Add per-input timeout to fuzzer to prevent infinite VM loops

dylan-sutton-chavez · dylan-sutton-chavez · commit 554400436b2d · 2026-06-03T00:36:13.000-06:00
diff --git a/compiler/src/bin/fuzz.rs b/compiler/src/bin/fuzz.rs
@@ -2,12 +2,13 @@ use compiler::modules::lexer::{lex, TokenType};
 use compiler::modules::lexer::tables::token_to_str;
 use compiler::modules::parser::{Parser, SSAChunk};
 use compiler::modules::vm::{VM, Val};
-use std::{panic, time::{Duration, Instant, SystemTime}};
+use std::{panic, sync::mpsc, thread, time::{Duration, Instant, SystemTime}};
 
 const MAX_LEN: usize = 2048;
 const SAVE_DIR: &str = "crashes";
 const PRINT_INTERVAL: u64 = 10_000;
-const MAX_SECS: u64 = 600; // 60 seconds
+const MAX_SECS: u64 = 600; // 10 minutes
+const VM_TIMEOUT: Duration = Duration::from_millis(200);
 const SLOW_THRESHOLD: Duration = Duration::from_millis(50);
 
 struct Rng(u64);
@@ -275,32 +276,37 @@ impl Perf {
     }
 }
 
-enum Outcome { Crash, ParseErr, VmErr, Clean(u128, Duration, Duration, Duration) }
+enum Outcome { Crash, ParseErr, VmErr, Timeout, Clean(u128, Duration, Duration, Duration) }
 
 fn run_once(src: &str) -> Outcome {
-    let src = if src.len() > MAX_LEN { &src[..MAX_LEN] } else { src };
-    match panic::catch_unwind(panic::AssertUnwindSafe(|| {
-        let t0 = Instant::now();
-        let (tokens, _) = lex(src);
-        let t_lex = t0.elapsed();
-
-        let t1 = Instant::now();
-        let (chunk, errs) = Parser::new(src, tokens.into_iter()).parse();
-        let t_parse = t1.elapsed();
-
-        let bm = opcode_bitmap(&chunk);
-
-        let t2 = Instant::now();
-        let ok = VM::new(&chunk).run().is_ok();
-        let t_vm = t2.elapsed();
-
-        (errs.is_empty(), ok, bm, t_lex, t_parse, t_vm)
-    })) {
-        Err(_) => Outcome::Crash,
-        Ok((false, ..)) => Outcome::ParseErr,
-        Ok((true, false, ..)) => Outcome::VmErr,
-        Ok((true, true, bm, tl, tp, tv)) => Outcome::Clean(bm, tl, tp, tv),
-    }
+    let src = if src.len() > MAX_LEN { src[..MAX_LEN].to_string() } else { src.to_string() };
+    let (tx, rx) = mpsc::channel();
+    thread::spawn(move || {
+        let outcome = match panic::catch_unwind(panic::AssertUnwindSafe(|| {
+            let t0 = Instant::now();
+            let (tokens, _) = lex(&src);
+            let t_lex = t0.elapsed();
+
+            let t1 = Instant::now();
+            let (chunk, errs) = Parser::new(&src, tokens.into_iter()).parse();
+            let t_parse = t1.elapsed();
+
+            let bm = opcode_bitmap(&chunk);
+
+            let t2 = Instant::now();
+            let ok = VM::new(&chunk).run().is_ok();
+            let t_vm = t2.elapsed();
+
+            (errs.is_empty(), ok, bm, t_lex, t_parse, t_vm)
+        })) {
+            Err(_) => Outcome::Crash,
+            Ok((false, ..)) => Outcome::ParseErr,
+            Ok((true, false, ..)) => Outcome::VmErr,
+            Ok((true, true, bm, tl, tp, tv)) => Outcome::Clean(bm, tl, tp, tv),
+        };
+        let _ = tx.send(outcome);
+    });
+    rx.recv_timeout(VM_TIMEOUT).unwrap_or(Outcome::Timeout)
 }
 
 struct Corpus { entries: Vec<String>, seen: u128 }
@@ -318,14 +324,14 @@ impl Corpus {
     }
 }
 
-struct Stats { iters: u64, crashes: u64, adds: u64, start: Instant }
+struct Stats { iters: u64, crashes: u64, adds: u64, timeouts: u64, start: Instant }
 
 impl Stats {
-    fn new() -> Self { Self { iters: 0, crashes: 0, adds: 0, start: Instant::now() } }
+    fn new() -> Self { Self { iters: 0, crashes: 0, adds: 0, timeouts: 0, start: Instant::now() } }
     fn print(&self, corpus: usize, perf: &Perf) {
         let s = self.start.elapsed().as_secs_f64().max(0.001);
-        eprintln!("[{:7.1}s] iters={:<9} {:.0}/s  crashes={}  corpus={}  new_cov={}",
-            s, self.iters, self.iters as f64 / s, self.crashes, corpus, self.adds);
+        eprintln!("[{:7.1}s] iters={:<9} {:.0}/s  crashes={}  timeouts={}  corpus={}  new_cov={}",
+            s, self.iters, self.iters as f64 / s, self.crashes, self.timeouts, corpus, self.adds);
         perf.print();
     }
 }
@@ -362,6 +368,7 @@ fn main() {
                 }
                 if corpus.add(input, bm) { stats.adds += 1; }
             }
+            Outcome::Timeout => { stats.timeouts += 1; }
             _ => {}
         }
 
diff --git a/docs/pages/implementation/fuzzing.md b/docs/pages/implementation/fuzzing.md
@@ -18,9 +18,10 @@ corpus -> mutate -> lex + parse + vm -> catch_unwind -> [crash | new coverage |
 | `Crash`       | panic anywhere in the pipeline               | save to `crashes/crash_NNNNNN.py`      |
 | `ParseErr`    | parser emitted one or more diagnostics       | discard                                |
 | `VmErr`       | VM returned a typed error                    | discard                                |
+| `Timeout`     | VM did not finish within 200 ms              | discard, increment timeout counter     |
 | `Clean(bm)`   | compiled and executed without panic          | admit to corpus if `bm` covers new opcodes |
 
-`ParseErr` and `VmErr` are expected outcomes — typed errors are not bugs. Only an unhandled panic indicates a defect.
+`ParseErr`, `VmErr`, and `Timeout` are expected outcomes — typed errors and infinite loops are not bugs. Only an unhandled panic indicates a defect.
 
 ## Coverage
 
@@ -30,7 +31,7 @@ An input is admitted to the corpus only when its bitmap introduces at least one
 
 ## Iteration
 
-Some sstrategies are applied uniformly at random: `byte_flip` (XOR a random byte), `insert_keyword`, `drop_line`, `duplicate_line`, `splice` (join two corpus halves), `inject_boundary` (i64 boundary literals targeting VM overflow), `deep_nest` (100–220 bracket levels, attacks `MAX_EXPR_DEPTH`), `token_shuffle`, `indent_bomb` (50–110 nested `if True:` blocks), and `add_comment`.
+Some strategies are applied uniformly at random: `byte_flip` (XOR a random byte), `insert_keyword`, `drop_line`, `duplicate_line`, `splice` (join two corpus halves), `inject_boundary` (i64 boundary literals targeting VM overflow), `deep_nest` (100–220 bracket levels, attacks `MAX_EXPR_DEPTH`), `token_shuffle`, `indent_bomb` (50–110 nested `if True:` blocks), and `add_comment`.
 
 ## Known Targets
 
@@ -57,7 +58,7 @@ The `fuzz` profile inherits from `release` with two overrides: `panic = "unwind"
 Output is written to stderr every 10 000 iterations:
 
 ```txt
-[5.3s]  iters=10000  1886/s  crashes=0  corpus=24  new_cov=4
+[5.3s]  iters=10000  1886/s  crashes=0  timeouts=2  corpus=24  new_cov=4
 ```
 
 Crashes are saved immediately on detection. To reproduce a crash against the standard compiler binary:
