authorAlon Zakai <alonzakai@gmail.com>2019-04-10 10:16:57 -0700
committerGitHub <noreply@github.com>2019-04-10 10:16:57 -0700
commit7cc509f54a759034fbff57fae64e142ad15cc097 (patch)
tree9311e086d02a645707dbb5692119a5450e52b6c6 /src
parentb13db5a0bc1170494ba845ab66129a506b251fde (diff)
Fuzz fixes (#1991)
Get fuzzer to attempt to create almost all features. Pass v8 all the flags to allow that. Fix fuzz bugs where we read signed_ even when it was irrelevant for that type of load. Improve wasm-reduce on fuzz testcases, try to replace a node with drops of its children, not just the children themselves.
Diffstat (limited to 'src')
-rw-r--r--src/ir/ExpressionManipulator.cpp3
-rw-r--r--src/passes/SafeHeap.cpp11
-rw-r--r--src/tools/wasm-reduce.cpp6
3 files changed, 15 insertions, 5 deletions
diff --git a/src/ir/ExpressionManipulator.cpp b/src/ir/ExpressionManipulator.cpp
index 578d35e3f..2b648e077 100644
--- a/src/ir/ExpressionManipulator.cpp
+++ b/src/ir/ExpressionManipulator.cpp
@@ -14,6 +14,7 @@
* limitations under the License.
*/
+#include "ir/load-utils.h"
#include "ir/utils.h"
#include "support/hash.h"
@@ -91,7 +92,7 @@ Expression* flexibleCopy(Expression* original, Module& wasm, CustomCopier custom
return builder.makeAtomicLoad(curr->bytes, curr->offset,
copy(curr->ptr), curr->type);
}
- return builder.makeLoad(curr->bytes, curr->signed_, curr->offset, curr->align, copy(curr->ptr), curr->type);
+ return builder.makeLoad(curr->bytes, LoadUtils::isSignRelevant(curr) ? curr->signed_ : false, curr->offset, curr->align, copy(curr->ptr), curr->type);
}
Expression* visitStore(Store *curr) {
if (curr->isAtomic) {
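Review bot: The new `LoadUtils::isSignRelevant(curr) ? curr->signed_ : false` in visitLoad carries no comment saying why `signed_` must not be read unconditionally, and the reason is not visible at the call site. Going by the commit message, the field is meaningless (and possibly never written) for loads where the sign does not matter, so the old code copied an indeterminate value into the new node. I would put `// signed_ is only meaningful when the sign is relevant; normalize to false so copies are deterministic` above the return. Any other reader of `signed_` outside this hunk would need the same guard, so a default member initializer on the field in `Load` may be the more robust fix. visitLoad begins above the hunk.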
diff --git a/src/passes/SafeHeap.cpp b/src/passes/SafeHeap.cpp
index 3cc1021ed..852af0c16 100644
--- a/src/passes/SafeHeap.cpp
+++ b/src/passes/SafeHeap.cpp
@@ -28,6 +28,7 @@
#include "ir/bits.h"
#include "ir/function-type-utils.h"
#include "ir/import-utils.h"
+#include "ir/load-utils.h"
namespace wasm {
@@ -39,7 +40,7 @@ static Name getLoadName(Load* curr) {
std::string ret = "SAFE_HEAP_LOAD_";
ret += printType(curr->type);
ret += "_" + std::to_string(curr->bytes) + "_";
- if (!isFloatType(curr->type) && !curr->signed_) {
+ if (LoadUtils::isSignRelevant(curr) && !curr->signed_) {
ret += "U_";
}
if (curr->isAtomic) {
@@ -219,8 +220,10 @@ struct SafeHeap : public Pass {
// creates a function for a particular style of load
void addLoadFunc(Load style, Module* module) {
+ auto name = getLoadName(&style);
+ if (module->getFunctionOrNull(name)) return;
auto* func = new Function;
- func->name = getLoadName(&style);
+ func->name = name;
func->params.push_back(i32); // pointer
func->params.push_back(i32); // offset
func->vars.push_back(i32); // pointer + offset
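Review bot: The early return `if (module->getFunctionOrNull(name)) return;` in addLoadFunc treats any function that already has this name as the helper the pass would have generated, and addStoreFunc in the next hunk makes the same assumption. If the input module already defines a function with a `SAFE_HEAP_LOAD_...` name (a second run of the pass, or an input that uses the name by accident or on purpose), the checked helper is silently not emitted. Loads would then presumably call whatever body is already there, without the checks this pass exists to add. At minimum add a comment such as `// already emitted for an equivalent style; names are canonical per load shape`. Consider also recording the names created during this run instead of querying the module, so a pre-existing collision can be reported; the body of addLoadFunc continues past the hunk.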
@@ -265,8 +268,10 @@ struct SafeHeap : public Pass {
// creates a function for a particular type of store
void addStoreFunc(Store style, Module* module) {
+ auto name = getStoreName(&style);
+ if (module->getFunctionOrNull(name)) return;
auto* func = new Function;
- func->name = getStoreName(&style);
+ func->name = name;
func->params.push_back(i32); // pointer
func->params.push_back(i32); // offset
func->params.push_back(style.valueType); // value
diff --git a/src/tools/wasm-reduce.cpp b/src/tools/wasm-reduce.cpp
index bd5a0c1b8..36a44b056 100644
--- a/src/tools/wasm-reduce.cpp
+++ b/src/tools/wasm-reduce.cpp
@@ -508,7 +508,11 @@ struct Reducer : public WalkerPass<PostWalker<Reducer, UnifiedExpressionVisitor<
}
// Finally, try to replace with a child.
for (auto* child : ChildIterator(curr)) {
- if (tryToReplaceCurrent(child)) return;
+ if (isConcreteType(child->type) && curr->type == none) {
+ if (tryToReplaceCurrent(builder->makeDrop(child))) return;
+ } else {
+ if (tryToReplaceCurrent(child)) return;
+ }
}
// If that didn't work, try to replace with a child + a unary conversion
if (isConcreteType(curr->type) &&
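Review bot: When `curr` is itself a drop of a concrete child, the new branch builds `builder->makeDrop(child)`, which is structurally the same expression as the one being replaced. Depending on how tryToReplaceCurrent counts success (it is outside this hunk), that could be recorded as a reduction although nothing shrank, costing a test run and possibly delaying termination. Excluding that case in the condition would avoid it, e.g. `if (isConcreteType(child->type) && curr->type == none && !curr->is<Drop>()) {`. A one-line comment that the drop is needed to keep the replacement's type equal to `none` would also help; the enclosing visitor starts and ends outside the hunk.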