Fuzzer: Emit signed Struct/ArrayGet operations (#6486)

kripken · web-flow · commit 81f72e8e77e9 · 2024-04-11T14:17:56.000-07:00
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
@@ -345,6 +345,11 @@ class TranslateToFuzzReader {
   Expression* makeRefEq(Type type);
   Expression* makeRefTest(Type type);
   Expression* makeRefCast(Type type);
+
+  // Decide to emit a signed Struct/ArrayGet sometimes, when the field is
+  // packed.
+  bool maybeSignedGet(const Field& field);
+
   Expression* makeStructGet(Type type);
   Expression* makeStructSet(Type type);
   Expression* makeArrayGet(Type type);
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
@@ -3681,13 +3681,20 @@ Expression* TranslateToFuzzReader::makeRefCast(Type type) {
   return builder.makeRefCast(make(refType), type);
 }
 
+bool TranslateToFuzzReader::maybeSignedGet(const Field& field) {
+  if (field.isPacked()) {
+    return oneIn(2);
+  }
+  return false;
+}
+
 Expression* TranslateToFuzzReader::makeStructGet(Type type) {
   auto& structFields = typeStructFields[type];
   assert(!structFields.empty());
   auto [structType, fieldIndex] = pick(structFields);
   auto* ref = makeTrappingRefUse(structType);
-  // TODO: fuzz signed and unsigned
-  return builder.makeStructGet(fieldIndex, ref, type);
+  auto signed_ = maybeSignedGet(structType.getStruct().fields[fieldIndex]);
+  return builder.makeStructGet(fieldIndex, ref, type, signed_);
 }
 
 Expression* TranslateToFuzzReader::makeStructSet(Type type) {
@@ -3752,18 +3759,18 @@ Expression* TranslateToFuzzReader::makeArrayGet(Type type) {
   auto arrayType = pick(arrays);
   auto* ref = makeTrappingRefUse(arrayType);
   auto* index = make(Type::i32);
+  auto signed_ = maybeSignedGet(arrayType.getArray().element);
   // Only rarely emit a plain get which might trap. See related logic in
   // ::makePointer().
   if (allowOOB && oneIn(10)) {
-    // TODO: fuzz signed and unsigned, and also below
-    return builder.makeArrayGet(ref, index, type);
+    return builder.makeArrayGet(ref, index, type, signed_);
   }
   // To avoid a trap, check the length dynamically using this pattern:
   //
   //   index < array.len ? array[index] : ..some fallback value..
   //
   auto check = makeArrayBoundsCheck(ref, index, funcContext->func, builder);
-  auto* get = builder.makeArrayGet(check.getRef, check.getIndex, type);
+  auto* get = builder.makeArrayGet(check.getRef, check.getIndex, type, signed_);
   auto* fallback = makeTrivial(type);
   return builder.makeIf(check.condition, get, fallback);
 }
diff --git a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
@@ -1,56 +1,57 @@
 total
- [exports]      : 3       
- [funcs]        : 5       
+ [exports]      : 4       
+ [funcs]        : 7       
  [globals]      : 1       
  [imports]      : 5       
  [memories]     : 1       
  [memory-data]  : 20      
  [table-data]   : 1       
  [tables]       : 1       
  [tags]         : 2       
- [total]        : 661     
- [vars]         : 21      
- ArrayGet       : 1       
- ArrayLen       : 1       
+ [total]        : 674     
+ [vars]         : 37      
+ ArrayCopy      : 1       
+ ArrayGet       : 3       
+ ArrayLen       : 3       
  ArrayNew       : 4       
- ArrayNewFixed  : 6       
- AtomicFence    : 1       
+ ArraySet       : 1       
+ AtomicCmpxchg  : 1       
+ AtomicNotify   : 3       
  AtomicRMW      : 1       
- Binary         : 87      
- Block          : 78      
- Break          : 17      
- Call           : 11      
- Const          : 125     
- DataDrop       : 1       
- Drop           : 7       
- GlobalGet      : 26      
- GlobalSet      : 26      
- I31Get         : 1       
- If             : 24      
- Load           : 22      
- LocalGet       : 65      
- LocalSet       : 38      
- Loop           : 9       
- MemoryCopy     : 1       
- Nop            : 9       
- RefAs          : 8       
- RefCast        : 1       
+ Binary         : 81      
+ Block          : 75      
+ Break          : 12      
+ Call           : 25      
+ CallRef        : 1       
+ Const          : 121     
+ Drop           : 5       
+ GlobalGet      : 24      
+ GlobalSet      : 24      
+ I31Get         : 2       
+ If             : 23      
+ Load           : 19      
+ LocalGet       : 75      
+ LocalSet       : 50      
+ Loop           : 7       
+ MemoryFill     : 1       
+ Nop            : 4       
+ Pop            : 6       
+ RefAs          : 9       
+ RefCast        : 5       
  RefEq          : 2       
- RefFunc        : 1       
- RefI31         : 3       
+ RefFunc        : 3       
+ RefI31         : 6       
  RefIsNull      : 2       
- RefNull        : 13      
- RefTest        : 1       
- Return         : 4       
- SIMDExtract    : 3       
- SIMDLoad       : 1       
- Select         : 2       
- Store          : 4       
- StructGet      : 2       
- StructNew      : 3       
- Throw          : 1       
- Try            : 1       
- TupleExtract   : 2       
- TupleMake      : 5       
- Unary          : 28      
+ RefNull        : 12      
+ RefTest        : 3       
+ Return         : 6       
+ SIMDExtract    : 2       
+ Select         : 4       
+ StructGet      : 1       
+ StructNew      : 1       
+ StructSet      : 1       
+ Try            : 5       
+ TupleExtract   : 3       
+ TupleMake      : 4       
+ Unary          : 20      
  Unreachable    : 13      
