[fuzzer] Make GetValueType generate func signatures

Make GetValueType to generate only function signatures to avoid default values in new_object. Bug: v8:11954 Change-Id: Ia6ebdde0a9c10c56afef29d6db3b3266816210e3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158222Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Rakhim Khismet <khismet@google.com> Cr-Commit-Position: refs/heads/main@{#76934}

[fuzzer] Make GetValueType generate func signatures
Make GetValueType to generate only function signatures to avoid default values in new_object. Bug: v8:11954 Change-Id: Ia6ebdde0a9c10c56afef29d6db3b3266816210e3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3158222Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Rakhim Khismet <khismet@google.com> Cr-Commit-Position: refs/heads/main@{#76934}
93191813 · Rakhim Khismet · V8 LUCI CQ · a177503a · 93191813
Commit 93191813 authored Sep 17, 2021 by Rakhim Khismet Committed by V8 LUCI CQ Sep 20, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 26 deletions

wasm-compile.cc test/fuzzer/wasm-compile.cc +39 -26

No files found.
--- a/test/fuzzer/wasm-compile.cc
+++ b/test/fuzzer/wasm-compile.cc
@@ -100,8 +100,9 @@ bool DataRange::get() {
  return get<uint8_t>() % 2;
 }

-ValueType GetValueType(uint32_t num_types, DataRange* data,
-                       bool liftoff_as_reference) {
+ValueType GetValueType(DataRange* data, bool liftoff_as_reference,
+                       const std::vector<uint32_t>& functions,
+                       uint32_t num_structs_and_arrays) {
  constexpr ValueType types[] = {
      kWasmI32,     kWasmI64,
      kWasmF32,     kWasmF64,
@@ -111,12 +112,19 @@ ValueType GetValueType(uint32_t num_types, DataRange* data,
  constexpr int kLiftoffOnlyTypeCount = 3;  // at the end of {types}.

  if (liftoff_as_reference) {
-    // TODO(11954): Only generate signature types that correspond to functions
-    uint32_t id = data->get<uint8_t>() % (arraysize(types) + num_types);
-    if (id >= arraysize(types)) {
-      return ValueType::Ref(id - arraysize(types), kNullable);
+    uint8_t random_byte = data->get<uint8_t>();
+    uint8_t id = random_byte %
+                 (arraysize(types) + num_structs_and_arrays + functions.size());
+    if (id < arraysize(types)) {
+      return types[id];
+    } else if (id - arraysize(types) >= num_structs_and_arrays) {
+      int func_index = id - arraysize(types) - num_structs_and_arrays;
+      uint32_t sig_index = functions[func_index];
+      return ValueType::Ref(sig_index, kNullable);
+    } else {
+      uint32_t type_index = id - arraysize(types);
+      return ValueType::Ref(type_index, kNullable);
    }
-    return types[id];
  }
  return types[data->get<uint8_t>() %
               (arraysize(types) - kLiftoffOnlyTypeCount)];
@@ -523,8 +531,8 @@ class WasmGenerator {
  }

  void drop(DataRange* data) {
-    Generate(GetValueType(builder_->builder()->NumTypes(), data,
-                          liftoff_as_reference_),
+    Generate(GetValueType(data, liftoff_as_reference_, functions_,
+                          num_structs_ + num_arrays_),
             data);
    builder_->Emit(kExprDrop);
  }
@@ -851,7 +859,7 @@ class WasmGenerator {
          return;
        }
      }
-      ref_null(type, data);
+      UNREACHABLE();
    }
  }

@@ -1079,8 +1087,8 @@ class WasmGenerator {
    constexpr uint32_t kMaxLocals = 32;
    locals_.resize(data->get<uint8_t>() % kMaxLocals);
    for (ValueType& local : locals_) {
-      local = GetValueType(builder_->builder()->NumTypes(), data,
-                           liftoff_as_reference_);
+      local = GetValueType(data, liftoff_as_reference_, functions_,
+                           num_structs_ + num_arrays_);
      fn->AddLocal(local);
    }
  }
@@ -1906,11 +1914,9 @@ void WasmGenerator::GenerateOptRef(HeapType type, DataRange* data) {
      break;
    }
    case HeapType::kFunc: {
-      uint32_t num_signatures =
-          builder_->builder()->NumTypes() - num_structs_ - num_arrays_;
-      uint32_t random = data->get<uint32_t>() % (num_signatures + 1);
+      uint32_t random = data->get<uint32_t>() % (functions_.size() + 1);
      if (random > 0) {
-        uint32_t signature_index = random + num_arrays_ + num_structs_ - 1;
+        uint32_t signature_index = functions_[random - 1];
        DCHECK(builder_->builder()->IsSignature(signature_index));
        GenerateOptRef(HeapType(signature_index), data);
        return;
@@ -1947,8 +1953,8 @@ std::vector<ValueType> WasmGenerator::GenerateTypes(DataRange* data) {
  std::vector<ValueType> types;
  int num_params = int{data->get<uint8_t>()} % (kMaxParameters + 1);
  for (int i = 0; i < num_params; ++i) {
-    types.push_back(GetValueType(builder_->builder()->NumTypes(), data,
-                                 liftoff_as_reference_));
+    types.push_back(GetValueType(data, liftoff_as_reference_, functions_,
+                                 num_structs_ + num_arrays_));
  }
  return types;
 }
@@ -2003,7 +2009,9 @@ void WasmGenerator::ConsumeAndGenerate(
 enum SigKind { kFunctionSig, kExceptionSig };

 FunctionSig* GenerateSig(Zone* zone, DataRange* data, SigKind sig_kind,
-                         uint32_t num_types, bool liftoff_as_reference) {
+                         bool liftoff_as_reference,
+                         const std::vector<uint32_t>& functions,
+                         int num_structs_and_arrays) {
  // Generate enough parameters to spill some to the stack.
  int num_params = int{data->get<uint8_t>()} % (kMaxParameters + 1);
  int num_returns = sig_kind == kFunctionSig
@@ -2012,10 +2020,12 @@ FunctionSig* GenerateSig(Zone* zone, DataRange* data, SigKind sig_kind,

  FunctionSig::Builder builder(zone, num_returns, num_params);
  for (int i = 0; i < num_returns; ++i) {
-    builder.AddReturn(GetValueType(num_types, data, liftoff_as_reference));
+    builder.AddReturn(GetValueType(data, liftoff_as_reference, functions,
+                                   num_structs_and_arrays));
  }
  for (int i = 0; i < num_params; ++i) {
-    builder.AddParam(GetValueType(num_types, data, liftoff_as_reference));
+    builder.AddParam(GetValueType(data, liftoff_as_reference, functions,
+                                  num_structs_and_arrays));
  }
  return builder.Build();
 }
@@ -2064,8 +2074,9 @@ class WasmCompileFuzzer : public WasmExecutionFuzzer {
    int num_functions = 1 + (range.get<uint8_t>() % kMaxFunctions);

    for (int i = 1; i < num_functions; ++i) {
-      FunctionSig* sig = GenerateSig(zone, &range, kFunctionSig,
-                                     builder.NumTypes(), liftoff_as_reference);
+      FunctionSig* sig =
+          GenerateSig(zone, &range, kFunctionSig, liftoff_as_reference,
+                      function_signatures, num_structs + num_arrays);
      uint32_t signature_index = builder.AddSignature(sig);
      function_signatures.push_back(signature_index);
    }
@@ -2078,14 +2089,16 @@ class WasmCompileFuzzer : public WasmExecutionFuzzer {

    int num_exceptions = 1 + (range.get<uint8_t>() % kMaxExceptions);
    for (int i = 0; i < num_exceptions; ++i) {
-      FunctionSig* sig = GenerateSig(zone, &range, kExceptionSig,
-                                     builder.NumTypes(), liftoff_as_reference);
+      FunctionSig* sig =
+          GenerateSig(zone, &range, kExceptionSig, liftoff_as_reference,
+                      function_signatures, num_structs + num_arrays);
      builder.AddException(sig);
    }

    for (int i = 0; i < num_globals; ++i) {
      ValueType type =
-          GetValueType(builder.NumTypes(), &range, liftoff_as_reference);
+          GetValueType(&range, liftoff_as_reference, function_signatures,
+                       num_structs + num_arrays);
      // 1/8 of globals are immutable.
      const bool mutability = (range.get<uint8_t>() % 8) != 0;
      builder.AddGlobal(type, mutability, WasmInitExpr());