From 5177b9180f978baa94a7297111ac60ec4b0251cc Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Thu, 16 Apr 2020 10:40:16 -0700
Subject: Fix OOB fuzzing (#2769)

We should only do weird changes to the fuzz code if we allow out of bounds operations, because the OOB checks are generated as we build the IR, and changing them can remove the checks. (we fuzz 50% of the time with and 50% without OOBs, so this doesn't really hurt us)
---
 src/tools/fuzzing.h | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

(limited to 'src')

diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index c1a81a896..91a808d32 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -573,15 +573,21 @@ private:
 } else {
 func->body = make(bodyType);
 }
- // Recombinations create duplicate code patterns.
- recombine(func);
- // Mutations add random small changes, which can subtly break duplicate code
- // patterns.
- mutate(func);
- // TODO: liveness operations on gets, with some prob alter a get to one with
- // more possible sets
- // Recombination, mutation, etc. can break validation; fix things up after.
- fixLabels(func);
+ // Our OOB checks are already in the code, and if we recombine/mutate we
+ // may end up breaking them. TODO: do them after the fact, like with the
+ // hang limit checks.
+ if (allowOOB) {
+ // Recombinations create duplicate code patterns.
+ recombine(func);
+ // Mutations add random small changes, which can subtly break duplicate
+ // code patterns.
+ mutate(func);
+ // TODO: liveness operations on gets, with some prob alter a get to one
+ // with more possible sets.
+ // Recombination, mutation, etc. can break validation; fix things up
+ // after.
+ fixLabels(func);
+ }
 // Add hang limit checks after all other operations on the function body.
 if (HANG_LIMIT > 0) {
 addHangLimitChecks(func);
--
cgit v1.2.3
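Review bot: The new comment above `if (allowOOB)` says the OOB checks "are already in the code", but the guarded branch runs only when OOB is allowed, i.e. when no inline bounds checks were emitted, so the comment describes the branch that is skipped and a reader may invert the condition. Suggest rewording it to `// When OOB is disallowed, bounds checks were emitted inline while building the IR and recombine/mutate could remove them, so only perturb the body when allowOOB (no inline checks). TODO: apply them after the fact, like the hang limit checks.` The guard also moves `fixLabels(func)` inside the conditional; that is sound only if recombine/mutate are the sole sources of broken labels, so if `make(bodyType)` above can leave labels needing repair the call should stay unconditional — worth confirming against the rest of the function. The enclosing function starts and ends outside the hunk, and `allowOOB` is declared elsewhere.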