wasm-smith: add a "no trapping" mode #266

fitzgen · 2021-04-22T18:50:13Z

I think we could do this with a post-processing pass, similar to what we do with ensure_termination.

We'd walk over each instruction and potentially insert some code right before it:

We would insert a couple instructions to ensure that a division instruction's denominator is never zero
We would insert a couple instructions to mask heap addresses to ensure they are within the memory's minimum size
Similar for table.get and table.set
Similar for trapping floating point conversion instructions
Every unreachable would be replaced with code to create dummy result values (ie zeroes) and then br out of the current control frame

We would also have to make sure that active data/elem segments were always in bounds of their memories/tables.

I think that's everything? I might be missing some trapping cases, but I think the approach would work for everything.

The text was updated successfully, but these errors were encountered:

alexcrichton · 2022-12-02T02:05:14Z

Done in #769

alexcrichton added the wasm-smith Related to the wasm-smith crate and creating wasm modules for fuzzing label May 16, 2022

alexcrichton mentioned this issue Jun 27, 2022

Differential fuzzing with wasm-smith isn't the most effective bytecodealliance/wasmtime#4322

Closed

itsrainy mentioned this issue Jun 29, 2022

🪤 Non-trapping mode for wasm-smith #659

Merged

itsrainy mentioned this issue Sep 22, 2022

🏗️ Move wasm-smith's non-trapping mode logic to CodeBuilder #769

Merged

1 task

alexcrichton closed this as completed Dec 2, 2022

Provide feedback