1 //! Utilities for testing and fuzzing out-of-memory handling. 2 //! 3 //! Inspired by SpiderMonkey's `oomTest()` helper: 4 //! https://firefox-source-docs.mozilla.org/js/hacking_tips.html#how-to-debug-oomtest-failures 5 6 use backtrace::Backtrace; 7 use std::{alloc::GlobalAlloc, cell::Cell, mem, ptr, time}; 8 use wasmtime_error::{Error, OutOfMemory, Result, bail}; 9 10 /// An allocator for use with `OomTest`. 11 #[non_exhaustive] 12 pub struct OomTestAllocator; 13 14 impl OomTestAllocator { 15 /// Create a new OOM test allocator. 16 pub const fn new() -> Self { 17 OomTestAllocator 18 } 19 } 20 21 #[derive(Clone, Debug, Default, PartialEq, Eq)] 22 enum OomState { 23 /// We are in code that is not part of an OOM test. 24 #[default] 25 OutsideOomTest, 26 27 /// We are inside an OOM test and should inject an OOM when the counter 28 /// reaches zero. 29 OomOnAlloc(u32), 30 31 /// We are inside an OOM test and we already injected an OOM. 32 DidOom, 33 } 34 35 thread_local! { 36 static OOM_STATE: Cell<OomState> = const { Cell::new(OomState::OutsideOomTest) }; 37 } 38 39 /// Set the new OOM state, returning the old state. 40 fn set_oom_state(state: OomState) -> OomState { 41 OOM_STATE.with(|s| s.replace(state)) 42 } 43 44 /// RAII helper to set the OOM state within a block of code and reset it upon 45 /// exiting that block (even if exiting via panic unwinding). 46 struct ScopedOomState { 47 prev_state: OomState, 48 } 49 50 impl ScopedOomState { 51 fn new(state: OomState) -> Self { 52 ScopedOomState { 53 prev_state: set_oom_state(state), 54 } 55 } 56 57 /// Finish this OOM state scope early, resetting the OOM state to what it 58 /// was before this scope was created, and returning the previous state that 59 /// was just overwritten by the reset. 60 fn finish(&self) -> OomState { 61 set_oom_state(self.prev_state.clone()) 62 } 63 } 64 65 impl Drop for ScopedOomState { 66 fn drop(&mut self) { 67 set_oom_state(mem::take(&mut self.prev_state)); 68 } 69 } 70 71 unsafe impl GlobalAlloc for OomTestAllocator { 72 unsafe fn alloc(&self, layout: std::alloc::Layout) -> *mut u8 { 73 let old_state = set_oom_state(OomState::OutsideOomTest); 74 75 let new_state; 76 let ptr; 77 { 78 // NB: It's okay to log/backtrace/etc... in this block because the 79 // current state is `OutsideOomTest`, so any re-entrant allocations 80 // will be passed through to the system allocator. 81 82 match old_state { 83 OomState::OutsideOomTest => { 84 new_state = OomState::OutsideOomTest; 85 ptr = unsafe { std::alloc::System.alloc(layout) }; 86 } 87 OomState::OomOnAlloc(0) => { 88 log::trace!( 89 "injecting OOM for allocation: {layout:?}\nAllocation backtrace:\n{:?}", 90 Backtrace::new(), 91 ); 92 new_state = OomState::DidOom; 93 ptr = ptr::null_mut(); 94 } 95 OomState::OomOnAlloc(c) => { 96 new_state = OomState::OomOnAlloc(c - 1); 97 ptr = unsafe { std::alloc::System.alloc(layout) }; 98 } 99 OomState::DidOom => { 100 panic!("OOM test attempted to allocate after OOM: {layout:?}") 101 } 102 } 103 } 104 105 set_oom_state(new_state); 106 ptr 107 } 108 109 unsafe fn dealloc(&self, ptr: *mut u8, layout: std::alloc::Layout) { 110 unsafe { 111 std::alloc::System.dealloc(ptr, layout); 112 } 113 } 114 } 115 116 /// A test helper that checks that some code handles OOM correctly. 117 /// 118 /// `OomTest` will only work correctly when `OomTestAllocator` is configured as 119 /// the global allocator. 120 /// 121 /// `OomTest` does not support reentrancy, so you cannot run an `OomTest` within 122 /// an `OomTest`. 123 /// 124 /// # Example 125 /// 126 /// ```no_run 127 /// use std::time::Duration; 128 /// use wasmtime::Result; 129 /// use wasmtime_fuzzing::oom::{OomTest, OomTestAllocator}; 130 /// 131 /// #[global_allocator] 132 /// static GLOBAL_ALOCATOR: OomTestAllocator = OomTestAllocator::new(); 133 /// 134 /// #[test] 135 /// fn my_oom_test() -> Result<()> { 136 /// OomTest::new() 137 /// .max_iters(1_000_000) 138 /// .max_duration(Duration::from_secs(5)) 139 /// .test(|| { 140 /// todo!("insert code here that should handle OOM here...") 141 /// }) 142 /// } 143 /// ``` 144 pub struct OomTest { 145 max_iters: Option<u32>, 146 max_duration: Option<time::Duration>, 147 } 148 149 impl OomTest { 150 /// Create a new OOM test. 151 /// 152 /// By default there is no iteration or time limit, tests will be executed 153 /// until the pass (or fail). 154 pub fn new() -> Self { 155 let _ = env_logger::try_init(); 156 157 // NB: `std::backtrace::Backtrace` doesn't have ways to handle 158 // OOM. Ideally we would just disable the `"backtrace"` cargo feature, 159 // but workspace feature resolution doesn't play nice with that. 160 wasmtime_error::disable_backtrace(); 161 162 OomTest { 163 max_iters: None, 164 max_duration: None, 165 } 166 } 167 168 /// Configure the maximum number of times to run an OOM test. 169 pub fn max_iters(&mut self, max_iters: u32) -> &mut Self { 170 self.max_iters = Some(max_iters); 171 self 172 } 173 174 /// Configure the maximum duration of time to run an OOM text. 175 pub fn max_duration(&mut self, max_duration: time::Duration) -> &mut Self { 176 self.max_duration = Some(max_duration); 177 self 178 } 179 180 /// Repeatedly run the given test function, injecting OOMs at different 181 /// times and checking that it correctly handles them. 182 /// 183 /// The test function should not use threads, or else allocations may not be 184 /// tracked correctly and OOM injection may be incorrect. 185 /// 186 /// The test function should return an `Err(_)` if and only if it encounters 187 /// an OOM. 188 /// 189 /// Returns early once the test function returns `Ok(())` before an OOM has 190 /// been injected. 191 pub fn test(&self, test_func: impl Fn() -> Result<()>) -> Result<()> { 192 let start = time::Instant::now(); 193 194 for i in 0.. { 195 if self.max_iters.is_some_and(|n| i >= n) 196 || self.max_duration.is_some_and(|d| start.elapsed() >= d) 197 { 198 break; 199 } 200 201 log::trace!("=== Injecting OOM after {i} allocations ==="); 202 let (result, old_state) = { 203 let guard = ScopedOomState::new(OomState::OomOnAlloc(i)); 204 assert_eq!(guard.prev_state, OomState::OutsideOomTest); 205 206 let result = test_func(); 207 208 (result, guard.finish()) 209 }; 210 211 match (result, old_state) { 212 (_, OomState::OutsideOomTest) => unreachable!(), 213 214 // The test function completed successfully before we ran out of 215 // allocation fuel, so we're done. 216 (Ok(()), OomState::OomOnAlloc(_)) => break, 217 218 // We injected an OOM and the test function handled it 219 // correctly; continue to the next iteration. 220 (Err(e), OomState::DidOom) if self.is_oom_error(&e) => {} 221 222 // Missed OOMs. 223 (Ok(()), OomState::DidOom) => { 224 bail!("OOM test function missed an OOM: returned Ok(())"); 225 } 226 (Err(e), OomState::DidOom) => { 227 return Err( 228 e.context("OOM test function missed an OOM: returned non-OOM error") 229 ); 230 } 231 232 // Unexpected error. 233 (Err(e), OomState::OomOnAlloc(_)) => { 234 return Err( 235 e.context("OOM test function returned an error when there was no OOM") 236 ); 237 } 238 } 239 } 240 241 Ok(()) 242 } 243 244 fn is_oom_error(&self, e: &Error) -> bool { 245 e.is::<OutOfMemory>() 246 } 247 } 248