Diffstat (limited to 'src')
-rw-r--r--src/ir/effects.h9
-rw-r--r--src/tools/fuzzing.h3
-rw-r--r--src/tools/fuzzing/fuzzing.cpp34
3 files changed, 34 insertions, 12 deletions
diff --git a/src/ir/effects.h b/src/ir/effects.h
index 3ecb54641..ef9aceb37 100644
--- a/src/ir/effects.h
+++ b/src/ir/effects.h
@@ -989,7 +989,14 @@ private:
// traps when an input is null.
parent.implicitTrap = true;
}
- void visitStringEq(StringEq* curr) {}
+ void visitStringEq(StringEq* curr) {
+ if (curr->op == StringEqCompare) {
+ // traps when either input is null.
+ if (curr->left->type.isNullable() || curr->right->type.isNullable()) {
+ parent.implicitTrap = true;
+ }
+ }
+ }
void visitStringAs(StringAs* curr) {
// traps when ref is null.
parent.implicitTrap = true;
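Review bot: The `StringEqEqual` case of the new visitStringEq body silently falls through with no effect, and nothing in the hunk says that is deliberate, so a later reader may assume the nullable check was just forgotten for it. The fuzzer side of this commit builds `StringEqEqual` with `make(Type(HeapType::string, getNullability()))` operands and only routes `StringEqCompare` through makeTrappingRefUse, so equality presumably tolerates null inputs; that should be stated in place, e.g. a comment on the non-compare path `// StringEqEqual accepts null inputs and does not trap.` (worth confirming against the stringref spec). The two nested ifs could also be folded into a single condition, `if (curr->op == StringEqCompare && (curr->left->type.isNullable() || curr->right->type.isNullable()))`, which matches the flat shape of the neighbouring visitors such as visitStringAs.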
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index dc17f7c91..c60744dea 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -327,6 +327,7 @@ private:
Expression* makeStringNewArray();
Expression* makeStringNewCodePoint();
Expression* makeStringConcat();
+ Expression* makeStringEq(Type type);
Expression* makeStringEncode(Type type);
// Similar to makeBasic/CompoundRef, but indicates that this value will be
@@ -398,7 +399,7 @@ private:
Nullability getSuperType(Nullability nullability);
HeapType getSuperType(HeapType type);
Type getSuperType(Type type);
- Type getArrayTypeForString();
+ HeapType getArrayTypeForString();
// Utilities
Name getTargetName(Expression* target);
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 541b58b0f..add0494ea 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -1368,7 +1368,8 @@ Expression* TranslateToFuzzReader::_makeConcrete(Type type) {
&Self::makeI31Get);
options.add(FeatureSet::ReferenceTypes | FeatureSet::GC |
FeatureSet::Strings,
- &Self::makeStringEncode);
+ &Self::makeStringEncode,
+ &Self::makeStringEq);
}
if (type.isTuple()) {
options.add(FeatureSet::Multivalue, &Self::makeTupleMake);
@@ -2755,7 +2756,7 @@ Expression* TranslateToFuzzReader::makeCompoundRef(Type type) {
}
Expression* TranslateToFuzzReader::makeStringNewArray() {
- auto* array = make(getArrayTypeForString());
+ auto* array = makeTrappingRefUse(getArrayTypeForString());
auto* start = make(Type::i32);
auto* end = make(Type::i32);
return builder.makeStringNew(StringNewWTF16Array, array, start, end, false);
@@ -2812,11 +2813,26 @@ Expression* TranslateToFuzzReader::makeStringConst() {
}
Expression* TranslateToFuzzReader::makeStringConcat() {
- auto* left = make(Type(HeapType::string, getNullability()));
- auto* right = make(Type(HeapType::string, getNullability()));
+ auto* left = makeTrappingRefUse(HeapType::string);
+ auto* right = makeTrappingRefUse(HeapType::string);
return builder.makeStringConcat(left, right);
}
+Expression* TranslateToFuzzReader::makeStringEq(Type type) {
+ assert(type == Type::i32);
+
+ if (oneIn(2)) {
+ auto* left = make(Type(HeapType::string, getNullability()));
+ auto* right = make(Type(HeapType::string, getNullability()));
+ return builder.makeStringEq(StringEqEqual, left, right);
+ }
+
+ // string.compare may trap if the either input is null.
+ auto* left = makeTrappingRefUse(HeapType::string);
+ auto* right = makeTrappingRefUse(HeapType::string);
+ return builder.makeStringEq(StringEqCompare, left, right);
+}
+
Expression* TranslateToFuzzReader::makeTrappingRefUse(HeapType type) {
auto percent = upTo(100);
// Only give a low probability to emit a nullable reference.
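Review bot: The comment above the compare branch of makeStringEq has a stray article, `// string.compare may trap if the either input is null.`; it should read `// string.compare may trap if either input is null.`. The contrast between the two branches is the whole point of the function, so the `StringEqEqual` branch deserves a matching line explaining why it is allowed plain `getNullability()` operands instead of makeTrappingRefUse, e.g. `// string.eq tolerates null operands, so no trapping guard is needed.` (hedged, since that fact is only implied by the effects.h change in this commit). `type` is used only in the assert and so is unused in NDEBUG builds; makeStringEncode already has the same shape, so this is consistent rather than new, but `(void)type;` would silence the warning if it is enabled. makeTrappingRefUse at the end of the hunk continues outside it.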
@@ -3920,8 +3936,8 @@ Expression* TranslateToFuzzReader::makeArrayBulkMemoryOp(Type type) {
Expression* TranslateToFuzzReader::makeStringEncode(Type type) {
assert(type == Type::i32);
- auto* ref = make(Type(HeapType::string, getNullability()));
- auto* array = make(getArrayTypeForString());
+ auto* ref = makeTrappingRefUse(HeapType::string);
+ auto* array = makeTrappingRefUse(getArrayTypeForString());
auto* start = make(Type::i32);
// Only rarely emit without a bounds check, which might trap. See related
@@ -4307,12 +4323,10 @@ Type TranslateToFuzzReader::getSuperType(Type type) {
return superType;
}
-Type TranslateToFuzzReader::getArrayTypeForString() {
+HeapType TranslateToFuzzReader::getArrayTypeForString() {
// Emit an array that can be used with JS-style strings, containing 16-bit
// elements. For now, this must be a mutable type as that is all V8 accepts.
- auto arrayHeapType = HeapType(Array(Field(Field::PackedType::i16, Mutable)));
- auto nullability = getNullability();
- return Type(arrayHeapType, nullability);
+ return HeapType(Array(Field(Field::PackedType::i16, Mutable)));
}
Name TranslateToFuzzReader::getTargetName(Expression* target) {