1 //! Generate a configuration for both Wasmtime and the Wasm module to execute. 2 3 use super::{AsyncConfig, CodegenSettings, InstanceAllocationStrategy, MemoryConfig, ModuleConfig}; 4 use crate::oracles::{StoreLimits, Timeout}; 5 use arbitrary::{Arbitrary, Unstructured}; 6 use std::time::Duration; 7 use wasmtime::Result; 8 use wasmtime::{Enabled, Engine, Module, Store}; 9 use wasmtime_test_util::wast::{WastConfig, WastTest, limits}; 10 11 /// Configuration for `wasmtime::Config` and generated modules for a session of 12 /// fuzzing. 13 /// 14 /// This configuration guides what modules are generated, how wasmtime 15 /// configuration is generated, and is typically itself generated through a call 16 /// to `Arbitrary` which allows for a form of "swarm testing". 17 #[derive(Debug, Clone)] 18 pub struct Config { 19 /// Configuration related to the `wasmtime::Config`. 20 pub wasmtime: WasmtimeConfig, 21 /// Configuration related to generated modules. 22 pub module_config: ModuleConfig, 23 } 24 25 impl Config { 26 /// Indicates that this configuration is being used for differential 27 /// execution. 28 /// 29 /// The purpose of this function is to update the configuration which was 30 /// generated to be compatible with execution in multiple engines. The goal 31 /// is to produce the exact same result in all engines so we need to paper 32 /// over things like nan differences and memory/table behavior differences. set_differential_config(&mut self)33 pub fn set_differential_config(&mut self) { 34 let config = &mut self.module_config.config; 35 36 // Make it more likely that there are types available to generate a 37 // function with. 38 config.min_types = config.min_types.max(1); 39 config.max_types = config.max_types.max(1); 40 41 // Generate at least one function 42 config.min_funcs = config.min_funcs.max(1); 43 config.max_funcs = config.max_funcs.max(1); 44 45 // Allow a memory to be generated, but don't let it get too large. 46 // Additionally require the maximum size to guarantee that the growth 47 // behavior is consistent across engines. 48 config.max_memory32_bytes = 10 << 16; 49 config.max_memory64_bytes = 10 << 16; 50 config.memory_max_size_required = true; 51 52 // If tables are generated make sure they don't get too large to avoid 53 // hitting any engine-specific limit. Additionally ensure that the 54 // maximum size is required to guarantee consistent growth across 55 // engines. 56 // 57 // Note that while reference types are disabled below, only allow one 58 // table. 59 config.max_table_elements = 1_000; 60 config.table_max_size_required = true; 61 62 // Don't allow any imports 63 config.max_imports = 0; 64 65 // Try to get the function and the memory exported 66 config.export_everything = true; 67 68 // NaN is canonicalized at the wasm level for differential fuzzing so we 69 // can paper over NaN differences between engines. 70 config.canonicalize_nans = true; 71 72 // If using the pooling allocator, update the instance limits too 73 if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.wasmtime.strategy { 74 // One single-page memory 75 pooling.total_memories = config.max_memories as u32; 76 pooling.max_memory_size = 10 << 16; 77 pooling.max_memories_per_module = config.max_memories as u32; 78 if pooling.memory_protection_keys == Enabled::Auto 79 && pooling.max_memory_protection_keys > 1 80 { 81 pooling.total_memories = 82 pooling.total_memories * (pooling.max_memory_protection_keys as u32); 83 } 84 85 pooling.total_tables = config.max_tables as u32; 86 pooling.table_elements = 1_000; 87 pooling.max_tables_per_module = config.max_tables as u32; 88 89 pooling.core_instance_size = 1_000_000; 90 91 let cfg = &mut self.wasmtime.memory_config; 92 match &mut cfg.memory_reservation { 93 Some(size) => *size = (*size).max(pooling.max_memory_size as u64), 94 other @ None => *other = Some(pooling.max_memory_size as u64), 95 } 96 } 97 98 // These instructions are explicitly not expected to be exactly the same 99 // across engines. Don't fuzz them. 100 config.relaxed_simd_enabled = false; 101 } 102 103 /// Uses this configuration and the supplied source of data to generate 104 /// a wasm module. 105 /// 106 /// If a `default_fuel` is provided, the resulting module will be configured 107 /// to ensure termination; as doing so will add an additional global to the module, 108 /// the pooling allocator, if configured, will also have its globals limit updated. generate( &self, input: &mut Unstructured<'_>, default_fuel: Option<u32>, ) -> arbitrary::Result<wasm_smith::Module>109 pub fn generate( 110 &self, 111 input: &mut Unstructured<'_>, 112 default_fuel: Option<u32>, 113 ) -> arbitrary::Result<wasm_smith::Module> { 114 self.module_config.generate(input, default_fuel) 115 } 116 117 /// Updates this configuration to be able to run the `test` specified. 118 /// 119 /// This primarily updates `self.module_config` to ensure that it enables 120 /// all features and proposals necessary to execute the `test` specified. 121 /// This will additionally update limits in the pooling allocator to be able 122 /// to execute all tests. make_wast_test_compliant(&mut self, test: &WastTest) -> WastConfig123 pub fn make_wast_test_compliant(&mut self, test: &WastTest) -> WastConfig { 124 let wasmtime_test_util::wast::TestConfig { 125 bulk_memory, 126 memory64, 127 custom_page_sizes, 128 multi_memory, 129 threads, 130 shared_everything_threads, 131 gc, 132 function_references, 133 relaxed_simd, 134 reference_types, 135 tail_call, 136 extended_const, 137 wide_arithmetic, 138 component_model_async, 139 component_model_async_builtins, 140 component_model_async_stackful, 141 component_model_threading, 142 component_model_error_context, 143 component_model_gc, 144 component_model_map, 145 component_model_fixed_length_lists, 146 simd, 147 exceptions, 148 legacy_exceptions: _, 149 custom_descriptors: _, 150 151 hogs_memory: _, 152 nan_canonicalization: _, 153 gc_types: _, 154 stack_switching: _, 155 spec_test: _, 156 } = test.config; 157 158 // Enable/disable some proposals that aren't configurable in wasm-smith 159 // but are configurable in Wasmtime. 160 self.module_config.function_references_enabled = 161 function_references.or(gc).unwrap_or(false); 162 self.module_config.component_model_async = component_model_async.unwrap_or(false); 163 self.module_config.component_model_async_builtins = 164 component_model_async_builtins.unwrap_or(false); 165 self.module_config.component_model_async_stackful = 166 component_model_async_stackful.unwrap_or(false); 167 self.module_config.component_model_threading = component_model_threading.unwrap_or(false); 168 self.module_config.component_model_error_context = 169 component_model_error_context.unwrap_or(false); 170 self.module_config.component_model_gc = component_model_gc.unwrap_or(false); 171 self.module_config.component_model_map = component_model_map.unwrap_or(false); 172 self.module_config.component_model_fixed_length_lists = 173 component_model_fixed_length_lists.unwrap_or(false); 174 175 // Enable/disable proposals that wasm-smith has knobs for which will be 176 // read when creating `wasmtime::Config`. 177 let config = &mut self.module_config.config; 178 config.bulk_memory_enabled = bulk_memory.unwrap_or(false); 179 config.multi_value_enabled = true; 180 config.wide_arithmetic_enabled = wide_arithmetic.unwrap_or(false); 181 config.memory64_enabled = memory64.unwrap_or(false); 182 config.relaxed_simd_enabled = relaxed_simd.unwrap_or(false); 183 config.simd_enabled = config.relaxed_simd_enabled || simd.unwrap_or(false); 184 config.tail_call_enabled = tail_call.unwrap_or(false); 185 config.custom_page_sizes_enabled = custom_page_sizes.unwrap_or(false); 186 config.threads_enabled = threads.unwrap_or(false); 187 config.shared_everything_threads_enabled = shared_everything_threads.unwrap_or(false); 188 config.gc_enabled = gc.unwrap_or(false); 189 config.reference_types_enabled = config.gc_enabled 190 || self.module_config.function_references_enabled 191 || reference_types.unwrap_or(false); 192 config.extended_const_enabled = extended_const.unwrap_or(false); 193 config.exceptions_enabled = exceptions.unwrap_or(false); 194 if multi_memory.unwrap_or(false) { 195 config.max_memories = limits::MEMORIES_PER_MODULE as usize; 196 } else { 197 config.max_memories = 1; 198 } 199 200 if let Some(n) = &mut self.wasmtime.memory_config.memory_reservation { 201 *n = (*n).max(limits::MEMORY_SIZE as u64); 202 } 203 204 // FIXME: it might be more ideal to avoid the need for this entirely 205 // and to just let the test fail. If a test fails due to a pooling 206 // allocator resource limit being met we could ideally detect that and 207 // let the fuzz test case pass. That would avoid the need to hardcode 208 // so much here and in theory wouldn't reduce the usefulness of fuzzers 209 // all that much. At this time though we can't easily test this configuration. 210 if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.wasmtime.strategy { 211 // Clamp protection keys between 1 & 2 to reduce the number of 212 // slots and then multiply the total memories by the number of keys 213 // we have since a single store has access to only one key. 214 pooling.max_memory_protection_keys = pooling.max_memory_protection_keys.max(1).min(2); 215 pooling.total_memories = pooling 216 .total_memories 217 .max(limits::MEMORIES * (pooling.max_memory_protection_keys as u32)); 218 219 // For other limits make sure they meet the minimum threshold 220 // required for our wast tests. 221 pooling.total_component_instances = pooling 222 .total_component_instances 223 .max(limits::COMPONENT_INSTANCES); 224 pooling.total_tables = pooling.total_tables.max(limits::TABLES); 225 pooling.max_tables_per_module = 226 pooling.max_tables_per_module.max(limits::TABLES_PER_MODULE); 227 pooling.max_memories_per_module = pooling 228 .max_memories_per_module 229 .max(limits::MEMORIES_PER_MODULE); 230 pooling.max_memories_per_component = pooling 231 .max_memories_per_component 232 .max(limits::MEMORIES_PER_MODULE); 233 pooling.total_core_instances = pooling.total_core_instances.max(limits::CORE_INSTANCES); 234 pooling.max_memory_size = pooling.max_memory_size.max(limits::MEMORY_SIZE); 235 pooling.table_elements = pooling.table_elements.max(limits::TABLE_ELEMENTS); 236 pooling.core_instance_size = pooling.core_instance_size.max(limits::CORE_INSTANCE_SIZE); 237 pooling.component_instance_size = pooling 238 .component_instance_size 239 .max(limits::CORE_INSTANCE_SIZE); 240 pooling.total_stacks = pooling.total_stacks.max(limits::TOTAL_STACKS); 241 } 242 243 // Return the test configuration that this fuzz configuration represents 244 // which is used afterwards to test if the `test` here is expected to 245 // fail or not. 246 WastConfig { 247 collector: match self.wasmtime.collector { 248 Collector::Null => wasmtime_test_util::wast::Collector::Null, 249 Collector::DeferredReferenceCounting => { 250 wasmtime_test_util::wast::Collector::DeferredReferenceCounting 251 } 252 }, 253 pooling: matches!( 254 self.wasmtime.strategy, 255 InstanceAllocationStrategy::Pooling(_) 256 ), 257 compiler: match self.wasmtime.compiler_strategy { 258 CompilerStrategy::CraneliftNative => { 259 wasmtime_test_util::wast::Compiler::CraneliftNative 260 } 261 CompilerStrategy::CraneliftPulley => { 262 wasmtime_test_util::wast::Compiler::CraneliftPulley 263 } 264 CompilerStrategy::Winch => wasmtime_test_util::wast::Compiler::Winch, 265 }, 266 } 267 } 268 269 /// Converts this to a `wasmtime::Config` object to_wasmtime(&self) -> wasmtime::Config270 pub fn to_wasmtime(&self) -> wasmtime::Config { 271 crate::init_fuzzing(); 272 273 let mut cfg = wasmtime_cli_flags::CommonOptions::default(); 274 cfg.codegen.native_unwind_info = 275 Some(cfg!(target_os = "windows") || self.wasmtime.native_unwind_info); 276 cfg.codegen.parallel_compilation = Some(false); 277 278 cfg.debug.address_map = Some(self.wasmtime.generate_address_map); 279 cfg.opts.opt_level = Some(self.wasmtime.opt_level.to_wasmtime()); 280 cfg.opts.regalloc_algorithm = Some(self.wasmtime.regalloc_algorithm.to_wasmtime()); 281 cfg.opts.signals_based_traps = Some(self.wasmtime.signals_based_traps); 282 cfg.opts.memory_guaranteed_dense_image_size = Some(std::cmp::min( 283 // Clamp this at 16MiB so we don't get huge in-memory 284 // images during fuzzing. 285 16 << 20, 286 self.wasmtime.memory_guaranteed_dense_image_size, 287 )); 288 cfg.wasm.async_stack_zeroing = Some(self.wasmtime.async_stack_zeroing); 289 cfg.wasm.bulk_memory = Some(self.module_config.config.bulk_memory_enabled); 290 cfg.wasm.component_model_async = Some(self.module_config.component_model_async); 291 cfg.wasm.component_model_async_builtins = 292 Some(self.module_config.component_model_async_builtins); 293 cfg.wasm.component_model_async_stackful = 294 Some(self.module_config.component_model_async_stackful); 295 cfg.wasm.component_model_threading = Some(self.module_config.component_model_threading); 296 cfg.wasm.component_model_error_context = 297 Some(self.module_config.component_model_error_context); 298 cfg.wasm.component_model_gc = Some(self.module_config.component_model_gc); 299 cfg.wasm.component_model_map = Some(self.module_config.component_model_map); 300 cfg.wasm.component_model_fixed_length_lists = 301 Some(self.module_config.component_model_fixed_length_lists); 302 cfg.wasm.custom_page_sizes = Some(self.module_config.config.custom_page_sizes_enabled); 303 cfg.wasm.epoch_interruption = Some(self.wasmtime.epoch_interruption); 304 cfg.wasm.extended_const = Some(self.module_config.config.extended_const_enabled); 305 cfg.wasm.fuel = self.wasmtime.consume_fuel.then(|| u64::MAX); 306 cfg.wasm.function_references = Some(self.module_config.function_references_enabled); 307 cfg.wasm.gc = Some(self.module_config.config.gc_enabled); 308 cfg.wasm.memory64 = Some(self.module_config.config.memory64_enabled); 309 cfg.wasm.multi_memory = Some(self.module_config.config.max_memories > 1); 310 cfg.wasm.multi_value = Some(self.module_config.config.multi_value_enabled); 311 cfg.wasm.nan_canonicalization = Some(self.wasmtime.canonicalize_nans); 312 cfg.wasm.reference_types = Some(self.module_config.config.reference_types_enabled); 313 cfg.wasm.simd = Some(self.module_config.config.simd_enabled); 314 cfg.wasm.tail_call = Some(self.module_config.config.tail_call_enabled); 315 cfg.wasm.threads = Some(self.module_config.config.threads_enabled); 316 cfg.wasm.shared_everything_threads = 317 Some(self.module_config.config.shared_everything_threads_enabled); 318 cfg.wasm.wide_arithmetic = Some(self.module_config.config.wide_arithmetic_enabled); 319 cfg.wasm.exceptions = Some(self.module_config.config.exceptions_enabled); 320 cfg.wasm.shared_memory = Some(self.module_config.shared_memory); 321 if !self.module_config.config.simd_enabled { 322 cfg.wasm.relaxed_simd = Some(false); 323 } 324 cfg.codegen.collector = Some(self.wasmtime.collector.to_wasmtime()); 325 326 let compiler_strategy = &self.wasmtime.compiler_strategy; 327 let cranelift_strategy = match compiler_strategy { 328 CompilerStrategy::CraneliftNative | CompilerStrategy::CraneliftPulley => true, 329 CompilerStrategy::Winch => false, 330 }; 331 self.wasmtime.compiler_strategy.configure(&mut cfg); 332 333 self.wasmtime.codegen.configure(&mut cfg); 334 335 cfg.codegen.inlining = self.wasmtime.inlining; 336 337 // Only set cranelift specific flags when the Cranelift strategy is 338 // chosen. 339 if cranelift_strategy { 340 if let Some(option) = self.wasmtime.inlining_intra_module { 341 cfg.codegen.cranelift.push(( 342 "wasmtime_inlining_intra_module".to_string(), 343 Some(option.to_string()), 344 )); 345 } 346 if let Some(size) = self.wasmtime.inlining_small_callee_size { 347 cfg.codegen.cranelift.push(( 348 "wasmtime_inlining_small_callee_size".to_string(), 349 // Clamp to avoid extreme code size blow up. 350 Some(std::cmp::min(1000, size).to_string()), 351 )); 352 } 353 if let Some(size) = self.wasmtime.inlining_sum_size_threshold { 354 cfg.codegen.cranelift.push(( 355 "wasmtime_inlining_sum_size_threshold".to_string(), 356 // Clamp to avoid extreme code size blow up. 357 Some(std::cmp::min(1000, size).to_string()), 358 )); 359 } 360 361 // If the wasm-smith-generated module use nan canonicalization then we 362 // don't need to enable it, but if it doesn't enable it already then we 363 // enable this codegen option. 364 cfg.wasm.nan_canonicalization = Some(!self.module_config.config.canonicalize_nans); 365 366 // Enabling the verifier will at-least-double compilation time, which 367 // with a 20-30x slowdown in fuzzing can cause issues related to 368 // timeouts. If generated modules can have more than a small handful of 369 // functions then disable the verifier when fuzzing to try to lessen the 370 // impact of timeouts. 371 if self.module_config.config.max_funcs > 10 { 372 cfg.codegen.cranelift_debug_verifier = Some(false); 373 } 374 375 if self.wasmtime.force_jump_veneers { 376 cfg.codegen.cranelift.push(( 377 "wasmtime_linkopt_force_jump_veneer".to_string(), 378 Some("true".to_string()), 379 )); 380 } 381 382 if let Some(pad) = self.wasmtime.padding_between_functions { 383 cfg.codegen.cranelift.push(( 384 "wasmtime_linkopt_padding_between_functions".to_string(), 385 Some(pad.to_string()), 386 )); 387 } 388 389 // Eager init is currently only supported on Cranelift, not Winch. 390 cfg.opts.table_lazy_init = Some(self.wasmtime.table_lazy_init); 391 } 392 393 self.wasmtime.strategy.configure(&mut cfg); 394 395 // Vary the memory configuration, but only if threads are not enabled. 396 // When the threads proposal is enabled we might generate shared memory, 397 // which is less amenable to different memory configurations: 398 // - shared memories are required to be "static" so fuzzing the various 399 // memory configurations will mostly result in uninteresting errors. 400 // The interesting part about shared memories is the runtime so we 401 // don't fuzz non-default settings. 402 // - shared memories are required to be aligned which means that the 403 // `CustomUnaligned` variant isn't actually safe to use with a shared 404 // memory. 405 if !self.module_config.config.threads_enabled { 406 let memory_config = self.wasmtime.memory_config.clone(); 407 memory_config.configure(&mut cfg); 408 }; 409 410 // If malloc-based memory is going to be used, which requires these four 411 // options set to specific values (and Pulley auto-sets two of them) 412 // then be sure to cap `memory_reservation_for_growth` at a smaller 413 // value than the default. For malloc-based memory reservation beyond 414 // the end of memory isn't captured by `StoreLimiter` so we need to be 415 // sure it's small enough to not blow OOM limits while fuzzing. 416 if ((cfg.opts.signals_based_traps == Some(true) && cfg.opts.memory_guard_size == Some(0)) 417 || self.wasmtime.compiler_strategy == CompilerStrategy::CraneliftPulley) 418 && cfg.opts.memory_reservation == Some(0) 419 && cfg.opts.memory_init_cow == Some(false) 420 { 421 let growth = &mut cfg.opts.memory_reservation_for_growth; 422 let max = 1 << 20; 423 *growth = match *growth { 424 Some(n) => Some(n.min(max)), 425 None => Some(max), 426 }; 427 } 428 429 log::debug!("creating wasmtime config with CLI options:\n{cfg}"); 430 let mut cfg = cfg.config(None).expect("failed to create wasmtime::Config"); 431 432 if self.wasmtime.async_config != AsyncConfig::Disabled { 433 log::debug!("async config in use {:?}", self.wasmtime.async_config); 434 self.wasmtime.async_config.configure(&mut cfg); 435 } 436 437 // Fuzzing on macOS with mach ports seems to sometimes bypass the mach 438 // port handling thread entirely and go straight to asan's or fuzzing's 439 // signal handler. No idea why and for me at least it's just easier to 440 // disable mach ports when fuzzing because there's no need to use that 441 // over signal handlers. 442 if cfg!(target_vendor = "apple") { 443 cfg.macos_use_mach_ports(false); 444 } 445 446 return cfg; 447 } 448 449 /// Convenience function for generating a `Store<T>` using this 450 /// configuration. to_store(&self) -> Store<StoreLimits>451 pub fn to_store(&self) -> Store<StoreLimits> { 452 let engine = Engine::new(&self.to_wasmtime()).unwrap(); 453 let mut store = Store::new(&engine, StoreLimits::new()); 454 self.configure_store(&mut store); 455 store 456 } 457 458 /// Configures a store based on this configuration. configure_store(&self, store: &mut Store<StoreLimits>)459 pub fn configure_store(&self, store: &mut Store<StoreLimits>) { 460 store.limiter(|s| s as &mut dyn wasmtime::ResourceLimiter); 461 self.configure_store_epoch_and_fuel(store); 462 } 463 464 /// Configures everything unrelated to `T` in a store, such as epochs and 465 /// fuel. configure_store_epoch_and_fuel<T>(&self, store: &mut Store<T>)466 pub fn configure_store_epoch_and_fuel<T>(&self, store: &mut Store<T>) { 467 // Configure the store to never abort by default, that is it'll have 468 // max fuel or otherwise trap on an epoch change but the epoch won't 469 // ever change. 470 // 471 // Afterwards though see what `AsyncConfig` is being used an further 472 // refine the store's configuration based on that. 473 if self.wasmtime.consume_fuel { 474 store.set_fuel(u64::MAX).unwrap(); 475 } 476 if self.wasmtime.epoch_interruption { 477 store.epoch_deadline_trap(); 478 store.set_epoch_deadline(1); 479 } 480 match self.wasmtime.async_config { 481 AsyncConfig::Disabled => {} 482 AsyncConfig::YieldWithFuel(amt) => { 483 assert!(self.wasmtime.consume_fuel); 484 store.fuel_async_yield_interval(Some(amt)).unwrap(); 485 } 486 AsyncConfig::YieldWithEpochs { ticks, .. } => { 487 assert!(self.wasmtime.epoch_interruption); 488 store.set_epoch_deadline(ticks); 489 store.epoch_deadline_async_yield_and_update(ticks); 490 } 491 } 492 } 493 494 /// Generates an arbitrary method of timing out an instance, ensuring that 495 /// this configuration supports the returned timeout. generate_timeout(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<Timeout>496 pub fn generate_timeout(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<Timeout> { 497 let time_duration = Duration::from_millis(100); 498 let timeout = u 499 .choose(&[Timeout::Fuel(100_000), Timeout::Epoch(time_duration)])? 500 .clone(); 501 match &timeout { 502 Timeout::Fuel(..) => { 503 self.wasmtime.consume_fuel = true; 504 } 505 Timeout::Epoch(..) => { 506 self.wasmtime.epoch_interruption = true; 507 } 508 Timeout::None => unreachable!("Not an option given to choose()"), 509 } 510 Ok(timeout) 511 } 512 513 /// Compiles the `wasm` within the `engine` provided. 514 /// 515 /// This notably will use `Module::{serialize,deserialize_file}` to 516 /// round-trip if configured in the fuzzer. compile(&self, engine: &Engine, wasm: &[u8]) -> Result<Module>517 pub fn compile(&self, engine: &Engine, wasm: &[u8]) -> Result<Module> { 518 // Propagate this error in case the caller wants to handle 519 // valid-vs-invalid wasm. 520 let module = Module::new(engine, wasm)?; 521 if !self.wasmtime.use_precompiled_cwasm { 522 return Ok(module); 523 } 524 525 // Don't propagate these errors to prevent them from accidentally being 526 // interpreted as invalid wasm, these should never fail on a 527 // well-behaved host system. 528 let dir = tempfile::TempDir::new().unwrap(); 529 let file = dir.path().join("module.wasm"); 530 std::fs::write(&file, module.serialize().unwrap()).unwrap(); 531 unsafe { Ok(Module::deserialize_file(engine, &file).unwrap()) } 532 } 533 534 /// Updates this configuration to forcibly enable async support. Only useful 535 /// in fuzzers which do async calls. enable_async(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<()>536 pub fn enable_async(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<()> { 537 if self.wasmtime.consume_fuel || u.arbitrary()? { 538 self.wasmtime.async_config = 539 AsyncConfig::YieldWithFuel(u.int_in_range(1000..=100_000)?); 540 self.wasmtime.consume_fuel = true; 541 } else { 542 self.wasmtime.async_config = AsyncConfig::YieldWithEpochs { 543 dur: Duration::from_millis(u.int_in_range(1..=10)?), 544 ticks: u.int_in_range(1..=10)?, 545 }; 546 self.wasmtime.epoch_interruption = true; 547 } 548 Ok(()) 549 } 550 } 551 552 impl<'a> Arbitrary<'a> for Config { arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self>553 fn arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self> { 554 let mut config = Self { 555 wasmtime: u.arbitrary()?, 556 module_config: u.arbitrary()?, 557 }; 558 559 config 560 .wasmtime 561 .update_module_config(&mut config.module_config, u)?; 562 563 Ok(config) 564 } 565 } 566 567 /// Configuration related to `wasmtime::Config` and the various settings which 568 /// can be tweaked from within. 569 #[derive(Arbitrary, Clone, Debug, Eq, Hash, PartialEq)] 570 pub struct WasmtimeConfig { 571 opt_level: OptLevel, 572 regalloc_algorithm: RegallocAlgorithm, 573 debug_info: bool, 574 canonicalize_nans: bool, 575 interruptible: bool, 576 pub(crate) consume_fuel: bool, 577 pub(crate) epoch_interruption: bool, 578 /// The Wasmtime memory configuration to use. 579 pub memory_config: MemoryConfig, 580 force_jump_veneers: bool, 581 memory_init_cow: bool, 582 memory_guaranteed_dense_image_size: u64, 583 inlining: Option<bool>, 584 inlining_intra_module: Option<IntraModuleInlining>, 585 inlining_small_callee_size: Option<u32>, 586 inlining_sum_size_threshold: Option<u32>, 587 use_precompiled_cwasm: bool, 588 async_stack_zeroing: bool, 589 /// Configuration for the instance allocation strategy to use. 590 pub strategy: InstanceAllocationStrategy, 591 codegen: CodegenSettings, 592 padding_between_functions: Option<u16>, 593 generate_address_map: bool, 594 native_unwind_info: bool, 595 /// Configuration for the compiler to use. 596 pub compiler_strategy: CompilerStrategy, 597 collector: Collector, 598 table_lazy_init: bool, 599 600 /// Configuration for whether wasm is invoked in an async fashion and how 601 /// it's cooperatively time-sliced. 602 pub async_config: AsyncConfig, 603 604 /// Whether or not host signal handlers are enabled for this configuration, 605 /// aka whether signal handlers are supported. 606 signals_based_traps: bool, 607 } 608 609 impl WasmtimeConfig { 610 /// Force `self` to be a configuration compatible with `other`. This is 611 /// useful for differential execution to avoid unhelpful fuzz crashes when 612 /// one engine has a feature enabled and the other does not. make_compatible_with(&mut self, other: &Self)613 pub fn make_compatible_with(&mut self, other: &Self) { 614 // Use the same allocation strategy between the two configs. 615 // 616 // Ideally this wouldn't be necessary, but, during differential 617 // evaluation, if the `lhs` is using ondemand and the `rhs` is using the 618 // pooling allocator (or vice versa), then the module may have been 619 // generated in such a way that is incompatible with the other 620 // allocation strategy. 621 // 622 // We can remove this in the future when it's possible to access the 623 // fields of `wasm_smith::Module` to constrain the pooling allocator 624 // based on what was actually generated. 625 self.strategy = other.strategy.clone(); 626 if let InstanceAllocationStrategy::Pooling { .. } = &other.strategy { 627 // Also use the same memory configuration when using the pooling 628 // allocator. 629 self.memory_config = other.memory_config.clone(); 630 } 631 632 self.make_internally_consistent(); 633 } 634 635 /// Updates `config` to be compatible with `self` and the other way around 636 /// too. update_module_config( &mut self, config: &mut ModuleConfig, _u: &mut Unstructured<'_>, ) -> arbitrary::Result<()>637 pub fn update_module_config( 638 &mut self, 639 config: &mut ModuleConfig, 640 _u: &mut Unstructured<'_>, 641 ) -> arbitrary::Result<()> { 642 match self.compiler_strategy { 643 CompilerStrategy::CraneliftNative => {} 644 645 CompilerStrategy::Winch => { 646 // Winch is not complete on non-x64 targets, so just abandon this test 647 // case. We don't want to force Cranelift because we change what module 648 // config features are enabled based on the compiler strategy, and we 649 // don't want to make the same fuzz input DNA generate different test 650 // cases on different targets. 651 if cfg!(not(any(target_arch = "x86_64", target_arch = "aarch64"))) { 652 log::warn!( 653 "want to compile with Winch but host architecture does not support it" 654 ); 655 return Err(arbitrary::Error::IncorrectFormat); 656 } 657 658 // Winch doesn't support the same set of wasm proposal as Cranelift 659 // at this time, so if winch is selected be sure to disable wasm 660 // proposals in `Config` to ensure that Winch can compile the 661 // module that wasm-smith generates. 662 config.config.relaxed_simd_enabled = false; 663 config.config.gc_enabled = false; 664 config.config.tail_call_enabled = false; 665 config.config.reference_types_enabled = false; 666 config.config.exceptions_enabled = false; 667 config.function_references_enabled = false; 668 669 // Winch's SIMD implementations require AVX and AVX2. 670 if self 671 .codegen_flag("has_avx") 672 .is_some_and(|value| value == "false") 673 || self 674 .codegen_flag("has_avx2") 675 .is_some_and(|value| value == "false") 676 { 677 config.config.simd_enabled = false; 678 } 679 680 // Account for the proposals that are currently only 681 // supported on x64. 682 if cfg!(target_arch = "aarch64") { 683 config.config.simd_enabled = false; 684 config.config.wide_arithmetic_enabled = false; 685 config.config.threads_enabled = false; 686 } 687 688 // Tuning the following engine options is currently not supported 689 // by Winch. 690 self.signals_based_traps = true; 691 self.table_lazy_init = true; 692 self.debug_info = false; 693 } 694 695 CompilerStrategy::CraneliftPulley => { 696 config.config.threads_enabled = false; 697 } 698 } 699 700 // If using the pooling allocator, constrain the memory and module configurations 701 // to the module limits. 702 if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.strategy { 703 // If the pooling allocator is used, do not allow shared memory to 704 // be created. FIXME: see 705 // https://github.com/bytecodealliance/wasmtime/issues/4244. 706 config.config.threads_enabled = false; 707 708 // Ensure the pooling allocator can support the maximal size of 709 // memory, picking the smaller of the two to win. 710 let min_bytes = config 711 .config 712 .max_memory32_bytes 713 // memory64_bytes is a u128, but since we are taking the min 714 // we can truncate it down to a u64. 715 .min( 716 config 717 .config 718 .max_memory64_bytes 719 .try_into() 720 .unwrap_or(u64::MAX), 721 ); 722 let min = min_bytes 723 .min(pooling.max_memory_size as u64) 724 .min(self.memory_config.memory_reservation.unwrap_or(0)); 725 pooling.max_memory_size = min as usize; 726 config.config.max_memory32_bytes = min; 727 config.config.max_memory64_bytes = min as u128; 728 729 // If traps are disallowed then memories must have at least one page 730 // of memory so if we still are only allowing 0 pages of memory then 731 // increase that to one here. 732 if config.config.disallow_traps { 733 if pooling.max_memory_size < (1 << 16) { 734 pooling.max_memory_size = 1 << 16; 735 config.config.max_memory32_bytes = 1 << 16; 736 config.config.max_memory64_bytes = 1 << 16; 737 let cfg = &mut self.memory_config; 738 match &mut cfg.memory_reservation { 739 Some(size) => *size = (*size).max(pooling.max_memory_size as u64), 740 size @ None => *size = Some(pooling.max_memory_size as u64), 741 } 742 } 743 // .. additionally update tables 744 if pooling.table_elements == 0 { 745 pooling.table_elements = 1; 746 } 747 } 748 749 // Don't allow too many linear memories per instance since massive 750 // virtual mappings can fail to get allocated. 751 config.config.min_memories = config.config.min_memories.min(10); 752 config.config.max_memories = config.config.max_memories.min(10); 753 754 // Force this pooling allocator to always be able to accommodate the 755 // module that may be generated. 756 pooling.total_memories = config.config.max_memories as u32; 757 pooling.total_tables = config.config.max_tables as u32; 758 } 759 760 if !self.signals_based_traps { 761 // At this time shared memories require a "static" memory 762 // configuration but when signals-based traps are disabled all 763 // memories are forced to the "dynamic" configuration. This is 764 // fixable with some more work on the bounds-checks side of things 765 // to do a full bounds check even on static memories, but that's 766 // left for a future PR. 767 config.config.threads_enabled = false; 768 769 // Spectre-based heap mitigations require signal handlers so this 770 // must always be disabled if signals-based traps are disabled. 771 self.memory_config 772 .cranelift_enable_heap_access_spectre_mitigations = None; 773 } 774 775 self.make_internally_consistent(); 776 777 Ok(()) 778 } 779 780 /// Returns the codegen flag value, if any, for `name`. codegen_flag(&self, name: &str) -> Option<&str>781 pub(crate) fn codegen_flag(&self, name: &str) -> Option<&str> { 782 self.codegen.flags().iter().find_map(|(n, value)| { 783 if n == name { 784 Some(value.as_str()) 785 } else { 786 None 787 } 788 }) 789 } 790 791 /// Helper method to handle some dependencies between various configuration 792 /// options. This is intended to be called whenever a `Config` is created or 793 /// modified to ensure that the final result is an instantiable `Config`. 794 /// 795 /// Note that in general this probably shouldn't exist and anything here can 796 /// be considered a "TODO" to go implement more stuff in Wasmtime to accept 797 /// these sorts of configurations. For now though it's intended to reflect 798 /// the current state of the engine's development. make_internally_consistent(&mut self)799 fn make_internally_consistent(&mut self) { 800 if !self.signals_based_traps { 801 let cfg = &mut self.memory_config; 802 // Spectre-based heap mitigations require signal handlers so 803 // this must always be disabled if signals-based traps are 804 // disabled. 805 cfg.cranelift_enable_heap_access_spectre_mitigations = None; 806 807 // With configuration settings that match the use of malloc for 808 // linear memories cap the `memory_reservation_for_growth` value 809 // to something reasonable to avoid OOM in fuzzing. 810 if !cfg.memory_init_cow 811 && cfg.memory_guard_size == Some(0) 812 && cfg.memory_reservation == Some(0) 813 { 814 let min = 10 << 20; // 10 MiB 815 if let Some(val) = &mut cfg.memory_reservation_for_growth { 816 *val = (*val).min(min); 817 } else { 818 cfg.memory_reservation_for_growth = Some(min); 819 } 820 } 821 } 822 } 823 } 824 825 #[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)] 826 enum OptLevel { 827 None, 828 Speed, 829 SpeedAndSize, 830 } 831 832 impl OptLevel { to_wasmtime(&self) -> wasmtime::OptLevel833 fn to_wasmtime(&self) -> wasmtime::OptLevel { 834 match self { 835 OptLevel::None => wasmtime::OptLevel::None, 836 OptLevel::Speed => wasmtime::OptLevel::Speed, 837 OptLevel::SpeedAndSize => wasmtime::OptLevel::SpeedAndSize, 838 } 839 } 840 } 841 842 #[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)] 843 enum RegallocAlgorithm { 844 Backtracking, 845 SinglePass, 846 } 847 848 impl RegallocAlgorithm { to_wasmtime(&self) -> wasmtime::RegallocAlgorithm849 fn to_wasmtime(&self) -> wasmtime::RegallocAlgorithm { 850 match self { 851 RegallocAlgorithm::Backtracking => wasmtime::RegallocAlgorithm::Backtracking, 852 RegallocAlgorithm::SinglePass => { 853 // FIXME(#11850) 854 const SINGLE_PASS_KNOWN_BUGGY_AT_THIS_TIME: bool = true; 855 if SINGLE_PASS_KNOWN_BUGGY_AT_THIS_TIME { 856 wasmtime::RegallocAlgorithm::Backtracking 857 } else { 858 wasmtime::RegallocAlgorithm::SinglePass 859 } 860 } 861 } 862 } 863 } 864 865 #[derive(Arbitrary, Clone, Copy, Debug, PartialEq, Eq, Hash)] 866 enum IntraModuleInlining { 867 Yes, 868 No, 869 WhenUsingGc, 870 } 871 872 impl std::fmt::Display for IntraModuleInlining { fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result873 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { 874 match self { 875 IntraModuleInlining::Yes => write!(f, "yes"), 876 IntraModuleInlining::No => write!(f, "no"), 877 IntraModuleInlining::WhenUsingGc => write!(f, "gc"), 878 } 879 } 880 } 881 882 #[derive(Clone, Debug, PartialEq, Eq, Hash)] 883 /// Compiler to use. 884 pub enum CompilerStrategy { 885 /// Cranelift compiler for the native architecture. 886 CraneliftNative, 887 /// Winch compiler. 888 Winch, 889 /// Cranelift compiler for the native architecture. 890 CraneliftPulley, 891 } 892 893 impl CompilerStrategy { 894 /// Configures `config` to use this compilation strategy configure(&self, config: &mut wasmtime_cli_flags::CommonOptions)895 pub fn configure(&self, config: &mut wasmtime_cli_flags::CommonOptions) { 896 match self { 897 CompilerStrategy::CraneliftNative => { 898 config.codegen.compiler = Some(wasmtime::Strategy::Cranelift); 899 } 900 CompilerStrategy::Winch => { 901 config.codegen.compiler = Some(wasmtime::Strategy::Winch); 902 } 903 CompilerStrategy::CraneliftPulley => { 904 config.codegen.compiler = Some(wasmtime::Strategy::Cranelift); 905 config.target = Some("pulley64".to_string()); 906 } 907 } 908 } 909 } 910 911 impl Arbitrary<'_> for CompilerStrategy { arbitrary(u: &mut Unstructured<'_>) -> arbitrary::Result<Self>912 fn arbitrary(u: &mut Unstructured<'_>) -> arbitrary::Result<Self> { 913 // Favor fuzzing native cranelift, but if allowed also enable 914 // winch/pulley. 915 match u.int_in_range(0..=19)? { 916 1 => Ok(Self::CraneliftPulley), 917 2 => Ok(Self::Winch), 918 _ => Ok(Self::CraneliftNative), 919 } 920 } 921 } 922 923 #[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)] 924 pub enum Collector { 925 DeferredReferenceCounting, 926 Null, 927 } 928 929 impl Collector { to_wasmtime(&self) -> wasmtime::Collector930 fn to_wasmtime(&self) -> wasmtime::Collector { 931 match self { 932 Collector::DeferredReferenceCounting => wasmtime::Collector::DeferredReferenceCounting, 933 Collector::Null => wasmtime::Collector::Null, 934 } 935 } 936 } 937