[fuzzer] Generate arbitrary struct and array types

Generate arbitrary struct and array types based on the fuzzer random input stream. They replace the hard-coded types. Generated types include nested reference types and recursive types. Bug: v8:11954 Change-Id: I2e40697f2ace3eb818360213e8a4dd40037e580e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173683 Commit-Queue: Maria Tîmbur <mtimbur@google.com> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#77010}

[fuzzer] Generate arbitrary struct and array types
Generate arbitrary struct and array types based on the fuzzer random input stream. They replace the hard-coded types. Generated types include nested reference types and recursive types. Bug: v8:11954 Change-Id: I2e40697f2ace3eb818360213e8a4dd40037e580e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173683 Commit-Queue: Maria Tîmbur <mtimbur@google.com> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#77010}
e910fc75 · Maria Tîmbur · V8 LUCI CQ · 750923bd · e910fc75
Commit e910fc75 authored Sep 23, 2021 by Maria Tîmbur Committed by V8 LUCI CQ Sep 23, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 38 additions and 23 deletions

wasm-compile.cc test/fuzzer/wasm-compile.cc +38 -23

No files found.
--- a/test/fuzzer/wasm-compile.cc
+++ b/test/fuzzer/wasm-compile.cc
@@ -30,6 +30,9 @@ namespace fuzzer {

 namespace {

+constexpr int kMaxArrays = 4;
+constexpr int kMaxStructs = 4;
+constexpr int kMaxStructFields = 4;
 constexpr int kMaxFunctions = 4;
 constexpr int kMaxGlobals = 64;
 constexpr int kMaxParameters = 15;
@@ -1504,7 +1507,6 @@ void WasmGenerator::Generate<kI64>(DataRange* data) {
      &WasmGenerator::try_block<kI64>,

      &WasmGenerator::struct_get<kI64>,
-
      &WasmGenerator::array_get<kI64>};

  GenerateOneOf(alternatives, data);
@@ -1907,6 +1909,12 @@ void WasmGenerator::Generate(ValueType type, DataRange* data) {
 }

 void WasmGenerator::GenerateOptRef(HeapType type, DataRange* data) {
+  GeneratorRecursionScope rec_scope(this);
+  if (recursion_limit_reached() || data->size() == 0) {
+    ref_null(type, data);
+    return;
+  }
+
  switch (type.representation()) {
    // For abstract types, generate one of their subtypes, or fall back to the
    // default case.
@@ -2072,31 +2080,38 @@ class WasmCompileFuzzer : public WasmExecutionFuzzer {
    // these types in function signatures.
    // Currently, WasmGenerator assumes this order for struct/array/signature
    // definitions.
-    uint32_t num_structs = 0, num_arrays = 0;
+
+    uint8_t num_structs = 0;
+    uint8_t num_arrays = 0;
+    static_assert(kMaxFunctions >= 1, "need min. 1 function");
+    uint8_t num_functions = 1 + (range.get<uint8_t>() % kMaxFunctions);
+
    if (liftoff_as_reference) {
-      num_structs = 1;
-      num_arrays = 4;
-      uint32_t count = 4;
-      StructType::Builder struct_builder(zone, count);
-      struct_builder.AddField(kWasmI32, true);
-      struct_builder.AddField(kWasmI64, true);
-      struct_builder.AddField(kWasmF32, true);
-      struct_builder.AddField(kWasmF64, true);
-      StructType* struct_fuz = struct_builder.Build();
-      builder.AddStructType(struct_fuz);
-      ArrayType* array_fuzI32 = zone->New<ArrayType>(kWasmI32, true);
-      ArrayType* array_fuzI64 = zone->New<ArrayType>(kWasmI64, true);
-      ArrayType* array_fuzF32 = zone->New<ArrayType>(kWasmF32, true);
-      ArrayType* array_fuzF64 = zone->New<ArrayType>(kWasmF64, true);
-      builder.AddArrayType(array_fuzI32);
-      builder.AddArrayType(array_fuzI64);
-      builder.AddArrayType(array_fuzF32);
-      builder.AddArrayType(array_fuzF64);
+      num_structs = range.get<uint8_t>() % (kMaxStructs + 1);
+      num_arrays = range.get<uint8_t>() % (kMaxArrays + 1);
+      uint16_t num_types = num_structs + num_arrays;
+
+      for (int struct_index = 0; struct_index < num_structs; struct_index++) {
+        uint8_t num_fields = range.get<uint8_t>() % (kMaxStructFields + 1);
+        StructType::Builder struct_builder(zone, num_fields);
+        for (int field_index = 0; field_index < num_fields; field_index++) {
+          // TODO(v8:11954): Allow GetValueType to generate function signatures.
+          ValueType type = GetValueType(&range, true, {}, num_types);
+          bool mutability = range.get<uint8_t>() < 127;
+          struct_builder.AddField(type, mutability);
+        }
+        StructType* struct_fuz = struct_builder.Build();
+        builder.AddStructType(struct_fuz);
+      }
+
+      for (int array_index = 0; array_index < num_arrays; array_index++) {
+        ValueType type = GetValueType(&range, true, {}, num_types);
+        ArrayType* array_fuz = zone->New<ArrayType>(type, true);
+        builder.AddArrayType(array_fuz);
+      }
    }
-    function_signatures.push_back(builder.AddSignature(sigs.i_iii()));

-    static_assert(kMaxFunctions >= 1, "need min. 1 function");
-    int num_functions = 1 + (range.get<uint8_t>() % kMaxFunctions);
+    function_signatures.push_back(builder.AddSignature(sigs.i_iii()));

    for (int i = 1; i < num_functions; ++i) {
      FunctionSig* sig =