Fuzzer: Emit fewer null descriptors, which trap (#8030)

kripken · web-flow · commit 8ccb3f6d4576 · 2025-11-10T08:16:06.000-08:00
This was a major source of testcases failing in initialization.
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
@@ -487,6 +487,7 @@ class TranslateToFuzzReader {
   // used in a place that will trap on null. For example, the reference of a
   // struct.get or array.set would use this.
   Expression* makeTrappingRefUse(HeapType type);
+  Expression* makeTrappingRefUse(Type type);
 
   Expression* buildUnary(const UnaryArgs& args);
   Expression* makeUnary(Type type);
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
@@ -3955,7 +3955,7 @@ Expression* TranslateToFuzzReader::makeCompoundRef(Type type) {
       }
       Expression* descriptor = nullptr;
       if (auto descType = heapType.getDescriptorType()) {
-        descriptor = make(Type(*descType, Nullable, Exact));
+        descriptor = makeTrappingRefUse(Type(*descType, Nullable, Exact));
       }
       return builder.makeStructNew(heapType, values, descriptor);
     }
@@ -4079,13 +4079,17 @@ Expression* TranslateToFuzzReader::makeStringGet(Type type) {
 }
 
 Expression* TranslateToFuzzReader::makeTrappingRefUse(HeapType type) {
+  return makeTrappingRefUse(Type(type, Nullable));
+}
+
+Expression* TranslateToFuzzReader::makeTrappingRefUse(Type type) {
   auto percent = upTo(100);
   // Only give a low probability to emit a nullable reference.
   if (percent < 5) {
-    return make(Type(type, Nullable));
+    return make(type.with(Nullable));
   }
   // Otherwise, usually emit a non-nullable one.
-  auto nonNull = Type(type, NonNullable);
+  auto nonNull = type.with(NonNullable);
   if (percent < 70 || !funcContext) {
     return make(nonNull);
   }

Original file line number	Diff line number	Diff line change
`@@ -3955,7 +3955,7 @@ Expression* TranslateToFuzzReader::makeCompoundRef(Type type) {`
`3955`	`3955`	`}`
`3956`	`3956`	`Expression* descriptor = nullptr;`
`3957`	`3957`	`if (auto descType = heapType.getDescriptorType()) {`
`3958`		`- descriptor = make(Type(*descType, Nullable, Exact));`
	`3958`	`+ descriptor = makeTrappingRefUse(Type(*descType, Nullable, Exact));`
`3959`	`3959`	`}`
`3960`	`3960`	`return builder.makeStructNew(heapType, values, descriptor);`
`3961`	`3961`	`}`
`@@ -4079,13 +4079,17 @@ Expression* TranslateToFuzzReader::makeStringGet(Type type) {`
`4079`	`4079`	`}`
`4080`	`4080`
`4081`	`4081`	`Expression* TranslateToFuzzReader::makeTrappingRefUse(HeapType type) {`
	`4082`	`+ return makeTrappingRefUse(Type(type, Nullable));`
	`4083`	`+}`
	`4084`	`+`
	`4085`	`+Expression* TranslateToFuzzReader::makeTrappingRefUse(Type type) {`
`4082`	`4086`	`auto percent = upTo(100);`
`4083`	`4087`	`// Only give a low probability to emit a nullable reference.`
`4084`	`4088`	`if (percent < 5) {`
`4085`		`- return make(Type(type, Nullable));`
	`4089`	`+ return make(type.with(Nullable));`
`4086`	`4090`	`}`
`4087`	`4091`	`// Otherwise, usually emit a non-nullable one.`
`4088`		`- auto nonNull = Type(type, NonNullable);`
	`4092`	`+ auto nonNull = type.with(NonNullable);`
`4089`	`4093`	`if (percent < 70 \|\| !funcContext) {`
`4090`	`4094`	`return make(nonNull);`
`4091`	`4095`	`}`