authorAlon Zakai <azakai@google.com>2023-03-13 10:37:54 -0700
committerGitHub <noreply@github.com>2023-03-13 17:37:54 +0000
commitb280366c6e4f81d9483aed7c38c957257ac3396b (patch)
tree8af89bda155589201c81c0d0dfb0ad1a935014a9 /src
parent5c408e22badb4b611155fd3a3d07000538e47341 (diff)
Fuzzer: Limit array sizes (#5569)
Even with a 1% chance of a huge array, there is a second problem aside from hitting an allocation failure, which is DoS - building such a huge array of Literals takes noticeable time in the fuzzer. Instead, just limit array max sizes, which is consistent with what we do for struct sizes etc.
Diffstat (limited to 'src')
-rw-r--r--src/tools/fuzzing/fuzzing.cpp11
-rw-r--r--src/tools/fuzzing/parameters.h3
2 files changed, 4 insertions, 10 deletions
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 37f596b54..acc760f6b 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -2213,16 +2213,7 @@ Expression* TranslateToFuzzReader::makeConstCompoundRef(Type type) {
// TODO: when in a function context, we don't need to be trivial.
init = makeTrivial(element.type);
}
- Expression* count;
- if (oneIn(100)) {
- // With low probability pick a totally random count. This can easily be a
- // super-high number that immediately causes a host limit error on running
- // out of memory.
- count = makeConst(Type::i32);
- } else {
- // Otherwise, most of the time pick a reasonable/realistic number.
- count = builder.makeConst(int32_t(upTo(100)));
- }
+ auto* count = builder.makeConst(int32_t(upTo(MAX_ARRAY_SIZE)));
return builder.makeArrayNew(type.getHeapType(), count, init);
} else {
WASM_UNREACHABLE("bad user-defined ref type");
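Review bot: The replacement line `auto* count = builder.makeConst(int32_t(upTo(MAX_ARRAY_SIZE)));` silently drops the only path that exercised array.new with an unbounded count (the removed `makeConst(Type::i32)` branch, which could also yield a negative i32 that is a huge unsigned length), so the host-limit / allocation-failure path of the interpreter is no longer reached from this generator; that is the intent per the description, but nothing in the code now says so. A reader seeing the bound will likely assume the large-count case is covered elsewhere, so a why-comment above the new line would help, e.g. `// Bound the count: an unbounded i32 here costs time and memory just to build the Literals for the array, and makes the fuzzer itself the bottleneck; the host-limit error on huge counts is intentionally not fuzzed from here.` If upTo() is exclusive, as the old `upTo(100)` with its "reasonable number" comment suggests, the largest count produced is MAX_ARRAY_SIZE - 1, which the comment could state. The enclosing makeConstCompoundRef starts before and continues past this hunk.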
diff --git a/src/tools/fuzzing/parameters.h b/src/tools/fuzzing/parameters.h
index 9e5cefd9a..dd5c8d82c 100644
--- a/src/tools/fuzzing/parameters.h
+++ b/src/tools/fuzzing/parameters.h
@@ -38,6 +38,9 @@ constexpr int MAX_TUPLE_SIZE = 6;
// The maximum number of struct fields.
static const int MAX_STRUCT_SIZE = 6;
+// The maximum number of elements in an array.
+static const int MAX_ARRAY_SIZE = 100;
+
// The number of nontrivial heap types to generate.
constexpr int MIN_HEAPTYPES = 4;
constexpr int MAX_HEAPTYPES = 20;
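Review bot: The new constant is declared as `static const int MAX_ARRAY_SIZE = 100;`, copying the form of MAX_STRUCT_SIZE, while the surrounding parameters in this header (MAX_TUPLE_SIZE, MIN_HEAPTYPES, MAX_HEAPTYPES) use `constexpr int`; a new line is the natural place to converge on the constexpr form, `constexpr int MAX_ARRAY_SIZE = 100;`. The comment "The maximum number of elements in an array" also reads as an inclusive bound, whereas the only use in this commit passes it to upTo(), which from its name and the old `upTo(100)` call appears to be exclusive; if so, `// The maximum number of elements in an array (exclusive bound for upTo()).` would match the actual behavior.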