1 //! Oracles.
2 //!
3 //! Oracles take a test case and determine whether we have a bug. For example,
4 //! one of the simplest oracles is to take a Wasm binary as our input test case,
5 //! validate and instantiate it, and (implicitly) check that no assertions
6 //! failed or segfaults happened. A more complicated oracle might compare the
7 //! result of executing a Wasm file with and without optimizations enabled, and
8 //! make sure that the two executions are observably identical.
9 //!
10 //! When an oracle finds a bug, it should report it to the fuzzing engine by
11 //! panicking.
12
13 pub mod component_api;
14 pub mod component_async;
15 #[cfg(feature = "fuzz-spec-interpreter")]
16 pub mod diff_spec;
17 pub mod diff_wasmi;
18 pub mod diff_wasmtime;
19 pub mod dummy;
20 pub mod engine;
21 pub mod memory;
22 mod stacks;
23
24 use self::diff_wasmtime::WasmtimeInstance;
25 use self::engine::{DiffEngine, DiffInstance};
26 use crate::generators::ExceptionOps;
27 use crate::generators::GcOps;
28 use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType};
29 use crate::single_module_fuzzer::KnownValid;
30 use crate::{YieldN, block_on};
31 use arbitrary::Arbitrary;
32 pub use stacks::check_stacks;
33 use std::future::Future;
34 use std::pin::Pin;
35 use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst};
36 use std::sync::{Arc, Condvar, Mutex};
37 use std::task::{Context, Poll};
38 use std::time::{Duration, Instant};
39 use wasmtime::*;
40 use wasmtime_wast::WastContext;
41
42 #[cfg(not(any(windows, target_arch = "s390x", target_arch = "riscv64")))]
43 mod diff_v8;
44
45 static CNT: AtomicUsize = AtomicUsize::new(0);
46
47 /// Logs a wasm file to the filesystem to make it easy to figure out what wasm
48 /// was used when debugging.
log_wasm(wasm: &[u8])49 pub fn log_wasm(wasm: &[u8]) {
50 super::init_fuzzing();
51
52 if !log::log_enabled!(log::Level::Debug) {
53 return;
54 }
55
56 let i = CNT.fetch_add(1, SeqCst);
57 let name = format!("testcase{i}.wasm");
58 std::fs::write(&name, wasm).expect("failed to write wasm file");
59 log::debug!("wrote wasm file to `{name}`");
60 let wat = format!("testcase{i}.wat");
61 match wasmprinter::print_bytes(wasm) {
62 Ok(s) => {
63 std::fs::write(&wat, s).expect("failed to write wat file");
64 log::debug!("wrote wat file to `{wat}`");
65 }
66 // If wasmprinter failed remove a `*.wat` file, if any, to avoid
67 // confusing a preexisting one with this wasm which failed to get
68 // printed.
69 Err(e) => {
70 log::debug!("failed to print to wat: {e}");
71 drop(std::fs::remove_file(&wat));
72 }
73 }
74 }
75
76 /// The `T` in `Store<T>` for fuzzing stores, used to limit resource
77 /// consumption during fuzzing.
78 #[derive(Clone)]
79 pub struct StoreLimits(Arc<LimitsState>);
80
81 struct LimitsState {
82 /// Remaining memory, in bytes, left to allocate
83 remaining_memory: AtomicUsize,
84 /// Remaining amount of memory that's allowed to be copied via a growth.
85 remaining_copy_allowance: AtomicUsize,
86 /// Whether or not an allocation request has been denied
87 oom: AtomicBool,
88 }
89
90 /// Allow up to 1G which is well below the 2G limit on OSS-Fuzz and should allow
91 /// most interesting behavior.
92 const MAX_MEMORY: usize = 1 << 30;
93
94 /// Allow up to 4G of bytes to be copied (conservatively) which should enable
95 /// growth up to `MAX_MEMORY` or at least up to a relatively large amount.
96 const MAX_MEMORY_MOVED: usize = 4 << 30;
97
98 impl StoreLimits {
99 /// Creates the default set of limits for all fuzzing stores.
new() -> StoreLimits100 pub fn new() -> StoreLimits {
101 StoreLimits(Arc::new(LimitsState {
102 remaining_memory: AtomicUsize::new(MAX_MEMORY),
103 remaining_copy_allowance: AtomicUsize::new(MAX_MEMORY_MOVED),
104 oom: AtomicBool::new(false),
105 }))
106 }
107
alloc(&mut self, amt: usize) -> bool108 fn alloc(&mut self, amt: usize) -> bool {
109 log::trace!("alloc {amt:#x} bytes");
110
111 // Assume that on each allocation of memory that all previous
112 // allocations of memory are moved. This is pretty coarse but is used to
113 // help prevent against fuzz test cases that just move tons of bytes
114 // around continuously. This assumes that all previous memory was
115 // allocated in a single linear memory and growing by `amt` will require
116 // moving all the bytes to a new location. This isn't actually required
117 // all the time nor does it accurately reflect what happens all the
118 // time, but it's a coarse approximation that should be "good enough"
119 // for allowing interesting fuzz behaviors to happen while not timing
120 // out just copying bytes around.
121 let prev_size = MAX_MEMORY - self.0.remaining_memory.load(SeqCst);
122 if self
123 .0
124 .remaining_copy_allowance
125 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(prev_size))
126 .is_err()
127 {
128 self.0.oom.store(true, SeqCst);
129 log::debug!("-> too many bytes moved, rejecting allocation");
130 return false;
131 }
132
133 // If we're allowed to move the bytes, then also check if we're allowed
134 // to actually have this much residence at once.
135 match self
136 .0
137 .remaining_memory
138 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(amt))
139 {
140 Ok(_) => true,
141 Err(_) => {
142 self.0.oom.store(true, SeqCst);
143 log::debug!("-> OOM hit");
144 false
145 }
146 }
147 }
148
is_oom(&self) -> bool149 fn is_oom(&self) -> bool {
150 self.0.oom.load(SeqCst)
151 }
152 }
153
154 impl ResourceLimiter for StoreLimits {
memory_growing( &mut self, current: usize, desired: usize, _maximum: Option<usize>, ) -> Result<bool>155 fn memory_growing(
156 &mut self,
157 current: usize,
158 desired: usize,
159 _maximum: Option<usize>,
160 ) -> Result<bool> {
161 Ok(self.alloc(desired - current))
162 }
163
table_growing( &mut self, current: usize, desired: usize, _maximum: Option<usize>, ) -> Result<bool>164 fn table_growing(
165 &mut self,
166 current: usize,
167 desired: usize,
168 _maximum: Option<usize>,
169 ) -> Result<bool> {
170 let delta = (desired - current).saturating_mul(std::mem::size_of::<usize>());
171 Ok(self.alloc(delta))
172 }
173 }
174
175 /// Methods of timing out execution of a WebAssembly module
176 #[derive(Clone, Debug)]
177 pub enum Timeout {
178 /// No timeout is used, it should be guaranteed via some other means that
179 /// the input does not infinite loop.
180 None,
181 /// Fuel-based timeouts are used where the specified fuel is all that the
182 /// provided wasm module is allowed to consume.
183 Fuel(u64),
184 /// An epoch-interruption-based timeout is used with a sleeping
185 /// thread bumping the epoch counter after the specified duration.
186 Epoch(Duration),
187 }
188
189 /// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected
190 /// panic or segfault or anything else that can be detected "passively".
191 ///
192 /// The engine will be configured using provided config.
instantiate( wasm: &[u8], known_valid: KnownValid, config: &generators::Config, timeout: Timeout, )193 pub fn instantiate(
194 wasm: &[u8],
195 known_valid: KnownValid,
196 config: &generators::Config,
197 timeout: Timeout,
198 ) {
199 let mut store = config.to_store();
200
201 let module = match compile_module(store.engine(), wasm, known_valid, config) {
202 Some(module) => module,
203 None => return,
204 };
205
206 let mut timeout_state = HelperThread::default();
207 match timeout {
208 Timeout::Fuel(fuel) => store.set_fuel(fuel).unwrap(),
209
210 // If a timeout is requested then we spawn a helper thread to wait for
211 // the requested time and then send us a signal to get interrupted. We
212 // also arrange for the thread's sleep to get interrupted if we return
213 // early (or the wasm returns within the time limit), which allows the
214 // thread to get torn down.
215 //
216 // This prevents us from creating a huge number of sleeping threads if
217 // this function is executed in a loop, like it does on nightly fuzzing
218 // infrastructure.
219 Timeout::Epoch(timeout) => {
220 let engine = store.engine().clone();
221 timeout_state.run_periodically(timeout, move || engine.increment_epoch());
222 }
223 Timeout::None => {}
224 }
225
226 instantiate_with_dummy(&mut store, &module);
227 }
228
229 /// Represents supported commands to the `instantiate_many` function.
230 #[derive(Arbitrary, Debug)]
231 pub enum Command {
232 /// Instantiates a module.
233 ///
234 /// The value is the index of the module to instantiate.
235 ///
236 /// The module instantiated will be this value modulo the number of modules provided to `instantiate_many`.
237 Instantiate(usize),
238 /// Terminates a "running" instance.
239 ///
240 /// The value is the index of the instance to terminate.
241 ///
242 /// The instance terminated will be this value modulo the number of currently running
243 /// instances.
244 ///
245 /// If no instances are running, the command will be ignored.
246 Terminate(usize),
247 }
248
249 /// Instantiates many instances from the given modules.
250 ///
251 /// The engine will be configured using the provided config.
252 ///
253 /// The modules are expected to *not* have start functions as no timeouts are configured.
instantiate_many( modules: &[Vec<u8>], known_valid: KnownValid, config: &generators::Config, commands: &[Command], )254 pub fn instantiate_many(
255 modules: &[Vec<u8>],
256 known_valid: KnownValid,
257 config: &generators::Config,
258 commands: &[Command],
259 ) {
260 log::debug!("instantiate_many: {commands:#?}");
261
262 assert!(!config.module_config.config.allow_start_export);
263
264 let engine = Engine::new(&config.to_wasmtime()).unwrap();
265
266 let modules = modules
267 .iter()
268 .enumerate()
269 .filter_map(
270 |(i, bytes)| match compile_module(&engine, bytes, known_valid, config) {
271 Some(m) => {
272 log::debug!("successfully compiled module {i}");
273 Some(m)
274 }
275 None => {
276 log::debug!("failed to compile module {i}");
277 None
278 }
279 },
280 )
281 .collect::<Vec<_>>();
282
283 // If no modules were valid, we're done
284 if modules.is_empty() {
285 return;
286 }
287
288 // This stores every `Store` where a successful instantiation takes place
289 let mut stores = Vec::new();
290 let limits = StoreLimits::new();
291
292 for command in commands {
293 match command {
294 Command::Instantiate(index) => {
295 let index = *index % modules.len();
296 log::info!("instantiating {index}");
297 let module = &modules[index];
298 let mut store = Store::new(&engine, limits.clone());
299 config.configure_store(&mut store);
300
301 if instantiate_with_dummy(&mut store, module).is_some() {
302 stores.push(Some(store));
303 } else {
304 log::warn!("instantiation failed");
305 }
306 }
307 Command::Terminate(index) => {
308 if stores.is_empty() {
309 continue;
310 }
311 let index = *index % stores.len();
312
313 log::info!("dropping {index}");
314 stores.swap_remove(index);
315 }
316 }
317 }
318 }
319
compile_module( engine: &Engine, bytes: &[u8], known_valid: KnownValid, config: &generators::Config, ) -> Option<Module>320 fn compile_module(
321 engine: &Engine,
322 bytes: &[u8],
323 known_valid: KnownValid,
324 config: &generators::Config,
325 ) -> Option<Module> {
326 log_wasm(bytes);
327
328 match config.compile(engine, bytes) {
329 Ok(module) => Some(module),
330 Err(_) if known_valid == KnownValid::No => None,
331 Err(e) => {
332 if let generators::InstanceAllocationStrategy::Pooling(c) = &config.wasmtime.strategy {
333 // When using the pooling allocator, accept failures to compile
334 // when arbitrary table element limits have been exceeded as
335 // there is currently no way to constrain the generated module
336 // table types.
337 let string = format!("{e:?}");
338 if string.contains("minimum element size") {
339 return None;
340 }
341
342 // Allow modules-failing-to-compile which exceed the requested
343 // size for each instance. This is something that is difficult
344 // to control and ensure it always succeeds, so we simply have a
345 // "random" instance size limit and if a module doesn't fit we
346 // move on to the next fuzz input.
347 if string.contains("instance allocation for this module requires") {
348 return None;
349 }
350
351 // If the pooling allocator is more restrictive on the number of
352 // tables and memories than we allowed wasm-smith to generate
353 // then allow compilation errors along those lines.
354 if c.max_tables_per_module < (config.module_config.config.max_tables as u32)
355 && string.contains("defined tables count")
356 && string.contains("exceeds the per-instance limit")
357 {
358 return None;
359 }
360
361 if c.max_memories_per_module < (config.module_config.config.max_memories as u32)
362 && string.contains("defined memories count")
363 && string.contains("exceeds the per-instance limit")
364 {
365 return None;
366 }
367 }
368
369 panic!("failed to compile module: {e:?}");
370 }
371 }
372 }
373
374 /// Create a Wasmtime [`Instance`] from a [`Module`] and fill in all imports
375 /// with dummy values (e.g., zeroed values, immediately-trapping functions).
376 /// Also, this function catches certain fuzz-related instantiation failures and
377 /// returns `None` instead of panicking.
378 ///
379 /// TODO: we should implement tracing versions of these dummy imports that
380 /// record a trace of the order that imported functions were called in and with
381 /// what values. Like the results of exported functions, calls to imports should
382 /// also yield the same values for each configuration, and we should assert
383 /// that.
instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance>384 pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance> {
385 // Creation of imports can fail due to resource limit constraints, and then
386 // instantiation can naturally fail for a number of reasons as well. Bundle
387 // the two steps together to match on the error below.
388 let linker = dummy::dummy_linker(store, module);
389 if let Err(e) = &linker {
390 log::warn!("failed to create dummy linker: {e:?}");
391 }
392 let instance = linker.and_then(|l| l.instantiate(&mut *store, module));
393 unwrap_instance(store, instance)
394 }
395
unwrap_instance( store: &Store<StoreLimits>, instance: wasmtime::Result<Instance>, ) -> Option<Instance>396 fn unwrap_instance(
397 store: &Store<StoreLimits>,
398 instance: wasmtime::Result<Instance>,
399 ) -> Option<Instance> {
400 let e = match instance {
401 Ok(i) => return Some(i),
402 Err(e) => e,
403 };
404
405 log::debug!("failed to instantiate: {e:?}");
406
407 // If the instantiation hit OOM for some reason then that's ok, it's
408 // expected that fuzz-generated programs try to allocate lots of
409 // stuff.
410 if store.data().is_oom() {
411 return None;
412 }
413
414 // Allow traps which can happen normally with `unreachable` or a timeout or
415 // such.
416 if e.is::<Trap>()
417 // Also allow failures to instantiate as a result of hitting pooling
418 // limits.
419 || e.is::<wasmtime::PoolConcurrencyLimitError>()
420 // And GC heap OOMs.
421 || e.is::<wasmtime::GcHeapOutOfMemory<()>>()
422 // And thrown exceptions.
423 || e.is::<wasmtime::ThrownException>()
424 {
425 return None;
426 }
427
428 let string = e.to_string();
429
430 // Currently we instantiate with a `Linker` which can't instantiate
431 // every single module under the sun due to using name-based resolution
432 // rather than positional-based resolution
433 if string.contains("incompatible import type") {
434 return None;
435 }
436
437 // Everything else should be a bug in the fuzzer or a bug in wasmtime
438 panic!("failed to instantiate: {e:?}");
439 }
440
441 /// Evaluate the function identified by `name` in two different engine
442 /// instances--`lhs` and `rhs`.
443 ///
444 /// Returns `Ok(true)` if more evaluations can happen or `Ok(false)` if the
445 /// instances may have drifted apart and no more evaluations can happen.
446 ///
447 /// # Panics
448 ///
449 /// This will panic if the evaluation is different between engines (e.g.,
450 /// results are different, hashed instance is different, one side traps, etc.).
differential( lhs: &mut dyn DiffInstance, lhs_engine: &dyn DiffEngine, rhs: &mut WasmtimeInstance, name: &str, args: &[DiffValue], result_tys: &[DiffValueType], ) -> wasmtime::Result<bool>451 pub fn differential(
452 lhs: &mut dyn DiffInstance,
453 lhs_engine: &dyn DiffEngine,
454 rhs: &mut WasmtimeInstance,
455 name: &str,
456 args: &[DiffValue],
457 result_tys: &[DiffValueType],
458 ) -> wasmtime::Result<bool> {
459 log::debug!("Evaluating: `{name}` with {args:?}");
460 let lhs_results = match lhs.evaluate(name, args, result_tys) {
461 Ok(Some(results)) => Ok(results),
462 Err(e) => Err(e),
463 // this engine couldn't execute this type signature, so discard this
464 // execution by returning success.
465 Ok(None) => return Ok(true),
466 };
467 log::debug!(" -> lhs results on {}: {:?}", lhs.name(), &lhs_results);
468
469 let rhs_results = rhs
470 .evaluate(name, args, result_tys)
471 // wasmtime should be able to invoke any signature, so unwrap this result
472 .map(|results| results.unwrap());
473 log::debug!(" -> rhs results on {}: {:?}", rhs.name(), &rhs_results);
474
475 // If Wasmtime hit its OOM condition, which is possible since it's set
476 // somewhat low while fuzzing, then don't return an error but return
477 // `false` indicating that differential fuzzing must stop. There's no
478 // guarantee the other engine has the same OOM limits as Wasmtime, and
479 // it's assumed that Wasmtime is configured to have a more conservative
480 // limit than the other engine.
481 if rhs.is_oom() {
482 return Ok(false);
483 }
484
485 match DiffEqResult::new(lhs_engine, lhs_results, rhs_results) {
486 DiffEqResult::Success(lhs, rhs) => assert_eq!(lhs, rhs),
487 DiffEqResult::Poisoned => return Ok(false),
488 DiffEqResult::Failed => {}
489 }
490
491 for (global, ty) in rhs.exported_globals() {
492 log::debug!("Comparing global `{global}`");
493 let lhs = match lhs.get_global(&global, ty) {
494 Some(val) => val,
495 None => continue,
496 };
497 let rhs = rhs.get_global(&global, ty).unwrap();
498 assert_eq!(lhs, rhs);
499 }
500 for (memory, shared) in rhs.exported_memories() {
501 log::debug!("Comparing memory `{memory}`");
502 let lhs = match lhs.get_memory(&memory, shared) {
503 Some(val) => val,
504 None => continue,
505 };
506 let rhs = rhs.get_memory(&memory, shared).unwrap();
507 if lhs == rhs {
508 continue;
509 }
510 eprintln!("differential memory is {} bytes long", lhs.len());
511 eprintln!("wasmtime memory is {} bytes long", rhs.len());
512 panic!("memories have differing values");
513 }
514
515 Ok(true)
516 }
517
518 /// Result of comparing the result of two operations during differential
519 /// execution.
520 pub enum DiffEqResult<T, U> {
521 /// Both engines succeeded.
522 Success(T, U),
523 /// The result has reached the state where engines may have diverged and
524 /// results can no longer be compared.
525 Poisoned,
526 /// Both engines failed with the same error message, and internal state
527 /// should still match between the two engines.
528 Failed,
529 }
530
wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool531 fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool {
532 match trap {
533 // Allocations being too large for the GC are
534 // implementation-defined.
535 Trap::AllocationTooLarge |
536 // Stack size, and therefore when overflow happens, is
537 // implementation-defined.
538 Trap::StackOverflow => true,
539 _ => false,
540 }
541 }
542
wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool543 fn wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool {
544 match error.downcast_ref::<Trap>() {
545 Some(trap) => wasmtime_trap_is_non_deterministic(trap),
546
547 // For general, unknown errors, we can't rely on this being
548 // a deterministic Wasm failure that both engines handled
549 // identically, leaving Wasm in identical states. We could
550 // just as easily be hitting engine-specific failures, like
551 // different implementation-defined limits. So simply poison
552 // this execution and move on to the next test.
553 None => true,
554 }
555 }
556
557 impl<T, U> DiffEqResult<T, U> {
558 /// Computes the differential result from executing in two different
559 /// engines.
new( lhs_engine: &dyn DiffEngine, lhs_result: Result<T>, rhs_result: Result<U>, ) -> DiffEqResult<T, U>560 pub fn new(
561 lhs_engine: &dyn DiffEngine,
562 lhs_result: Result<T>,
563 rhs_result: Result<U>,
564 ) -> DiffEqResult<T, U> {
565 match (lhs_result, rhs_result) {
566 (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result),
567
568 // Handle all non-deterministic errors by poisoning this execution's
569 // state, so that we simply move on to the next test.
570 (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => {
571 log::debug!("lhs failed non-deterministically: {lhs:?}");
572 DiffEqResult::Poisoned
573 }
574 (_, Err(rhs)) if wasmtime_error_is_non_deterministic(&rhs) => {
575 log::debug!("rhs failed non-deterministically: {rhs:?}");
576 DiffEqResult::Poisoned
577 }
578
579 // Both sides failed deterministically. Check that the trap and
580 // state at the time of failure is the same.
581 (Err(lhs), Err(rhs)) => {
582 let rhs = rhs
583 .downcast::<Trap>()
584 .expect("non-traps handled in earlier match arm");
585
586 debug_assert!(
587 !lhs_engine.is_non_deterministic_error(&lhs),
588 "non-deterministic traps handled in earlier match arm",
589 );
590 debug_assert!(
591 !wasmtime_trap_is_non_deterministic(&rhs),
592 "non-deterministic traps handled in earlier match arm",
593 );
594
595 lhs_engine.assert_error_match(&lhs, &rhs);
596 DiffEqResult::Failed
597 }
598
599 // A real bug is found if only one side fails.
600 (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"),
601 (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"),
602 }
603 }
604 }
605
606 /// Invoke the given API calls.
make_api_calls(api: generators::api::ApiCalls)607 pub fn make_api_calls(api: generators::api::ApiCalls) {
608 use crate::generators::api::ApiCall;
609 use std::collections::HashMap;
610
611 let mut store: Option<Store<StoreLimits>> = None;
612 let mut modules: HashMap<usize, Module> = Default::default();
613 let mut instances: HashMap<usize, Instance> = Default::default();
614
615 for call in api.calls {
616 match call {
617 ApiCall::StoreNew(config) => {
618 log::trace!("creating store");
619 assert!(store.is_none());
620 store = Some(config.to_store());
621 }
622
623 ApiCall::ModuleNew { id, wasm } => {
624 log::debug!("creating module: {id}");
625 log_wasm(&wasm);
626 let module = match Module::new(store.as_ref().unwrap().engine(), &wasm) {
627 Ok(m) => m,
628 Err(_) => continue,
629 };
630 let old = modules.insert(id, module);
631 assert!(old.is_none());
632 }
633
634 ApiCall::ModuleDrop { id } => {
635 log::trace!("dropping module: {id}");
636 drop(modules.remove(&id));
637 }
638
639 ApiCall::InstanceNew { id, module } => {
640 log::trace!("instantiating module {module} as {id}");
641 let module = match modules.get(&module) {
642 Some(m) => m,
643 None => continue,
644 };
645
646 let store = store.as_mut().unwrap();
647 if let Some(instance) = instantiate_with_dummy(store, module) {
648 instances.insert(id, instance);
649 }
650 }
651
652 ApiCall::InstanceDrop { id } => {
653 log::trace!("dropping instance {id}");
654 instances.remove(&id);
655 }
656
657 ApiCall::CallExportedFunc { instance, nth } => {
658 log::trace!("calling instance export {instance} / {nth}");
659 let instance = match instances.get(&instance) {
660 Some(i) => i,
661 None => {
662 // Note that we aren't guaranteed to instantiate valid
663 // modules, see comments in `InstanceNew` for details on
664 // that. But the API call generator can't know if
665 // instantiation failed, so we might not actually have
666 // this instance. When that's the case, just skip the
667 // API call and keep going.
668 continue;
669 }
670 };
671 let store = store.as_mut().unwrap();
672
673 let funcs = instance
674 .exports(&mut *store)
675 .filter_map(|e| match e.into_extern() {
676 Extern::Func(f) => Some(f),
677 _ => None,
678 })
679 .collect::<Vec<_>>();
680
681 if funcs.is_empty() {
682 continue;
683 }
684
685 let nth = nth % funcs.len();
686 let f = &funcs[nth];
687 let ty = f.ty(&store);
688 if let Some(params) = ty
689 .params()
690 .map(|p| p.default_value())
691 .collect::<Option<Vec<_>>>()
692 {
693 let mut results = vec![Val::I32(0); ty.results().len()];
694 let _ = f.call(store, ¶ms, &mut results);
695 }
696 }
697 }
698 }
699 }
700
701 /// Executes the wast `test` with the `config` specified.
702 ///
703 /// Ensures that wast tests pass regardless of the `Config`.
wast_test(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()>704 pub fn wast_test(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()> {
705 crate::init_fuzzing();
706
707 let mut fuzz_config: generators::Config = u.arbitrary()?;
708 fuzz_config.module_config.shared_memory = true;
709 let test: generators::WastTest = u.arbitrary()?;
710
711 let test = &test.test;
712
713 if test.config.component_model_async() || u.arbitrary()? {
714 fuzz_config.enable_async(u)?;
715 }
716
717 // Discard tests that allocate a lot of memory as we don't want to OOM the
718 // fuzzer and we also limit memory growth which would cause the test to
719 // fail.
720 if test.config.hogs_memory.unwrap_or(false) {
721 return Err(arbitrary::Error::IncorrectFormat);
722 }
723
724 // Transform `fuzz_config` to be valid for `test` and make sure that this
725 // test is supposed to pass.
726 let wast_config = fuzz_config.make_wast_test_compliant(test);
727 if test.should_fail(&wast_config) {
728 return Err(arbitrary::Error::IncorrectFormat);
729 }
730
731 // Winch requires AVX and AVX2 for SIMD tests to pass so don't run the test
732 // if either isn't enabled.
733 if fuzz_config.wasmtime.compiler_strategy == CompilerStrategy::Winch
734 && test.config.simd()
735 && (fuzz_config
736 .wasmtime
737 .codegen_flag("has_avx")
738 .is_some_and(|value| value == "false")
739 || fuzz_config
740 .wasmtime
741 .codegen_flag("has_avx2")
742 .is_some_and(|value| value == "false"))
743 {
744 log::warn!(
745 "Skipping Wast test because Winch doesn't support SIMD tests with AVX or AVX2 disabled"
746 );
747 return Err(arbitrary::Error::IncorrectFormat);
748 }
749
750 // Fuel and epochs don't play well with threads right now, so exclude any
751 // thread-spawning test if it looks like threads are spawned in that case.
752 if fuzz_config.wasmtime.consume_fuel || fuzz_config.wasmtime.epoch_interruption {
753 if test.contents.contains("(thread") {
754 return Err(arbitrary::Error::IncorrectFormat);
755 }
756 }
757
758 log::debug!("running {:?}", test.path);
759 let async_ = if fuzz_config.wasmtime.async_config == generators::AsyncConfig::Disabled {
760 wasmtime_wast::Async::No
761 } else {
762 wasmtime_wast::Async::Yes
763 };
764 log::debug!("async: {async_:?}");
765 let engine = Engine::new(&fuzz_config.to_wasmtime()).unwrap();
766 let mut wast_context = WastContext::new(&engine, async_, move |store| {
767 fuzz_config.configure_store_epoch_and_fuel(store);
768 });
769 wast_context
770 .register_spectest(&wasmtime_wast::SpectestConfig {
771 use_shared_memory: true,
772 suppress_prints: true,
773 })
774 .unwrap();
775 wast_context.register_wasmtime().unwrap();
776 wast_context
777 .run_wast(test.path.to_str().unwrap(), test.contents.as_bytes())
778 .unwrap();
779 Ok(())
780 }
781
782 /// Execute a series of `gc` operations.
783 ///
784 /// Returns the number of `gc` operations which occurred throughout the test
785 /// case -- used to test below that gc happens reasonably soon and eventually.
gc_ops(mut fuzz_config: generators::Config, mut ops: GcOps) -> Result<usize>786 pub fn gc_ops(mut fuzz_config: generators::Config, mut ops: GcOps) -> Result<usize> {
787 let expected_drops = Arc::new(AtomicUsize::new(0));
788 let num_dropped = Arc::new(AtomicUsize::new(0));
789
790 let num_gcs = Arc::new(AtomicUsize::new(0));
791 {
792 fuzz_config.wasmtime.consume_fuel = true;
793 let mut store = fuzz_config.to_store();
794 store.set_fuel(1_000).unwrap();
795
796 let wasm = ops.to_wasm_binary();
797 log_wasm(&wasm);
798 let module = match compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config) {
799 Some(m) => m,
800 None => return Ok(0),
801 };
802
803 let mut linker = Linker::new(store.engine());
804
805 // To avoid timeouts, limit the number of explicit GCs we perform per
806 // test case.
807 const MAX_GCS: usize = 5;
808
809 let func_ty = FuncType::new(
810 store.engine(),
811 vec![],
812 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF],
813 );
814 let func = Func::new(&mut store, func_ty, {
815 let num_dropped = num_dropped.clone();
816 let expected_drops = expected_drops.clone();
817 let num_gcs = num_gcs.clone();
818 move |mut caller: Caller<'_, StoreLimits>, _params, results| {
819 log::info!("gc_ops: GC");
820 if num_gcs.fetch_add(1, SeqCst) < MAX_GCS {
821 caller.gc(None)?;
822 }
823
824 let a = ExternRef::new(
825 &mut caller,
826 CountDrops::new(&expected_drops, num_dropped.clone()),
827 )?;
828 let b = ExternRef::new(
829 &mut caller,
830 CountDrops::new(&expected_drops, num_dropped.clone()),
831 )?;
832 let c = ExternRef::new(
833 &mut caller,
834 CountDrops::new(&expected_drops, num_dropped.clone()),
835 )?;
836
837 log::info!("gc_ops: gc() -> ({a:?}, {b:?}, {c:?})");
838 results[0] = Some(a).into();
839 results[1] = Some(b).into();
840 results[2] = Some(c).into();
841 Ok(())
842 }
843 });
844 linker.define(&store, "", "gc", func).unwrap();
845
846 linker
847 .func_wrap("", "take_refs", {
848 let expected_drops = expected_drops.clone();
849 move |caller: Caller<'_, StoreLimits>,
850 a: Option<Rooted<ExternRef>>,
851 b: Option<Rooted<ExternRef>>,
852 c: Option<Rooted<ExternRef>>|
853 -> Result<()> {
854 log::info!("gc_ops: take_refs({a:?}, {b:?}, {c:?})",);
855
856 // Do the assertion on each ref's inner data, even though it
857 // all points to the same atomic, so that if we happen to
858 // run into a use-after-free bug with one of these refs we
859 // are more likely to trigger a segfault.
860 if let Some(a) = a {
861 let a = a
862 .data(&caller)?
863 .unwrap()
864 .downcast_ref::<CountDrops>()
865 .unwrap();
866 assert!(a.0.load(SeqCst) <= expected_drops.load(SeqCst));
867 }
868 if let Some(b) = b {
869 let b = b
870 .data(&caller)?
871 .unwrap()
872 .downcast_ref::<CountDrops>()
873 .unwrap();
874 assert!(b.0.load(SeqCst) <= expected_drops.load(SeqCst));
875 }
876 if let Some(c) = c {
877 let c = c
878 .data(&caller)?
879 .unwrap()
880 .downcast_ref::<CountDrops>()
881 .unwrap();
882 assert!(c.0.load(SeqCst) <= expected_drops.load(SeqCst));
883 }
884 Ok(())
885 }
886 })
887 .unwrap();
888
889 let func_ty = FuncType::new(
890 store.engine(),
891 vec![],
892 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF],
893 );
894 let func = Func::new(&mut store, func_ty, {
895 let num_dropped = num_dropped.clone();
896 let expected_drops = expected_drops.clone();
897 move |mut caller, _params, results| {
898 log::info!("gc_ops: make_refs");
899
900 let a = ExternRef::new(
901 &mut caller,
902 CountDrops::new(&expected_drops, num_dropped.clone()),
903 )?;
904 let b = ExternRef::new(
905 &mut caller,
906 CountDrops::new(&expected_drops, num_dropped.clone()),
907 )?;
908 let c = ExternRef::new(
909 &mut caller,
910 CountDrops::new(&expected_drops, num_dropped.clone()),
911 )?;
912
913 log::info!("gc_ops: make_refs() -> ({a:?}, {b:?}, {c:?})");
914
915 results[0] = Some(a).into();
916 results[1] = Some(b).into();
917 results[2] = Some(c).into();
918
919 Ok(())
920 }
921 });
922 linker.define(&store, "", "make_refs", func).unwrap();
923
924 let func_ty = FuncType::new(
925 store.engine(),
926 vec![ValType::Ref(RefType::new(true, HeapType::Struct))],
927 vec![],
928 );
929
930 let func = Func::new(&mut store, func_ty, {
931 move |_caller: Caller<'_, StoreLimits>, _params, _results| {
932 log::info!("gc_ops: take_struct(<ref null struct>)");
933 Ok(())
934 }
935 });
936
937 linker.define(&store, "", "take_struct", func).unwrap();
938
939 for imp in module.imports() {
940 if imp.module() == "" {
941 let name = imp.name();
942 if name.starts_with("take_struct_") {
943 if let wasmtime::ExternType::Func(ft) = imp.ty() {
944 let imp_name = name.to_string();
945 let func =
946 Func::new(&mut store, ft.clone(), move |_caller, _params, _results| {
947 log::info!("gc_ops: {imp_name}(<typed structref>)");
948 Ok(())
949 });
950 linker.define(&store, "", name, func).unwrap();
951 }
952 }
953 }
954 }
955
956 let instance = linker.instantiate(&mut store, &module).unwrap();
957 let run = instance.get_func(&mut store, "run").unwrap();
958
959 {
960 let mut scope = RootScope::new(&mut store);
961
962 log::info!(
963 "gc_ops: begin allocating {} externref arguments",
964 ops.limits.num_globals
965 );
966 let args: Vec<_> = (0..ops.limits.num_params)
967 .map(|_| {
968 Ok(Val::ExternRef(Some(ExternRef::new(
969 &mut scope,
970 CountDrops::new(&expected_drops, num_dropped.clone()),
971 )?)))
972 })
973 .collect::<Result<_>>()?;
974 log::info!(
975 "gc_ops: end allocating {} externref arguments",
976 ops.limits.num_globals
977 );
978
979 // The generated function should always return a trap. The only two
980 // valid traps are table-out-of-bounds which happens through `table.get`
981 // and `table.set` generated or an out-of-fuel trap. Otherwise any other
982 // error is unexpected and should fail fuzzing.
983 log::info!("gc_ops: calling into Wasm `run` function");
984 let err = run.call(&mut scope, &args, &mut []).unwrap_err();
985 if err.is::<GcHeapOutOfMemory<CountDrops>>() || err.is::<GcHeapOutOfMemory<()>>() {
986 // Accept GC OOM as an allowed outcome for this fuzzer.
987 } else {
988 let trap = err
989 .downcast::<Trap>()
990 .expect("if not GC oom, error should be a Wasm trap");
991 match trap {
992 Trap::TableOutOfBounds | Trap::OutOfFuel | Trap::AllocationTooLarge => {}
993 _ => panic!("unexpected trap: {trap}"),
994 }
995 }
996 }
997
998 // Do a final GC after running the Wasm.
999 store.gc(None)?;
1000 }
1001
1002 assert_eq!(num_dropped.load(SeqCst), expected_drops.load(SeqCst));
1003 return Ok(num_gcs.load(SeqCst));
1004
1005 struct CountDrops(Arc<AtomicUsize>);
1006
1007 impl CountDrops {
1008 fn new(expected_drops: &AtomicUsize, num_dropped: Arc<AtomicUsize>) -> Self {
1009 let expected = expected_drops.fetch_add(1, SeqCst);
1010 log::info!(
1011 "CountDrops::new: expected drops: {expected} -> {}",
1012 expected + 1
1013 );
1014 Self(num_dropped)
1015 }
1016 }
1017
1018 impl Drop for CountDrops {
1019 fn drop(&mut self) {
1020 let drops = self.0.fetch_add(1, SeqCst);
1021 log::info!("CountDrops::drop: actual drops: {drops} -> {}", drops + 1);
1022 }
1023 }
1024 }
1025
1026 /// Execute a series of exception-related operations.
exception_ops(mut fuzz_config: generators::Config, mut ops: ExceptionOps) -> Result<()>1027 pub fn exception_ops(mut fuzz_config: generators::Config, mut ops: ExceptionOps) -> Result<()> {
1028 match fuzz_config.wasmtime.compiler_strategy {
1029 // Winch doesn't support exceptions; force to Cranelift.
1030 CompilerStrategy::Winch => {
1031 fuzz_config.wasmtime.compiler_strategy = CompilerStrategy::CraneliftNative;
1032 }
1033 CompilerStrategy::CraneliftNative | CompilerStrategy::CraneliftPulley => {}
1034 }
1035
1036 let module_cfg = &mut fuzz_config.module_config.config;
1037 // Force exceptions + GC on (exceptions require GC).
1038 module_cfg.gc_enabled = true;
1039 module_cfg.exceptions_enabled = true;
1040 module_cfg.reference_types_enabled = true;
1041
1042 let expected = ops.expected_result();
1043
1044 let wasm = ops.to_wasm_binary();
1045 log_wasm(&wasm);
1046
1047 let mut store = fuzz_config.to_store();
1048
1049 let module = compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config)
1050 .ok_or_else(|| wasmtime::format_err!("Compilation failed"))?;
1051 let mut linker = Linker::new(store.engine());
1052
1053 let check_ty = FuncType::new(store.engine(), [ValType::I32, ValType::I32], []);
1054 let check_func = Func::new(&mut store, check_ty, |_caller, params, _results| {
1055 let actual = params[0].unwrap_i32();
1056 let expected = params[1].unwrap_i32();
1057 assert_eq!(actual, expected, "check_i32 mismatch");
1058 Ok(())
1059 });
1060 linker.define(&store, "", "check_i32", check_func).unwrap();
1061
1062 let instance = linker.instantiate(&mut store, &module).unwrap();
1063 let run = instance.get_func(&mut store, "run").unwrap();
1064
1065 let mut results = [Val::I32(0)];
1066 match run.call(&mut store, &[], &mut results) {
1067 Ok(()) => {
1068 let actual = results[0].unwrap_i32();
1069 assert_eq!(
1070 actual, expected,
1071 "exception_ops: run returned {actual}, expected {expected} \
1072 (one catch per scenario)"
1073 );
1074 }
1075 Err(e) => {
1076 // AllocationTooLarge / GcHeapOutOfMemory are acceptable resource-limit traps.
1077 if let Some(trap) = e.downcast_ref::<Trap>() {
1078 match trap {
1079 Trap::AllocationTooLarge => return Ok(()),
1080 _ => {}
1081 }
1082 }
1083 if e.is::<GcHeapOutOfMemory<()>>() {
1084 return Ok(());
1085 }
1086 // Any other error (including ThrownException) is unexpected.
1087 panic!("exception_ops: unexpected error during execution: {e:?}");
1088 }
1089 }
1090
1091 Ok(())
1092 }
1093
1094 #[derive(Default)]
1095 struct HelperThread {
1096 state: Arc<HelperThreadState>,
1097 thread: Option<std::thread::JoinHandle<()>>,
1098 }
1099
1100 #[derive(Default)]
1101 struct HelperThreadState {
1102 should_exit: Mutex<bool>,
1103 should_exit_cvar: Condvar,
1104 }
1105
1106 impl HelperThread {
run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static)1107 fn run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static) {
1108 let state = self.state.clone();
1109 self.thread = Some(std::thread::spawn(move || {
1110 // Using our mutex/condvar we wait here for the first of `dur` to
1111 // pass or the `HelperThread` instance to get dropped.
1112 let mut should_exit = state.should_exit.lock().unwrap();
1113 while !*should_exit {
1114 let (lock, result) = state
1115 .should_exit_cvar
1116 .wait_timeout(should_exit, dur)
1117 .unwrap();
1118 should_exit = lock;
1119 // If we timed out for sure then there's no need to continue
1120 // since we'll just abort on the next `checked_sub` anyway.
1121 if result.timed_out() {
1122 closure();
1123 }
1124 }
1125 }));
1126 }
1127 }
1128
1129 impl Drop for HelperThread {
drop(&mut self)1130 fn drop(&mut self) {
1131 let thread = match self.thread.take() {
1132 Some(thread) => thread,
1133 None => return,
1134 };
1135 // Signal our thread that it should exit and wake it up in case it's
1136 // sleeping.
1137 *self.state.should_exit.lock().unwrap() = true;
1138 self.state.should_exit_cvar.notify_one();
1139
1140 // ... and then wait for the thread to exit to ensure we clean up
1141 // after ourselves.
1142 thread.join().unwrap();
1143 }
1144 }
1145
1146 /// Instantiates a wasm module and runs its exports with dummy values, all in
1147 /// an async fashion.
1148 ///
1149 /// Attempts to stress yields in host functions to ensure that exiting and
1150 /// resuming a wasm function call works.
call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32])1151 pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32]) {
1152 let mut store = config.to_store();
1153 let module = match compile_module(store.engine(), wasm, KnownValid::Yes, config) {
1154 Some(module) => module,
1155 None => return,
1156 };
1157
1158 // Configure a helper thread to periodically increment the epoch to
1159 // forcibly enable yields-via-epochs if epochs are in use. Note that this
1160 // is required because the wasm isn't otherwise guaranteed to necessarily
1161 // call any imports which will also increment the epoch.
1162 let mut helper_thread = HelperThread::default();
1163 if let generators::AsyncConfig::YieldWithEpochs { dur, .. } = &config.wasmtime.async_config {
1164 let engine = store.engine().clone();
1165 helper_thread.run_periodically(*dur, move || engine.increment_epoch());
1166 }
1167
1168 // Generate a `Linker` where all function imports are custom-built to yield
1169 // periodically and additionally increment the epoch.
1170 let mut imports = Vec::new();
1171 for import in module.imports() {
1172 let item = match import.ty() {
1173 ExternType::Func(ty) => {
1174 let poll_amt = take_poll_amt(&mut poll_amts);
1175 Func::new_async(&mut store, ty.clone(), move |caller, _, results| {
1176 let ty = ty.clone();
1177 Box::new(async move {
1178 caller.engine().increment_epoch();
1179 log::info!("yielding {poll_amt} times in import");
1180 YieldN(poll_amt).await;
1181 for (ret_ty, result) in ty.results().zip(results) {
1182 *result = ret_ty.default_value().unwrap();
1183 }
1184 Ok(())
1185 })
1186 })
1187 .into()
1188 }
1189 other_ty => match other_ty.default_value(&mut store) {
1190 Ok(item) => item,
1191 Err(e) => {
1192 log::warn!("couldn't create import for {import:?}: {e:?}");
1193 return;
1194 }
1195 },
1196 };
1197 imports.push(item);
1198 }
1199
1200 // Run the instantiation process, asynchronously, and if everything
1201 // succeeds then pull out the instance.
1202 // log::info!("starting instantiation");
1203 let instance = block_on(Timeout {
1204 future: Instance::new_async(&mut store, &module, &imports),
1205 polls: take_poll_amt(&mut poll_amts),
1206 end: Instant::now() + Duration::from_millis(2_000),
1207 });
1208 let instance = match instance {
1209 Ok(instantiation_result) => match unwrap_instance(&store, instantiation_result) {
1210 Some(instance) => instance,
1211 None => {
1212 log::info!("instantiation hit a nominal error");
1213 return; // resource exhaustion or limits met
1214 }
1215 },
1216 Err(_) => {
1217 log::info!("instantiation failed to complete");
1218 return; // Timed out or ran out of polls
1219 }
1220 };
1221
1222 // Run each export of the instance in the same manner as instantiation
1223 // above. Dummy values are passed in for argument values here:
1224 //
1225 // TODO: this should probably be more clever about passing in arguments for
1226 // example they might be used as pointers or something and always using 0
1227 // isn't too interesting.
1228 let funcs = instance
1229 .exports(&mut store)
1230 .filter_map(|e| {
1231 let name = e.name().to_string();
1232 let func = e.into_extern().into_func()?;
1233 Some((name, func))
1234 })
1235 .collect::<Vec<_>>();
1236 for (name, func) in funcs {
1237 let ty = func.ty(&store);
1238 let params = ty
1239 .params()
1240 .map(|ty| ty.default_value().unwrap())
1241 .collect::<Vec<_>>();
1242 let mut results = ty
1243 .results()
1244 .map(|ty| ty.default_value().unwrap())
1245 .collect::<Vec<_>>();
1246
1247 log::info!("invoking export {name:?}");
1248 let future = func.call_async(&mut store, ¶ms, &mut results);
1249 match block_on(Timeout {
1250 future,
1251 polls: take_poll_amt(&mut poll_amts),
1252 end: Instant::now() + Duration::from_millis(2_000),
1253 }) {
1254 // On success or too many polls, try the next export.
1255 Ok(_) | Err(Exhausted::Polls) => {}
1256
1257 // If time ran out then stop the current test case as we might have
1258 // already sucked up a lot of time for this fuzz test case so don't
1259 // keep it going.
1260 Err(Exhausted::Time) => return,
1261 }
1262 }
1263
1264 fn take_poll_amt(polls: &mut &[u32]) -> u32 {
1265 match polls.split_first() {
1266 Some((a, rest)) => {
1267 *polls = rest;
1268 *a
1269 }
1270 None => 0,
1271 }
1272 }
1273
1274 /// Helper future for applying a timeout to `future` up to either when `end`
1275 /// is the current time or `polls` polls happen.
1276 ///
1277 /// Note that this helps to time out infinite loops in wasm, for example.
1278 struct Timeout<F> {
1279 future: F,
1280 /// If the future isn't ready by this time then the `Timeout<F>` future
1281 /// will return `None`.
1282 end: Instant,
1283 /// If the future doesn't resolve itself in this many calls to `poll`
1284 /// then the `Timeout<F>` future will return `None`.
1285 polls: u32,
1286 }
1287
1288 enum Exhausted {
1289 Time,
1290 Polls,
1291 }
1292
1293 impl<F: Future> Future for Timeout<F> {
1294 type Output = Result<F::Output, Exhausted>;
1295
1296 fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
1297 let (end, polls, future) = unsafe {
1298 let me = self.get_unchecked_mut();
1299 (me.end, &mut me.polls, Pin::new_unchecked(&mut me.future))
1300 };
1301 match future.poll(cx) {
1302 Poll::Ready(val) => Poll::Ready(Ok(val)),
1303 Poll::Pending => {
1304 if Instant::now() >= end {
1305 log::warn!("future operation timed out");
1306 return Poll::Ready(Err(Exhausted::Time));
1307 }
1308 if *polls == 0 {
1309 log::warn!("future operation ran out of polls");
1310 return Poll::Ready(Err(Exhausted::Polls));
1311 }
1312 *polls -= 1;
1313 Poll::Pending
1314 }
1315 }
1316 }
1317 }
1318 }
1319
1320 #[cfg(test)]
1321 mod tests {
1322 use super::*;
1323 use crate::test::{gen_until_pass, test_n_times};
1324 use wasmparser::{Validator, WasmFeatures};
1325
1326 // Test that the `gc_ops` fuzzer eventually runs the gc function in the host.
1327 // We've historically had issues where this fuzzer accidentally wasn't fuzzing
1328 // anything for a long time so this is an attempt to prevent that from happening
1329 // again.
1330 #[test]
gc_ops_eventually_gcs()1331 fn gc_ops_eventually_gcs() {
1332 // Skip if we're under emulation because some fuzz configurations will do
1333 // large address space reservations that QEMU doesn't handle well.
1334 if std::env::var("WASMTIME_TEST_NO_HOG_MEMORY").is_ok() {
1335 return;
1336 }
1337
1338 let ok = gen_until_pass(|(config, test), _| {
1339 let result = gc_ops(config, test)?;
1340 Ok(result > 0)
1341 });
1342
1343 if !ok {
1344 panic!("gc was never found");
1345 }
1346 }
1347
1348 #[test]
module_generation_uses_expected_proposals()1349 fn module_generation_uses_expected_proposals() {
1350 // Proposals that Wasmtime supports. Eventually a module should be
1351 // generated that needs these proposals.
1352 let mut expected = WasmFeatures::MUTABLE_GLOBAL
1353 | WasmFeatures::FLOATS
1354 | WasmFeatures::SIGN_EXTENSION
1355 | WasmFeatures::SATURATING_FLOAT_TO_INT
1356 | WasmFeatures::MULTI_VALUE
1357 | WasmFeatures::BULK_MEMORY
1358 | WasmFeatures::REFERENCE_TYPES
1359 | WasmFeatures::SIMD
1360 | WasmFeatures::MULTI_MEMORY
1361 | WasmFeatures::RELAXED_SIMD
1362 | WasmFeatures::TAIL_CALL
1363 | WasmFeatures::WIDE_ARITHMETIC
1364 | WasmFeatures::MEMORY64
1365 | WasmFeatures::FUNCTION_REFERENCES
1366 | WasmFeatures::GC
1367 | WasmFeatures::GC_TYPES
1368 | WasmFeatures::CUSTOM_PAGE_SIZES
1369 | WasmFeatures::EXTENDED_CONST
1370 | WasmFeatures::EXCEPTIONS;
1371
1372 // All other features that wasmparser supports, which is presumably a
1373 // superset of the features that wasm-smith supports, are listed here as
1374 // unexpected. This means, for example, that if wasm-smith updates to
1375 // include a new proposal by default that wasmtime implements then it
1376 // will be required to be listed above.
1377 let unexpected = WasmFeatures::all() ^ expected;
1378
1379 let ok = gen_until_pass(|config: generators::Config, u| {
1380 let wasm = config.generate(u, None)?.to_bytes();
1381
1382 // Double-check the module is valid
1383 Validator::new_with_features(WasmFeatures::all()).validate_all(&wasm)?;
1384
1385 // If any of the unexpected features are removed then this module
1386 // should always be valid, otherwise something went wrong.
1387 for feature in unexpected.iter() {
1388 let ok =
1389 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm);
1390 if ok.is_err() {
1391 wasmtime::bail!("generated a module with {feature:?} but that wasn't expected");
1392 }
1393 }
1394
1395 // If any of `expected` is removed and the module fails to validate,
1396 // then that means the module requires that feature. Remove that
1397 // from the set of features we're then expecting.
1398 for feature in expected.iter() {
1399 let ok =
1400 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm);
1401 if ok.is_err() {
1402 expected ^= feature;
1403 }
1404 }
1405
1406 Ok(expected.is_empty())
1407 });
1408
1409 if !ok {
1410 panic!("never generated wasm module using {expected:?}");
1411 }
1412 }
1413
1414 #[test]
wast_smoke_test()1415 fn wast_smoke_test() {
1416 test_n_times(50, |(), u| super::wast_test(u));
1417 }
1418 }
1419