Fuzzer: The table-get/set imports are sensitive to export changes (#7958)

kripken · web-flow · commit 4563696dbe59 · 2025-10-08T14:03:19.000-07:00
Mark them as making the wasm untestable in some cases, as we already
do for related imports.

To avoid too much loss of coverage, export the table less often.
diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py
@@ -1247,14 +1247,21 @@ def filter_exports(wasm, output, keep, keep_defaults=True):
     run([in_bin('wasm-metadce'), wasm, '-o', output, '--graph-file', 'graph.json'] + FEATURE_OPTS)
 
 
-# Check if a wasm file would notice changes to exports. Normally removing an
-# export that is not called, for example, would not be observable, but if the
-# "call-export*" functions are present then such changes can break us.
+# Check if a wasm file would notice normally-unnoticeable changes to exports,
+# such as removing one that is not called.
 def wasm_notices_export_changes(wasm):
-    # we could be more precise here and disassemble the wasm to look for an
-    # actual import with name "call-export*", but looking for the string should
-    # have practically no false positives.
-    return b'call-export' in open(wasm, 'rb').read()
+    wat = run([in_bin('wasm-dis'), wasm] + FEATURE_OPTS)
+
+    if '(import "fuzzing-support" "call-export' in wat:
+        # The call-export* imports are sensitive to the number and identity of
+        # exports.
+        return True
+
+    if '(import "fuzzing-support" "table-' in wat and '(export "table" (table ' in wat:
+        # The table-get/set imports are sensitive to the "table" export.
+        return True
+
+    return False
 
 
 # Fuzz the interpreter with --fuzz-exec -tnh. The tricky thing with traps-never-
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
@@ -1062,6 +1062,14 @@ void TranslateToFuzzReader::addImportTableSupport() {
     return;
   }
 
+  // Do not always export the table even if we can, as it inhibits some things
+  // in the fuzzer (with this export, the wasm becomes more sensitive to
+  // otherwise inconsequential changes: calling the table-get/set imports is
+  // influenced by the existence of this export).
+  if (!random.oneIn(3)) {
+    return;
+  }
+
   // Export the table.
   wasm.addExport(
     builder.makeExport("table", funcrefTableName, ExternalKind::Table));
diff --git a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt
@@ -1,54 +1,49 @@
 Metrics
 total
- [exports]      : 8       
- [funcs]        : 12      
+ [exports]      : 12      
+ [funcs]        : 19      
  [globals]      : 26      
- [imports]      : 12      
+ [imports]      : 10      
  [memories]     : 1       
  [memory-data]  : 16      
- [table-data]   : 1       
+ [table-data]   : 14      
  [tables]       : 2       
- [tags]         : 2       
- [total]        : 724     
- [vars]         : 58      
- ArrayNew       : 1       
- ArrayNewFixed  : 4       
- Binary         : 31      
- Block          : 141     
- BrOn           : 1       
- Break          : 9       
- Call           : 28      
- Const          : 166     
- Drop           : 69      
- GlobalGet      : 47      
- GlobalSet      : 34      
+ [tags]         : 1       
+ [total]        : 574     
+ [vars]         : 67      
+ ArrayNewFixed  : 8       
+ Binary         : 26      
+ Block          : 93      
+ BrOn           : 2       
+ Break          : 2       
+ Call           : 24      
+ CallRef        : 1       
+ Const          : 110     
+ Drop           : 18      
+ GlobalGet      : 51      
+ GlobalSet      : 44      
  I31Get         : 2       
- If             : 20      
- Load           : 6       
- LocalGet       : 8       
- LocalSet       : 17      
- Loop           : 5       
- Nop            : 2       
- Pop            : 5       
- RefCast        : 1       
- RefEq          : 5       
- RefFunc        : 2       
- RefI31         : 14      
- RefNull        : 9       
- Return         : 6       
- SIMDExtract    : 1       
- Select         : 3       
- Store          : 1       
- StringConst    : 9       
- StringEncode   : 1       
- StringEq       : 1       
- StringMeasure  : 1       
- StructNew      : 11      
- TableSet       : 1       
- Throw          : 2       
- Try            : 5       
- TryTable       : 5       
- TupleExtract   : 2       
- TupleMake      : 7       
+ If             : 26      
+ Load           : 2       
+ LocalGet       : 7       
+ LocalSet       : 6       
+ Loop           : 3       
+ Nop            : 8       
+ RefAs          : 1       
+ RefEq          : 1       
+ RefFunc        : 16      
+ RefI31         : 3       
+ RefNull        : 18      
+ RefTest        : 3       
+ Return         : 9       
+ Select         : 1       
+ Store          : 2       
+ StringConst    : 13      
+ StringMeasure  : 3       
+ StructNew      : 13      
+ Try            : 2       
+ TryTable       : 3       
+ TupleExtract   : 1       
+ TupleMake      : 5       
  Unary          : 24      
- Unreachable    : 17      
+ Unreachable    : 23      
