that we started with HANG_LIMIT = 10 or so, and we'd decrement
it by one in each potentially-recursive call and loop entry. When we reached 0 we'd start
to unwind the stack. Then, after we unwound it all the way, we'd reset HANG_LIMIT before
calling the next export.
That approach adds complexity that each "execution wrapper", like for JS or for --fuzz-exec,
had to manually reset HANG_LIMIT. That was done by calling an export. Calls to those
exports had to appear in various places, which is sort of a hack.
The new approach here does the following when the hang limit reaches zero: It resets
HANG_LIMIT, and it traps. The trap unwinds the call stack all the way out. When the next
export is called, it will have a fresh hang limit since we reset it before the trap.
This does have downsides. Before, we did not always trap when we hit the hang limit but
rather we'd emit something unreachable, like a return. The idea was that we'd leave the
current function scope at least, so we don't hang forever. That let us still execute a small
amount of code "on the way out" as we unwind the stack. I'm not sure it's worth the
complexity for that.
The advantages of this PR are to simplify the code, and also it makes more fuzzing
approaches easy to implement. I'd like to add a wasm-ctor-eval fuzzer, and having to add
hacks to call the hang limit init export in it would be tricky. With this PR, the execution
model is simple in the fuzzer: The exports are called one by one, in order, and that's it -
no extra magic execution needs to be done.
Also bump the hang limit from 10 to 100, just to give some more chance for code to run.
Diffstat (limited to 'src/tools/spec-wrapper.h')
| -rw-r--r-- | src/tools/spec-wrapper.h | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/tools/spec-wrapper.h b/src/tools/spec-wrapper.h index 95ead4739..5c0b8cfc8 100644 --- a/src/tools/spec-wrapper.h +++ b/src/tools/spec-wrapper.h @@ -31,8 +31,7 @@ inline std::string generateSpecWrapper(Module& wasm) { if (!func) { continue; // something exported other than a function } - ret += std::string("(invoke \"hangLimitInitializer\") (invoke \"") + - exp->name.toString() + "\" "; + ret += std::string("(invoke \"") + exp->name.toString() + "\" "; for (const auto& param : func->getParams()) { // zeros in arguments TODO more? TODO_SINGLE_COMPOUND(param); |