From e5847dd82ae591bd3ba2d3d3dd42a9a73158a548 Mon Sep 17 00:00:00 2001
From: Clemens Hammacher <clemensh@chromium.org>
Date: Thu, 15 Nov 2018 16:08:32 +0100
Subject: [PATCH] [fuzzer] Improve wasm-compile fuzzer

For short inputs (<= size of the type we want to generate), we fell back
to just generating constants. This CL changes that to only fall back to
constants once a single byte remains, and adds options to use constants
already before that.

R=ahaas@chromium.org

Bug: v8:894307
Change-Id: Ic4bf05d06090f52b67de2b322a9d5dcab6bbbe39
Reviewed-on: https://chromium-review.googlesource.com/c/1337739
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57573}
---
 test/fuzzer/wasm-compile.cc | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/test/fuzzer/wasm-compile.cc b/test/fuzzer/wasm-compile.cc
index 590f4834b1..310bb45204 100644
--- a/test/fuzzer/wasm-compile.cc
+++ b/test/fuzzer/wasm-compile.cc
@@ -61,14 +61,15 @@ class DataRange {
     return split;
   }
 
-  template <typename T>
+  template <typename T, size_t max_bytes = sizeof(T)>
   T get() {
+    STATIC_ASSERT(max_bytes <= sizeof(T));
     // We want to support the case where we have less than sizeof(T) bytes
     // remaining in the slice. For example, if we emit an i32 constant, it's
     // okay if we don't have a full four bytes available, we'll just use what
     // we have. We aren't concerned about endianness because we are generating
     // arbitrary expressions.
-    const size_t num_bytes = std::min(sizeof(T), data_.size());
+    const size_t num_bytes = std::min(max_bytes, data_.size());
     T result = T();
     memcpy(&result, data_.start(), num_bytes);
     data_ += num_bytes;
@@ -342,6 +343,16 @@ class WasmGenerator {
     local_op<wanted_type>(data, kExprTeeLocal);
   }
 
+  template <size_t num_bytes>
+  void i32_const(DataRange& data) {
+    builder_->EmitI32Const(data.get<int32_t, num_bytes>());
+  }
+
+  template <size_t num_bytes>
+  void i64_const(DataRange& data) {
+    builder_->EmitI64Const(data.get<int64_t, num_bytes>());
+  }
+
   Var GetRandomGlobal(DataRange& data, bool ensure_mutable) {
     uint32_t index;
     if (ensure_mutable) {
@@ -507,12 +518,17 @@ void WasmGenerator::Generate<kWasmStmt>(DataRange& data) {
 template <>
 void WasmGenerator::Generate<kWasmI32>(DataRange& data) {
   GeneratorRecursionScope rec_scope(this);
-  if (recursion_limit_reached() || data.size() <= sizeof(uint32_t)) {
+  if (recursion_limit_reached() || data.size() <= 1) {
     builder_->EmitI32Const(data.get<uint32_t>());
     return;
   }
 
   constexpr generate_fn alternates[] = {
+      &WasmGenerator::i32_const<1>,
+      &WasmGenerator::i32_const<2>,
+      &WasmGenerator::i32_const<3>,
+      &WasmGenerator::i32_const<4>,
+
       &WasmGenerator::sequence<kWasmI32, kWasmStmt>,
       &WasmGenerator::sequence<kWasmStmt, kWasmI32>,
       &WasmGenerator::sequence<kWasmStmt, kWasmI32, kWasmStmt>,
@@ -598,12 +614,21 @@ void WasmGenerator::Generate<kWasmI32>(DataRange& data) {
 template <>
 void WasmGenerator::Generate<kWasmI64>(DataRange& data) {
   GeneratorRecursionScope rec_scope(this);
-  if (recursion_limit_reached() || data.size() <= sizeof(uint64_t)) {
+  if (recursion_limit_reached() || data.size() <= 1) {
     builder_->EmitI64Const(data.get<int64_t>());
     return;
   }
 
   constexpr generate_fn alternates[] = {
+      &WasmGenerator::i64_const<1>,
+      &WasmGenerator::i64_const<2>,
+      &WasmGenerator::i64_const<3>,
+      &WasmGenerator::i64_const<4>,
+      &WasmGenerator::i64_const<5>,
+      &WasmGenerator::i64_const<6>,
+      &WasmGenerator::i64_const<7>,
+      &WasmGenerator::i64_const<8>,
+
       &WasmGenerator::sequence<kWasmI64, kWasmStmt>,
       &WasmGenerator::sequence<kWasmStmt, kWasmI64>,
       &WasmGenerator::sequence<kWasmStmt, kWasmI64, kWasmStmt>,