Add a fuzzer option to not emit code with OOB loads/indirect calls (#2113)

kripken · web-flow · commit 1095ef96673f · 2019-05-17T09:09:17.000-07:00
This is useful for wasm2js, as we don't emit traps for OOB loads etc. like wasm (like we don't trap on bad float-to-int, as it's too hard in JS, and it's undefined behavior in C anyhow). It may also help general fuzzing, as those traps may make other interesting patterns less likely.

Also add more wasm2js support in the fuzzer, which includes using this no-OOB option.
diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py
@@ -48,6 +48,8 @@
 
 LOG_LIMIT = 125
 
+WASM2JS = False
+
 
 # utilities
 
@@ -145,7 +147,10 @@ def run_bynterp(wasm):
 
 def run_wasm2js(wasm):
   wrapper = run([in_bin('wasm-opt'), wasm, '--emit-js-wrapper=/dev/stdout'] + FEATURE_OPTS)
-  main = run([in_bin('wasm2js'), wasm, '--emscripten'] + FEATURE_OPTS)
+  cmd = [in_bin('wasm2js'), wasm, '--emscripten']
+  if random.random() < 0.5:
+    cmd += ['-O']
+  main = run(cmd + FEATURE_OPTS)
   with open(os.path.join(options.binaryen_root, 'scripts', 'wasm2js.js')) as f:
     glue = f.read()
   with open('js.js', 'w') as f:
@@ -164,7 +169,8 @@ def run_vms(prefix):
   results = []
   results.append(run_bynterp(wasm))
   results.append(fix_output(run_vm([os.path.expanduser('d8'), prefix + 'js'] + V8_OPTS + ['--', wasm])))
-  # results.append(run_wasm2js(wasm))
+  if WASM2JS:
+    results.append(run_wasm2js(wasm))
 
   # append to add results from VMs
   # results += [fix_output(run_vm([os.path.expanduser('d8'), prefix + 'js'] + V8_OPTS + ['--', prefix + 'wasm']))]
@@ -292,6 +298,12 @@ def get_multiple_opt_choices():
 if not NANS:
   FUZZ_OPTS += ['--no-fuzz-nans']
 
+if WASM2JS:
+  # wasm2js does not handle nans precisely, and does not
+  # handle oob loads etc. with traps
+  FUZZ_OPTS += ['--no-fuzz-nans']
+  FUZZ_OPTS += ['--no-fuzz-oob']
+
 if __name__ == '__main__':
   print('checking infinite random inputs')
   random.seed(time.time() * os.getpid())
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
@@ -189,6 +189,8 @@ class TranslateToFuzzReader {
 
   void setAllowMemory(bool allowMemory_) { allowMemory = allowMemory_; }
 
+  void setAllowOOB(bool allowOOB_) { allowOOB = allowOOB_; }
+
   void build() {
     if (allowMemory) {
       setupMemory();
@@ -252,6 +254,10 @@ class TranslateToFuzzReader {
   // Whether to emit memory operations like loads and stores.
   bool allowMemory = true;
 
+  // Whether to emit loads, stores, and call_indirects that may be out
+  // of bounds (which traps in wasm, and is undefined behavior in C).
+  bool allowOOB = true;
+
   // Whether to emit atomic waits (which in single-threaded mode, may hang...)
   static const bool ATOMIC_WAITS = false;
 
@@ -1212,7 +1218,7 @@ class TranslateToFuzzReader {
     // with high probability, make sure the type is valid  otherwise, most are
     // going to trap
     Expression* target;
-    if (!oneIn(10)) {
+    if (!allowOOB || !oneIn(10)) {
       target = builder.makeConst(Literal(int32_t(i)));
     } else {
       target = make(i32);
@@ -1277,7 +1283,7 @@ class TranslateToFuzzReader {
     // with high probability, mask the pointer so it's in a reasonable
     // range. otherwise, most pointers are going to be out of range and
     // most memory ops will just trap
-    if (!oneIn(10)) {
+    if (!allowOOB || !oneIn(10)) {
       ret = builder.makeBinary(
         AndInt32, ret, builder.makeConst(Literal(int32_t(USABLE_MEMORY - 1))));
     }
diff --git a/src/tools/wasm-opt.cpp b/src/tools/wasm-opt.cpp
@@ -73,6 +73,7 @@ int main(int argc, const char* argv[]) {
   bool fuzzPasses = false;
   bool fuzzNaNs = true;
   bool fuzzMemory = true;
+  bool fuzzOOB = true;
   std::string emitJSWrapper;
   std::string emitSpecWrapper;
   std::string inputSourceMapFilename;
@@ -157,6 +158,11 @@ int main(int argc, const char* argv[]) {
          "don't emit memory ops when fuzzing",
          Options::Arguments::Zero,
          [&](Options* o, const std::string& arguments) { fuzzMemory = false; })
+    .add("--no-fuzz-oob",
+         "",
+         "don't emit out-of-bounds loads/stores/indirect calls when fuzzing",
+         Options::Arguments::Zero,
+         [&](Options* o, const std::string& arguments) { fuzzOOB = false; })
     .add("--emit-js-wrapper",
          "-ejw",
          "Emit a JavaScript wrapper file that can run the wasm with some test "
@@ -242,6 +248,7 @@ int main(int argc, const char* argv[]) {
     }
     reader.setAllowNaNs(fuzzNaNs);
     reader.setAllowMemory(fuzzMemory);
+    reader.setAllowOOB(fuzzOOB);
     reader.build();
     if (options.passOptions.validate) {
       if (!WasmValidator().validate(wasm)) {
