| field | value | date |
|---|---|---|
| author | Alon Zakai <azakai@google.com> | 2024-11-19 15:26:09 -0800 |
| committer | GitHub <noreply@github.com> | 2024-11-19 15:26:09 -0800 |
| commit | e13bf0fb72fca160f457570b930c4ba3c35ead3a (patch) | |
| tree | d840d824a6da6213cb9e27051cda3afd138863ed /src/tools | |
| parent | 206ad2906c9e0af92ec4c4da223c96755243aa2e (diff) | |
Improve fuzzing of both closed and open world styles of modules (#7090)
Before, we would simply not export a function that had an e.g. anyref
param. As a result, the modules were effectively "closed", which was
good for testing full closed-world mode, but not for testing degrees of
open world. To improve that, this PR allows the fuzzer to export such
functions, and an "enclose world" pass is added that "closes" the wasm
(makes it more compatible with closed-world) that is run 50% of the
time, giving us coverage of both styles.
Diffstat (limited to 'src/tools')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/tools/fuzzing/fuzzing.cpp | 37 |
| -rw-r--r-- | src/tools/wasm-reduce.cpp | 1 |

2 files changed, 17 insertions, 21 deletions
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp index ed653ef6b..135e50393 100644 --- a/src/tools/fuzzing/fuzzing.cpp +++ b/src/tools/fuzzing/fuzzing.cpp @@ -62,6 +62,17 @@ void TranslateToFuzzReader::pickPasses(OptimizationOptions& options) { // things like ClusterFuzz, where we are using Binaryen to fuzz other things // than itself). As a result, the list of passes here is different from // fuzz_opt.py. + + // Enclose the world, some of the time. We do this before picking any other + // passes so that we make the initial fuzz contents more optimizable by + // closed-world passes later. Note that we do this regardless of whether we + // are in closed-world mode or not, as it is good to get this variety + // regardless. + if (oneIn(2)) { + options.passes.push_back("enclose-world"); + } + + // Main selection of passes. while (options.passes.size() < 20 && !random.finished() && !oneIn(3)) { switch (upTo(42)) { case 0: 
@@ -1075,30 +1086,14 @@ Function* TranslateToFuzzReader::addFunction() { // Add hang limit checks after all other operations on the function body. wasm.addFunction(std::move(allocation)); // Export some functions, but not all (to allow inlining etc.). Try to export - // at least one, though, to keep each testcase interesting. Only functions - // with valid params and returns can be exported because the trap fuzzer - // depends on that (TODO: fix this). - auto validExportType = [](Type t) { - if (!t.isRef()) { - return true; - } - auto heapType = t.getHeapType(); - return heapType == HeapType::ext || heapType == HeapType::func || - heapType == HeapType::string; - }; + // at least one, though, to keep each testcase interesting. Avoid non- + // nullable params, as those cannot be constructed by the fuzzer on the + // outside. bool validExportParams = std::all_of(paramType.begin(), paramType.end(), [&](Type t) { - return validExportType(t) && t.isDefaultable(); + return t.isDefaultable(); }); - // Note: spec discussions around JS API integration are still ongoing, and it - // is not clear if we should allow nondefaultable types in exports or not - // (in imports, we cannot allow them in the fuzzer anyhow, since it can't - // construct such values in JS to send over to the wasm from the fuzzer - // harness). - bool validExportResults = - std::all_of(resultType.begin(), resultType.end(), validExportType); - if (validExportParams && validExportResults && - (numAddedFunctions == 0 || oneIn(2)) && + if (validExportParams && (numAddedFunctions == 0 || oneIn(2)) && !wasm.getExportOrNull(func->name)) { auto* export_ = new Export; export_->name = func->name; diff --git a/src/tools/wasm-reduce.cpp b/src/tools/wasm-reduce.cpp index 8d9858b78..026825118 100644 --- a/src/tools/wasm-reduce.cpp +++ b/src/tools/wasm-reduce.cpp 
@@ -275,6 +275,7 @@ struct Reducer "--dae-optimizing", "--dce", "--duplicate-function-elimination", + "--enclose-world", "--gto", "--inlining", "--inlining-optimizing", |
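Review bot: in the `pickPasses` hunk (`@@ -62,6 +62,17 @@`), the `oneIn(2)` draw for `enclose-world` runs before the loop's `!random.finished()` guard, so it consumes random input and may push the pass even when the input is already exhausted; either apply the same guard or add a comment stating that a finished reader answers deterministically. Note also that the existing cap `options.passes.size() < 20` now counts `enclose-world`, so at most 19 further passes are picked in that case; fine if intended, but worth a word in the new comment.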
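Review bot: in the `addFunction` hunk (`@@ -1075,30 +1086,14 @@`), the deleted comment said results were restricted because "the trap fuzzer depends on that (TODO: fix this)", yet `validExportResults` is removed outright with no statement that the dependency was resolved; please say in the comment or commit message why exporting functions with e.g. `anyref` results is now safe for the trap fuzzer. Two smaller points: the lambda no longer captures anything, so `[&](Type t)` can become `[](Type t)`, and the new comment says "non-nullable params" while the check actually applied is `t.isDefaultable()`, so "non-defaultable" would describe the condition precisely.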
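Review bot: in the `wasm-reduce.cpp` hunk, `"--enclose-world"` is placed in alphabetical order between `"--duplicate-function-elimination"` and `"--gto"`, consistent with its neighbours. Since the commit message describes the pass as one that "closes" the wasm, i.e. changes what the module exposes, confirm that the reducer's interestingness check still applies to the output of this pass before it is accepted as a reduction step; a one-line comment beside the entry noting that would help future readers.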