Merge pull request #1195 from WebAssembly/fuzz

kripken · web-flow · commit b3d9ad57566c · 2017-09-27T16:42:15.000-07:00
Fuzzer improvements and a fuzz fix on negative-zero comparison
diff --git a/src/ast/ExpressionAnalyzer.cpp b/src/ast/ExpressionAnalyzer.cpp
@@ -252,7 +252,9 @@ bool ExpressionAnalyzer::flexibleEqual(Expression* left, Expression* right, Expr
         break;
       }
       case Expression::Id::ConstId: {
-        CHECK(Const, value);
+        if (!left->cast<Const>()->value.bitwiseEqual(right->cast<Const>()->value)) {
+          return false;
+        }
         break;
       }
       case Expression::Id::UnaryId: {
diff --git a/src/tools/translate-to-fuzz.h b/src/tools/translate-to-fuzz.h
@@ -20,7 +20,6 @@
 //
 
 /*
-memory too
 high chance for set at start of loop
   high chance of get of a set local in the scope of that scope
     high chance of a tee in that case => loop var
@@ -90,6 +89,7 @@ class TranslateToFuzzReader {
 
   // the memory that we use, a small portion so that we have a good chance of
   // looking at writes (we also look outside of this region with small probability)
+  // this should be a power of 2
   static const int USABLE_MEMORY = 32;
 
   // the number of runtime iterations (function calls, loop backbranches) we
@@ -158,6 +158,13 @@ class TranslateToFuzzReader {
     wasm.memory.exists = true;
     // use one page
     wasm.memory.initial = wasm.memory.max = 1;
+    // init some data
+    wasm.memory.segments.emplace_back(builder.makeConst(Literal(int32_t(0))));
+    auto num = upTo(USABLE_MEMORY * 2);
+    for (size_t i = 0; i < num; i++) {
+      auto value = upTo(512);
+      wasm.memory.segments[0].data.push_back(value >= 256 ? 0 : (value & 0xff));
+    }
   }
 
   void setupTable() {
@@ -509,6 +516,10 @@ class TranslateToFuzzReader {
         num /= 2;
       }
     }
+    // not likely to have a block of size 1
+    if (num == 0 && !oneIn(10)) {
+      num++;
+    }
     while (num > 0 && !finishedInput) {
       ret->list.push_back(make(none));
       num--;
@@ -540,7 +551,17 @@ class TranslateToFuzzReader {
     ret->name = makeLabel();
     breakableStack.push_back(ret);
     hangStack.push_back(ret);
-    ret->body = makeMaybeBlock(type);
+    // either create random content, or do something more targeted
+    if (oneIn(2)) {
+      ret->body = makeMaybeBlock(type);
+    } else {
+      // ensure a branch back. also optionally create some loop vars
+      std::vector<Expression*> list;
+      list.push_back(makeMaybeBlock(none)); // primary contents
+      list.push_back(builder.makeBreak(ret->name, nullptr, makeCondition())); // possible branch back
+      list.push_back(make(type)); // final element, so we have the right type
+      ret->body = builder.makeBlock(list);
+    }
     breakableStack.pop_back();
     hangStack.pop_back();
     if (HANG_LIMIT > 0) {
@@ -1147,6 +1168,12 @@ class TranslateToFuzzReader {
     return upTo(x) == 0;
   }
 
+  bool onceEvery(Index x) {
+    static int counter = 0;
+    counter++;
+    return counter % x == 0;
+  }
+
   // apply upTo twice, generating a skewed distribution towards
   // low values
   Index upToSquared(Index x) {
diff --git a/src/wasm.h b/src/wasm.h
@@ -654,8 +654,7 @@ class Table {
     Expression* offset;
     std::vector<Name> data;
     Segment() {}
-    Segment(Expression* offset) : offset(offset) {
-    }
+    Segment(Expression* offset) : offset(offset) {}
     Segment(Expression* offset, std::vector<Name>& init) : offset(offset) {
       data.swap(init);
     }
@@ -685,6 +684,7 @@ class Memory {
     Expression* offset;
     std::vector<char> data; // TODO: optimize
     Segment() {}
+    Segment(Expression* offset) : offset(offset) {}
     Segment(Expression* offset, const char* init, Address size) : offset(offset) {
       data.resize(size);
       std::copy_n(init, size, data.begin());
diff --git a/test/passes/code-folding.txt b/test/passes/code-folding.txt
@@ -1,6 +1,7 @@
 (module
  (type $13 (func (param f32)))
  (type $1 (func))
+ (type $2 (func (result f32)))
  (table 282 282 anyfunc)
  (memory $0 1 1)
  (func $0 (type $1)
@@ -21,4 +22,31 @@
    )
   )
  )
+ (func $negative-zero (type $2) (result f32)
+  (if (result f32)
+   (i32.const 0)
+   (block $label$0 (result f32)
+    (f32.const 0)
+   )
+   (block $label$1 (result f32)
+    (f32.const -0)
+   )
+  )
+ )
+ (func $negative-zero-b (type $2) (result f32)
+  (drop
+   (i32.const 0)
+  )
+  (block $label$0 (result f32)
+   (f32.const -0)
+  )
+ )
+ (func $negative-zero-c (type $2) (result f32)
+  (drop
+   (i32.const 0)
+  )
+  (block $label$0 (result f32)
+   (f32.const 0)
+  )
+ )
 )
diff --git a/test/passes/code-folding.wast b/test/passes/code-folding.wast
@@ -19,5 +19,38 @@
    )
   )
  )
+ (func $negative-zero (result f32)
+  (if (result f32)
+   (i32.const 0)
+   (block $label$0 (result f32)
+    (f32.const 0)
+   )
+   (block $label$1 (result f32)
+    (f32.const -0)
+   )
+  )
+ )
+ (func $negative-zero-b (result f32)
+  (if (result f32)
+   (i32.const 0)
+   (block $label$0 (result f32)
+    (f32.const -0)
+   )
+   (block $label$1 (result f32)
+    (f32.const -0)
+   )
+  )
+ )
+ (func $negative-zero-c (result f32)
+  (if (result f32)
+   (i32.const 0)
+   (block $label$0 (result f32)
+    (f32.const 0)
+   )
+   (block $label$1 (result f32)
+    (f32.const 0)
+   )
+  )
+ )
 )
 
diff --git a/test/passes/translate-to-fuzz.txt b/test/passes/translate-to-fuzz.txt

Original file line number	Diff line number	Diff line change
`@@ -252,7 +252,9 @@ bool ExpressionAnalyzer::flexibleEqual(Expression* left, Expression* right, Expr`
`252`	`252`	`break;`
`253`	`253`	`}`
`254`	`254`	`case Expression::Id::ConstId: {`
`255`		`- CHECK(Const, value);`
	`255`	`+ if (!left->cast<Const>()->value.bitwiseEqual(right->cast<Const>()->value)) {`
	`256`	`+ return false;`
	`257`	`+ }`
`256`	`258`	`break;`
`257`	`259`	`}`
`258`	`260`	`case Expression::Id::UnaryId: {`