Fuzzer: Fix up rethrows after changes (#7207)

kripken · web-flow · commit 3f6831c0bd14 · 2025-01-13T16:34:21.000-08:00
We may move a rethrow into an invalid position when we mutate() etc. This finds
such invalid rethrows and replaces them with something trivial so that we validate.

To do so, use an expression stack rather than a control flow stack in the fixer,
as we need to see which child of a try the rethrow ends up being (so we need the
full path from it to the try).
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
@@ -1568,7 +1568,7 @@ void TranslateToFuzzReader::mutate(Function* func) {
 
 void TranslateToFuzzReader::fixAfterChanges(Function* func) {
   struct Fixer
-    : public ControlFlowWalker<Fixer, UnifiedExpressionVisitor<Fixer>> {
+    : public ExpressionStackWalker<Fixer, UnifiedExpressionVisitor<Fixer>> {
     Module& wasm;
     TranslateToFuzzReader& parent;
 
@@ -1606,12 +1606,15 @@ void TranslateToFuzzReader::fixAfterChanges(Function* func) {
     void replace() { replaceCurrent(parent.makeTrivial(getCurrent()->type)); }
 
     bool hasBreakTarget(Name name) {
-      if (controlFlowStack.empty()) {
+      // The break must be on top.
+      assert(!expressionStack.empty());
+      if (expressionStack.size() < 2) {
+        // There must be a scope for this break to be valid.
         return false;
       }
-      Index i = controlFlowStack.size() - 1;
+      Index i = expressionStack.size() - 2;
       while (1) {
-        auto* curr = controlFlowStack[i];
+        auto* curr = expressionStack[i];
         bool has = false;
         BranchUtils::operateOnScopeNameDefs(curr, [&](Name& def) {
           if (def == name) {
@@ -1627,6 +1630,43 @@ void TranslateToFuzzReader::fixAfterChanges(Function* func) {
         i--;
       }
     }
+
+    void visitRethrow(Rethrow* curr) {
+      if (!isValidRethrow(curr->target)) {
+        replace();
+      }
+    }
+
+    bool isValidRethrow(Name target) {
+      // The rethrow must be on top.
+      assert(!expressionStack.empty());
+      assert(expressionStack.back()->is<Rethrow>());
+      if (expressionStack.size() < 2) {
+        // There must be a try for this rethrow to be valid.
+        return false;
+      }
+      Index i = expressionStack.size() - 2;
+      while (1) {
+        auto* curr = expressionStack[i];
+        if (auto* tryy = curr->dynCast<Try>()) {
+          // The rethrow must target a try, and must be nested in a catch of
+          // that try (not the body). Look at the child above us to check, when
+          // we find the proper try.
+          if (tryy->name == target) {
+            if (i + 1 >= expressionStack.size()) {
+              return false;
+            }
+            auto* child = expressionStack[i + 1];
+            return child != tryy->body;
+          }
+        }
+        if (i == 0) {
+          // We never found our try.
+          return false;
+        }
+        i--;
+      }
+    }
   };
   Fixer fixer(wasm, *this);
   fixer.walk(func->body);
