-rwxr-xr-xscripts/fuzz_opt.py6
-rw-r--r--src/tools/fuzzing.h1
-rw-r--r--src/tools/fuzzing/fuzzing.cpp34
-rw-r--r--test/passes/fuzz_metrics_noprint.bin.txt57
-rw-r--r--test/passes/translate-to-fuzz_all-features_metrics_noprint.txt75
5 files changed, 93 insertions, 80 deletions
diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py
index 433bc189f..c465fbcf3 100755
--- a/scripts/fuzz_opt.py
+++ b/scripts/fuzz_opt.py
@@ -416,8 +416,6 @@ def pick_initial_contents():
global FEATURE_OPTS
FEATURE_OPTS += [
- # has not been fuzzed in general yet
- '--disable-memory64',
# avoid multivalue for now due to bad interactions with gc non-nullable
# locals in stacky code. for example, this fails to roundtrip as the
# tuple code ends up creating stacky binary code that needs to spill
@@ -692,6 +690,8 @@ def run_vm(cmd):
# (https://github.com/WebAssembly/binaryen/pull/6574)
'expected (ref stringview_wtf16), got nullref',
'expected type (ref stringview_wtf16), found ref.null of type nullref',
+ # wasm64 memories have a V8 limit
+ 'larger than implementation limit',
]
for issue in known_issues:
if issue in output:
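Review bot: The new `'larger than implementation limit'` entry in `known_issues` is a short, generic substring, so any VM output containing it is treated as a known issue, not only the wasm64 memory case the comment names. If V8 prints a longer, memory-specific message for this limit, matching that text would keep unrelated limit errors visible to the fuzzer instead of silently ignoring them. The comment could also say which limit is meant, for example `# V8 rejects wasm64 memories above its maximum memory size (<link to V8 issue>)`. run_vm continues outside the hunk, so what happens after a match is not visible here.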
@@ -1175,7 +1175,7 @@ class Wasm2JS(TestCaseHandler):
# specifically for growth here
if INITIAL_CONTENTS:
return False
- return all_disallowed(['exception-handling', 'simd', 'threads', 'bulk-memory', 'nontrapping-float-to-int', 'tail-call', 'sign-ext', 'reference-types', 'multivalue', 'gc', 'multimemory'])
+ return all_disallowed(['exception-handling', 'simd', 'threads', 'bulk-memory', 'nontrapping-float-to-int', 'tail-call', 'sign-ext', 'reference-types', 'multivalue', 'gc', 'multimemory', 'memory64'])
# given a wasm, find all the exports of particular kinds (for example, kinds
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index 0ecc751a4..6f73feca9 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -26,7 +26,6 @@ high chance for set at start of loop
*/
#include "ir/branch-utils.h"
-#include "ir/memory-utils.h"
#include "ir/struct-utils.h"
#include "support/insert_ordered.h"
#include "tools/fuzzing/random.h"
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 5dcdc66d5..26c321961 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -199,8 +199,24 @@ void TranslateToFuzzReader::build() {
}
void TranslateToFuzzReader::setupMemory() {
- // Add memory itself
- MemoryUtils::ensureExists(&wasm);
+ // Add a memory, if one does not already exist.
+ if (wasm.memories.empty()) {
+ auto memory = Builder::makeMemory("0");
+ // Add at least one page of memory.
+ memory->initial = 1 + upTo(10);
+ // Make the max potentially higher, or unlimited.
+ if (oneIn(2)) {
+ memory->max = memory->initial + upTo(4);
+ } else {
+ memory->max = Memory::kUnlimitedSize;
+ }
+ // Fuzz wasm64 when possible, sometimes.
+ if (wasm.features.hasMemory64() && oneIn(2)) {
+ memory->indexType = Type::i64;
+ }
+ wasm.addMemory(std::move(memory));
+ }
+
auto& memory = wasm.memories[0];
if (wasm.features.hasBulkMemory()) {
size_t memCovered = 0;
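Review bot: The comment `// Fuzz wasm64 when possible, sometimes.` does not record the obligation that setting `memory->indexType = Type::i64` creates: every later constant used as an address or segment offset must be built with the memory's index type, which the other hunks in this file do by hand. I would spell that out, e.g. `// Use a 64-bit index type half the time when memory64 is enabled; all offsets and pointers created later must use memory->indexType.` The sizes are also bare numbers; a short comment that `initial` and `max` are in wasm pages and are kept small on purpose (if that is the intent) would help. setupMemory's body continues past the end of the hunk.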
@@ -217,7 +233,8 @@ void TranslateToFuzzReader::setupMemory() {
segment->data[j] = upTo(512);
}
if (!segment->isPassive) {
- segment->offset = builder.makeConst(int32_t(memCovered));
+ segment->offset = builder.makeConst(
+ Literal::makeFromInt32(memCovered, memory->indexType));
memCovered += segSize;
segment->memory = memory->name;
}
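Review bot: `Literal::makeFromInt32(memCovered, memory->indexType)` passes `memCovered`, declared `size_t` a few lines above, without the explicit `int32_t(...)` cast the removed line had. Assuming the first parameter is a 32-bit integer as the name suggests, the narrowing is now implicit and, for an i64 memory, a value above INT32_MAX would presumably be widened from a negative number. Keeping the cast visible, `Literal::makeFromInt32(int32_t(memCovered), memory->indexType)`, or asserting that `memCovered` fits, documents that offsets are expected to stay small. The same applies to `i` in the makeCallIndirect hunk if it is wider than 32 bits; its declaration is outside that hunk.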
@@ -227,7 +244,8 @@ void TranslateToFuzzReader::setupMemory() {
// init some data
auto segment = builder.makeDataSegment();
segment->memory = memory->name;
- segment->offset = builder.makeConst(int32_t(0));
+ segment->offset =
+ builder.makeConst(Literal::makeFromInt32(0, memory->indexType));
segment->setName(Names::getValidDataSegmentName(wasm, Name::fromInt(0)),
false);
auto num = upTo(USABLE_MEMORY * 2);
@@ -364,10 +382,11 @@ void TranslateToFuzzReader::setupTables() {
[&](auto& segment) {
return segment->table.is() && segment->type == funcref;
});
+ auto indexType = wasm.getTable(funcrefTableName)->indexType;
if (!hasFuncrefElemSegment) {
// TODO: use a random table
auto segment = std::make_unique<ElementSegment>(
- table->name, builder.makeConst(int32_t(0)));
+ table->name, builder.makeConst(Literal::makeFromInt32(0, indexType)));
segment->setName(Names::getValidElementSegmentName(wasm, "elem$"), false);
wasm.addElementSegment(std::move(segment));
}
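Review bot: The added `auto indexType = wasm.getTable(funcrefTableName)->indexType;` looks the table up by name, while the segment two lines later is built on `table->name`, so the offset's type and the segment's table come from two different expressions. If `table` is the funcref table at this point (its assignment is outside the hunk), `auto indexType = table->indexType;` would tie the two together and avoid the lookup. If they can differ, the offset constant should take the index type of the table the segment is attached to.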
@@ -1988,11 +2007,12 @@ Expression* TranslateToFuzzReader::makeCallIndirect(Type type) {
}
// with high probability, make sure the type is valid otherwise, most are
// going to trap
+ auto indexType = wasm.getTable(funcrefTableName)->indexType;
Expression* target;
if (!allowOOB || !oneIn(10)) {
- target = builder.makeConst(int32_t(i));
+ target = builder.makeConst(Literal::makeFromInt32(i, indexType));
} else {
- target = make(Type::i32);
+ target = make(indexType);
}
std::vector<Expression*> args;
for (const auto& type : targetFn->getParams()) {
diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt
index fab2ccc9d..cf3692a1f 100644
--- a/test/passes/fuzz_metrics_noprint.bin.txt
+++ b/test/passes/fuzz_metrics_noprint.bin.txt
@@ -1,35 +1,34 @@
Metrics
total
- [exports] : 50
- [funcs] : 72
- [globals] : 9
+ [exports] : 14
+ [funcs] : 17
+ [globals] : 10
[imports] : 4
[memories] : 1
- [memory-data] : 2
- [table-data] : 25
+ [memory-data] : 24
+ [table-data] : 3
[tables] : 1
[tags] : 0
- [total] : 4381
- [vars] : 218
- Binary : 335
- Block : 725
- Break : 120
- Call : 210
- CallIndirect : 23
- Const : 692
- Drop : 64
- GlobalGet : 391
- GlobalSet : 298
- If : 236
- Load : 71
- LocalGet : 285
- LocalSet : 209
- Loop : 76
- Nop : 63
- RefFunc : 25
- Return : 60
- Select : 23
- Store : 29
- Switch : 2
- Unary : 293
- Unreachable : 151
+ [total] : 8422
+ [vars] : 42
+ Binary : 633
+ Block : 1449
+ Break : 335
+ Call : 123
+ CallIndirect : 40
+ Const : 1247
+ Drop : 85
+ GlobalGet : 707
+ GlobalSet : 526
+ If : 490
+ Load : 156
+ LocalGet : 627
+ LocalSet : 520
+ Loop : 235
+ Nop : 126
+ RefFunc : 3
+ Return : 87
+ Select : 82
+ Store : 70
+ Unary : 622
+ Unreachable : 259
diff --git a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
index 3189277b0..9d2b4e3da 100644
--- a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
+++ b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
@@ -1,51 +1,46 @@
Metrics
total
- [exports] : 4
- [funcs] : 3
+ [exports] : 8
+ [funcs] : 9
[globals] : 26
[imports] : 8
[memories] : 1
- [memory-data] : 20
+ [memory-data] : 112
[table-data] : 0
[tables] : 1
[tags] : 2
- [total] : 534
- [vars] : 21
+ [total] : 487
+ [vars] : 37
+ ArrayFill : 1
ArrayGet : 1
- ArrayLen : 1
- ArrayNew : 13
- ArrayNewFixed : 2
- AtomicNotify : 2
- Binary : 68
- Block : 53
- BrOn : 1
- Break : 8
- Call : 11
- CallRef : 1
- Const : 117
- DataDrop : 1
- Drop : 7
- GlobalGet : 27
- GlobalSet : 16
+ ArrayLen : 2
+ ArrayNew : 7
+ ArrayNewFixed : 5
+ Binary : 69
+ Block : 42
+ Break : 2
+ Call : 9
+ Const : 103
+ Drop : 3
+ GlobalGet : 30
+ GlobalSet : 20
If : 13
- Load : 19
- LocalGet : 56
- LocalSet : 39
- Loop : 6
- Nop : 2
- Pop : 3
- RefAs : 4
- RefFunc : 2
- RefNull : 7
- RefTest : 1
- Return : 3
- SIMDExtract : 3
- Store : 2
- StringConst : 2
- StringWTF16Get : 1
- StructNew : 11
- Try : 3
- TryTable : 1
- TupleMake : 3
- Unary : 14
+ Load : 18
+ LocalGet : 41
+ LocalSet : 24
+ Loop : 2
+ Nop : 1
+ Pop : 1
+ RefFunc : 21
+ RefNull : 5
+ Return : 5
+ Select : 2
+ StringConst : 3
+ StringEq : 1
+ StructNew : 27
+ Try : 1
+ TryTable : 2
+ TupleExtract : 1
+ TupleMake : 4
+ Unary : 11
Unreachable : 10