From 3564b71c25d7691267f5f7d8b95f10fd5929090a Mon Sep 17 00:00:00 2001 From: Alon Zakai Date: Tue, 19 Feb 2019 10:14:59 -0800 Subject: NaN fuzzing improvements (#1913) * make DE_NAN avoid creating nan literals in the first place * add a reducer option `--denan` to not introduce nans in destructive reduction * add a `Literal::isNaN()` method * also remove the default exception logging from the fuzzer js glue, which is a source of non-useful VM differences (like nan nondeterminism) * added an option `--no-fuzz-nans` to make it easy to avoid nans when fuzzing (without hacking the source and recompiling). Background: trying to get fuzzing on jsc working despite this open issue: https://bugs.webkit.org/show_bug.cgi?id=175691 --- src/tools/wasm-reduce.cpp | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) (limited to 'src/tools/wasm-reduce.cpp') diff --git a/src/tools/wasm-reduce.cpp b/src/tools/wasm-reduce.cpp index 8b12c0ef1..bd5a0c1b8 100644 --- a/src/tools/wasm-reduce.cpp +++ b/src/tools/wasm-reduce.cpp @@ -221,11 +221,12 @@ static std::unordered_set functionsWeTriedToRemove; struct Reducer : public WalkerPass>> { std::string command, test, working; - bool binary, verbose, debugInfo; + bool binary, deNan, verbose, debugInfo; // test is the file we write to that the command will operate on // working is the current temporary state, the reduction so far - Reducer(std::string command, std::string test, std::string working, bool binary, bool verbose, bool debugInfo) : command(command), test(test), working(working), binary(binary), verbose(verbose), debugInfo(debugInfo) {} + Reducer(std::string command, std::string test, std::string working, bool binary, bool deNan, bool verbose, bool debugInfo) : + command(command), test(test), working(working), binary(binary), deNan(deNan), verbose(verbose), debugInfo(debugInfo) {} // runs passes in order to reduce, until we can't reduce any more // the criterion here is wasm binary size 
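Review bot: The new `deNan` member and constructor parameter are undocumented, although the comment block directly under the member list explains `test` and `working`. I would add a line there such as `// deNan: when set, reject replacements that would introduce a NaN constant`, which matches how the flag is read in `isOkReplacement` in the next hunk. The constructor now takes four adjacent `bool` parameters with `deNan` inserted in the middle, so a call site that passes them in the wrong order still compiles; naming each flag in a comment at the call would make a swap visible in review. The struct body continues outside this hunk.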
@@ -360,8 +361,22 @@ struct Reducer : public WalkerPassdynCast()) { + if (c->value.isNaN()) { + return false; + } + } + } + return true; + } + // tests a reduction on the current traversal node, and undos if it failed bool tryToReplaceCurrent(Expression* with) { + if (!isOkReplacement(with)) { + return false; + } auto* curr = getCurrent(); //std::cerr << "try " << curr << " => " << with << '\n'; if (curr->type != with->type) return false; @@ -383,6 +398,9 @@ struct Reducer : public WalkerPasstype != with->type) return false; if (!shouldTryToReduce()) return false; auto* before = child; @@ -865,6 +883,7 @@ struct Reducer : public WalkerPass
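Review bot: `isOkReplacement` inspects only the replacement node itself. As far as the visible lines show, it returns false when that node is a constant whose `value.isNaN()` and true for everything else, so a replacement with a NaN constant nested under another node would not be rejected. If `--denan` is meant to guarantee that reduction never adds a NaN literal, the helper should either walk the replacement's children or say so in a comment, e.g. `// only checks a top-level Const; nested constants are not inspected`. Part of this hunk's text is lost on this page, so the exact condition should be confirmed against the file. The hunk at -383 appears to add the same guard to the child-replacement path and would share the same limit.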