diff options
| author | Alon Zakai <azakai@google.com> | 2020-10-27 10:30:24 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-10-27 10:30:24 -0700 |
| commit | 9a174f0ce9dc44b74db0e04728de62e6556176f9 (patch) | |
| tree | 6f8a331eb2a23f795df6e12373bff22d28c1dfdd /test | |
| parent | ca16f7cdc57549333474d7042128d2007bc35fad (diff) | |
| download | binaryen-9a174f0ce9dc44b74db0e04728de62e6556176f9.tar.gz binaryen-9a174f0ce9dc44b74db0e04728de62e6556176f9.tar.bz2 binaryen-9a174f0ce9dc44b74db0e04728de62e6556176f9.zip | |
Fuzzer: Add an option to fuzz with initial wasm contents (#3276)
Previously the fuzzer constructed a new random valid wasm file from
scratch. The new --initial-fuzz=FILENAME option makes it start from
an existing wasm file, and then add random contents on top of that. It
also randomly modifies the existing contents, for example tweaking
a Const, replacing some nodes with other things of the same type, etc.
It also has a chance to replace a drop with a logging (as some of our
tests just drop a result, and we match the optimized output's wasm
instead of the result; by logging, the fuzzer can check things).
The goal is to find bugs by using existing hand-written testcases as
a basis. This PR uses the test suite's testcases as initial fuzz contents.
This can find issues as they often check for corner cases - they are
designed to be "interesting", which random data may be less likely
to find.
This has found several bugs already, see recent fuzz fixes. I mentioned
the first few on Twitter but past 4 I stopped counting...
https://twitter.com/kripken/status/1314323318036602880
This required various changes to the fuzzer's generation to account
for the fact that there can be existing functions and so forth before
it starts to run, so it needs to avoid collisions and so forth.
Diffstat (limited to 'test')
| -rw-r--r-- | test/passes/fuzz_metrics_noprint.bin.txt | 50 | ||||
| -rw-r--r-- | test/passes/translate-to-fuzz_all-features.txt | 1540 | ||||
| -rw-r--r-- | test/unit/input/hello_world.wat | 11 | ||||
| -rw-r--r-- | test/unit/input/random_data.txt | 1 | ||||
| -rw-r--r-- | test/unit/test_initial_fuzz.py | 35 |
5 files changed, 894 insertions, 743 deletions
diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt index da8acec57..ad654067f 100644 --- a/test/passes/fuzz_metrics_noprint.bin.txt +++ b/test/passes/fuzz_metrics_noprint.bin.txt @@ -1,30 +1,30 @@ total [events] : 0 - [exports] : 45 - [funcs] : 72 + [exports] : 35 + [funcs] : 47 [globals] : 7 [imports] : 4 [memory-data] : 4 - [table-data] : 30 - [total] : 5321 - [vars] : 256 - binary : 416 - block : 755 - break : 178 - call : 234 - call_indirect : 49 - const : 970 - drop : 58 - global.get : 461 - global.set : 201 - if : 313 - load : 98 - local.get : 412 - local.set : 301 - loop : 119 - nop : 80 - return : 209 - select : 46 - store : 43 - unary : 375 - unreachable : 3 + [table-data] : 16 + [total] : 6048 + [vars] : 137 + binary : 458 + block : 871 + break : 230 + call : 240 + call_indirect : 52 + const : 1081 + drop : 40 + global.get : 480 + global.set : 204 + if : 356 + load : 108 + local.get : 527 + local.set : 351 + loop : 155 + nop : 120 + return : 233 + select : 51 + store : 58 + unary : 432 + unreachable : 1 diff --git a/test/passes/translate-to-fuzz_all-features.txt b/test/passes/translate-to-fuzz_all-features.txt index 3d4182cba..5a9d9dc7b 100644 --- a/test/passes/translate-to-fuzz_all-features.txt +++ b/test/passes/translate-to-fuzz_all-features.txt @@ -1,35 +1,31 @@ (module (type $none_=>_none (func)) - (type $none_=>_i32 (func (result i32))) - (type $i64_=>_none (func (param i64))) (type $i32_=>_none (func (param i32))) + (type $i64_=>_none (func (param i64))) (type $f32_=>_none (func (param f32))) (type $f64_=>_none (func (param f64))) (type $v128_=>_none (func (param v128))) + (type $funcref_=>_none (func (param funcref))) (type $exnref_=>_none (func (param exnref))) - (type $funcref_f64_=>_i32 (func (param funcref f64) (result i32))) - (type $none_=>_f32 (func (result f32))) - (type $eqref_i32_=>_funcref (func (param eqref i32) (result funcref))) - (type $i32_i32_f32_exnref_=>_externref (func (param i32 i32 f32 exnref) (result externref))) - (type $externref_f64_f32_eqref_i31ref_anyref_=>_externref (func (param externref f64 f32 eqref i31ref anyref) (result externref))) - (type $exnref_f32_i31ref_externref_funcref_i31ref_i64_=>_exnref (func (param exnref f32 i31ref externref funcref i31ref i64) (result exnref))) - (type $none_=>_eqref_i31ref_i64_v128_eqref (func (result eqref i31ref i64 v128 eqref))) - (type $v128_i31ref_=>_eqref_i31ref_i64_v128_eqref (func (param v128 i31ref) (result eqref i31ref i64 v128 eqref))) - (type $none_=>_i31ref (func (result i31ref))) + (type $eqref_=>_none (func (param eqref))) + (type $none_=>_i32 (func (result i32))) + (type $anyref_anyref_externref_eqref_v128_=>_i64 (func (param anyref anyref externref eqref v128) (result i64))) + (type $i31ref_v128_=>_exnref (func (param i31ref v128) (result exnref))) + (type $i31ref_externref_v128_f32_f32_=>_eqref (func (param i31ref externref v128 f32 f32) (result eqref))) (import "fuzzing-support" "log-i32" (func $log-i32 (param i32))) (import "fuzzing-support" "log-i64" (func $log-i64 (param i64))) (import "fuzzing-support" "log-f32" (func $log-f32 (param f32))) (import "fuzzing-support" "log-f64" (func $log-f64 (param f64))) (import "fuzzing-support" "log-v128" (func $log-v128 (param v128))) (import "fuzzing-support" "log-exnref" (func $log-exnref (param exnref))) - (memory $0 (shared 1 1)) + (memory $0 (shared 16 17)) (data (i32.const 0) "N\0fN\f5\f9\b1\ff\fa\eb\e5\fe\a7\ec\fb\fc\f4\a6\e4\ea\f0\ae\e3") - (table $0 5 5 funcref) - (elem (i32.const 0) $func_9 $func_9 $func_9 $func_10 $func_14) - (global $global$5 (mut eqref) (ref.null eq)) - (global $global$4 (mut i32) (i32.const 470177031)) - (global $global$3 (mut f64) (f64.const 2147483647)) - (global $global$2 (mut (eqref f32 eqref funcref funcref i64)) (tuple.make + (table $0 3 funcref) + (elem (i32.const 0) $func_1 $func_1 $func_1) + (global $global$ (mut eqref) (ref.null eq)) + (global $global$_0 (mut i32) (i32.const 470177031)) + (global $global$_1 (mut f64) (f64.const 2147483647)) + (global $global$_2 (mut (eqref f32 eqref funcref funcref i64)) (tuple.make (ref.null eq) (f32.const -2147483648) (ref.null eq) @@ -37,257 +33,274 @@ (ref.null func) (i64.const -32) )) - (global $global$1 (mut f32) (f32.const -32769)) + (global $global$_3 (mut f32) (f32.const -32769)) (global $hangLimit (mut i32) (i32.const 10)) (export "hashMemory" (func $hashMemory)) (export "memory" (memory $0)) - (export "func_7_invoker" (func $func_7_invoker)) - (export "func_9" (func $func_9)) - (export "func_11_invoker" (func $func_11_invoker)) - (export "func_14" (func $func_14)) - (export "func_18" (func $func_18)) - (export "func_19" (func $func_19)) + (export "func" (func $func)) + (export "func_invoker" (func $func_invoker)) + (export "func_1_invoker" (func $func_1_invoker)) + (export "func_2" (func $func_2)) + (export "func_2_invoker" (func $func_2_invoker)) + (export "func_3" (func $func_3)) (export "hangLimitInitializer" (func $hangLimitInitializer)) (func $hashMemory (result i32) (local $0 i32) - (local.set $0 - (i32.const 5381) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl - (local.get $0) - (i32.const 5) - ) - (local.get $0) + (block + (if + (i32.eqz + (global.get $hangLimit) ) - (i32.load8_u - (i32.const 0) + (return + (i32.const 69) + ) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) ) ) ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (block (result i32) + (local.set $0 + (i32.const 5381) + ) + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=1 - (i32.const 0) + (i32.load8_u + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=2 - (i32.const 0) + (i32.load8_u offset=1 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=3 - (i32.const 0) + (i32.load8_u offset=2 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=4 - (i32.const 0) + (i32.load8_u offset=3 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=5 - (i32.const 0) + (i32.load8_u offset=4 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=6 - (i32.const 0) + (i32.load8_u offset=5 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=7 - (i32.const 0) + (i32.load8_u offset=6 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=8 - (i32.const 0) + (i32.load8_u offset=7 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=9 - (i32.const 0) + (i32.load8_u offset=8 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=10 - (i32.const 0) + (i32.load8_u offset=9 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=11 - (i32.const 0) + (i32.load8_u offset=10 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=12 - (i32.const 0) + (i32.load8_u offset=11 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=13 - (i32.const 0) + (i32.load8_u offset=12 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) - ) - (i32.load8_u offset=14 - (i32.const 0) + (i32.load8_u offset=13 + (i32.const 0) + ) ) ) - ) - (local.set $0 - (i32.xor - (i32.add - (i32.shl + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) (local.get $0) - (i32.const 5) ) - (local.get $0) + (i32.load8_u offset=14 + (i32.const 0) + ) ) - (i32.load8_u offset=15 - (i32.const 0) + ) + (local.set $0 + (i32.xor + (i32.add + (i32.shl + (local.get $0) + (i32.const 5) + ) + (local.get $0) + ) + (i32.load8_u offset=15 + (i32.const 0) + ) ) ) + (local.get $0) ) - (local.get $0) ) - (func $func_7 (param $0 i32) (param $1 i32) (param $2 f32) (param $3 exnref) (result externref) - (local $4 i32) + (func $func (param $0 i31ref) (param $1 v128) (result exnref) (block (if (i32.eqz (global.get $hangLimit) ) (return - (ref.null extern) + (ref.null exn) ) ) (global.set $hangLimit @@ -297,34 +310,30 @@ ) ) ) - (ref.null extern) + (ref.null exn) ) - (func $func_7_invoker + (func $func_invoker (drop - (call $func_7 - (i32.const -127) - (i32.const -268435456) - (f32.const 1179405440) - (ref.null exn) + (call $func + (i31.new + (i32.const 1633240409) + ) + (v128.const i32x4 0xcf800000 0x4c816020 0x3e1a1a1a 0x00000000) ) ) - (call $log-i32 - (call $hashMemory) - ) ) - (func $func_9 (result f32) - (local $0 anyref) - (local $1 f64) - (local $2 (anyref anyref)) - (local $3 eqref) - (local $4 externref) + (func $func_0 (param $0 anyref) (param $1 anyref) (param $2 externref) (param $3 eqref) (param $4 v128) (result i64) + (local $5 eqref) + (local $6 (funcref externref i32 f64 f32 i64)) + (local $7 (f32 funcref eqref i32 i31ref i32)) + (local $8 v128) (block (if (i32.eqz (global.get $hangLimit) ) (return - (f32.const 1.4949444621624858e-31) + (i64.const 2147483647) ) ) (global.set $hangLimit @@ -334,35 +343,30 @@ ) ) ) - (block $label$0 + (block $label$0 (result i64) (nop) - (block $label$1 - (nop) - (return - (f32.const 7.396028525772014e-24) + (br_if $label$0 + (tuple.extract 1 + (tuple.make + (f64.const -255) + (i64.const -127) + (ref.null func) + ) ) + (i32.const -24) ) ) ) - (func $func_10 (param $0 externref) (param $1 f64) (param $2 f32) (param $3 eqref) (param $4 i31ref) (param $5 anyref) (result externref) - (local $6 i64) - (local $7 (anyref exnref f32 f64 f64)) - (local $8 eqref) - (local $9 exnref) - (local $10 i64) - (local $11 f64) - (local $12 f32) - (local $13 v128) - (local $14 exnref) - (local $15 (funcref funcref v128 i31ref v128)) - (local $16 anyref) + (func $func_1 (param $0 i31ref) (param $1 externref) (param $2 v128) (param $3 f32) (param $4 f32) (result eqref) + (local $5 v128) + (local $6 (exnref externref i64 i32 f64 funcref)) (block (if (i32.eqz (global.get $hangLimit) ) (return - (ref.null extern) + (ref.null eq) ) ) (global.set $hangLimit @@ -372,121 +376,75 @@ ) ) ) - (ref.null extern) + (ref.null eq) ) - (func $func_11 (param $0 exnref) (param $1 f32) (param $2 i31ref) (param $3 externref) (param $4 funcref) (param $5 i31ref) (param $6 i64) (result exnref) - (local $7 (i32 i64 anyref externref externref eqref)) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (ref.null exn) - ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) + (func $func_1_invoker + (drop + (call $func_1 + (i31.new + (i32.const 16777216) ) + (ref.null extern) + (v128.const i32x4 0x5d455846 0xcf800000 0x42aa0000 0x46b2a800) + (f32.const -17592186044416) + (f32.const -4294967296) ) ) - (ref.null exn) - ) - (func $func_11_invoker + (call $log-i32 + (call $hashMemory) + ) (drop - (call $func_11 - (ref.null exn) - (f32.const -1022.1400146484375) + (call $func_1 (i31.new - (i32.const -32766) + (i32.const 73) ) (ref.null extern) - (ref.null func) - (i31.new - (i32.const -65535) - ) - (i64.const 3) + (v128.const i32x4 0xffff8001 0xffffffff 0x184c764c 0x10105676) + (f32.const -9223372036854775808) + (f32.const 129) ) ) (call $log-i32 (call $hashMemory) ) - ) - (func $func_13 (result i31ref) - (local $0 i31ref) - (local $1 (funcref f32 anyref f32 externref)) - (local $2 f64) - (local $3 f64) - (local $4 (i32 v128)) - (local $5 (anyref i64 v128 eqref funcref exnref)) - (local $6 i32) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (i31.new - (i32.const -28) - ) - ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) + (drop + (call $func_1 + (i31.new + (i32.const -4096) ) + (ref.null extern) + (v128.const i32x4 0x00000000 0x00000020 0x00000001 0xffc00000) + (f32.const -nan:0x7fffbd) + (f32.const -255.8040008544922) ) ) - (i31.new - (i32.const 64) + (call $log-i32 + (call $hashMemory) ) - ) - (func $func_14 (result i32) - (local $0 i32) - (local $1 funcref) - (local $2 (anyref externref)) - (local $3 funcref) - (local $4 i64) - (local $5 externref) - (local $6 (exnref f64)) - (local $7 (anyref f64 f64)) - (local $8 (i64 i32 eqref exnref)) - (local $9 (v128 i64 funcref i32 anyref anyref)) - (local $10 (i32 eqref f64 funcref)) - (local $11 eqref) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (local.get $0) - ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) + (drop + (call $func_1 + (i31.new + (i32.const 1936946035) ) + (ref.null extern) + (v128.const i32x4 0xff010001 0x4e07ffff 0x00060002 0xff00001f) + (f32.const 6918) + (f32.const 4.921484278772694e-25) ) ) - (block $label$0 (result i32) - (nop) - (local.get $0) + (call $log-i32 + (call $hashMemory) ) ) - (func $func_15 (result i32) + (func $func_2 (param $0 funcref) + (local $1 exnref) + (local $2 (f64 externref f32 f32 v128 eqref)) (block (if (i32.eqz (global.get $hangLimit) ) - (return - (i32.const 32768) - ) + (return) ) (global.set $hangLimit (i32.sub @@ -495,89 +453,26 @@ ) ) ) - (global.get $global$4) - ) - (func $func_16 (param $0 eqref) (param $1 i32) (result funcref) - (local $2 v128) - (local $3 funcref) - (local $4 eqref) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (local.get $3) - ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) + (block $label$0 + (f32.store offset=3 align=2 + (i32.and + (i32.const 15) + (i32.const 15) ) + (f32.const 66) ) + (return) ) - (loop $label$1 (result funcref) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (local.get $3) - ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) - ) - ) - ) - (block (result funcref) - (block $label$2 - (br_if $label$2 - (i32.eqz - (block $label$3 - (global.set $global$4 - (local.tee $1 - (local.get $1) - ) - ) - (block $label$4 - (nop) - (br_if $label$1 - (i32.eqz - (i31.get_u - (i31.new - (i32.const -90) - ) - ) - ) - ) - ) - (br $label$1) - ) - ) - ) - (memory.init 0 - (i32.and - (local.get $1) - (i32.const 15) - ) - (i32.const 16) - (i32.const 3) - ) - ) - (br_if $label$1 - (i32.const 131071) - ) - (local.get $3) - ) + ) + (func $func_2_invoker + (call $func_2 + (ref.null func) ) ) - (func $func_17 (param $0 i64) - (local $1 externref) + (func $func_3 (param $0 eqref) + (local $1 eqref) + (local $2 funcref) + (local $3 funcref) (block (if (i32.eqz @@ -593,249 +488,214 @@ ) ) (block $label$0 - (call $log-i32 - (call $hashMemory) - ) + (atomic.fence) (if - (i32.eqz - (f64.gt - (f64.const 103) - (f64.max - (f64.const 8388607.124) - (if - (i32.eqz - (global.get $global$4) - ) - (block $label$1 - (call $log-v128 - (f64x2.replace_lane 0 - (f32x4.neg - (i8x16.shr_u - (v128.load offset=3 - (i32.const 65535) + (i64.gt_s + (i64.const 379) + (i64.add + (i32.atomic.load offset=22 + (i32.and + (i32.atomic.load offset=22 + (i32.and + (select + (block $label$1 (result i32) + (block $label$2 + (memory.init 0 + (i32.and + (ref.eq + (ref.null eq) + (local.get $0) + ) + (i32.const 15) + ) + (i32.const 8) + (i32.const 9) ) - (loop $label$2 (result i32) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return) + (if + (i32.eqz + (i32.const -75) + ) + (block $label$3 + (nop) + (nop) + ) + (nop) + ) + ) + (i32.const 1903327608) + ) + (select + (loop $label$6 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) - ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) ) ) - (block (result i32) - (block $label$3 - (call $log-exnref - (ref.null exn) + ) + (block $label$7 (result i32) + (loop $label$8 + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) ) - (call $log-i32 - (i32.atomic.rmw8.sub_u offset=22 - (i32.and - (i32.const 6) - (i32.const 15) - ) - (i32.const 1852667194) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) ) ) ) - (br_if $label$2 - (tuple.extract 0 - (tuple.make + (block + (nop) + (br_if $label$8 + (i32.eqz (i32.const -2147483648) - (i31.new - (i32.const -32767) - ) ) ) + (nop) ) - (i32.const -2147483648) ) + (i32.const 76) ) ) - ) - (f64.const -nan:0xffffffffffff3) - ) - ) - (br $label$0) - ) - (block $label$4 - (br_if $label$0 - (i32.eqz - (tuple.extract 2 - (block $label$5 - (call $log-i32 - (call $hashMemory) + (global.get $global$_0) + (if + (i32.const -96) + (block $label$4 + (f32.store offset=3 + (i32.and + (i32.const 4124) + (i32.const 15) + ) + (f32.const -8192.1474609375) + ) + (return) + ) + (block $label$5 + (memory.copy + (i32.and + (i32.const 32768) + (i32.const 15) + ) + (i32.and + (i32.const 2087520520) + (i32.const 15) + ) + (i32.const -131072) + ) + (return) ) - (br $label$0) ) ) + (i32.const 85) ) + (i32.const 15) ) - (br $label$0) ) + (i32.const 15) ) ) + (i64.const 125) ) ) - (block $label$6 - (call $log-i32 - (call $hashMemory) - ) - (call $log-i32 - (call $hashMemory) - ) - ) - (if - (i32.eqz - (i32.or - (i32.const 65535) - (i32.const 8) - ) - ) - (call $log-i32 - (i32.const 608321884) - ) - (atomic.fence) - ) - ) - ) - ) - (func $func_18 (param $0 v128) (param $1 i31ref) (result eqref i31ref i64 v128 eqref) - (local $2 i64) - (local $3 v128) - (local $4 f32) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (tuple.make - (ref.null eq) - (i31.new - (i32.const -2147483648) - ) - (i64.const 369041285507055655) - (v128.const i32x4 0xffffffd1 0xffffffff 0x25312936 0x5455263f) - (ref.null eq) - ) - ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) - ) - ) - ) - (tuple.make - (ref.null eq) - (local.get $1) - (i64.const -32766) - (v128.bitselect - (local.get $3) - (block $label$2 - (atomic.fence) - (return - (tuple.make - (ref.null eq) - (i31.new - (i32.const 19521) + (block $label$9 + (loop $label$10 + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) ) - (i64.const -32766) - (v128.const i32x4 0x4f800000 0x3e116873 0x46ca0800 0x54000000) - (ref.null eq) - ) - ) - ) - (tuple.extract 2 - (tuple.make - (i31.new - (i32.const 1684216173) ) - (ref.null eq) - (v128.const i32x4 0xffa20004 0x00000000 0x2b25ffa6 0x005b0080) - (ref.null eq) - ) - ) - ) - (global.get $global$5) - ) - ) - (func $func_19 (param $0 funcref) (param $1 f64) (result i32) - (local $2 (funcref f32 exnref exnref externref)) - (local $3 externref) - (local $4 v128) - (local $5 f64) - (local $6 i32) - (local $7 (f64 i31ref eqref eqref)) - (local $8 anyref) - (local $9 (eqref i31ref i32 i31ref anyref)) - (local $10 eqref) - (local $11 exnref) - (local $12 externref) - (local $13 externref) - (local $14 externref) - (local $15 i31ref) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (i32.const -131072) - ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) - ) - ) - ) - (select - (i32.atomic.load8_u offset=22 - (i32.and - (local.get $6) - (i32.const 15) - ) - ) - (local.tee $6 - (select - (i16x8.extract_lane_s 4 - (v128.const i32x4 0xfffffff8 0x00008001 0xffffffa0 0x180b1217) - ) - (if (result i32) - (if (result i32) - (i32.eqz - (i32.const 524287) + (block + (local.set $1 + (tuple.extract 2 + (tuple.make + (f32.const 353703200) + (f32.const 31868) + (ref.null eq) + (v128.const i32x4 0x56565656 0xff7fffff 0x41000000 0x41300000) + (i32.const 135290122) + (i31.new + (i32.const 1396855106) + ) + ) + ) + ) + (br_if $label$10 + (i32.eqz + (i32.const -2147483646) + ) ) - (block $label$1 - (memory.init 0 + (i32.atomic.store offset=22 + (i32.and + (i32.load16_u offset=22 + (i32.and + (i32.const 521404930) + (i32.const 15) + ) + ) + (i32.const 15) + ) + (i32.atomic.load offset=3 (i32.and - (f32.ge - (block $label$2 (result f32) - (call $log-i32 - (call $hashMemory) - ) - (if (result f32) - (if (result i32) - (i32.eqz - (loop $label$3 (result i32) + (atomic.notify offset=4 + (i32.and + (if (result i32) + (i32.eqz + (i32.const 1) + ) + (block $label$11 + (br $label$10) + ) + (block $label$12 (result i32) + (i32.store16 offset=2 + (i32.and + (i32.const 65535) + (i32.const 15) + ) + (select + (i32.const -2147483648) + (i32.const 16) + (i32.const 8) + ) + ) + (i64.le_u + (if (result i64) + (i32.const 1464489052) + (i64.atomic.load8_u offset=2 + (i32.and + (global.get $global$_0) + (i32.const 15) + ) + ) + (i64.const 942112219034230640) + ) + (loop $label$13 (result i64) (block (if (i32.eqz (global.get $hangLimit) ) - (return - (i32.const -83) - ) + (return) ) (global.set $hangLimit (i32.sub @@ -844,170 +704,414 @@ ) ) ) - (block (result i32) - (br_if $label$3 - (local.get $6) + (block (result i64) + (if + (i32.eqz + (i32.const 134217728) + ) + (block $label$14 + (nop) + (f64.store offset=22 align=4 + (i32.and + (loop $label$15 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block (result i32) + (nop) + (br_if $label$15 + (i32.const 101189382) + ) + (i32.const -127) + ) + ) + (i32.const 15) + ) + (select + (f64.const -nan:0xfffffffffffa1) + (f64.const -0.394) + (i32.const -127) + ) + ) + ) + (block $label$16 + (f32.store offset=4 align=1 + (i32.and + (block $label$17 + (nop) + (br $label$16) + ) + (i32.const 15) + ) + (f32.const -2048) + ) + (loop $label$18 + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block + (block $label$19 + (local.set $2 + (ref.null func) + ) + (nop) + ) + (br_if $label$18 + (i32.eqz + (i32.const 1246300445) + ) + ) + (drop + (tuple.make + (ref.null func) + (ref.null extern) + (ref.null any) + (v128.const i32x4 0x6c15621e 0x74813332 0x00f8da01 0x001644ae) + (ref.null exn) + ) + ) + ) + ) + ) ) - (br_if $label$3 - (local.get $6) + (br_if $label$13 + (i32.eqz + (global.get $global$_0) + ) ) - (i32.const -33) + (i64.const -4611686018427387904) ) ) ) - (i32.const 2147483647) - (if (result i32) - (i32.eqz - (i32.const 32768) - ) - (i32.const 16404) - (i32.const -1024) - ) ) - (f32.const -nan:0x7fffa8) - (block $label$4 (result f32) - (call $log-i32 - (call $hashMemory) - ) - (f32.const 18446744073709551615) + ) + (i32.const 15) + ) + (i32.const 1111245614) + ) + (i32.const 15) + ) + ) + ) + ) + ) + (return) + ) + (block $label$20 + (nop) + (i64.shr_u + (loop $label$40 + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block + (block $label$41 + (call $log-i32 + (i32.const -66) + ) + ) + (br_if $label$40 + (i32.eqz + (loop $label$42 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) ) ) ) - (if (result f32) - (i32.eqz - (ref.is_null - (if (result externref) + (block (result i32) + (block $label$43 + (nop) + (drop + (if (result f64) (i32.eqz - (i32.const -65535) + (block $label$44 + (call $log-i32 + (call $hashMemory) + ) + (br $label$40) + ) + ) + (tuple.extract 0 + (tuple.make + (f64.const 18446744073709551615) + (i64.const 4294967222) + (i32.const 847216455) + ) + ) + (block $label$45 + (br $label$40) ) - (ref.null extern) - (local.get $12) ) ) ) - (block $label$5 (result f32) - (call $log-f32 - (select - (f32.const 4096) - (f32.const -nan:0x7fffa1) - (i32.const 2097640319) + (br_if $label$42 + (i32.eqz + (if (result i32) + (loop $label$46 + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block $label$47 + (nop) + (br $label$42) + ) + ) + (i32.const 0) + (i32.const 2376257) ) ) - (f32.const 8192) ) - (f32.const -1125899906842624) + (i8x16.all_true + (v128.const i32x4 0xff7fff7f 0x00ffffff 0xfdff0c03 0xffe5fff7) + ) ) ) - (i32.const 15) ) - (i32.const 1) - (i32.const 2) ) - (return - (local.get $6) + (block $label$48 + (br_if $label$40 + (i32.const -32768) + ) + (return) ) ) - (block $label$6 (result i32) - (loop $label$7 - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (i32.const -4096) - ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) - ) - ) + ) + (loop $label$49 + (block + (if + (i32.eqz + (global.get $hangLimit) ) - (block $label$8 - (nop) - (memory.fill - (i32.and - (i8x16.extract_lane_s 11 - (i8x16.max_s - (local.get $4) - (i16x8.add_saturate_u - (v128.const i32x4 0xffea0f4a 0xfdffffec 0xdfff0512 0x1910ffff) - (local.get $4) - ) - ) - ) - (i32.const 15) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block + (block $label$50 + (nop) + (block $label$51 + (drop + (ref.func $func_2) + ) + (br_if $label$51 + (f64.eq + (f64.const 4398046511104) + (global.get $global$_1) ) - (i32.const 1326258715) - (local.get $6) ) ) ) - (local.get $6) - ) - ) - (block $label$9 (result i32) - (i32.const 10353) - ) - (local.get $6) - ) - (select - (i32.const 33554433) - (i32.trunc_f64_s - (f64.const 3402823466385288598117041e14) - ) - (local.tee $6 - (select - (local.get $6) - (ref.eq - (loop $label$0 (result i31ref) - (block - (if - (i32.eqz - (global.get $hangLimit) - ) - (return - (i32.const -32768) + (br_if $label$49 + (i32.eqz + (loop $label$52 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) ) - ) - (global.set $hangLimit - (i32.sub - (global.get $hangLimit) - (i32.const 1) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) ) ) - ) - (block (result i31ref) - (local.set $5 - (f64.const 371920655) - ) - (br_if $label$0 - (i32.eqz - (local.tee $6 - (local.tee $6 - (local.tee $6 - (local.tee $6 - (local.get $6) + (block (result i32) + (block $label$53 + (if + (i32.eqz + (i31.get_s + (i31.new + (i32.const -93) + ) + ) + ) + (br_if $label$49 + (i32.eqz + (i32.const 353711929) + ) + ) + (block $label$54 + (call $log-i32 + (call $hashMemory) + ) + (if + (i32.eqz + (i32.const 511508602) + ) + (block $label$55 + (br_if $label$53 + (i32.eqz + (i31.get_u + (i31.new + (i32.const -512) + ) + ) + ) + ) + (loop $label$56 + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block + (call $log-i32 + (loop $label$57 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block $label$58 (result i32) + (ref.eq + (i31.new + (i32.const -28) + ) + (local.tee $1 + (local.get $1) + ) + ) + ) + ) + ) + (br_if $label$56 + (i32.eqz + (loop $label$59 (result i32) + (block + (if + (i32.eqz + (global.get $hangLimit) + ) + (return) + ) + (global.set $hangLimit + (i32.sub + (global.get $hangLimit) + (i32.const 1) + ) + ) + ) + (block (result i32) + (br_if $label$54 + (i32.eqz + (i32.const 3) + ) + ) + (br_if $label$59 + (i32.const -32769) + ) + (i32.const 337444946) + ) + ) + ) + ) + (nop) + ) + ) + ) + (block $label$60 + (nop) ) ) ) ) + (nop) + ) + (br_if $label$52 + (i32.eqz + (i32.const 127) + ) ) + (i32.const 524288) ) - (local.get $15) ) ) - (local.get $10) ) - (local.get $6) + (return) ) ) ) ) ) - (global.get $global$4) ) ) (func $hangLimitInitializer diff --git a/test/unit/input/hello_world.wat b/test/unit/input/hello_world.wat new file mode 100644 index 000000000..680ee809a --- /dev/null +++ b/test/unit/input/hello_world.wat @@ -0,0 +1,11 @@ +(module + (type $i32_i32_=>_i32 (func (param i32 i32) (result i32))) + (memory $0 256 256) + (export "add" (func $add)) + (func $add (param $x i32) (param $y i32) (result i32) + (i32.add + (local.get $x) + (local.get $y) + ) + ) +) diff --git a/test/unit/input/random_data.txt b/test/unit/input/random_data.txt new file mode 100644 index 000000000..d5000bfbd --- /dev/null +++ b/test/unit/input/random_data.txt @@ -0,0 +1 @@ +6sgkjdfghk34589n-947-vn98f2yr-nb8f7t08b7gv*~&!%&^@}{PASD kjgsdf768 diff --git a/test/unit/test_initial_fuzz.py b/test/unit/test_initial_fuzz.py new file mode 100644 index 000000000..2ddc29884 --- /dev/null +++ b/test/unit/test_initial_fuzz.py @@ -0,0 +1,35 @@ +import subprocess +from scripts.test import shared +from . import utils + + +class InitialFuzzTest(utils.BinaryenTestCase): + def test_empty_initial(self): + # generate fuzz from random data + data = self.input_path('random_data.txt') + a = shared.run_process(shared.WASM_OPT + ['-ttf', '--print', data], + stdout=subprocess.PIPE).stdout + + # generate fuzz from random data with initial empty wasm + empty_wasm = self.input_path('empty.wasm') + b = shared.run_process( + shared.WASM_OPT + ['-ttf', '--print', data, + '--initial-fuzz=' + empty_wasm], + stdout=subprocess.PIPE).stdout + + # an empty initial wasm causes no changes + self.assertEqual(a, b) + + def test_small_initial(self): + data = self.input_path('random_data.txt') + hello_wat = self.input_path('hello_world.wat') + out = shared.run_process(shared.WASM_OPT + ['-ttf', '--print', data, + '--initial-fuzz=' + hello_wat], + stdout=subprocess.PIPE).stdout + + # the function should be there (perhaps with modified contents - don't + # check that) + self.assertIn('(export "add" (func $add))', out) + + # there should be other fuzz contents added as well + self.assertGreater(out.count('(export '), 1) |