1 //! Generate a configuration for both Wasmtime and the Wasm module to execute. 2 3 use super::{AsyncConfig, CodegenSettings, InstanceAllocationStrategy, MemoryConfig, ModuleConfig}; 4 use crate::oracles::{StoreLimits, Timeout}; 5 use anyhow::Result; 6 use arbitrary::{Arbitrary, Unstructured}; 7 use std::time::Duration; 8 use wasmtime::{Enabled, Engine, Module, Store}; 9 use wasmtime_test_util::wast::{WastConfig, WastTest, limits}; 10 11 /// Configuration for `wasmtime::Config` and generated modules for a session of 12 /// fuzzing. 13 /// 14 /// This configuration guides what modules are generated, how wasmtime 15 /// configuration is generated, and is typically itself generated through a call 16 /// to `Arbitrary` which allows for a form of "swarm testing". 17 #[derive(Debug, Clone)] 18 pub struct Config { 19 /// Configuration related to the `wasmtime::Config`. 20 pub wasmtime: WasmtimeConfig, 21 /// Configuration related to generated modules. 22 pub module_config: ModuleConfig, 23 } 24 25 impl Config { 26 /// Indicates that this configuration is being used for differential 27 /// execution. 28 /// 29 /// The purpose of this function is to update the configuration which was 30 /// generated to be compatible with execution in multiple engines. The goal 31 /// is to produce the exact same result in all engines so we need to paper 32 /// over things like nan differences and memory/table behavior differences. 33 pub fn set_differential_config(&mut self) { 34 let config = &mut self.module_config.config; 35 36 // Make it more likely that there are types available to generate a 37 // function with. 38 config.min_types = config.min_types.max(1); 39 config.max_types = config.max_types.max(1); 40 41 // Generate at least one function 42 config.min_funcs = config.min_funcs.max(1); 43 config.max_funcs = config.max_funcs.max(1); 44 45 // Allow a memory to be generated, but don't let it get too large. 46 // Additionally require the maximum size to guarantee that the growth 47 // behavior is consistent across engines. 48 config.max_memory32_bytes = 10 << 16; 49 config.max_memory64_bytes = 10 << 16; 50 config.memory_max_size_required = true; 51 52 // If tables are generated make sure they don't get too large to avoid 53 // hitting any engine-specific limit. Additionally ensure that the 54 // maximum size is required to guarantee consistent growth across 55 // engines. 56 // 57 // Note that while reference types are disabled below, only allow one 58 // table. 59 config.max_table_elements = 1_000; 60 config.table_max_size_required = true; 61 62 // Don't allow any imports 63 config.max_imports = 0; 64 65 // Try to get the function and the memory exported 66 config.export_everything = true; 67 68 // NaN is canonicalized at the wasm level for differential fuzzing so we 69 // can paper over NaN differences between engines. 70 config.canonicalize_nans = true; 71 72 // If using the pooling allocator, update the instance limits too 73 if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.wasmtime.strategy { 74 // One single-page memory 75 pooling.total_memories = config.max_memories as u32; 76 pooling.max_memory_size = 10 << 16; 77 pooling.max_memories_per_module = config.max_memories as u32; 78 if pooling.memory_protection_keys == Enabled::Auto 79 && pooling.max_memory_protection_keys > 1 80 { 81 pooling.total_memories = 82 pooling.total_memories * (pooling.max_memory_protection_keys as u32); 83 } 84 85 pooling.total_tables = config.max_tables as u32; 86 pooling.table_elements = 1_000; 87 pooling.max_tables_per_module = config.max_tables as u32; 88 89 pooling.core_instance_size = 1_000_000; 90 91 let cfg = &mut self.wasmtime.memory_config; 92 match &mut cfg.memory_reservation { 93 Some(size) => *size = (*size).max(pooling.max_memory_size as u64), 94 other @ None => *other = Some(pooling.max_memory_size as u64), 95 } 96 } 97 98 // These instructions are explicitly not expected to be exactly the same 99 // across engines. Don't fuzz them. 100 config.relaxed_simd_enabled = false; 101 } 102 103 /// Uses this configuration and the supplied source of data to generate 104 /// a wasm module. 105 /// 106 /// If a `default_fuel` is provided, the resulting module will be configured 107 /// to ensure termination; as doing so will add an additional global to the module, 108 /// the pooling allocator, if configured, will also have its globals limit updated. 109 pub fn generate( 110 &self, 111 input: &mut Unstructured<'_>, 112 default_fuel: Option<u32>, 113 ) -> arbitrary::Result<wasm_smith::Module> { 114 self.module_config.generate(input, default_fuel) 115 } 116 117 /// Updates this configuration to be able to run the `test` specified. 118 /// 119 /// This primarily updates `self.module_config` to ensure that it enables 120 /// all features and proposals necessary to execute the `test` specified. 121 /// This will additionally update limits in the pooling allocator to be able 122 /// to execute all tests. 123 pub fn make_wast_test_compliant(&mut self, test: &WastTest) -> WastConfig { 124 let wasmtime_test_util::wast::TestConfig { 125 memory64, 126 custom_page_sizes, 127 multi_memory, 128 threads, 129 shared_everything_threads, 130 gc, 131 function_references, 132 relaxed_simd, 133 reference_types, 134 tail_call, 135 extended_const, 136 wide_arithmetic, 137 component_model_async, 138 component_model_async_builtins, 139 component_model_async_stackful, 140 component_model_error_context, 141 component_model_gc, 142 simd, 143 exceptions, 144 legacy_exceptions, 145 146 hogs_memory: _, 147 nan_canonicalization: _, 148 gc_types: _, 149 stack_switching: _, 150 spec_test: _, 151 } = test.config; 152 153 // Enable/disable some proposals that aren't configurable in wasm-smith 154 // but are configurable in Wasmtime. 155 self.module_config.function_references_enabled = 156 function_references.or(gc).unwrap_or(false); 157 self.module_config.component_model_async = component_model_async.unwrap_or(false); 158 self.module_config.component_model_async_builtins = 159 component_model_async_builtins.unwrap_or(false); 160 self.module_config.component_model_async_stackful = 161 component_model_async_stackful.unwrap_or(false); 162 self.module_config.component_model_error_context = 163 component_model_error_context.unwrap_or(false); 164 self.module_config.legacy_exceptions = legacy_exceptions.unwrap_or(false); 165 self.module_config.component_model_gc = component_model_gc.unwrap_or(false); 166 167 // Enable/disable proposals that wasm-smith has knobs for which will be 168 // read when creating `wasmtime::Config`. 169 let config = &mut self.module_config.config; 170 config.bulk_memory_enabled = true; 171 config.multi_value_enabled = true; 172 config.wide_arithmetic_enabled = wide_arithmetic.unwrap_or(false); 173 config.memory64_enabled = memory64.unwrap_or(false); 174 config.relaxed_simd_enabled = relaxed_simd.unwrap_or(false); 175 config.simd_enabled = config.relaxed_simd_enabled || simd.unwrap_or(false); 176 config.tail_call_enabled = tail_call.unwrap_or(false); 177 config.custom_page_sizes_enabled = custom_page_sizes.unwrap_or(false); 178 config.threads_enabled = threads.unwrap_or(false); 179 config.shared_everything_threads_enabled = shared_everything_threads.unwrap_or(false); 180 config.gc_enabled = gc.unwrap_or(false); 181 config.reference_types_enabled = config.gc_enabled 182 || self.module_config.function_references_enabled 183 || reference_types.unwrap_or(false); 184 config.extended_const_enabled = extended_const.unwrap_or(false); 185 config.exceptions_enabled = exceptions.unwrap_or(false); 186 if multi_memory.unwrap_or(false) { 187 config.max_memories = limits::MEMORIES_PER_MODULE as usize; 188 } else { 189 config.max_memories = 1; 190 } 191 192 if let Some(n) = &mut self.wasmtime.memory_config.memory_reservation { 193 *n = (*n).max(limits::MEMORY_SIZE as u64); 194 } 195 196 // FIXME: it might be more ideal to avoid the need for this entirely 197 // and to just let the test fail. If a test fails due to a pooling 198 // allocator resource limit being met we could ideally detect that and 199 // let the fuzz test case pass. That would avoid the need to hardcode 200 // so much here and in theory wouldn't reduce the usefulness of fuzzers 201 // all that much. At this time though we can't easily test this configuration. 202 if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.wasmtime.strategy { 203 // Clamp protection keys between 1 & 2 to reduce the number of 204 // slots and then multiply the total memories by the number of keys 205 // we have since a single store has access to only one key. 206 pooling.max_memory_protection_keys = pooling.max_memory_protection_keys.max(1).min(2); 207 pooling.total_memories = pooling 208 .total_memories 209 .max(limits::MEMORIES * (pooling.max_memory_protection_keys as u32)); 210 211 // For other limits make sure they meet the minimum threshold 212 // required for our wast tests. 213 pooling.total_component_instances = pooling 214 .total_component_instances 215 .max(limits::COMPONENT_INSTANCES); 216 pooling.total_tables = pooling.total_tables.max(limits::TABLES); 217 pooling.max_tables_per_module = 218 pooling.max_tables_per_module.max(limits::TABLES_PER_MODULE); 219 pooling.max_memories_per_module = pooling 220 .max_memories_per_module 221 .max(limits::MEMORIES_PER_MODULE); 222 pooling.max_memories_per_component = pooling 223 .max_memories_per_component 224 .max(limits::MEMORIES_PER_MODULE); 225 pooling.total_core_instances = pooling.total_core_instances.max(limits::CORE_INSTANCES); 226 pooling.max_memory_size = pooling.max_memory_size.max(limits::MEMORY_SIZE); 227 pooling.table_elements = pooling.table_elements.max(limits::TABLE_ELEMENTS); 228 pooling.core_instance_size = pooling.core_instance_size.max(limits::CORE_INSTANCE_SIZE); 229 pooling.component_instance_size = pooling 230 .component_instance_size 231 .max(limits::CORE_INSTANCE_SIZE); 232 pooling.total_stacks = pooling.total_stacks.max(limits::TOTAL_STACKS); 233 } 234 235 // Return the test configuration that this fuzz configuration represents 236 // which is used afterwards to test if the `test` here is expected to 237 // fail or not. 238 WastConfig { 239 collector: match self.wasmtime.collector { 240 Collector::Null => wasmtime_test_util::wast::Collector::Null, 241 Collector::DeferredReferenceCounting => { 242 wasmtime_test_util::wast::Collector::DeferredReferenceCounting 243 } 244 }, 245 pooling: matches!( 246 self.wasmtime.strategy, 247 InstanceAllocationStrategy::Pooling(_) 248 ), 249 compiler: match self.wasmtime.compiler_strategy { 250 CompilerStrategy::CraneliftNative => { 251 wasmtime_test_util::wast::Compiler::CraneliftNative 252 } 253 CompilerStrategy::CraneliftPulley => { 254 wasmtime_test_util::wast::Compiler::CraneliftPulley 255 } 256 CompilerStrategy::Winch => wasmtime_test_util::wast::Compiler::Winch, 257 }, 258 } 259 } 260 261 /// Converts this to a `wasmtime::Config` object 262 pub fn to_wasmtime(&self) -> wasmtime::Config { 263 crate::init_fuzzing(); 264 265 let mut cfg = wasmtime_cli_flags::CommonOptions::default(); 266 cfg.codegen.native_unwind_info = 267 Some(cfg!(target_os = "windows") || self.wasmtime.native_unwind_info); 268 cfg.codegen.parallel_compilation = Some(false); 269 270 cfg.debug.address_map = Some(self.wasmtime.generate_address_map); 271 cfg.opts.opt_level = Some(self.wasmtime.opt_level.to_wasmtime()); 272 cfg.opts.regalloc_algorithm = Some(self.wasmtime.regalloc_algorithm.to_wasmtime()); 273 cfg.opts.signals_based_traps = Some(self.wasmtime.signals_based_traps); 274 cfg.opts.memory_guaranteed_dense_image_size = Some(std::cmp::min( 275 // Clamp this at 16MiB so we don't get huge in-memory 276 // images during fuzzing. 277 16 << 20, 278 self.wasmtime.memory_guaranteed_dense_image_size, 279 )); 280 cfg.wasm.async_stack_zeroing = Some(self.wasmtime.async_stack_zeroing); 281 cfg.wasm.bulk_memory = Some(true); 282 cfg.wasm.component_model_async = Some(self.module_config.component_model_async); 283 cfg.wasm.component_model_async_builtins = 284 Some(self.module_config.component_model_async_builtins); 285 cfg.wasm.component_model_async_stackful = 286 Some(self.module_config.component_model_async_stackful); 287 cfg.wasm.component_model_error_context = 288 Some(self.module_config.component_model_error_context); 289 cfg.wasm.component_model_gc = Some(self.module_config.component_model_gc); 290 cfg.wasm.custom_page_sizes = Some(self.module_config.config.custom_page_sizes_enabled); 291 cfg.wasm.epoch_interruption = Some(self.wasmtime.epoch_interruption); 292 cfg.wasm.extended_const = Some(self.module_config.config.extended_const_enabled); 293 cfg.wasm.fuel = self.wasmtime.consume_fuel.then(|| u64::MAX); 294 cfg.wasm.function_references = Some(self.module_config.function_references_enabled); 295 cfg.wasm.gc = Some(self.module_config.config.gc_enabled); 296 cfg.wasm.memory64 = Some(self.module_config.config.memory64_enabled); 297 cfg.wasm.multi_memory = Some(self.module_config.config.max_memories > 1); 298 cfg.wasm.multi_value = Some(self.module_config.config.multi_value_enabled); 299 cfg.wasm.nan_canonicalization = Some(self.wasmtime.canonicalize_nans); 300 cfg.wasm.reference_types = Some(self.module_config.config.reference_types_enabled); 301 cfg.wasm.simd = Some(self.module_config.config.simd_enabled); 302 cfg.wasm.tail_call = Some(self.module_config.config.tail_call_enabled); 303 cfg.wasm.threads = Some(self.module_config.config.threads_enabled); 304 cfg.wasm.shared_everything_threads = 305 Some(self.module_config.config.shared_everything_threads_enabled); 306 cfg.wasm.wide_arithmetic = Some(self.module_config.config.wide_arithmetic_enabled); 307 cfg.wasm.exceptions = Some(self.module_config.config.exceptions_enabled); 308 cfg.wasm.legacy_exceptions = Some(self.module_config.legacy_exceptions); 309 if !self.module_config.config.simd_enabled { 310 cfg.wasm.relaxed_simd = Some(false); 311 } 312 cfg.codegen.collector = Some(self.wasmtime.collector.to_wasmtime()); 313 314 let compiler_strategy = &self.wasmtime.compiler_strategy; 315 let cranelift_strategy = match compiler_strategy { 316 CompilerStrategy::CraneliftNative | CompilerStrategy::CraneliftPulley => true, 317 CompilerStrategy::Winch => false, 318 }; 319 self.wasmtime.compiler_strategy.configure(&mut cfg); 320 321 self.wasmtime.codegen.configure(&mut cfg); 322 323 // Determine whether we will actually enable PCC -- this is 324 // disabled if the module requires memory64, which is not yet 325 // compatible (due to the need for dynamic checks). 326 let pcc = cfg!(feature = "fuzz-pcc") 327 && self.wasmtime.pcc 328 && !self.module_config.config.memory64_enabled; 329 330 cfg.codegen.inlining = self.wasmtime.inlining; 331 332 // Only set cranelift specific flags when the Cranelift strategy is 333 // chosen. 334 if cranelift_strategy { 335 if let Some(option) = self.wasmtime.inlining_intra_module { 336 cfg.codegen.cranelift.push(( 337 "wasmtime_inlining_intra_module".to_string(), 338 Some(option.to_string()), 339 )); 340 } 341 if let Some(size) = self.wasmtime.inlining_small_callee_size { 342 cfg.codegen.cranelift.push(( 343 "wasmtime_inlining_small_callee_size".to_string(), 344 // Clamp to avoid extreme code size blow up. 345 Some(std::cmp::min(1000, size).to_string()), 346 )); 347 } 348 if let Some(size) = self.wasmtime.inlining_sum_size_threshold { 349 cfg.codegen.cranelift.push(( 350 "wasmtime_inlining_sum_size_threshold".to_string(), 351 // Clamp to avoid extreme code size blow up. 352 Some(std::cmp::min(1000, size).to_string()), 353 )); 354 } 355 356 // If the wasm-smith-generated module use nan canonicalization then we 357 // don't need to enable it, but if it doesn't enable it already then we 358 // enable this codegen option. 359 cfg.wasm.nan_canonicalization = Some(!self.module_config.config.canonicalize_nans); 360 361 // Enabling the verifier will at-least-double compilation time, which 362 // with a 20-30x slowdown in fuzzing can cause issues related to 363 // timeouts. If generated modules can have more than a small handful of 364 // functions then disable the verifier when fuzzing to try to lessen the 365 // impact of timeouts. 366 if self.module_config.config.max_funcs > 10 { 367 cfg.codegen.cranelift_debug_verifier = Some(false); 368 } 369 370 if self.wasmtime.force_jump_veneers { 371 cfg.codegen.cranelift.push(( 372 "wasmtime_linkopt_force_jump_veneer".to_string(), 373 Some("true".to_string()), 374 )); 375 } 376 377 if let Some(pad) = self.wasmtime.padding_between_functions { 378 cfg.codegen.cranelift.push(( 379 "wasmtime_linkopt_padding_between_functions".to_string(), 380 Some(pad.to_string()), 381 )); 382 } 383 384 cfg.codegen.pcc = Some(pcc); 385 386 // Eager init is currently only supported on Cranelift, not Winch. 387 cfg.opts.table_lazy_init = Some(self.wasmtime.table_lazy_init); 388 } 389 390 self.wasmtime.strategy.configure(&mut cfg); 391 392 // Vary the memory configuration, but only if threads are not enabled. 393 // When the threads proposal is enabled we might generate shared memory, 394 // which is less amenable to different memory configurations: 395 // - shared memories are required to be "static" so fuzzing the various 396 // memory configurations will mostly result in uninteresting errors. 397 // The interesting part about shared memories is the runtime so we 398 // don't fuzz non-default settings. 399 // - shared memories are required to be aligned which means that the 400 // `CustomUnaligned` variant isn't actually safe to use with a shared 401 // memory. 402 if !self.module_config.config.threads_enabled { 403 // If PCC is enabled, force other options to be compatible: PCC is currently only 404 // supported when bounds checks are elided. 405 let memory_config = if pcc { 406 MemoryConfig { 407 memory_reservation: Some(4 << 30), // 4 GiB 408 memory_guard_size: Some(2 << 30), // 2 GiB 409 memory_reservation_for_growth: Some(0), 410 guard_before_linear_memory: false, 411 memory_init_cow: true, 412 // Doesn't matter, only using virtual memory. 413 cranelift_enable_heap_access_spectre_mitigations: None, 414 } 415 } else { 416 self.wasmtime.memory_config.clone() 417 }; 418 419 memory_config.configure(&mut cfg); 420 }; 421 422 // If malloc-based memory is going to be used, which requires these four 423 // options set to specific values (and Pulley auto-sets two of them) 424 // then be sure to cap `memory_reservation_for_growth` at a smaller 425 // value than the default. For malloc-based memory reservation beyond 426 // the end of memory isn't captured by `StoreLimiter` so we need to be 427 // sure it's small enough to not blow OOM limits while fuzzing. 428 if ((cfg.opts.signals_based_traps == Some(true) && cfg.opts.memory_guard_size == Some(0)) 429 || self.wasmtime.compiler_strategy == CompilerStrategy::CraneliftPulley) 430 && cfg.opts.memory_reservation == Some(0) 431 && cfg.opts.memory_init_cow == Some(false) 432 { 433 let growth = &mut cfg.opts.memory_reservation_for_growth; 434 let max = 1 << 20; 435 *growth = match *growth { 436 Some(n) => Some(n.min(max)), 437 None => Some(max), 438 }; 439 } 440 441 log::debug!("creating wasmtime config with CLI options:\n{cfg}"); 442 let mut cfg = cfg.config(None).expect("failed to create wasmtime::Config"); 443 444 if self.wasmtime.async_config != AsyncConfig::Disabled { 445 log::debug!("async config in use {:?}", self.wasmtime.async_config); 446 self.wasmtime.async_config.configure(&mut cfg); 447 } 448 449 return cfg; 450 } 451 452 /// Convenience function for generating a `Store<T>` using this 453 /// configuration. 454 pub fn to_store(&self) -> Store<StoreLimits> { 455 let engine = Engine::new(&self.to_wasmtime()).unwrap(); 456 let mut store = Store::new(&engine, StoreLimits::new()); 457 self.configure_store(&mut store); 458 store 459 } 460 461 /// Configures a store based on this configuration. 462 pub fn configure_store(&self, store: &mut Store<StoreLimits>) { 463 store.limiter(|s| s as &mut dyn wasmtime::ResourceLimiter); 464 465 // Configure the store to never abort by default, that is it'll have 466 // max fuel or otherwise trap on an epoch change but the epoch won't 467 // ever change. 468 // 469 // Afterwards though see what `AsyncConfig` is being used an further 470 // refine the store's configuration based on that. 471 if self.wasmtime.consume_fuel { 472 store.set_fuel(u64::MAX).unwrap(); 473 } 474 if self.wasmtime.epoch_interruption { 475 store.epoch_deadline_trap(); 476 store.set_epoch_deadline(1); 477 } 478 match self.wasmtime.async_config { 479 AsyncConfig::Disabled => {} 480 AsyncConfig::YieldWithFuel(amt) => { 481 assert!(self.wasmtime.consume_fuel); 482 store.fuel_async_yield_interval(Some(amt)).unwrap(); 483 } 484 AsyncConfig::YieldWithEpochs { ticks, .. } => { 485 assert!(self.wasmtime.epoch_interruption); 486 store.set_epoch_deadline(ticks); 487 store.epoch_deadline_async_yield_and_update(ticks); 488 } 489 } 490 } 491 492 /// Generates an arbitrary method of timing out an instance, ensuring that 493 /// this configuration supports the returned timeout. 494 pub fn generate_timeout(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<Timeout> { 495 let time_duration = Duration::from_millis(100); 496 let timeout = u 497 .choose(&[Timeout::Fuel(100_000), Timeout::Epoch(time_duration)])? 498 .clone(); 499 match &timeout { 500 Timeout::Fuel(..) => { 501 self.wasmtime.consume_fuel = true; 502 } 503 Timeout::Epoch(..) => { 504 self.wasmtime.epoch_interruption = true; 505 } 506 Timeout::None => unreachable!("Not an option given to choose()"), 507 } 508 Ok(timeout) 509 } 510 511 /// Compiles the `wasm` within the `engine` provided. 512 /// 513 /// This notably will use `Module::{serialize,deserialize_file}` to 514 /// round-trip if configured in the fuzzer. 515 pub fn compile(&self, engine: &Engine, wasm: &[u8]) -> Result<Module> { 516 // Propagate this error in case the caller wants to handle 517 // valid-vs-invalid wasm. 518 let module = Module::new(engine, wasm)?; 519 if !self.wasmtime.use_precompiled_cwasm { 520 return Ok(module); 521 } 522 523 // Don't propagate these errors to prevent them from accidentally being 524 // interpreted as invalid wasm, these should never fail on a 525 // well-behaved host system. 526 let dir = tempfile::TempDir::new().unwrap(); 527 let file = dir.path().join("module.wasm"); 528 std::fs::write(&file, module.serialize().unwrap()).unwrap(); 529 unsafe { Ok(Module::deserialize_file(engine, &file).unwrap()) } 530 } 531 532 /// Updates this configuration to forcibly enable async support. Only useful 533 /// in fuzzers which do async calls. 534 pub fn enable_async(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<()> { 535 if self.wasmtime.consume_fuel || u.arbitrary()? { 536 self.wasmtime.async_config = 537 AsyncConfig::YieldWithFuel(u.int_in_range(1000..=100_000)?); 538 self.wasmtime.consume_fuel = true; 539 } else { 540 self.wasmtime.async_config = AsyncConfig::YieldWithEpochs { 541 dur: Duration::from_millis(u.int_in_range(1..=10)?), 542 ticks: u.int_in_range(1..=10)?, 543 }; 544 self.wasmtime.epoch_interruption = true; 545 } 546 Ok(()) 547 } 548 } 549 550 impl<'a> Arbitrary<'a> for Config { 551 fn arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self> { 552 let mut config = Self { 553 wasmtime: u.arbitrary()?, 554 module_config: u.arbitrary()?, 555 }; 556 557 config 558 .wasmtime 559 .update_module_config(&mut config.module_config, u)?; 560 561 Ok(config) 562 } 563 } 564 565 /// Configuration related to `wasmtime::Config` and the various settings which 566 /// can be tweaked from within. 567 #[derive(Arbitrary, Clone, Debug, Eq, Hash, PartialEq)] 568 pub struct WasmtimeConfig { 569 opt_level: OptLevel, 570 regalloc_algorithm: RegallocAlgorithm, 571 debug_info: bool, 572 canonicalize_nans: bool, 573 interruptable: bool, 574 pub(crate) consume_fuel: bool, 575 pub(crate) epoch_interruption: bool, 576 /// The Wasmtime memory configuration to use. 577 pub memory_config: MemoryConfig, 578 force_jump_veneers: bool, 579 memory_init_cow: bool, 580 memory_guaranteed_dense_image_size: u64, 581 inlining: Option<bool>, 582 inlining_intra_module: Option<IntraModuleInlining>, 583 inlining_small_callee_size: Option<u32>, 584 inlining_sum_size_threshold: Option<u32>, 585 use_precompiled_cwasm: bool, 586 async_stack_zeroing: bool, 587 /// Configuration for the instance allocation strategy to use. 588 pub strategy: InstanceAllocationStrategy, 589 codegen: CodegenSettings, 590 padding_between_functions: Option<u16>, 591 generate_address_map: bool, 592 native_unwind_info: bool, 593 /// Configuration for the compiler to use. 594 pub compiler_strategy: CompilerStrategy, 595 collector: Collector, 596 table_lazy_init: bool, 597 598 /// Whether or not fuzzing should enable PCC. 599 pcc: bool, 600 601 /// Configuration for whether wasm is invoked in an async fashion and how 602 /// it's cooperatively time-sliced. 603 pub async_config: AsyncConfig, 604 605 /// Whether or not host signal handlers are enabled for this configuration, 606 /// aka whether signal handlers are supported. 607 signals_based_traps: bool, 608 } 609 610 impl WasmtimeConfig { 611 /// Force `self` to be a configuration compatible with `other`. This is 612 /// useful for differential execution to avoid unhelpful fuzz crashes when 613 /// one engine has a feature enabled and the other does not. 614 pub fn make_compatible_with(&mut self, other: &Self) { 615 // Use the same allocation strategy between the two configs. 616 // 617 // Ideally this wouldn't be necessary, but, during differential 618 // evaluation, if the `lhs` is using ondemand and the `rhs` is using the 619 // pooling allocator (or vice versa), then the module may have been 620 // generated in such a way that is incompatible with the other 621 // allocation strategy. 622 // 623 // We can remove this in the future when it's possible to access the 624 // fields of `wasm_smith::Module` to constrain the pooling allocator 625 // based on what was actually generated. 626 self.strategy = other.strategy.clone(); 627 if let InstanceAllocationStrategy::Pooling { .. } = &other.strategy { 628 // Also use the same memory configuration when using the pooling 629 // allocator. 630 self.memory_config = other.memory_config.clone(); 631 } 632 633 self.make_internally_consistent(); 634 } 635 636 /// Updates `config` to be compatible with `self` and the other way around 637 /// too. 638 pub fn update_module_config( 639 &mut self, 640 config: &mut ModuleConfig, 641 _u: &mut Unstructured<'_>, 642 ) -> arbitrary::Result<()> { 643 match self.compiler_strategy { 644 CompilerStrategy::CraneliftNative => {} 645 646 CompilerStrategy::Winch => { 647 // Winch is not complete on non-x64 targets, so just abandon this test 648 // case. We don't want to force Cranelift because we change what module 649 // config features are enabled based on the compiler strategy, and we 650 // don't want to make the same fuzz input DNA generate different test 651 // cases on different targets. 652 if cfg!(not(target_arch = "x86_64")) { 653 log::warn!( 654 "want to compile with Winch but host architecture does not support it" 655 ); 656 return Err(arbitrary::Error::IncorrectFormat); 657 } 658 659 // Winch doesn't support the same set of wasm proposal as Cranelift 660 // at this time, so if winch is selected be sure to disable wasm 661 // proposals in `Config` to ensure that Winch can compile the 662 // module that wasm-smith generates. 663 config.config.relaxed_simd_enabled = false; 664 config.config.gc_enabled = false; 665 config.config.tail_call_enabled = false; 666 config.config.reference_types_enabled = false; 667 config.function_references_enabled = false; 668 669 // Winch's SIMD implementations require AVX and AVX2. 670 if self 671 .codegen_flag("has_avx") 672 .is_some_and(|value| value == "false") 673 || self 674 .codegen_flag("has_avx2") 675 .is_some_and(|value| value == "false") 676 { 677 config.config.simd_enabled = false; 678 } 679 680 // Tuning the following engine options is currently not supported 681 // by Winch. 682 self.signals_based_traps = true; 683 self.table_lazy_init = true; 684 self.debug_info = false; 685 } 686 687 CompilerStrategy::CraneliftPulley => { 688 config.config.threads_enabled = false; 689 } 690 } 691 692 // If using the pooling allocator, constrain the memory and module configurations 693 // to the module limits. 694 if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.strategy { 695 // If the pooling allocator is used, do not allow shared memory to 696 // be created. FIXME: see 697 // https://github.com/bytecodealliance/wasmtime/issues/4244. 698 config.config.threads_enabled = false; 699 700 // Ensure the pooling allocator can support the maximal size of 701 // memory, picking the smaller of the two to win. 702 let min_bytes = config 703 .config 704 .max_memory32_bytes 705 // memory64_bytes is a u128, but since we are taking the min 706 // we can truncate it down to a u64. 707 .min( 708 config 709 .config 710 .max_memory64_bytes 711 .try_into() 712 .unwrap_or(u64::MAX), 713 ); 714 let min = min_bytes 715 .min(pooling.max_memory_size as u64) 716 .min(self.memory_config.memory_reservation.unwrap_or(0)); 717 pooling.max_memory_size = min as usize; 718 config.config.max_memory32_bytes = min; 719 config.config.max_memory64_bytes = min as u128; 720 721 // If traps are disallowed then memories must have at least one page 722 // of memory so if we still are only allowing 0 pages of memory then 723 // increase that to one here. 724 if config.config.disallow_traps { 725 if pooling.max_memory_size < (1 << 16) { 726 pooling.max_memory_size = 1 << 16; 727 config.config.max_memory32_bytes = 1 << 16; 728 config.config.max_memory64_bytes = 1 << 16; 729 let cfg = &mut self.memory_config; 730 match &mut cfg.memory_reservation { 731 Some(size) => *size = (*size).max(pooling.max_memory_size as u64), 732 size @ None => *size = Some(pooling.max_memory_size as u64), 733 } 734 } 735 // .. additionally update tables 736 if pooling.table_elements == 0 { 737 pooling.table_elements = 1; 738 } 739 } 740 741 // Don't allow too many linear memories per instance since massive 742 // virtual mappings can fail to get allocated. 743 config.config.min_memories = config.config.min_memories.min(10); 744 config.config.max_memories = config.config.max_memories.min(10); 745 746 // Force this pooling allocator to always be able to accommodate the 747 // module that may be generated. 748 pooling.total_memories = config.config.max_memories as u32; 749 pooling.total_tables = config.config.max_tables as u32; 750 } 751 752 if !self.signals_based_traps { 753 // At this time shared memories require a "static" memory 754 // configuration but when signals-based traps are disabled all 755 // memories are forced to the "dynamic" configuration. This is 756 // fixable with some more work on the bounds-checks side of things 757 // to do a full bounds check even on static memories, but that's 758 // left for a future PR. 759 config.config.threads_enabled = false; 760 761 // Spectre-based heap mitigations require signal handlers so this 762 // must always be disabled if signals-based traps are disabled. 763 self.memory_config 764 .cranelift_enable_heap_access_spectre_mitigations = None; 765 } 766 767 self.make_internally_consistent(); 768 769 Ok(()) 770 } 771 772 /// Returns the codegen flag value, if any, for `name`. 773 pub(crate) fn codegen_flag(&self, name: &str) -> Option<&str> { 774 self.codegen.flags().iter().find_map(|(n, value)| { 775 if n == name { 776 Some(value.as_str()) 777 } else { 778 None 779 } 780 }) 781 } 782 783 /// Helper method to handle some dependencies between various configuration 784 /// options. This is intended to be called whenever a `Config` is created or 785 /// modified to ensure that the final result is an instantiable `Config`. 786 /// 787 /// Note that in general this probably shouldn't exist and anything here can 788 /// be considered a "TODO" to go implement more stuff in Wasmtime to accept 789 /// these sorts of configurations. For now though it's intended to reflect 790 /// the current state of the engine's development. 791 fn make_internally_consistent(&mut self) { 792 if !self.signals_based_traps { 793 let cfg = &mut self.memory_config; 794 // Spectre-based heap mitigations require signal handlers so 795 // this must always be disabled if signals-based traps are 796 // disabled. 797 cfg.cranelift_enable_heap_access_spectre_mitigations = None; 798 799 // With configuration settings that match the use of malloc for 800 // linear memories cap the `memory_reservation_for_growth` value 801 // to something reasonable to avoid OOM in fuzzing. 802 if !cfg.memory_init_cow 803 && cfg.memory_guard_size == Some(0) 804 && cfg.memory_reservation == Some(0) 805 { 806 let min = 10 << 20; // 10 MiB 807 if let Some(val) = &mut cfg.memory_reservation_for_growth { 808 *val = (*val).min(min); 809 } else { 810 cfg.memory_reservation_for_growth = Some(min); 811 } 812 } 813 } 814 } 815 } 816 817 #[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)] 818 enum OptLevel { 819 None, 820 Speed, 821 SpeedAndSize, 822 } 823 824 impl OptLevel { 825 fn to_wasmtime(&self) -> wasmtime::OptLevel { 826 match self { 827 OptLevel::None => wasmtime::OptLevel::None, 828 OptLevel::Speed => wasmtime::OptLevel::Speed, 829 OptLevel::SpeedAndSize => wasmtime::OptLevel::SpeedAndSize, 830 } 831 } 832 } 833 834 #[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)] 835 enum RegallocAlgorithm { 836 Backtracking, 837 SinglePass, 838 } 839 840 impl RegallocAlgorithm { 841 fn to_wasmtime(&self) -> wasmtime::RegallocAlgorithm { 842 match self { 843 RegallocAlgorithm::Backtracking => wasmtime::RegallocAlgorithm::Backtracking, 844 // Note: we have disabled `single_pass` for now because of 845 // its limitations w.r.t. exception handling 846 // (https://github.com/bytecodealliance/regalloc2/issues/217). To 847 // avoid breaking all existing fuzzbugs by changing the 848 // `arbitrary` mappings, we keep the `RegallocAlgorithm` 849 // enum as it is and remap here to `Backtracking`. 850 RegallocAlgorithm::SinglePass => wasmtime::RegallocAlgorithm::Backtracking, 851 } 852 } 853 } 854 855 #[derive(Arbitrary, Clone, Copy, Debug, PartialEq, Eq, Hash)] 856 enum IntraModuleInlining { 857 Yes, 858 No, 859 WhenUsingGc, 860 } 861 862 impl std::fmt::Display for IntraModuleInlining { 863 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { 864 match self { 865 IntraModuleInlining::Yes => write!(f, "yes"), 866 IntraModuleInlining::No => write!(f, "no"), 867 IntraModuleInlining::WhenUsingGc => write!(f, "gc"), 868 } 869 } 870 } 871 872 #[derive(Clone, Debug, PartialEq, Eq, Hash)] 873 /// Compiler to use. 874 pub enum CompilerStrategy { 875 /// Cranelift compiler for the native architecture. 876 CraneliftNative, 877 /// Winch compiler. 878 Winch, 879 /// Cranelift compiler for the native architecture. 880 CraneliftPulley, 881 } 882 883 impl CompilerStrategy { 884 /// Configures `config` to use this compilation strategy 885 pub fn configure(&self, config: &mut wasmtime_cli_flags::CommonOptions) { 886 match self { 887 CompilerStrategy::CraneliftNative => { 888 config.codegen.compiler = Some(wasmtime::Strategy::Cranelift); 889 } 890 CompilerStrategy::Winch => { 891 config.codegen.compiler = Some(wasmtime::Strategy::Winch); 892 } 893 CompilerStrategy::CraneliftPulley => { 894 config.codegen.compiler = Some(wasmtime::Strategy::Cranelift); 895 config.target = Some("pulley64".to_string()); 896 } 897 } 898 } 899 } 900 901 impl Arbitrary<'_> for CompilerStrategy { 902 fn arbitrary(u: &mut Unstructured<'_>) -> arbitrary::Result<Self> { 903 // Favor fuzzing native cranelift, but if allowed also enable 904 // winch/pulley. 905 match u.int_in_range(0..=19)? { 906 1 => Ok(Self::CraneliftPulley), 907 2 => Ok(Self::Winch), 908 _ => Ok(Self::CraneliftNative), 909 } 910 } 911 } 912 913 #[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)] 914 pub enum Collector { 915 DeferredReferenceCounting, 916 Null, 917 } 918 919 impl Collector { 920 fn to_wasmtime(&self) -> wasmtime::Collector { 921 match self { 922 Collector::DeferredReferenceCounting => wasmtime::Collector::DeferredReferenceCounting, 923 Collector::Null => wasmtime::Collector::Null, 924 } 925 } 926 } 927