Fuzzer: Adjust parameters by input size, sometimes (#7276)

kripken · web-flow · commit d9fa84a038ba · 2025-02-14T14:26:39.000-08:00
Rather than always have a fixed max of heap types, globals, etc. allow more if
the input size is large. This adds variety.

There is a cost to this variety, we go from 0.89% ignored runs to 1.1% (that is,
slightly more runs contain something that prevents us from doing the work
we want, like hitting a host limitation or seeing the testcase just traps). This
increase seems small enough to be reasonable, and we only do this half the
time, so the old behavior is still being tested at half throughput.
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
@@ -36,10 +36,6 @@ TranslateToFuzzReader::TranslateToFuzzReader(Module& wasm,
   : wasm(wasm), closedWorld(closedWorld), builder(wasm),
     random(std::move(input), wasm.features) {
 
-  // Half the time add no unreachable code so that we'll execute the most code
-  // as possible with no early exits.
-  allowAddingUnreachableCode = oneIn(2);
-
   // - funcref cannot be logged because referenced functions can be inlined or
   // removed during optimization
   // - there's no point in logging anyref because it is opaque
@@ -49,7 +45,53 @@ TranslateToFuzzReader::TranslateToFuzzReader(Module& wasm,
     loggableTypes.push_back(Type::v128);
   }
 
+  // Setup params. Start with the defaults.
   globalParams = std::make_unique<FuzzParamsContext>(*this);
+
+  // Some of the time, adjust parameters based on the size, e.g. allowing more
+  // heap types in larger inputs, etc.
+  if (random.oneIn(2)) {
+    // A typical random wasm input from fuzz_opt.py is fairly large (to minimize
+    // the process creation overhead of all the things we run from python), and
+    // the defaults are tuned to that. This corresponds to INPUT_SIZE_MEAN in
+    // scripts/fuzz_opt.py
+    const double MEAN_SIZE = 40 * 1024;
+
+    // As we have not read anything from the input, the remaining size is its
+    // size.
+    double size = random.remaining();
+    auto ratio = size / MEAN_SIZE;
+
+    auto bits = random.get();
+    if (bits & 1) {
+      fuzzParams->MAX_NEW_GC_TYPES *= ratio;
+    }
+    if (bits & 2) {
+      fuzzParams->MAX_GLOBALS *= ratio;
+    }
+    if (bits & 4) {
+      // Only adjust the limit if there is one.
+      if (fuzzParams->HANG_LIMIT) {
+        fuzzParams->HANG_LIMIT *= ratio;
+        // There is a limit, so keep it non-zero to actually prevent hangs.
+        fuzzParams->HANG_LIMIT = std::max(fuzzParams->HANG_LIMIT, 1);
+      }
+    }
+    if (bits & 8) {
+      // Only increase the number of tries. Trying fewer times does not help
+      // find more interesting patterns.
+      if (ratio > 1) {
+        fuzzParams->TRIES *= ratio;
+      }
+    }
+    if (bits & 16) {
+      fuzzParams->MAX_ARRAY_SIZE *= ratio;
+    }
+  }
+
+  // Half the time add no unreachable code so that we'll execute the most code
+  // as possible with no early exits.
+  allowAddingUnreachableCode = oneIn(2);
 }
 
 TranslateToFuzzReader::TranslateToFuzzReader(Module& wasm,
diff --git a/src/tools/fuzzing/random.h b/src/tools/fuzzing/random.h
@@ -63,6 +63,16 @@ class Random {
 
   bool finished() { return finishedInput; }
 
+  // How many bytes of data remain to be used.
+  size_t remaining() {
+    if (finishedInput) {
+      // We finished it and are cycling through it again (using xorFactor to try
+      // to improve the entropy).
+      return 0;
+    }
+    return bytes.size() - pos;
+  }
+
   // Pick from a vector-like container
   template<typename T> const typename T::value_type& pick(const T& vec) {
     assert(!vec.empty());
diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt
@@ -1,35 +1,35 @@
 Metrics
 total
- [exports]      : 84      
- [funcs]        : 115     
- [globals]      : 18      
- [imports]      : 4       
+ [exports]      : 24      
+ [funcs]        : 30      
+ [globals]      : 21      
+ [imports]      : 5       
  [memories]     : 1       
- [memory-data]  : 24      
- [table-data]   : 49      
+ [memory-data]  : 5       
+ [table-data]   : 8       
  [tables]       : 1       
  [tags]         : 0       
- [total]        : 10300   
- [vars]         : 325     
- Binary         : 679     
- Block          : 1736    
- Break          : 323     
- Call           : 340     
- CallIndirect   : 93      
- Const          : 1686    
- Drop           : 129     
- GlobalGet      : 882     
- GlobalSet      : 665     
- If             : 581     
- Load           : 146     
- LocalGet       : 738     
- LocalSet       : 614     
- Loop           : 211     
- Nop            : 156     
- RefFunc        : 49      
- Return         : 111     
- Select         : 67      
- Store          : 83      
- Switch         : 1       
- Unary          : 680     
- Unreachable    : 330     
+ [total]        : 3231    
+ [vars]         : 112     
+ Binary         : 266     
+ Block          : 529     
+ Break          : 115     
+ Call           : 122     
+ CallIndirect   : 3       
+ Const          : 529     
+ Drop           : 31      
+ GlobalGet      : 271     
+ GlobalSet      : 190     
+ If             : 181     
+ Load           : 58      
+ LocalGet       : 233     
+ LocalSet       : 177     
+ Loop           : 65      
+ Nop            : 59      
+ RefFunc        : 8       
+ Return         : 31      
+ Select         : 16      
+ Store          : 29      
+ Switch         : 4       
+ Unary          : 220     
+ Unreachable    : 94      
diff --git a/test/passes/fuzz_metrics_passes_noprint.bin.txt b/test/passes/fuzz_metrics_passes_noprint.bin.txt
@@ -1,35 +1,34 @@
 Metrics
 total
- [exports]      : 46      
- [funcs]        : 62      
- [globals]      : 17      
+ [exports]      : 39      
+ [funcs]        : 53      
+ [globals]      : 7       
  [imports]      : 4       
  [memories]     : 1       
- [memory-data]  : 11      
- [table-data]   : 11      
+ [memory-data]  : 29      
+ [table-data]   : 24      
  [tables]       : 1       
  [tags]         : 0       
- [total]        : 4599    
- [vars]         : 195     
- Binary         : 353     
- Block          : 753     
- Break          : 106     
- Call           : 195     
- CallIndirect   : 39      
- Const          : 776     
- Drop           : 77      
- GlobalGet      : 381     
- GlobalSet      : 299     
- If             : 220     
- Load           : 83      
- LocalGet       : 346     
- LocalSet       : 266     
- Loop           : 83      
- Nop            : 46      
- RefFunc        : 11      
- Return         : 67      
- Select         : 20      
- Store          : 33      
- Switch         : 2       
- Unary          : 299     
- Unreachable    : 144     
+ [total]        : 4272    
+ [vars]         : 162     
+ Binary         : 328     
+ Block          : 670     
+ Break          : 131     
+ Call           : 194     
+ CallIndirect   : 38      
+ Const          : 764     
+ Drop           : 65      
+ GlobalGet      : 364     
+ GlobalSet      : 260     
+ If             : 219     
+ Load           : 80      
+ LocalGet       : 299     
+ LocalSet       : 209     
+ Loop           : 77      
+ Nop            : 41      
+ RefFunc        : 24      
+ Return         : 32      
+ Select         : 34      
+ Store          : 28      
+ Unary          : 284     
+ Unreachable    : 131     
diff --git a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
@@ -1,61 +1,58 @@
 Metrics
 total
- [exports]      : 9       
- [funcs]        : 8       
- [globals]      : 1       
- [imports]      : 11      
+ [exports]      : 21      
+ [funcs]        : 26      
+ [globals]      : 4       
+ [imports]      : 12      
  [memories]     : 1       
- [memory-data]  : 112     
- [table-data]   : 0       
+ [memory-data]  : 17      
+ [table-data]   : 4       
  [tables]       : 2       
- [tags]         : 0       
- [total]        : 738     
- [vars]         : 40      
- ArrayCopy      : 1       
- ArrayFill      : 1       
- ArrayLen       : 3       
- ArrayNew       : 5       
- ArrayNewFixed  : 1       
- AtomicFence    : 2       
+ [tags]         : 3       
+ [total]        : 960     
+ [vars]         : 45      
+ ArrayNew       : 1       
+ ArrayNewFixed  : 9       
  AtomicNotify   : 2       
- AtomicRMW      : 1       
- Binary         : 82      
- Block          : 80      
- BrOn           : 4       
- Break          : 13      
- Call           : 29      
- CallRef        : 1       
- Const          : 134     
+ Binary         : 93      
+ Block          : 156     
+ BrOn           : 2       
+ Break          : 5       
+ Call           : 55      
+ CallIndirect   : 1       
+ Const          : 173     
+ DataDrop       : 1       
  Drop           : 15      
- GlobalGet      : 26      
- GlobalSet      : 26      
- I31Get         : 3       
- If             : 26      
- Load           : 16      
- LocalGet       : 85      
- LocalSet       : 51      
- Loop           : 6       
- MemoryFill     : 2       
- Nop            : 5       
- Pop            : 4       
- RefAs          : 10      
- RefEq          : 1       
- RefFunc        : 2       
- RefI31         : 12      
- RefIsNull      : 1       
- RefNull        : 7       
- RefTest        : 2       
- Return         : 4       
- SIMDExtract    : 7       
- Select         : 7       
- Store          : 1       
- StringConst    : 3       
- StringEncode   : 2       
- StringMeasure  : 1       
- StructGet      : 2       
- StructNew      : 2       
- StructSet      : 2       
- Try            : 6       
+ GlobalGet      : 77      
+ GlobalSet      : 70      
+ If             : 40      
+ Load           : 17      
+ LocalGet       : 48      
+ LocalSet       : 24      
+ Loop           : 10      
+ MemoryFill     : 1       
+ MemoryInit     : 1       
+ Nop            : 12      
+ Pop            : 2       
+ RefEq          : 2       
+ RefFunc        : 4       
+ RefI31         : 3       
+ RefNull        : 9       
+ RefTest        : 1       
+ Return         : 6       
+ SIMDExtract    : 4       
+ Select         : 2       
+ Store          : 3       
+ StringConst    : 8       
+ StringEncode   : 1       
+ StringEq       : 1       
+ StringWTF16Get : 1       
+ StructNew      : 4       
+ TableSet       : 1       
+ Throw          : 4       
+ Try            : 1       
  TryTable       : 5       
- Unary          : 24      
- Unreachable    : 13      
+ TupleExtract   : 1       
+ TupleMake      : 3       
+ Unary          : 45      
+ Unreachable    : 36      
