fuzz: Add a fuzz target for table.{get,set} operations

This new fuzz target exercises sequences of `table.get`s, `table.set`s, and GCs. It already found a couple bugs: * Some leaks due to ref count cycles between stores and host-defined functions closing over those stores. * If there are no live references for a PC, Cranelift can avoid emiting an associated stack map. This was running afoul of a debug assertion.
2020-06-26 16:13:55 -07:00
parent 8c5f59c0cf
commit 98e899f6b3
10 changed files with 253 additions and 30 deletions
--- a/crates/runtime/src/externref.rs
+++ b/crates/runtime/src/externref.rs
@@ -901,18 +901,14 @@ impl StackMapRegistry {
            // Exact hit.
            Ok(i) => i,

-            Err(n) => {
-                // `Err(0)` means that the associated stack map would have been
-                // the first element in the array if this pc had an associated
-                // stack map, but this pc does not have an associated stack
-                // map. That doesn't make sense since every call and trap inside
-                // Wasm is a GC safepoint and should have a stack map, and the
-                // only way to have Wasm frames under this native frame is if we
-                // are at a call or a trap.
-                debug_assert!(n != 0);
+            // `Err(0)` means that the associated stack map would have been the
+            // first element in the array if this pc had an associated stack
+            // map, but this pc does not have an associated stack map. This can
+            // only happen inside a Wasm frame if there are no live refs at this
+            // pc.
+            Err(0) => return None,

-                n - 1
-            }
+            Err(n) => n - 1,
        };

        let stack_map = stack_maps.pc_to_stack_map[index].1.clone();