Fuzzer: Fix wasm2js trap handling (#7206)

kripken · web-flow · commit b6eacd7b3b05 · 2025-01-10T11:39:07.000-08:00
wasm2js fuzzing must stop looking at code after a trap (since we trap
differently than wasm semantics, e.g. no trap on load/store out of
bounds). We must look at the fixed-up names of exports to properly
find the place to stop. To do so, just move the trap-handling code to
after we run fix_output_for_js().
diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py
@@ -1048,24 +1048,6 @@ def handle_pair(self, input, before_wasm, after_wasm, opts):
             # with NaNs we can't compare the output, as a reinterpret through
             # memory might end up different in JS than wasm
             return
-        # we also cannot compare if the wasm hits a trap, as wasm2js does not
-        # trap on many things wasm would, and in those cases it can do weird
-        # undefined things. in such a case, at least compare up until before
-        # the trap, which lets us compare at least some results in some cases.
-        # (this is why wasm2js is not in CompareVMs, which does full
-        # comparisons - we need to limit the comparison in a special way here)
-        interpreter = run_bynterp(before_wasm_temp, ['--fuzz-exec-before'])
-        if TRAP_PREFIX in interpreter:
-            trap_index = interpreter.index(TRAP_PREFIX)
-            # we can't test this function, which the trap is in the middle of.
-            # erase everything from this function's output and onward, so we
-            # only compare the previous trap-free code
-            call_start = interpreter.rindex(FUZZ_EXEC_CALL_PREFIX, 0, trap_index)
-            call_end = interpreter.index('\n', call_start)
-            call_line = interpreter[call_start:call_end]
-            before = before[:before.index(call_line)]
-            after = after[:after.index(call_line)]
-            interpreter = interpreter[:interpreter.index(call_line)]
 
         def fix_output_for_js(x):
             # start with the normal output fixes that all VMs need
@@ -1117,6 +1099,28 @@ def fix_number(x):
 
         before = fix_output_for_js(before)
         after = fix_output_for_js(after)
+
+        # we must not compare if the wasm hits a trap, as wasm2js does not
+        # trap on many things wasm would, and in those cases it can do weird
+        # undefined things. in such a case, at least compare up until before
+        # the trap, which lets us compare at least some results in some cases.
+        # (this is why wasm2js is not in CompareVMs, which does full
+        # comparisons - we need to limit the comparison in a special way here)
+        interpreter = run_bynterp(before_wasm_temp, ['--fuzz-exec-before'])
+        if TRAP_PREFIX in interpreter:
+            trap_index = interpreter.index(TRAP_PREFIX)
+            # we can't test this function, which the trap is in the middle of.
+            # erase everything from this function's output and onward, so we
+            # only compare the previous trap-free code
+            call_start = interpreter.rindex(FUZZ_EXEC_CALL_PREFIX, 0, trap_index)
+            call_end = interpreter.index('\n', call_start)
+            call_line = interpreter[call_start:call_end]
+            # fix up the call line so it matches the JS
+            fixed_call_line = fix_output_for_js(call_line)
+            before = before[:before.index(fixed_call_line)]
+            after = after[:after.index(fixed_call_line)]
+            interpreter = interpreter[:interpreter.index(call_line)]
+
         if compare_before_to_after:
             compare_between_vms(before, after, 'Wasm2JS (before/after)')
             if compare_to_interpreter:
