From 5beebc6b249c6393e0dbf69f0ec2374eca5d387b Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Mon, 22 May 2023 12:35:23 -0700
Subject: Fuzzer: Limit ArrayNew sizes most of the time (#5738)
---
 src/tools/fuzzing/fuzzing.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'src/tools/fuzzing/fuzzing.cpp')
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index cfc0d9ed8..54ff3533b 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -703,14 +703,23 @@ Function* TranslateToFuzzReader::addFunction() {
 void TranslateToFuzzReader::addHangLimitChecks(Function* func) {
 // loop limit
- FindAll loops(func->body);
- for (auto* loop : loops.list) {
+ for (auto* loop : FindAll(func->body).list) {
 loop->body = builder.makeSequence(makeHangLimitCheck(), loop->body, loop->type);
 }
 // recursion limit
 func->body = builder.makeSequence(makeHangLimitCheck(), func->body, func->getResults());
+ // ArrayNew can hang the fuzzer if the array size is massive. This doesn't
+ // cause an OOM (which the fuzzer knows how to ignore) but it just works for
+ // many seconds on building the array. To avoid that, limit the size with high
+ // probability.
+ for (auto* arrayNew : FindAll(func->body).list) {
+ if (!oneIn(100)) {
+ arrayNew->size = builder.makeBinary(
+ AndInt32, arrayNew->size, builder.makeConst(int32_t(1024 - 1)));
+ }
+ }
 }
 void TranslateToFuzzReader::recombine(Function* func) {
--
cgit v1.2.3
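Review bot: The size cap is expressed with two bare magic numbers, `oneIn(100)` and `int32_t(1024 - 1)`, in the new ArrayNew loop at the end of addHangLimitChecks, and the comment above them says "limit the size with high probability" without stating either the bound or the escape rate, so a reader tuning the fuzzer has to reverse-engineer both. The `& 1023` mask keeps the low ten bits of whatever the original size expression evaluates to, which is what makes this a bounded-resource guard against fuzzer timeouts rather than a correctness change, and the 1-in-100 pass-through deliberately keeps huge allocations reachable; that trade-off deserves to be explicit. I would extend the comment with `// Mask the size into [0, 1023]; ~1% of ArrayNews keep their original (possibly huge) size so that path stays covered.` and, if the file already has a place for such tunables, hoist the two values into named constants so the mask and the pass-through rate can be adjusted together. The header comment's "hang the fuzzer ... works for many seconds" also reads as a timeout rather than a hang; "can stall the fuzzer for many seconds" would be more precise. Both the `for` over loops and the new ArrayNew loop rescan `func->body` after it has been wrapped by `makeSequence`, which is fine here since the list is built before any size is rewritten, but a one-line note saying so would save the next reader the check.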