Handle extended const segment offsets in the fuzzer (#6382)

tlively · web-flow · commit adca3a1366f6 · 2024-03-07T08:57:14.000-08:00
The fuzzer already had logic to remove all references to non-imported globals
from global initializers and data segment offsets, but it was missing for
element segment offsets. Add it, and also add a missing check line for the new
test that uncovered this bug as initial fuzzer input.
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
@@ -465,15 +465,12 @@ void TranslateToFuzzReader::finalizeMemory() {
         // definition to what used to be an imported global in initial contents.
         // To fix that, replace such invalid offsets with a constant.
         for (auto* get : FindAll<GlobalGet>(segment->offset).list) {
-          // N.B: We never currently encounter imported globals here, but we do
-          // the check for robustness.
-          if (!wasm.getGlobal(get->name)->imported()) {
-            // TODO: It would be better to avoid segment overlap so that
-            //       MemoryPacking can run.
-            segment->offset =
-              builder.makeConst(Literal::makeFromInt32(0, Type::i32));
-            break;
-          }
+          // No imported globals should remain.
+          assert(!wasm.getGlobal(get->name)->imported());
+          // TODO: It would be better to avoid segment overlap so that
+          //       MemoryPacking can run.
+          segment->offset =
+            builder.makeConst(Literal::makeFromInt32(0, Type::i32));
         }
       }
       if (auto* offset = segment->offset->dynCast<Const>()) {
@@ -507,10 +504,13 @@ void TranslateToFuzzReader::finalizeTable() {
   for (auto& table : wasm.tables) {
     ModuleUtils::iterTableSegments(
       wasm, table->name, [&](ElementSegment* segment) {
-        // If the offset is a global that was imported (which is ok) but no
-        // longer is (not ok) we need to change that.
-        if (auto* offset = segment->offset->dynCast<GlobalGet>()) {
-          if (!wasm.getGlobal(offset->name)->imported()) {
+        // If the offset contains a global that was imported (which is ok) but
+        // no longer is (not ok unless GC is enabled), we may need to change
+        // that.
+        if (!wasm.features.hasGC()) {
+          for (auto* get : FindAll<GlobalGet>(segment->offset).list) {
+            // No imported globals should remain.
+            assert(!wasm.getGlobal(get->name)->imported());
             // TODO: the segments must not overlap...
             segment->offset =
               builder.makeConst(Literal::makeFromInt32(0, Type::i32));
diff --git a/test/lit/validation/extended-const.wast b/test/lit/validation/extended-const.wast
@@ -5,6 +5,7 @@
 
 ;; NO-EXTENDED: unexpected false: global init must be constant
 ;; NO-EXTENDED: unexpected false: memory segment offset should be constant
+;; NO-EXTENDED: unexpected false: table segment offset should be constant
 
 ;; EXTENDED: (import "env" "global" (global $gimport$0 i32))
 ;; EXTENDED: (global $1 i32 (i32.add
