diff options
| author | Alon Zakai <alonzakai@gmail.com> | 2017-09-12 13:37:39 -0700 |
|---|---|---|
| committer | Alon Zakai <alonzakai@gmail.com> | 2017-09-27 13:07:55 -0700 |
| commit | 27af98deb91d1d64be44cdf12f01833b677fbf34 (patch) | |
| tree | 61aa683b01192259297bcc64db092a2e17009ac7 /src | |
| parent | c69253378014ffc451adf916d017d8f21faae77c (diff) | |
| download | binaryen-27af98deb91d1d64be44cdf12f01833b677fbf34.tar.gz binaryen-27af98deb91d1d64be44cdf12f01833b677fbf34.tar.bz2 binaryen-27af98deb91d1d64be44cdf12f01833b677fbf34.zip | |
fuzzing improvements:
* randomize initial memory
* low chance to have tiny blocks
* decent chance to have a branch back to the loop top
Diffstat (limited to 'src')
| -rw-r--r-- | src/tools/translate-to-fuzz.h | 31 | ||||
| -rw-r--r-- | src/wasm.h | 4 |
2 files changed, 31 insertions, 4 deletions
diff --git a/src/tools/translate-to-fuzz.h b/src/tools/translate-to-fuzz.h index 95f2ee79e..821416d87 100644 --- a/src/tools/translate-to-fuzz.h +++ b/src/tools/translate-to-fuzz.h @@ -20,7 +20,6 @@ // /* -memory too high chance for set at start of loop high chance of get of a set local in the scope of that scope high chance of a tee in that case => loop var @@ -90,6 +89,7 @@ private: // the memory that we use, a small portion so that we have a good chance of // looking at writes (we also look outside of this region with small probability) + // this should be a power of 2 static const int USABLE_MEMORY = 32; // the number of runtime iterations (function calls, loop backbranches) we @@ -158,6 +158,13 @@ private: wasm.memory.exists = true; // use one page wasm.memory.initial = wasm.memory.max = 1; + // init some data + wasm.memory.segments.emplace_back(builder.makeConst(Literal(int32_t(0)))); + auto num = upTo(USABLE_MEMORY * 2); + for (size_t i = 0; i < num; i++) { + auto value = upTo(512); + wasm.memory.segments[0].data.push_back(value >= 256 ? 0 : (value & 0xff)); + } } void setupTable() { @@ -509,6 +516,10 @@ private: num /= 2; } } + // not likely to have a block of size 1 + if (num == 0 && !oneIn(10)) { + num++; + } while (num > 0 && !finishedInput) { ret->list.push_back(make(none)); num--; @@ -540,7 +551,17 @@ private: ret->name = makeLabel(); breakableStack.push_back(ret); hangStack.push_back(ret); - ret->body = makeMaybeBlock(type); + // either create random content, or do something more targeted + if (oneIn(2)) { + ret->body = makeMaybeBlock(type); + } else { + // ensure a branch back. also optionally create some loop vars + std::vector<Expression*> list; + list.push_back(makeMaybeBlock(none)); // primary contents + list.push_back(builder.makeBreak(ret->name, nullptr, makeCondition())); // possible branch back + list.push_back(make(type)); // final element, so we have the right type + ret->body = builder.makeBlock(list); + } breakableStack.pop_back(); hangStack.pop_back(); if (HANG_LIMIT > 0) { @@ -1147,6 +1168,12 @@ private: return upTo(x) == 0; } + bool onceEvery(Index x) { + static int counter = 0; + counter++; + return counter % x == 0; + } + // apply upTo twice, generating a skewed distribution towards // low values Index upToSquared(Index x) { diff --git a/src/wasm.h b/src/wasm.h index 50646e39f..c31aac9c1 100644 --- a/src/wasm.h +++ b/src/wasm.h @@ -654,8 +654,7 @@ public: Expression* offset; std::vector<Name> data; Segment() {} - Segment(Expression* offset) : offset(offset) { - } + Segment(Expression* offset) : offset(offset) {} Segment(Expression* offset, std::vector<Name>& init) : offset(offset) { data.swap(init); } @@ -685,6 +684,7 @@ public: Expression* offset; std::vector<char> data; // TODO: optimize Segment() {} + Segment(Expression* offset) : offset(offset) {} Segment(Expression* offset, const char* init, Address size) : offset(offset) { data.resize(size); std::copy_n(init, size, data.begin()); |