author | Alon Zakai <azakai@google.com> | 2023-02-16 14:36:02 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-16 14:36:02 -0800 |
commit | e3c923554ce6f586b5fa9fe4fc76cf8780e287b0 (patch) | |
tree | 22390de26d2623ba3194810ff92144ea23e46692 /src | |
parent | 70f51822318231214c435567edfbd54158097261 (diff) | |
download | binaryen-e3c923554ce6f586b5fa9fe4fc76cf8780e287b0.tar.gz binaryen-e3c923554ce6f586b5fa9fe4fc76cf8780e287b0.tar.bz2 binaryen-e3c923554ce6f586b5fa9fe4fc76cf8780e287b0.zip |
Fuzzer: Be more careful with unreachable code (#5498)
Half the time, never add any unreachable code. This ensures that, at least half the time, we run as much code as we possibly can.
Diffstat (limited to 'src')
-rw-r--r-- | src/tools/fuzzing.h | 5 | ||||
-rw-r--r-- | src/tools/fuzzing/fuzzing.cpp | 12 |
2 files changed, 14 insertions, 3 deletions
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index bdadaba5a..5529a14a8 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -89,6 +89,11 @@ private:
   // of bounds (which traps in wasm, and is undefined behavior in C).
   bool allowOOB = true;
 
+  // Whether we allow the fuzzer to add unreachable code when generating changes
+  // to existing code. This is randomized during startup, but could be an option
+  // like the above options eventually if we find that useful.
+  bool allowAddingUnreachableCode;
+
   // Whether to emit atomic waits (which in single-threaded mode, may hang...)
   static const bool ATOMIC_WAITS = false;
 
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index af2a34078..37de3d1da 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -31,6 +31,11 @@ namespace {
 TranslateToFuzzReader::TranslateToFuzzReader(Module& wasm,
                                              std::vector<char>&& input)
   : wasm(wasm), builder(wasm), random(std::move(input), wasm.features) {
+
+  // Half the time add no unreachable code so that we'll execute the most code
+  // as possible with no early exits.
+  allowAddingUnreachableCode = oneIn(2);
+
   // - funcref cannot be logged because referenced functions can be inlined or
   //   removed during optimization
   // - there's no point in logging anyref because it is opaque
@@ -724,9 +729,10 @@ void TranslateToFuzzReader::mutate(Function* func) {
 
     Modder(Module& wasm, TranslateToFuzzReader& parent)
       : wasm(wasm), parent(parent) {
-      // Half the time, never replace with an unreachable. The other half, do it
-      // sometimes (but even so, only rarely, see below).
-      allowUnreachable = parent.oneIn(2);
+      // If the parent allows it then sometimes replace with an unreachable, and
+      // sometimes not. Even if we allow it, only do it in certain functions
+      // (half the time) and only do it rarely (see below).
+      allowUnreachable = parent.allowAddingUnreachableCode && parent.oneIn(2);
     }
 
     void visitExpression(Expression* curr) {
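Review bot: The new member `bool allowAddingUnreachableCode;` in the fuzzing.h hunk has no in-class initializer, unlike the sibling `bool allowOOB = true;` directly above it, so it holds an indeterminate value until the constructor body in fuzzing.cpp assigns `oneIn(2)` to it. That is correct for the one constructor shown, but it makes the member the only option in this group whose default is not visible at the declaration, and any future constructor or early read of the flag would see garbage rather than a defined value. Since the comment says this "could be an option like the above options eventually", giving it a documented default now keeps it consistent with them: `bool allowAddingUnreachableCode = true;` (the constructor's randomization still overrides it). The enclosing class declaration starts and ends outside this hunk.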