diff options
| author | Alon Zakai <azakai@google.com> | 2024-11-07 13:19:25 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-11-07 13:19:25 -0800 |
| commit | d01620f88748825e136495824ce7f7312d90966d (patch) | |
| tree | cb7ee8cbfa4f8af890c756d79e74a6c06df09ec4 /src/tools | |
| parent | 88b36f5bbb0882f4861f3874d3a50cf7e8f2c7c2 (diff) | |
| download | binaryen-d01620f88748825e136495824ce7f7312d90966d.tar.gz binaryen-d01620f88748825e136495824ce7f7312d90966d.tar.bz2 binaryen-d01620f88748825e136495824ce7f7312d90966d.zip | |
[wasm64] Fuzz wasm64 memories (#7064)
* Remove the code that prevented fuzzing wasm64 test files.
* Ignore a run that hits the V8 implementation limit on memory size.
* Disable wasm64 fuzzing in wasm2js (like almost all post-MVP features).
* Add fuzzer logic to emit a 64-bit memory sometimes.
* Fix various places in the fuzzer that assumed 32-bit indexes
Diffstat (limited to 'src/tools')
| -rw-r--r-- | src/tools/fuzzing.h | 1 | ||||
| -rw-r--r-- | src/tools/fuzzing/fuzzing.cpp | 34 |
2 files changed, 27 insertions, 8 deletions
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h index 0ecc751a4..6f73feca9 100644 --- a/src/tools/fuzzing.h +++ b/src/tools/fuzzing.h @@ -26,7 +26,6 @@ high chance for set at start of loop */ #include "ir/branch-utils.h" -#include "ir/memory-utils.h" #include "ir/struct-utils.h" #include "support/insert_ordered.h" #include "tools/fuzzing/random.h" diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp index 5dcdc66d5..26c321961 100644 --- a/src/tools/fuzzing/fuzzing.cpp +++ b/src/tools/fuzzing/fuzzing.cpp @@ -199,8 +199,24 @@ void TranslateToFuzzReader::build() { } void TranslateToFuzzReader::setupMemory() { - // Add memory itself - MemoryUtils::ensureExists(&wasm); + // Add a memory, if one does not already exist. + if (wasm.memories.empty()) { + auto memory = Builder::makeMemory("0"); + // Add at least one page of memory. + memory->initial = 1 + upTo(10); + // Make the max potentially higher, or unlimited. + if (oneIn(2)) { + memory->max = memory->initial + upTo(4); + } else { + memory->max = Memory::kUnlimitedSize; + } + // Fuzz wasm64 when possible, sometimes. + if (wasm.features.hasMemory64() && oneIn(2)) { + memory->indexType = Type::i64; + } + wasm.addMemory(std::move(memory)); + } + auto& memory = wasm.memories[0]; if (wasm.features.hasBulkMemory()) { size_t memCovered = 0; @@ -217,7 +233,8 @@ void TranslateToFuzzReader::setupMemory() { segment->data[j] = upTo(512); } if (!segment->isPassive) { - segment->offset = builder.makeConst(int32_t(memCovered)); + segment->offset = builder.makeConst( + Literal::makeFromInt32(memCovered, memory->indexType)); memCovered += segSize; segment->memory = memory->name; } @@ -227,7 +244,8 @@ void TranslateToFuzzReader::setupMemory() { // init some data auto segment = builder.makeDataSegment(); segment->memory = memory->name; - segment->offset = builder.makeConst(int32_t(0)); + segment->offset = + builder.makeConst(Literal::makeFromInt32(0, memory->indexType)); segment->setName(Names::getValidDataSegmentName(wasm, Name::fromInt(0)), false); auto num = upTo(USABLE_MEMORY * 2); @@ -364,10 +382,11 @@ void TranslateToFuzzReader::setupTables() { [&](auto& segment) { return segment->table.is() && segment->type == funcref; }); + auto indexType = wasm.getTable(funcrefTableName)->indexType; if (!hasFuncrefElemSegment) { // TODO: use a random table auto segment = std::make_unique<ElementSegment>( - table->name, builder.makeConst(int32_t(0))); + table->name, builder.makeConst(Literal::makeFromInt32(0, indexType))); segment->setName(Names::getValidElementSegmentName(wasm, "elem$"), false); wasm.addElementSegment(std::move(segment)); } @@ -1988,11 +2007,12 @@ Expression* TranslateToFuzzReader::makeCallIndirect(Type type) { } // with high probability, make sure the type is valid otherwise, most are // going to trap + auto indexType = wasm.getTable(funcrefTableName)->indexType; Expression* target; if (!allowOOB || !oneIn(10)) { - target = builder.makeConst(int32_t(i)); + target = builder.makeConst(Literal::makeFromInt32(i, indexType)); } else { - target = make(Type::i32); + target = make(indexType); } std::vector<Expression*> args; for (const auto& type : targetFn->getParams()) { |