From cd60e11168b830020ab1c1eb4591cc095bfd088f Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 1 Nov 2023 10:34:11 -0700
Subject: [PATCH 01/11] better
---
 src/tools/fuzzing.h | 2 +
 src/tools/fuzzing/fuzzing.cpp | 20 ++++-
 test/passes/fuzz_metrics_noprint.bin.txt | 56 +++++++-------
 ...e-to-fuzz_all-features_metrics_noprint.txt | 76 +++++++++----------
 4 files changed, 83 insertions(+), 71 deletions(-)
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index a40a76106a4..3fe2505741b 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -289,8 +289,10 @@ class TranslateToFuzzReader {
   Expression* makeCallRef(Type type);
   Expression* makeLocalGet(Type type);
   Expression* makeLocalSet(Type type);
+
   // Some globals are for internal use, and should not be modified by random
   // fuzz code.
+  std::unordered_set invalidGlobals;
   bool isValidGlobal(Name name);
 
   Expression* makeGlobalGet(Type type);
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index ef7b3a5b72a..0d20f9ac7b3 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -379,6 +379,21 @@ void TranslateToFuzzReader::setupGlobals() {
       }
     }
   }
+
+  // Randomly assign some globals from initial content to be invalid for the
+  // fuzzer to use. Such globals will only be used from initial content. This is
+  // important to preserve some real-world patterns, like the "once" pattern in
+  // which a global is used in one function only. (If we randomly emitted gets
+  // and sets of such globals, we'd with very high probability end up breaking
+  // that pattern, and not fuzzing it at all.)
+  auto percent = upTo(100);
+  for (auto& global : wasm.globals) {
+    if (upTo(100) < percent) {
+      invalidGlobals.insert(global->name);
+    }
+  }
+
+  // Create new random globals.
   for (size_t index = upTo(MAX_GLOBALS); index > 0; --index) {
     auto type = getConcreteType();
     auto* init = makeConst(type);
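Review bot: The member added as `std::unordered_set invalidGlobals;` in the fuzzing.h hunk has no element type, which would not compile as written; presumably the angle-bracketed argument was lost when the patch was rendered, and the intended declaration is `std::unordered_set<Name> invalidGlobals;`, matching the `Name` parameter of `isValidGlobal` on the next line. If this header does not already pull in `<unordered_set>`, that include is needed as well. The class body continues outside the hunk.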
@@ -491,6 +506,9 @@ void TranslateToFuzzReader::finalizeTable() {
 
 void TranslateToFuzzReader::prepareHangLimitSupport() {
   HANG_LIMIT_GLOBAL = Names::getValidGlobalName(wasm, "hangLimit");
+
+  // We don't want random fuzz code to use the hang limit global.
+  invalidGlobals.insert(HANG_LIMIT_GLOBAL);
 }
 
 void TranslateToFuzzReader::addHangLimitSupport() {
@@ -1697,7 +1715,7 @@ Expression* TranslateToFuzzReader::makeLocalSet(Type type) {
 }
 
 bool TranslateToFuzzReader::isValidGlobal(Name name) {
-  return name != HANG_LIMIT_GLOBAL;
+  return !invalidGlobals.count(name);
 }
 
 Expression* TranslateToFuzzReader::makeGlobalGet(Type type) {
diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt
index 703c2aeb411..2f6230d81c4 100644
--- a/test/passes/fuzz_metrics_noprint.bin.txt
+++ b/test/passes/fuzz_metrics_noprint.bin.txt
@@ -1,34 +1,34 @@
 total
- [exports] : 29
- [funcs] : 39
- [globals] : 9
+ [exports] : 35
+ [funcs] : 54
+ [globals] : 20
  [imports] : 4
  [memories] : 1
  [memory-data] : 2
- [table-data] : 6
+ [table-data] : 14
  [tables] : 1
  [tags] : 0
- [total] : 5494
- [vars] : 119
- Binary : 400
- Block : 892
- Break : 210
- Call : 232
- CallIndirect : 12
- Const : 898
- Drop : 49
- GlobalGet : 421
- GlobalSet : 333
- If : 289
- Load : 113
- LocalGet : 434
- LocalSet : 306
- Loop : 118
- Nop : 85
- RefFunc : 6
- Return : 62
- Select : 52
- Store : 45
- Switch : 1
- Unary : 380
- Unreachable : 156
+ [total] : 6037
+ [vars] : 143
+ Binary : 453
+ Block : 989
+ Break : 189
+ Call : 300
+ CallIndirect : 48
+ Const : 974
+ Drop : 50
+ GlobalGet : 463
+ GlobalSet : 360
+ If : 329
+ Load : 109
+ LocalGet : 468
+ LocalSet : 355
+ Loop : 120
+ Nop : 82
+ RefFunc : 14
+ Return : 72
+ Select : 38
+ Store : 42
+ Switch : 2
+ Unary : 404
+ Unreachable : 176
diff --git a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
index 6f507890946..62658d3ab3d 100644
--- a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt +++ b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt @@ -1,55 +1,47 @@ total [exports] : 3 [funcs] : 6 - [globals] : 1 + [globals] : 17 [imports] : 5 [memories] : 1 [memory-data] : 20 [table-data] : 1 [tables] : 1 [tags] : 2 - [total] : 643 - [vars] : 36 - ArrayCopy : 1 - ArrayFill : 1 - ArrayGet : 1 - ArrayLen : 5 + [total] : 494 + [vars] : 63 + ArrayGet : 2 + ArrayLen : 4 ArrayNew : 7 - ArraySet : 1 - AtomicNotify : 1 - AtomicRMW : 1 - Binary : 84 - Block : 58 - Break : 9 - Call : 22 - CallRef : 2 - Const : 144 - Drop : 2 - GlobalGet : 16 - GlobalSet : 16 - I31Get : 2 - If : 20 - Load : 20 - LocalGet : 75 - LocalSet : 48 - Loop : 4 - MemoryInit : 1 - Nop : 4 + ArraySet : 3 + AtomicFence : 2 + Binary : 72 + Block : 47 + Break : 6 + Call : 2 + CallRef : 1 + Const : 100 + DataDrop : 1 + GlobalGet : 18 + GlobalSet : 18 + If : 17 + Load : 18 + LocalGet : 60 + LocalSet : 40 + Loop : 5 + Nop : 5 Pop : 4 - RefAs : 4 - RefFunc : 6 - RefI31 : 3 - RefNull : 11 - RefTest : 1 - Return : 7 + RefAs : 3 + RefFunc : 4 + RefI31 : 1 + RefIsNull : 1 + RefNull : 6 + Return : 4 SIMDExtract : 1 - Select : 5 - Store : 3 - StructGet : 3 - StructNew : 7 - StructSet : 1 + Select : 2 + StructNew : 4 Try : 3 - TupleExtract : 7 - TupleMake : 10 - Unary : 14 - Unreachable : 8 + TupleExtract : 1 + TupleMake : 3 + Unary : 18 + Unreachable : 11 From 314b54bd882555ef7f740bdf5e0ce716777b7533 Mon Sep 17 00:00:00 2001 From: Alon Zakai Date: Wed, 1 Nov 2023 10:45:28 -0700 Subject: [PATCH 02/11] undo --- src/tools/fuzzing/fuzzing.cpp | 11 ++- test/passes/fuzz_metrics_noprint.bin.txt | 56 +++++++------- ...e-to-fuzz_all-features_metrics_noprint.txt | 76 ++++++++++--------- 3 files changed, 77 insertions(+), 66 deletions(-) diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp index 0d20f9ac7b3..05ad1f990d9 100644 --- a/src/tools/fuzzing/fuzzing.cpp +++ b/src/tools/fuzzing/fuzzing.cpp 
@@ -386,10 +386,13 @@ void TranslateToFuzzReader::setupGlobals() {
   // which a global is used in one function only. (If we randomly emitted gets
   // and sets of such globals, we'd with very high probability end up breaking
   // that pattern, and not fuzzing it at all.)
-  auto percent = upTo(100);
-  for (auto& global : wasm.globals) {
-    if (upTo(100) < percent) {
-      invalidGlobals.insert(global->name);
+  if (!wasm.globals.empty()) {
+abort();
+    auto percent = upTo(100);
+    for (auto& global : wasm.globals) {
+      if (upTo(100) < percent) {
+        invalidGlobals.insert(global->name);
+      }
     }
   }
 
diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt
index 2f6230d81c4..703c2aeb411 100644
--- a/test/passes/fuzz_metrics_noprint.bin.txt
+++ b/test/passes/fuzz_metrics_noprint.bin.txt
@@ -1,34 +1,34 @@
 total
- [exports] : 35
- [funcs] : 54
- [globals] : 20
+ [exports] : 29
+ [funcs] : 39
+ [globals] : 9
  [imports] : 4
  [memories] : 1
  [memory-data] : 2
- [table-data] : 14
+ [table-data] : 6
  [tables] : 1
  [tags] : 0
- [total] : 6037
- [vars] : 143
- Binary : 453
- Block : 989
- Break : 189
- Call : 300
- CallIndirect : 48
- Const : 974
- Drop : 50
- GlobalGet : 463
- GlobalSet : 360
- If : 329
- Load : 109
- LocalGet : 468
- LocalSet : 355
- Loop : 120
- Nop : 82
- RefFunc : 14
- Return : 72
- Select : 38
- Store : 42
- Switch : 2
- Unary : 404
- Unreachable : 176
+ [total] : 5494
+ [vars] : 119
+ Binary : 400
+ Block : 892
+ Break : 210
+ Call : 232
+ CallIndirect : 12
+ Const : 898
+ Drop : 49
+ GlobalGet : 421
+ GlobalSet : 333
+ If : 289
+ Load : 113
+ LocalGet : 434
+ LocalSet : 306
+ Loop : 118
+ Nop : 85
+ RefFunc : 6
+ Return : 62
+ Select : 52
+ Store : 45
+ Switch : 1
+ Unary : 380
+ Unreachable : 156
diff --git a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
index 62658d3ab3d..6f507890946 100644
--- a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
+++ b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt @@ -1,47 +1,55 @@ total [exports] : 3 [funcs] : 6 - [globals] : 17 + [globals] : 1 [imports] : 5 [memories] : 1 [memory-data] : 20 [table-data] : 1 [tables] : 1 [tags] : 2 - [total] : 494 - [vars] : 63 - ArrayGet : 2 - ArrayLen : 4 + [total] : 643 + [vars] : 36 + ArrayCopy : 1 + ArrayFill : 1 + ArrayGet : 1 + ArrayLen : 5 ArrayNew : 7 - ArraySet : 3 - AtomicFence : 2 - Binary : 72 - Block : 47 - Break : 6 - Call : 2 - CallRef : 1 - Const : 100 - DataDrop : 1 - GlobalGet : 18 - GlobalSet : 18 - If : 17 - Load : 18 - LocalGet : 60 - LocalSet : 40 - Loop : 5 - Nop : 5 + ArraySet : 1 + AtomicNotify : 1 + AtomicRMW : 1 + Binary : 84 + Block : 58 + Break : 9 + Call : 22 + CallRef : 2 + Const : 144 + Drop : 2 + GlobalGet : 16 + GlobalSet : 16 + I31Get : 2 + If : 20 + Load : 20 + LocalGet : 75 + LocalSet : 48 + Loop : 4 + MemoryInit : 1 + Nop : 4 Pop : 4 - RefAs : 3 - RefFunc : 4 - RefI31 : 1 - RefIsNull : 1 - RefNull : 6 - Return : 4 + RefAs : 4 + RefFunc : 6 + RefI31 : 3 + RefNull : 11 + RefTest : 1 + Return : 7 SIMDExtract : 1 - Select : 2 - StructNew : 4 + Select : 5 + Store : 3 + StructGet : 3 + StructNew : 7 + StructSet : 1 Try : 3 - TupleExtract : 1 - TupleMake : 3 - Unary : 18 - Unreachable : 11 + TupleExtract : 7 + TupleMake : 10 + Unary : 14 + Unreachable : 8 From f64aca90ac9e86d145e903065cf507ab799e1aed Mon Sep 17 00:00:00 2001 From: Alon Zakai Date: Wed, 1 Nov 2023 11:01:58 -0700 Subject: [PATCH 03/11] bettr --- src/tools/fuzzing/fuzzing.cpp | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp index 05ad1f990d9..58c28eca48d 100644 --- a/src/tools/fuzzing/fuzzing.cpp +++ b/src/tools/fuzzing/fuzzing.cpp 
@@ -387,7 +387,6 @@ void TranslateToFuzzReader::setupGlobals() {
   // and sets of such globals, we'd with very high probability end up breaking
   // that pattern, and not fuzzing it at all.)
   if (!wasm.globals.empty()) {
-abort();
     auto percent = upTo(100);
     for (auto& global : wasm.globals) {
       if (upTo(100) < percent) {
@@ -412,12 +411,16 @@ abort();
     auto mutability = oneIn(2) ? Builder::Mutable : Builder::Immutable;
     auto global = builder.makeGlobal(
       Names::getValidGlobalName(wasm, "global$"), type, init, mutability);
-    globalsByType[type].push_back(global->name);
-    if (mutability == Builder::Mutable) {
-      mutableGlobalsByType[type].push_back(global->name);
-    }
     wasm.addGlobal(std::move(global));
   }
+
+  // Set up data structures for picking globals later for get/set operations.
+  for (auto& global : wasm.globals) {
+    globalsByType[global->type].push_back(global->name);
+    if (global->mutable_) {
+      mutableGlobalsByType[global->type].push_back(global->name);
+    }
+  }
 }
 
 void TranslateToFuzzReader::setupTags() {
From e9740e96c10ae22184e8e676e317db484c22f124 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 1 Nov 2023 12:25:49 -0700
Subject: [PATCH 04/11] better
---
 src/tools/fuzzing.h | 6 -----
 src/tools/fuzzing/fuzzing.cpp | 48 +++++++++++++++--------------------
 2 files changed, 21 insertions(+), 33 deletions(-)
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index 3fe2505741b..837713dceaa 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -289,12 +289,6 @@ class TranslateToFuzzReader {
   Expression* makeCallRef(Type type);
   Expression* makeLocalGet(Type type);
   Expression* makeLocalSet(Type type);
-
-  // Some globals are for internal use, and should not be modified by random
-  // fuzz code.
-  std::unordered_set invalidGlobals;
-  bool isValidGlobal(Name name);
-
   Expression* makeGlobalGet(Type type);
   Expression* makeGlobalSet(Type type);
   Expression* makeTupleMake(Type type);
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 58c28eca48d..a1bfa96de3c 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -386,13 +386,11 @@ void TranslateToFuzzReader::setupGlobals() {
   // which a global is used in one function only. (If we randomly emitted gets
   // and sets of such globals, we'd with very high probability end up breaking
   // that pattern, and not fuzzing it at all.)
-  if (!wasm.globals.empty()) {
-    auto percent = upTo(100);
-    for (auto& global : wasm.globals) {
-      if (upTo(100) < percent) {
-        invalidGlobals.insert(global->name);
-      }
-    }
+  auto numInitialGlobals = wasm.globals.size();
+  unsigned percentInvalidInitialGlobals = 0;
+  if (numInitialGlobals) {
+    // Only generate this random number if it will be used.
+    percentInvalidInitialGlobals = upTo(100);
   }
 
   // Create new random globals.
@@ -415,7 +413,20 @@ void TranslateToFuzzReader::setupGlobals() {
   }
 
   // Set up data structures for picking globals later for get/set operations.
-  for (auto& global : wasm.globals) {
+  for (Index i = 0; i < wasm.globals.size(); i++) {
+    auto& global = wasm.globals[i];
+
+    // We don't want random fuzz code to use the hang limit global.
+    if (global->name == HANG_LIMIT_GLOBAL) {
+      continue;
+    }
+
+    // Apply the chance for initial globals to be ignored, see above
+    if (i < numInitialGlobals && upTo(100) < percentInvalidInitialGlobals) {
+      continue;
+    }
+
+    // This is a global we can use later, note it.
     globalsByType[global->type].push_back(global->name);
     if (global->mutable_) {
       mutableGlobalsByType[global->type].push_back(global->name);
@@ -512,9 +523,6 @@ void TranslateToFuzzReader::finalizeTable() {
 
 void TranslateToFuzzReader::prepareHangLimitSupport() {
   HANG_LIMIT_GLOBAL = Names::getValidGlobalName(wasm, "hangLimit");
-
-  // We don't want random fuzz code to use the hang limit global.
-  invalidGlobals.insert(HANG_LIMIT_GLOBAL);
 }
 
 void TranslateToFuzzReader::addHangLimitSupport() {
@@ -1720,21 +1728,12 @@ Expression* TranslateToFuzzReader::makeLocalSet(Type type) {
   }
 }
 
-bool TranslateToFuzzReader::isValidGlobal(Name name) {
-  return !invalidGlobals.count(name);
-}
-
 Expression* TranslateToFuzzReader::makeGlobalGet(Type type) {
   auto it = globalsByType.find(type);
   if (it == globalsByType.end() || it->second.empty()) {
-    return makeConst(type);
-  }
-  auto name = pick(it->second);
-  if (isValidGlobal(name)) {
-    return builder.makeGlobalGet(name, type);
-  } else {
     return makeTrivial(type);
   }
+  return builder.makeGlobalGet(pick(it->second), type);
 }
 
 Expression* TranslateToFuzzReader::makeGlobalSet(Type type) {
@@ -1744,12 +1743,7 @@ Expression* TranslateToFuzzReader::makeGlobalSet(Type type) {
   if (it == mutableGlobalsByType.end() || it->second.empty()) {
     return makeTrivial(Type::none);
   }
-  auto name = pick(it->second);
-  if (isValidGlobal(name)) {
-    return builder.makeGlobalSet(name, make(type));
-  } else {
-    return makeTrivial(Type::none);
-  }
+  return builder.makeGlobalSet(pick(it->second), make(type));
 }
 
 Expression* TranslateToFuzzReader::makeTupleMake(Type type) {
From f606f9512436b2b2ff5b5ab867ba8a539db8253e Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 1 Nov 2023 12:26:16 -0700
Subject: [PATCH 05/11] update
---
 test/passes/fuzz_metrics_noprint.bin.txt | 50 ++++++------
 ...e-to-fuzz_all-features_metrics_noprint.txt | 77 ++++++++-----------
 2 files changed, 57 insertions(+), 70 deletions(-)
diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt
index 703c2aeb411..ebb43e44646 100644
--- a/test/passes/fuzz_metrics_noprint.bin.txt
+++ b/test/passes/fuzz_metrics_noprint.bin.txt
@@ -1,6 +1,6 @@
 total
- [exports] : 29
- [funcs] : 39
+ [exports] : 18
+ [funcs] : 27
  [globals] : 9
  [imports] : 4
  [memories] : 1
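Review bot: The empty-set fallback of makeGlobalGet changes from `return makeConst(type);` to `return makeTrivial(type);`, a behavior change that is independent of dropping isValidGlobal and that the one-word commit message does not mention. makeGlobalSet's fallback already returned `makeTrivial(Type::none)`, so if the aim is to align the two, say so in a comment on the surviving fallback, e.g. `// No usable global of this type: emit a trivial value, as makeGlobalSet does.`; if the constant was intended, keep makeConst. Either way the rationale should be recorded, since the metrics expectations that follow shift with it.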
@@ -8,27 +8,27 @@ total [table-data] : 6 [tables] : 1 [tags] : 0 - [total] : 5494 - [vars] : 119 - Binary : 400 - Block : 892 - Break : 210 - Call : 232 - CallIndirect : 12 - Const : 898 - Drop : 49 - GlobalGet : 421 - GlobalSet : 333 - If : 289 - Load : 113 - LocalGet : 434 - LocalSet : 306 - Loop : 118 - Nop : 85 + [total] : 6170 + [vars] : 84 + Binary : 464 + Block : 989 + Break : 209 + Call : 256 + CallIndirect : 42 + Const : 977 + Drop : 35 + GlobalGet : 471 + GlobalSet : 357 + If : 332 + Load : 125 + LocalGet : 520 + LocalSet : 363 + Loop : 143 + Nop : 89 RefFunc : 6 - Return : 62 - Select : 52 - Store : 45 - Switch : 1 - Unary : 380 - Unreachable : 156 + Return : 89 + Select : 63 + Store : 54 + Switch : 2 + Unary : 413 + Unreachable : 171 diff --git a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt index 6f507890946..9697da8bd15 100644 --- a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt +++ b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt 
@@ -8,48 +8,35 @@ total [table-data] : 1 [tables] : 1 [tags] : 2 - [total] : 643 - [vars] : 36 - ArrayCopy : 1 - ArrayFill : 1 - ArrayGet : 1 - ArrayLen : 5 - ArrayNew : 7 - ArraySet : 1 - AtomicNotify : 1 - AtomicRMW : 1 - Binary : 84 - Block : 58 - Break : 9 - Call : 22 - CallRef : 2 - Const : 144 - Drop : 2 - GlobalGet : 16 - GlobalSet : 16 - I31Get : 2 - If : 20 - Load : 20 - LocalGet : 75 - LocalSet : 48 - Loop : 4 - MemoryInit : 1 - Nop : 4 - Pop : 4 - RefAs : 4 - RefFunc : 6 - RefI31 : 3 - RefNull : 11 - RefTest : 1 - Return : 7 - SIMDExtract : 1 - Select : 5 - Store : 3 - StructGet : 3 - StructNew : 7 - StructSet : 1 - Try : 3 - TupleExtract : 7 - TupleMake : 10 - Unary : 14 - Unreachable : 8 + [total] : 314 + [vars] : 38 + ArrayNew : 2 + ArrayNewFixed : 1 + AtomicFence : 1 + Binary : 58 + Block : 28 + Break : 6 + Call : 10 + Const : 72 + Drop : 3 + GlobalGet : 10 + GlobalSet : 10 + I31Get : 1 + If : 7 + Load : 18 + LocalGet : 36 + LocalSet : 21 + Loop : 1 + Nop : 2 + RefEq : 1 + RefFunc : 2 + RefI31 : 2 + RefNull : 1 + Return : 2 + Select : 1 + Store : 1 + StructGet : 1 + StructNew : 3 + TupleMake : 2 + Unary : 6 + Unreachable : 5 From 45308279a442979aa4c65bc74f193e5dd52df828 Mon Sep 17 00:00:00 2001 From: Alon Zakai Date: Wed, 1 Nov 2023 12:30:20 -0700 Subject: [PATCH 06/11] assert --- src/tools/fuzzing/fuzzing.cpp | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp index a1bfa96de3c..666fa2a1700 100644 --- a/src/tools/fuzzing/fuzzing.cpp +++ b/src/tools/fuzzing/fuzzing.cpp 
@@ -416,11 +416,6 @@ void TranslateToFuzzReader::setupGlobals() {
   for (Index i = 0; i < wasm.globals.size(); i++) {
     auto& global = wasm.globals[i];
 
-    // We don't want random fuzz code to use the hang limit global.
-    if (global->name == HANG_LIMIT_GLOBAL) {
-      continue;
-    }
-
     // Apply the chance for initial globals to be ignored, see above
     if (i < numInitialGlobals && upTo(100) < percentInvalidInitialGlobals) {
       continue;
@@ -431,6 +426,9 @@ void TranslateToFuzzReader::setupGlobals() {
     if (global->mutable_) {
       mutableGlobalsByType[global->type].push_back(global->name);
     }
+
+    // We don't want random fuzz code to use the hang limit global.
+    assert(global->name != HANG_LIMIT_GLOBAL);
   }
 }
 
From a6b3c2d05e54894be3654974274c167973d890eb Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 1 Nov 2023 12:40:00 -0700
Subject: [PATCH 07/11] more
---
 src/tools/fuzzing/fuzzing.cpp | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 666fa2a1700..29d1f70bc8f 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -380,17 +380,20 @@ void TranslateToFuzzReader::setupGlobals() {
     }
   }
 
-  // Randomly assign some globals from initial content to be invalid for the
+  // Randomly assign some globals from initial content to be ignored for the
   // fuzzer to use. Such globals will only be used from initial content. This is
   // important to preserve some real-world patterns, like the "once" pattern in
   // which a global is used in one function only. (If we randomly emitted gets
   // and sets of such globals, we'd with very high probability end up breaking
   // that pattern, and not fuzzing it at all.)
+  //
+  // Pick a percentage of initial globals to ignore later down when we decide
+  // which to allow uses from.
   auto numInitialGlobals = wasm.globals.size();
-  unsigned percentInvalidInitialGlobals = 0;
+  unsigned percentIgnoredInitialGlobals = 0;
   if (numInitialGlobals) {
     // Only generate this random number if it will be used.
-    percentInvalidInitialGlobals = upTo(100);
+    percentIgnoredInitialGlobals = upTo(100);
   }
 
   // Create new random globals.
@@ -417,7 +420,7 @@ void TranslateToFuzzReader::setupGlobals() {
     auto& global = wasm.globals[i];
 
     // Apply the chance for initial globals to be ignored, see above
-    if (i < numInitialGlobals && upTo(100) < percentInvalidInitialGlobals) {
+    if (i < numInitialGlobals && upTo(100) < percentIgnoredInitialGlobals) {
       continue;
     }
 
From f6e2b379ee66d35bc7199fa11ce1121296c8fa27 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 1 Nov 2023 12:40:41 -0700
Subject: [PATCH 08/11] more
---
 src/tools/fuzzing/fuzzing.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 29d1f70bc8f..9e37621ded0 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -419,7 +419,7 @@ void TranslateToFuzzReader::setupGlobals() {
   for (Index i = 0; i < wasm.globals.size(); i++) {
     auto& global = wasm.globals[i];
 
-    // Apply the chance for initial globals to be ignored, see above
+    // Apply the chance for initial globals to be ignored, see above.
     if (i < numInitialGlobals && upTo(100) < percentIgnoredInitialGlobals) {
       continue;
     }
From 022123335b753637b948d2626d74f06829a0d615 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 1 Nov 2023 12:50:21 -0700
Subject: [PATCH 09/11] work
---
 src/tools/fuzzing/fuzzing.cpp | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 9e37621ded0..38a65a3af10 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -429,9 +429,6 @@ void TranslateToFuzzReader::setupGlobals() {
     if (global->mutable_) {
       mutableGlobalsByType[global->type].push_back(global->name);
     }
-
-    // We don't want random fuzz code to use the hang limit global.
-    assert(global->name != HANG_LIMIT_GLOBAL);
   }
 }
 
@@ -1734,7 +1731,11 @@ Expression* TranslateToFuzzReader::makeGlobalGet(Type type) {
   if (it == globalsByType.end() || it->second.empty()) {
     return makeTrivial(type);
   }
-  return builder.makeGlobalGet(pick(it->second), type);
+
+  auto name = pick(it->second);
+  // We don't want random fuzz code to use the hang limit global.
+  assert(name != HANG_LIMIT_GLOBAL);
+  return builder.makeGlobalGet(name, type);
 }
 
 Expression* TranslateToFuzzReader::makeGlobalSet(Type type) {
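Review bot: The `assert(name != HANG_LIMIT_GLOBAL);` added before `return builder.makeGlobalGet(name, type);` in the makeGlobalGet hunk only holds because globalsByType is filled in setupGlobals, which presumably runs before the hang-limit global is added to the module — an ordering this hunk does not state, and under NDEBUG the assert compiles away, so it documents the invariant rather than enforcing it. The comment `// We don't want random fuzz code to use the hang limit global.` reads as if the assert did the excluding; I'd replace it with `// The hang limit global is never registered in globalsByType (setupGlobals runs before it is added — confirm), so random code cannot pick it; this only checks that invariant.` The same comment and assert are repeated in the makeGlobalSet hunk that follows; a small private helper that picks a name from the vector and asserts once would remove the duplication.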
@@ -1744,7 +1745,11 @@ Expression* TranslateToFuzzReader::makeGlobalSet(Type type) {
   if (it == mutableGlobalsByType.end() || it->second.empty()) {
     return makeTrivial(Type::none);
   }
-  return builder.makeGlobalSet(pick(it->second), make(type));
+
+  auto name = pick(it->second);
+  // We don't want random fuzz code to use the hang limit global.
+  assert(name != HANG_LIMIT_GLOBAL);
+  return builder.makeGlobalSet(name, make(type));
 }
 
 Expression* TranslateToFuzzReader::makeTupleMake(Type type) {
From 2d871a2973712c34274ba1d09e8c54b41f184b1b Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 1 Nov 2023 12:50:29 -0700
Subject: [PATCH 10/11] clean
---
 src/tools/fuzzing/fuzzing.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 38a65a3af10..d9e0f6baf77 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -1731,7 +1731,7 @@ Expression* TranslateToFuzzReader::makeGlobalGet(Type type) {
   if (it == globalsByType.end() || it->second.empty()) {
     return makeTrivial(type);
   }
-
+
   auto name = pick(it->second);
   // We don't want random fuzz code to use the hang limit global.
   assert(name != HANG_LIMIT_GLOBAL);
From 007f9578b46bb5094de63fcbdd8d7868bfd672b5 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 1 Nov 2023 12:54:01 -0700
Subject: [PATCH 11/11] fix
---
 test/passes/fuzz_metrics_noprint.bin.txt | 50 ++++++++++++------------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt
index ebb43e44646..703c2aeb411 100644
--- a/test/passes/fuzz_metrics_noprint.bin.txt
+++ b/test/passes/fuzz_metrics_noprint.bin.txt
@@ -1,6 +1,6 @@
 total
- [exports] : 18
- [funcs] : 27
+ [exports] : 29
+ [funcs] : 39
  [globals] : 9
  [imports] : 4
  [memories] : 1
@@ -8,27 +8,27 @@ total [table-data] : 6 [tables] : 1 [tags] : 0 - [total] : 6170 - [vars] : 84 - Binary : 464 - Block : 989 - Break : 209 - Call : 256 - CallIndirect : 42 - Const : 977 - Drop : 35 - GlobalGet : 471 - GlobalSet : 357 - If : 332 - Load : 125 - LocalGet : 520 - LocalSet : 363 - Loop : 143 - Nop : 89 + [total] : 5494 + [vars] : 119 + Binary : 400 + Block : 892 + Break : 210 + Call : 232 + CallIndirect : 12 + Const : 898 + Drop : 49 + GlobalGet : 421 + GlobalSet : 333 + If : 289 + Load : 113 + LocalGet : 434 + LocalSet : 306 + Loop : 118 + Nop : 85 RefFunc : 6 - Return : 89 - Select : 63 - Store : 54 - Switch : 2 - Unary : 413 - Unreachable : 171 + Return : 62 + Select : 52 + Store : 45 + Switch : 1 + Unary : 380 + Unreachable : 156