From 747cc40eb77979260b2cff6bee0ce759f6f7edd1 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Fri, 8 May 2026 08:16:53 -0700
Subject: [PATCH 1/2] fix

---
 src/tools/fuzzing/fuzzing.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index f5c332ad6d3..07ceedd783a 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -2473,7 +2473,9 @@ void TranslateToFuzzReader::mutateJSBoundary() {
     // interestingHeapSubTypes on the top.
     if (newHeapType.isBottom()) {
       for (auto type : interestingHeapSubTypes[newHeapType.getTop()]) {
-        options.push_back(type);
+        if (HeapType::isSubType(type, oldHeapType)) {
+          options.push_back(type);
+        }
       }
       break;
     }

From 5421686f9d451e3d527c03171ddd302836c2fb9a Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Fri, 8 May 2026 08:19:56 -0700
Subject: [PATCH 2/2] fix

---
 src/tools/fuzzing/fuzzing.cpp | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 07ceedd783a..7dc4a9051f7 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -2470,12 +2470,10 @@ void TranslateToFuzzReader::mutateJSBoundary() {
     options.push_back(newHeapType);
     // We cannot look at a bottom type's supers (there can be many, and the
     // getSuperType() API doesn't return them), but can use
-    // interestingHeapSubTypes on the top.
+    // interestingHeapSubTypes: any subtype of old is valid.
     if (newHeapType.isBottom()) {
-      for (auto type : interestingHeapSubTypes[newHeapType.getTop()]) {
-        if (HeapType::isSubType(type, oldHeapType)) {
-          options.push_back(type);
-        }
+      for (auto type : interestingHeapSubTypes[oldHeapType]) {
+        options.push_back(type);
       }
       break;
     }
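Review bot: The new `for (auto type : interestingHeapSubTypes[oldHeapType])` line in the second patch looks up with `operator[]`, which — if `interestingHeapSubTypes` is a `std::map`/`std::unordered_map` (its declaration is outside the hunk) — default-inserts an empty entry whenever `oldHeapType` was never recorded as interesting, so a read-only lookup grows the table for every unrecorded type the fuzzer meets. The replaced `[newHeapType.getTop()]` had the same shape, but its key was always a top type, whereas `oldHeapType` can be any type, so the accidental insertion is far more likely after this change. A `find` keeps it read-only: `auto it = interestingHeapSubTypes.find(oldHeapType);` guarded by `if (it != interestingHeapSubTypes.end())` and iterating `it->second` in place of the subscript. It is also worth saying in the rewritten comment whether `interestingHeapSubTypes[oldHeapType]` can contain the bottom type already pushed as `newHeapType` two lines above, since a duplicate in `options` doubles that choice's weight rather than failing. `mutateJSBoundary` begins and ends outside both hunks.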