1 //! Oracles. 2 //! 3 //! Oracles take a test case and determine whether we have a bug. For example, 4 //! one of the simplest oracles is to take a Wasm binary as our input test case, 5 //! validate and instantiate it, and (implicitly) check that no assertions 6 //! failed or segfaults happened. A more complicated oracle might compare the 7 //! result of executing a Wasm file with and without optimizations enabled, and 8 //! make sure that the two executions are observably identical. 9 //! 10 //! When an oracle finds a bug, it should report it to the fuzzing engine by 11 //! panicking. 12 13 #[cfg(feature = "fuzz-spec-interpreter")] 14 pub mod diff_spec; 15 pub mod diff_wasmi; 16 pub mod diff_wasmtime; 17 pub mod dummy; 18 pub mod engine; 19 pub mod memory; 20 mod stacks; 21 22 use self::diff_wasmtime::WasmtimeInstance; 23 use self::engine::{DiffEngine, DiffInstance}; 24 use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType}; 25 use crate::single_module_fuzzer::KnownValid; 26 use arbitrary::Arbitrary; 27 pub use stacks::check_stacks; 28 use std::future::Future; 29 use std::pin::Pin; 30 use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst}; 31 use std::sync::{Arc, Condvar, Mutex}; 32 use std::task::{Context, Poll, Waker}; 33 use std::time::{Duration, Instant}; 34 use wasmtime::*; 35 use wasmtime_wast::WastContext; 36 37 #[cfg(not(any(windows, target_arch = "s390x", target_arch = "riscv64")))] 38 mod diff_v8; 39 40 static CNT: AtomicUsize = AtomicUsize::new(0); 41 42 /// Logs a wasm file to the filesystem to make it easy to figure out what wasm 43 /// was used when debugging. 44 pub fn log_wasm(wasm: &[u8]) { 45 super::init_fuzzing(); 46 47 if !log::log_enabled!(log::Level::Debug) { 48 return; 49 } 50 51 let i = CNT.fetch_add(1, SeqCst); 52 let name = format!("testcase{i}.wasm"); 53 std::fs::write(&name, wasm).expect("failed to write wasm file"); 54 log::debug!("wrote wasm file to `{name}`"); 55 let wat = format!("testcase{i}.wat"); 56 match wasmprinter::print_bytes(wasm) { 57 Ok(s) => std::fs::write(&wat, s).expect("failed to write wat file"), 58 // If wasmprinter failed remove a `*.wat` file, if any, to avoid 59 // confusing a preexisting one with this wasm which failed to get 60 // printed. 61 Err(_) => drop(std::fs::remove_file(&wat)), 62 } 63 } 64 65 /// The `T` in `Store<T>` for fuzzing stores, used to limit resource 66 /// consumption during fuzzing. 67 #[derive(Clone)] 68 pub struct StoreLimits(Arc<LimitsState>); 69 70 struct LimitsState { 71 /// Remaining memory, in bytes, left to allocate 72 remaining_memory: AtomicUsize, 73 /// Remaining amount of memory that's allowed to be copied via a growth. 74 remaining_copy_allowance: AtomicUsize, 75 /// Whether or not an allocation request has been denied 76 oom: AtomicBool, 77 } 78 79 /// Allow up to 1G which is well below the 2G limit on OSS-Fuzz and should allow 80 /// most interesting behavior. 81 const MAX_MEMORY: usize = 1 << 30; 82 83 /// Allow up to 4G of bytes to be copied (conservatively) which should enable 84 /// growth up to `MAX_MEMORY` or at least up to a relatively large amount. 85 const MAX_MEMORY_MOVED: usize = 4 << 30; 86 87 impl StoreLimits { 88 /// Creates the default set of limits for all fuzzing stores. 89 pub fn new() -> StoreLimits { 90 StoreLimits(Arc::new(LimitsState { 91 remaining_memory: AtomicUsize::new(MAX_MEMORY), 92 remaining_copy_allowance: AtomicUsize::new(MAX_MEMORY_MOVED), 93 oom: AtomicBool::new(false), 94 })) 95 } 96 97 fn alloc(&mut self, amt: usize) -> bool { 98 log::trace!("alloc {amt:#x} bytes"); 99 100 // Assume that on each allocation of memory that all previous 101 // allocations of memory are moved. This is pretty coarse but is used to 102 // help prevent against fuzz test cases that just move tons of bytes 103 // around continuously. This assumes that all previous memory was 104 // allocated in a single linear memory and growing by `amt` will require 105 // moving all the bytes to a new location. This isn't actually required 106 // all the time nor does it accurately reflect what happens all the 107 // time, but it's a coarse approximation that should be "good enough" 108 // for allowing interesting fuzz behaviors to happen while not timing 109 // out just copying bytes around. 110 let prev_size = MAX_MEMORY - self.0.remaining_memory.load(SeqCst); 111 if self 112 .0 113 .remaining_copy_allowance 114 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(prev_size)) 115 .is_err() 116 { 117 self.0.oom.store(true, SeqCst); 118 log::debug!("-> too many bytes moved, rejecting allocation"); 119 return false; 120 } 121 122 // If we're allowed to move the bytes, then also check if we're allowed 123 // to actually have this much residence at once. 124 match self 125 .0 126 .remaining_memory 127 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(amt)) 128 { 129 Ok(_) => true, 130 Err(_) => { 131 self.0.oom.store(true, SeqCst); 132 log::debug!("-> OOM hit"); 133 false 134 } 135 } 136 } 137 138 fn is_oom(&self) -> bool { 139 self.0.oom.load(SeqCst) 140 } 141 } 142 143 impl ResourceLimiter for StoreLimits { 144 fn memory_growing( 145 &mut self, 146 current: usize, 147 desired: usize, 148 _maximum: Option<usize>, 149 ) -> Result<bool> { 150 Ok(self.alloc(desired - current)) 151 } 152 153 fn table_growing( 154 &mut self, 155 current: usize, 156 desired: usize, 157 _maximum: Option<usize>, 158 ) -> Result<bool> { 159 let delta = (desired - current).saturating_mul(std::mem::size_of::<usize>()); 160 Ok(self.alloc(delta)) 161 } 162 } 163 164 /// Methods of timing out execution of a WebAssembly module 165 #[derive(Clone, Debug)] 166 pub enum Timeout { 167 /// No timeout is used, it should be guaranteed via some other means that 168 /// the input does not infinite loop. 169 None, 170 /// Fuel-based timeouts are used where the specified fuel is all that the 171 /// provided wasm module is allowed to consume. 172 Fuel(u64), 173 /// An epoch-interruption-based timeout is used with a sleeping 174 /// thread bumping the epoch counter after the specified duration. 175 Epoch(Duration), 176 } 177 178 /// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected 179 /// panic or segfault or anything else that can be detected "passively". 180 /// 181 /// The engine will be configured using provided config. 182 pub fn instantiate( 183 wasm: &[u8], 184 known_valid: KnownValid, 185 config: &generators::Config, 186 timeout: Timeout, 187 ) { 188 let mut store = config.to_store(); 189 190 let module = match compile_module(store.engine(), wasm, known_valid, config) { 191 Some(module) => module, 192 None => return, 193 }; 194 195 let mut timeout_state = HelperThread::default(); 196 match timeout { 197 Timeout::Fuel(fuel) => store.set_fuel(fuel).unwrap(), 198 199 // If a timeout is requested then we spawn a helper thread to wait for 200 // the requested time and then send us a signal to get interrupted. We 201 // also arrange for the thread's sleep to get interrupted if we return 202 // early (or the wasm returns within the time limit), which allows the 203 // thread to get torn down. 204 // 205 // This prevents us from creating a huge number of sleeping threads if 206 // this function is executed in a loop, like it does on nightly fuzzing 207 // infrastructure. 208 Timeout::Epoch(timeout) => { 209 let engine = store.engine().clone(); 210 timeout_state.run_periodically(timeout, move || engine.increment_epoch()); 211 } 212 Timeout::None => {} 213 } 214 215 instantiate_with_dummy(&mut store, &module); 216 } 217 218 /// Represents supported commands to the `instantiate_many` function. 219 #[derive(Arbitrary, Debug)] 220 pub enum Command { 221 /// Instantiates a module. 222 /// 223 /// The value is the index of the module to instantiate. 224 /// 225 /// The module instantiated will be this value modulo the number of modules provided to `instantiate_many`. 226 Instantiate(usize), 227 /// Terminates a "running" instance. 228 /// 229 /// The value is the index of the instance to terminate. 230 /// 231 /// The instance terminated will be this value modulo the number of currently running 232 /// instances. 233 /// 234 /// If no instances are running, the command will be ignored. 235 Terminate(usize), 236 } 237 238 /// Instantiates many instances from the given modules. 239 /// 240 /// The engine will be configured using the provided config. 241 /// 242 /// The modules are expected to *not* have start functions as no timeouts are configured. 243 pub fn instantiate_many( 244 modules: &[Vec<u8>], 245 known_valid: KnownValid, 246 config: &generators::Config, 247 commands: &[Command], 248 ) { 249 log::debug!("instantiate_many: {commands:#?}"); 250 251 assert!(!config.module_config.config.allow_start_export); 252 253 let engine = Engine::new(&config.to_wasmtime()).unwrap(); 254 255 let modules = modules 256 .iter() 257 .enumerate() 258 .filter_map( 259 |(i, bytes)| match compile_module(&engine, bytes, known_valid, config) { 260 Some(m) => { 261 log::debug!("successfully compiled module {i}"); 262 Some(m) 263 } 264 None => { 265 log::debug!("failed to compile module {i}"); 266 None 267 } 268 }, 269 ) 270 .collect::<Vec<_>>(); 271 272 // If no modules were valid, we're done 273 if modules.is_empty() { 274 return; 275 } 276 277 // This stores every `Store` where a successful instantiation takes place 278 let mut stores = Vec::new(); 279 let limits = StoreLimits::new(); 280 281 for command in commands { 282 match command { 283 Command::Instantiate(index) => { 284 let index = *index % modules.len(); 285 log::info!("instantiating {index}"); 286 let module = &modules[index]; 287 let mut store = Store::new(&engine, limits.clone()); 288 config.configure_store(&mut store); 289 290 if instantiate_with_dummy(&mut store, module).is_some() { 291 stores.push(Some(store)); 292 } else { 293 log::warn!("instantiation failed"); 294 } 295 } 296 Command::Terminate(index) => { 297 if stores.is_empty() { 298 continue; 299 } 300 let index = *index % stores.len(); 301 302 log::info!("dropping {index}"); 303 stores.swap_remove(index); 304 } 305 } 306 } 307 } 308 309 fn compile_module( 310 engine: &Engine, 311 bytes: &[u8], 312 known_valid: KnownValid, 313 config: &generators::Config, 314 ) -> Option<Module> { 315 log_wasm(bytes); 316 317 fn is_pcc_error(e: &anyhow::Error) -> bool { 318 // NOTE: please keep this predicate in sync with the display format of CodegenError, 319 // defined in `wasmtime/cranelift/codegen/src/result.rs` 320 e.to_string().to_lowercase().contains("proof-carrying-code") 321 } 322 323 match config.compile(engine, bytes) { 324 Ok(module) => Some(module), 325 Err(e) if is_pcc_error(&e) => { 326 panic!("pcc error in input: {e:#?}"); 327 } 328 Err(_) if known_valid == KnownValid::No => None, 329 Err(e) => { 330 if let generators::InstanceAllocationStrategy::Pooling(c) = &config.wasmtime.strategy { 331 // When using the pooling allocator, accept failures to compile 332 // when arbitrary table element limits have been exceeded as 333 // there is currently no way to constrain the generated module 334 // table types. 335 let string = format!("{e:?}"); 336 if string.contains("minimum element size") { 337 return None; 338 } 339 340 // Allow modules-failing-to-compile which exceed the requested 341 // size for each instance. This is something that is difficult 342 // to control and ensure it always succeeds, so we simply have a 343 // "random" instance size limit and if a module doesn't fit we 344 // move on to the next fuzz input. 345 if string.contains("instance allocation for this module requires") { 346 return None; 347 } 348 349 // If the pooling allocator is more restrictive on the number of 350 // tables and memories than we allowed wasm-smith to generate 351 // then allow compilation errors along those lines. 352 if c.max_tables_per_module < (config.module_config.config.max_tables as u32) 353 && string.contains("defined tables count") 354 && string.contains("exceeds the per-instance limit") 355 { 356 return None; 357 } 358 359 if c.max_memories_per_module < (config.module_config.config.max_memories as u32) 360 && string.contains("defined memories count") 361 && string.contains("exceeds the per-instance limit") 362 { 363 return None; 364 } 365 } 366 367 panic!("failed to compile module: {e:?}"); 368 } 369 } 370 } 371 372 /// Create a Wasmtime [`Instance`] from a [`Module`] and fill in all imports 373 /// with dummy values (e.g., zeroed values, immediately-trapping functions). 374 /// Also, this function catches certain fuzz-related instantiation failures and 375 /// returns `None` instead of panicking. 376 /// 377 /// TODO: we should implement tracing versions of these dummy imports that 378 /// record a trace of the order that imported functions were called in and with 379 /// what values. Like the results of exported functions, calls to imports should 380 /// also yield the same values for each configuration, and we should assert 381 /// that. 382 pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance> { 383 // Creation of imports can fail due to resource limit constraints, and then 384 // instantiation can naturally fail for a number of reasons as well. Bundle 385 // the two steps together to match on the error below. 386 let linker = dummy::dummy_linker(store, module); 387 if let Err(e) = &linker { 388 log::warn!("failed to create dummy linker: {e:?}"); 389 } 390 let instance = linker.and_then(|l| l.instantiate(&mut *store, module)); 391 unwrap_instance(store, instance) 392 } 393 394 fn unwrap_instance( 395 store: &Store<StoreLimits>, 396 instance: anyhow::Result<Instance>, 397 ) -> Option<Instance> { 398 let e = match instance { 399 Ok(i) => return Some(i), 400 Err(e) => e, 401 }; 402 403 log::debug!("failed to instantiate: {e:?}"); 404 405 // If the instantiation hit OOM for some reason then that's ok, it's 406 // expected that fuzz-generated programs try to allocate lots of 407 // stuff. 408 if store.data().is_oom() { 409 return None; 410 } 411 412 // Allow traps which can happen normally with `unreachable` or a timeout or 413 // such. 414 if e.is::<Trap>() 415 // Also allow failures to instantiate as a result of hitting pooling 416 // limits. 417 || e.is::<wasmtime::PoolConcurrencyLimitError>() 418 // And GC heap OOMs. 419 || e.is::<wasmtime::GcHeapOutOfMemory<()>>() 420 { 421 return None; 422 } 423 424 let string = e.to_string(); 425 426 // Currently we instantiate with a `Linker` which can't instantiate 427 // every single module under the sun due to using name-based resolution 428 // rather than positional-based resolution 429 if string.contains("incompatible import type") { 430 return None; 431 } 432 433 // Everything else should be a bug in the fuzzer or a bug in wasmtime 434 panic!("failed to instantiate: {e:?}"); 435 } 436 437 /// Evaluate the function identified by `name` in two different engine 438 /// instances--`lhs` and `rhs`. 439 /// 440 /// Returns `Ok(true)` if more evaluations can happen or `Ok(false)` if the 441 /// instances may have drifted apart and no more evaluations can happen. 442 /// 443 /// # Panics 444 /// 445 /// This will panic if the evaluation is different between engines (e.g., 446 /// results are different, hashed instance is different, one side traps, etc.). 447 pub fn differential( 448 lhs: &mut dyn DiffInstance, 449 lhs_engine: &dyn DiffEngine, 450 rhs: &mut WasmtimeInstance, 451 name: &str, 452 args: &[DiffValue], 453 result_tys: &[DiffValueType], 454 ) -> anyhow::Result<bool> { 455 log::debug!("Evaluating: `{name}` with {args:?}"); 456 let lhs_results = match lhs.evaluate(name, args, result_tys) { 457 Ok(Some(results)) => Ok(results), 458 Err(e) => Err(e), 459 // this engine couldn't execute this type signature, so discard this 460 // execution by returning success. 461 Ok(None) => return Ok(true), 462 }; 463 log::debug!(" -> lhs results on {}: {:?}", lhs.name(), &lhs_results); 464 465 let rhs_results = rhs 466 .evaluate(name, args, result_tys) 467 // wasmtime should be able to invoke any signature, so unwrap this result 468 .map(|results| results.unwrap()); 469 log::debug!(" -> rhs results on {}: {:?}", rhs.name(), &rhs_results); 470 471 // If Wasmtime hit its OOM condition, which is possible since it's set 472 // somewhat low while fuzzing, then don't return an error but return 473 // `false` indicating that differential fuzzing must stop. There's no 474 // guarantee the other engine has the same OOM limits as Wasmtime, and 475 // it's assumed that Wasmtime is configured to have a more conservative 476 // limit than the other engine. 477 if rhs.is_oom() { 478 return Ok(false); 479 } 480 481 match DiffEqResult::new(lhs_engine, lhs_results, rhs_results) { 482 DiffEqResult::Success(lhs, rhs) => assert_eq!(lhs, rhs), 483 DiffEqResult::Poisoned => return Ok(false), 484 DiffEqResult::Failed => {} 485 } 486 487 for (global, ty) in rhs.exported_globals() { 488 log::debug!("Comparing global `{global}`"); 489 let lhs = match lhs.get_global(&global, ty) { 490 Some(val) => val, 491 None => continue, 492 }; 493 let rhs = rhs.get_global(&global, ty).unwrap(); 494 assert_eq!(lhs, rhs); 495 } 496 for (memory, shared) in rhs.exported_memories() { 497 log::debug!("Comparing memory `{memory}`"); 498 let lhs = match lhs.get_memory(&memory, shared) { 499 Some(val) => val, 500 None => continue, 501 }; 502 let rhs = rhs.get_memory(&memory, shared).unwrap(); 503 if lhs == rhs { 504 continue; 505 } 506 eprintln!("differential memory is {} bytes long", lhs.len()); 507 eprintln!("wasmtime memory is {} bytes long", rhs.len()); 508 panic!("memories have differing values"); 509 } 510 511 Ok(true) 512 } 513 514 /// Result of comparing the result of two operations during differential 515 /// execution. 516 pub enum DiffEqResult<T, U> { 517 /// Both engines succeeded. 518 Success(T, U), 519 /// The result has reached the state where engines may have diverged and 520 /// results can no longer be compared. 521 Poisoned, 522 /// Both engines failed with the same error message, and internal state 523 /// should still match between the two engines. 524 Failed, 525 } 526 527 fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool { 528 match trap { 529 // Allocations being too large for the GC are 530 // implementation-defined. 531 Trap::AllocationTooLarge | 532 // Stack size, and therefore when overflow happens, is 533 // implementation-defined. 534 Trap::StackOverflow => true, 535 _ => false, 536 } 537 } 538 539 fn wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool { 540 match error.downcast_ref::<Trap>() { 541 Some(trap) => wasmtime_trap_is_non_deterministic(trap), 542 543 // For general, unknown errors, we can't rely on this being 544 // a deterministic Wasm failure that both engines handled 545 // identically, leaving Wasm in identical states. We could 546 // just as easily be hitting engine-specific failures, like 547 // different implementation-defined limits. So simply poison 548 // this execution and move on to the next test. 549 None => true, 550 } 551 } 552 553 impl<T, U> DiffEqResult<T, U> { 554 /// Computes the differential result from executing in two different 555 /// engines. 556 pub fn new( 557 lhs_engine: &dyn DiffEngine, 558 lhs_result: Result<T>, 559 rhs_result: Result<U>, 560 ) -> DiffEqResult<T, U> { 561 match (lhs_result, rhs_result) { 562 (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result), 563 564 // Handle all non-deterministic errors by poisoning this execution's 565 // state, so that we simply move on to the next test. 566 (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => { 567 log::debug!("lhs failed non-deterministically: {lhs:?}"); 568 DiffEqResult::Poisoned 569 } 570 (_, Err(rhs)) if wasmtime_error_is_non_deterministic(&rhs) => { 571 log::debug!("rhs failed non-deterministically: {rhs:?}"); 572 DiffEqResult::Poisoned 573 } 574 575 // Both sides failed deterministically. Check that the trap and 576 // state at the time of failure is the same. 577 (Err(lhs), Err(rhs)) => { 578 let rhs = rhs 579 .downcast::<Trap>() 580 .expect("non-traps handled in earlier match arm"); 581 582 debug_assert!( 583 !lhs_engine.is_non_deterministic_error(&lhs), 584 "non-deterministic traps handled in earlier match arm", 585 ); 586 debug_assert!( 587 !wasmtime_trap_is_non_deterministic(&rhs), 588 "non-deterministic traps handled in earlier match arm", 589 ); 590 591 lhs_engine.assert_error_match(&lhs, &rhs); 592 DiffEqResult::Failed 593 } 594 595 // A real bug is found if only one side fails. 596 (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"), 597 (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"), 598 } 599 } 600 } 601 602 /// Invoke the given API calls. 603 pub fn make_api_calls(api: generators::api::ApiCalls) { 604 use crate::generators::api::ApiCall; 605 use std::collections::HashMap; 606 607 let mut store: Option<Store<StoreLimits>> = None; 608 let mut modules: HashMap<usize, Module> = Default::default(); 609 let mut instances: HashMap<usize, Instance> = Default::default(); 610 611 for call in api.calls { 612 match call { 613 ApiCall::StoreNew(config) => { 614 log::trace!("creating store"); 615 assert!(store.is_none()); 616 store = Some(config.to_store()); 617 } 618 619 ApiCall::ModuleNew { id, wasm } => { 620 log::debug!("creating module: {id}"); 621 log_wasm(&wasm); 622 let module = match Module::new(store.as_ref().unwrap().engine(), &wasm) { 623 Ok(m) => m, 624 Err(_) => continue, 625 }; 626 let old = modules.insert(id, module); 627 assert!(old.is_none()); 628 } 629 630 ApiCall::ModuleDrop { id } => { 631 log::trace!("dropping module: {id}"); 632 drop(modules.remove(&id)); 633 } 634 635 ApiCall::InstanceNew { id, module } => { 636 log::trace!("instantiating module {module} as {id}"); 637 let module = match modules.get(&module) { 638 Some(m) => m, 639 None => continue, 640 }; 641 642 let store = store.as_mut().unwrap(); 643 if let Some(instance) = instantiate_with_dummy(store, module) { 644 instances.insert(id, instance); 645 } 646 } 647 648 ApiCall::InstanceDrop { id } => { 649 log::trace!("dropping instance {id}"); 650 instances.remove(&id); 651 } 652 653 ApiCall::CallExportedFunc { instance, nth } => { 654 log::trace!("calling instance export {instance} / {nth}"); 655 let instance = match instances.get(&instance) { 656 Some(i) => i, 657 None => { 658 // Note that we aren't guaranteed to instantiate valid 659 // modules, see comments in `InstanceNew` for details on 660 // that. But the API call generator can't know if 661 // instantiation failed, so we might not actually have 662 // this instance. When that's the case, just skip the 663 // API call and keep going. 664 continue; 665 } 666 }; 667 let store = store.as_mut().unwrap(); 668 669 let funcs = instance 670 .exports(&mut *store) 671 .filter_map(|e| match e.into_extern() { 672 Extern::Func(f) => Some(f), 673 _ => None, 674 }) 675 .collect::<Vec<_>>(); 676 677 if funcs.is_empty() { 678 continue; 679 } 680 681 let nth = nth % funcs.len(); 682 let f = &funcs[nth]; 683 let ty = f.ty(&store); 684 if let Some(params) = ty 685 .params() 686 .map(|p| p.default_value()) 687 .collect::<Option<Vec<_>>>() 688 { 689 let mut results = vec![Val::I32(0); ty.results().len()]; 690 let _ = f.call(store, ¶ms, &mut results); 691 } 692 } 693 } 694 } 695 } 696 697 /// Executes the wast `test` with the `config` specified. 698 /// 699 /// Ensures that wast tests pass regardless of the `Config`. 700 pub fn wast_test(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()> { 701 crate::init_fuzzing(); 702 703 let mut fuzz_config: generators::Config = u.arbitrary()?; 704 let test: generators::WastTest = u.arbitrary()?; 705 706 let test = &test.test; 707 708 if test.config.component_model_async() || u.arbitrary()? { 709 fuzz_config.enable_async(u)?; 710 } 711 712 // Discard tests that allocate a lot of memory as we don't want to OOM the 713 // fuzzer and we also limit memory growth which would cause the test to 714 // fail. 715 if test.config.hogs_memory.unwrap_or(false) { 716 return Err(arbitrary::Error::IncorrectFormat); 717 } 718 719 // Transform `fuzz_config` to be valid for `test` and make sure that this 720 // test is supposed to pass. 721 let wast_config = fuzz_config.make_wast_test_compliant(test); 722 if test.should_fail(&wast_config) { 723 return Err(arbitrary::Error::IncorrectFormat); 724 } 725 726 // Winch requires AVX and AVX2 for SIMD tests to pass so don't run the test 727 // if either isn't enabled. 728 if fuzz_config.wasmtime.compiler_strategy == CompilerStrategy::Winch 729 && test.config.simd() 730 && (fuzz_config 731 .wasmtime 732 .codegen_flag("has_avx") 733 .is_some_and(|value| value == "false") 734 || fuzz_config 735 .wasmtime 736 .codegen_flag("has_avx2") 737 .is_some_and(|value| value == "false")) 738 { 739 log::warn!( 740 "Skipping Wast test because Winch doesn't support SIMD tests with AVX or AVX2 disabled" 741 ); 742 return Err(arbitrary::Error::IncorrectFormat); 743 } 744 745 // Fuel and epochs don't play well with threads right now, so exclude any 746 // thread-spawning test if it looks like threads are spawned in that case. 747 if fuzz_config.wasmtime.consume_fuel || fuzz_config.wasmtime.epoch_interruption { 748 if test.contents.contains("(thread") { 749 return Err(arbitrary::Error::IncorrectFormat); 750 } 751 } 752 753 log::debug!("running {:?}", test.path); 754 let async_ = if fuzz_config.wasmtime.async_config == generators::AsyncConfig::Disabled { 755 wasmtime_wast::Async::No 756 } else { 757 wasmtime_wast::Async::Yes 758 }; 759 let mut wast_context = WastContext::new(fuzz_config.to_store(), async_); 760 wast_context 761 .register_spectest(&wasmtime_wast::SpectestConfig { 762 use_shared_memory: true, 763 suppress_prints: true, 764 }) 765 .unwrap(); 766 wast_context 767 .run_wast(test.path.to_str().unwrap(), test.contents.as_bytes()) 768 .unwrap(); 769 Ok(()) 770 } 771 772 /// Execute a series of `table.get` and `table.set` operations. 773 /// 774 /// Returns the number of `gc` operations which occurred throughout the test 775 /// case -- used to test below that gc happens reasonably soon and eventually. 776 pub fn table_ops( 777 mut fuzz_config: generators::Config, 778 mut ops: generators::table_ops::TableOps, 779 ) -> Result<usize> { 780 let expected_drops = Arc::new(AtomicUsize::new(0)); 781 let num_dropped = Arc::new(AtomicUsize::new(0)); 782 783 let num_gcs = Arc::new(AtomicUsize::new(0)); 784 { 785 fuzz_config.wasmtime.consume_fuel = true; 786 let mut store = fuzz_config.to_store(); 787 store.set_fuel(1_000).unwrap(); 788 789 let wasm = ops.to_wasm_binary(); 790 log_wasm(&wasm); 791 let module = match compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config) { 792 Some(m) => m, 793 None => return Ok(0), 794 }; 795 796 let mut linker = Linker::new(store.engine()); 797 798 // To avoid timeouts, limit the number of explicit GCs we perform per 799 // test case. 800 const MAX_GCS: usize = 5; 801 802 let func_ty = FuncType::new( 803 store.engine(), 804 vec![], 805 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 806 ); 807 let func = Func::new(&mut store, func_ty, { 808 let num_dropped = num_dropped.clone(); 809 let expected_drops = expected_drops.clone(); 810 let num_gcs = num_gcs.clone(); 811 move |mut caller: Caller<'_, StoreLimits>, _params, results| { 812 log::info!("table_ops: GC"); 813 if num_gcs.fetch_add(1, SeqCst) < MAX_GCS { 814 caller.gc(None); 815 } 816 817 let a = ExternRef::new( 818 &mut caller, 819 CountDrops::new(&expected_drops, num_dropped.clone()), 820 )?; 821 let b = ExternRef::new( 822 &mut caller, 823 CountDrops::new(&expected_drops, num_dropped.clone()), 824 )?; 825 let c = ExternRef::new( 826 &mut caller, 827 CountDrops::new(&expected_drops, num_dropped.clone()), 828 )?; 829 830 log::info!("table_ops: gc() -> ({a:?}, {b:?}, {c:?})"); 831 results[0] = Some(a).into(); 832 results[1] = Some(b).into(); 833 results[2] = Some(c).into(); 834 Ok(()) 835 } 836 }); 837 linker.define(&store, "", "gc", func).unwrap(); 838 839 linker 840 .func_wrap("", "take_refs", { 841 let expected_drops = expected_drops.clone(); 842 move |caller: Caller<'_, StoreLimits>, 843 a: Option<Rooted<ExternRef>>, 844 b: Option<Rooted<ExternRef>>, 845 c: Option<Rooted<ExternRef>>| 846 -> Result<()> { 847 log::info!("table_ops: take_refs({a:?}, {b:?}, {c:?})",); 848 849 // Do the assertion on each ref's inner data, even though it 850 // all points to the same atomic, so that if we happen to 851 // run into a use-after-free bug with one of these refs we 852 // are more likely to trigger a segfault. 853 if let Some(a) = a { 854 let a = a 855 .data(&caller)? 856 .unwrap() 857 .downcast_ref::<CountDrops>() 858 .unwrap(); 859 assert!(a.0.load(SeqCst) <= expected_drops.load(SeqCst)); 860 } 861 if let Some(b) = b { 862 let b = b 863 .data(&caller)? 864 .unwrap() 865 .downcast_ref::<CountDrops>() 866 .unwrap(); 867 assert!(b.0.load(SeqCst) <= expected_drops.load(SeqCst)); 868 } 869 if let Some(c) = c { 870 let c = c 871 .data(&caller)? 872 .unwrap() 873 .downcast_ref::<CountDrops>() 874 .unwrap(); 875 assert!(c.0.load(SeqCst) <= expected_drops.load(SeqCst)); 876 } 877 Ok(()) 878 } 879 }) 880 .unwrap(); 881 882 let func_ty = FuncType::new( 883 store.engine(), 884 vec![], 885 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 886 ); 887 let func = Func::new(&mut store, func_ty, { 888 let num_dropped = num_dropped.clone(); 889 let expected_drops = expected_drops.clone(); 890 move |mut caller, _params, results| { 891 log::info!("table_ops: make_refs"); 892 893 let a = ExternRef::new( 894 &mut caller, 895 CountDrops::new(&expected_drops, num_dropped.clone()), 896 )?; 897 let b = ExternRef::new( 898 &mut caller, 899 CountDrops::new(&expected_drops, num_dropped.clone()), 900 )?; 901 let c = ExternRef::new( 902 &mut caller, 903 CountDrops::new(&expected_drops, num_dropped.clone()), 904 )?; 905 906 log::info!("table_ops: make_refs() -> ({a:?}, {b:?}, {c:?})"); 907 908 results[0] = Some(a).into(); 909 results[1] = Some(b).into(); 910 results[2] = Some(c).into(); 911 912 Ok(()) 913 } 914 }); 915 linker.define(&store, "", "make_refs", func).unwrap(); 916 917 let instance = linker.instantiate(&mut store, &module).unwrap(); 918 let run = instance.get_func(&mut store, "run").unwrap(); 919 920 { 921 let mut scope = RootScope::new(&mut store); 922 923 log::info!( 924 "table_ops: begin allocating {} externref arguments", 925 ops.limits.num_globals 926 ); 927 let args: Vec<_> = (0..ops.limits.num_params) 928 .map(|_| { 929 Ok(Val::ExternRef(Some(ExternRef::new( 930 &mut scope, 931 CountDrops::new(&expected_drops, num_dropped.clone()), 932 )?))) 933 }) 934 .collect::<Result<_>>()?; 935 log::info!( 936 "table_ops: end allocating {} externref arguments", 937 ops.limits.num_globals 938 ); 939 940 // The generated function should always return a trap. The only two 941 // valid traps are table-out-of-bounds which happens through `table.get` 942 // and `table.set` generated or an out-of-fuel trap. Otherwise any other 943 // error is unexpected and should fail fuzzing. 944 log::info!("table_ops: calling into Wasm `run` function"); 945 let err = run.call(&mut scope, &args, &mut []).unwrap_err(); 946 match err.downcast::<GcHeapOutOfMemory<CountDrops>>() { 947 Ok(_oom) => {} 948 Err(err) => { 949 let trap = err 950 .downcast::<Trap>() 951 .expect("if not GC oom, error should be a Wasm trap"); 952 match trap { 953 Trap::TableOutOfBounds | Trap::OutOfFuel => {} 954 _ => panic!("unexpected trap: {trap}"), 955 } 956 } 957 } 958 } 959 960 // Do a final GC after running the Wasm. 961 store.gc(None); 962 } 963 964 assert_eq!(num_dropped.load(SeqCst), expected_drops.load(SeqCst)); 965 return Ok(num_gcs.load(SeqCst)); 966 967 struct CountDrops(Arc<AtomicUsize>); 968 969 impl CountDrops { 970 fn new(expected_drops: &AtomicUsize, num_dropped: Arc<AtomicUsize>) -> Self { 971 let expected = expected_drops.fetch_add(1, SeqCst); 972 log::info!( 973 "CountDrops::new: expected drops: {expected} -> {}", 974 expected + 1 975 ); 976 Self(num_dropped) 977 } 978 } 979 980 impl Drop for CountDrops { 981 fn drop(&mut self) { 982 let drops = self.0.fetch_add(1, SeqCst); 983 log::info!("CountDrops::drop: actual drops: {drops} -> {}", drops + 1); 984 } 985 } 986 } 987 988 #[derive(Default)] 989 struct HelperThread { 990 state: Arc<HelperThreadState>, 991 thread: Option<std::thread::JoinHandle<()>>, 992 } 993 994 #[derive(Default)] 995 struct HelperThreadState { 996 should_exit: Mutex<bool>, 997 should_exit_cvar: Condvar, 998 } 999 1000 impl HelperThread { 1001 fn run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static) { 1002 let state = self.state.clone(); 1003 self.thread = Some(std::thread::spawn(move || { 1004 // Using our mutex/condvar we wait here for the first of `dur` to 1005 // pass or the `HelperThread` instance to get dropped. 1006 let mut should_exit = state.should_exit.lock().unwrap(); 1007 while !*should_exit { 1008 let (lock, result) = state 1009 .should_exit_cvar 1010 .wait_timeout(should_exit, dur) 1011 .unwrap(); 1012 should_exit = lock; 1013 // If we timed out for sure then there's no need to continue 1014 // since we'll just abort on the next `checked_sub` anyway. 1015 if result.timed_out() { 1016 closure(); 1017 } 1018 } 1019 })); 1020 } 1021 } 1022 1023 impl Drop for HelperThread { 1024 fn drop(&mut self) { 1025 let thread = match self.thread.take() { 1026 Some(thread) => thread, 1027 None => return, 1028 }; 1029 // Signal our thread that it should exit and wake it up in case it's 1030 // sleeping. 1031 *self.state.should_exit.lock().unwrap() = true; 1032 self.state.should_exit_cvar.notify_one(); 1033 1034 // ... and then wait for the thread to exit to ensure we clean up 1035 // after ourselves. 1036 thread.join().unwrap(); 1037 } 1038 } 1039 1040 /// Generate and execute a `crate::generators::component_types::TestCase` using the specified `input` to create 1041 /// arbitrary types and values. 1042 pub fn dynamic_component_api_target(input: &mut arbitrary::Unstructured) -> arbitrary::Result<()> { 1043 use crate::generators::component_types; 1044 use wasmtime::component::{Component, Linker, Val}; 1045 use wasmtime_test_util::component::FuncExt; 1046 use wasmtime_test_util::component_fuzz::{ 1047 EXPORT_FUNCTION, IMPORT_FUNCTION, MAX_TYPE_DEPTH, TestCase, Type, 1048 }; 1049 1050 crate::init_fuzzing(); 1051 1052 let mut types = Vec::new(); 1053 let mut type_fuel = 500; 1054 1055 for _ in 0..5 { 1056 types.push(Type::generate(input, MAX_TYPE_DEPTH, &mut type_fuel)?); 1057 } 1058 let params = (0..input.int_in_range(0..=5)?) 1059 .map(|_| input.choose(&types)) 1060 .collect::<arbitrary::Result<Vec<_>>>()?; 1061 let result = if input.arbitrary()? { 1062 Some(input.choose(&types)?) 1063 } else { 1064 None 1065 }; 1066 1067 let case = TestCase { 1068 params, 1069 result, 1070 encoding1: input.arbitrary()?, 1071 encoding2: input.arbitrary()?, 1072 }; 1073 1074 let mut config = wasmtime_test_util::component::config(); 1075 config.debug_adapter_modules(input.arbitrary()?); 1076 let engine = Engine::new(&config).unwrap(); 1077 let mut store = Store::new(&engine, (Vec::new(), None)); 1078 let wat = case.declarations().make_component(); 1079 let wat = wat.as_bytes(); 1080 log_wasm(wat); 1081 let component = Component::new(&engine, wat).unwrap(); 1082 let mut linker = Linker::new(&engine); 1083 1084 linker 1085 .root() 1086 .func_new(IMPORT_FUNCTION, { 1087 move |mut cx: StoreContextMut<'_, (Vec<Val>, Option<Vec<Val>>)>, 1088 params: &[Val], 1089 results: &mut [Val]| 1090 -> Result<()> { 1091 log::trace!("received params {params:?}"); 1092 let (expected_args, expected_results) = cx.data_mut(); 1093 assert_eq!(params.len(), expected_args.len()); 1094 for (expected, actual) in expected_args.iter().zip(params) { 1095 assert_eq!(expected, actual); 1096 } 1097 results.clone_from_slice(&expected_results.take().unwrap()); 1098 log::trace!("returning results {results:?}"); 1099 Ok(()) 1100 } 1101 }) 1102 .unwrap(); 1103 1104 let instance = linker.instantiate(&mut store, &component).unwrap(); 1105 let func = instance.get_func(&mut store, EXPORT_FUNCTION).unwrap(); 1106 let param_tys = func.params(&store); 1107 let result_tys = func.results(&store); 1108 1109 while input.arbitrary()? { 1110 let params = param_tys 1111 .iter() 1112 .map(|(_, ty)| component_types::arbitrary_val(ty, input)) 1113 .collect::<arbitrary::Result<Vec<_>>>()?; 1114 let results = result_tys 1115 .iter() 1116 .map(|ty| component_types::arbitrary_val(ty, input)) 1117 .collect::<arbitrary::Result<Vec<_>>>()?; 1118 1119 *store.data_mut() = (params.clone(), Some(results.clone())); 1120 1121 log::trace!("passing params {params:?}"); 1122 let mut actual = vec![Val::Bool(false); results.len()]; 1123 func.call_and_post_return(&mut store, ¶ms, &mut actual) 1124 .unwrap(); 1125 log::trace!("received results {actual:?}"); 1126 assert_eq!(actual, results); 1127 } 1128 1129 Ok(()) 1130 } 1131 1132 /// Instantiates a wasm module and runs its exports with dummy values, all in 1133 /// an async fashion. 1134 /// 1135 /// Attempts to stress yields in host functions to ensure that exiting and 1136 /// resuming a wasm function call works. 1137 pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32]) { 1138 let mut store = config.to_store(); 1139 let module = match compile_module(store.engine(), wasm, KnownValid::Yes, config) { 1140 Some(module) => module, 1141 None => return, 1142 }; 1143 1144 // Configure a helper thread to periodically increment the epoch to 1145 // forcibly enable yields-via-epochs if epochs are in use. Note that this 1146 // is required because the wasm isn't otherwise guaranteed to necessarily 1147 // call any imports which will also increment the epoch. 1148 let mut helper_thread = HelperThread::default(); 1149 if let generators::AsyncConfig::YieldWithEpochs { dur, .. } = &config.wasmtime.async_config { 1150 let engine = store.engine().clone(); 1151 helper_thread.run_periodically(*dur, move || engine.increment_epoch()); 1152 } 1153 1154 // Generate a `Linker` where all function imports are custom-built to yield 1155 // periodically and additionally increment the epoch. 1156 let mut imports = Vec::new(); 1157 for import in module.imports() { 1158 let item = match import.ty() { 1159 ExternType::Func(ty) => { 1160 let poll_amt = take_poll_amt(&mut poll_amts); 1161 Func::new_async(&mut store, ty.clone(), move |caller, _, results| { 1162 let ty = ty.clone(); 1163 Box::new(async move { 1164 caller.engine().increment_epoch(); 1165 log::info!("yielding {poll_amt} times in import"); 1166 YieldN(poll_amt).await; 1167 for (ret_ty, result) in ty.results().zip(results) { 1168 *result = ret_ty.default_value().unwrap(); 1169 } 1170 Ok(()) 1171 }) 1172 }) 1173 .into() 1174 } 1175 other_ty => match other_ty.default_value(&mut store) { 1176 Ok(item) => item, 1177 Err(e) => { 1178 log::warn!("couldn't create import for {import:?}: {e:?}"); 1179 return; 1180 } 1181 }, 1182 }; 1183 imports.push(item); 1184 } 1185 1186 // Run the instantiation process, asynchronously, and if everything 1187 // succeeds then pull out the instance. 1188 // log::info!("starting instantiation"); 1189 let instance = run(Timeout { 1190 future: Instance::new_async(&mut store, &module, &imports), 1191 polls: take_poll_amt(&mut poll_amts), 1192 end: Instant::now() + Duration::from_millis(2_000), 1193 }); 1194 let instance = match instance { 1195 Ok(instantiation_result) => match unwrap_instance(&store, instantiation_result) { 1196 Some(instance) => instance, 1197 None => { 1198 log::info!("instantiation hit a nominal error"); 1199 return; // resource exhaustion or limits met 1200 } 1201 }, 1202 Err(_) => { 1203 log::info!("instantiation failed to complete"); 1204 return; // Timed out or ran out of polls 1205 } 1206 }; 1207 1208 // Run each export of the instance in the same manner as instantiation 1209 // above. Dummy values are passed in for argument values here: 1210 // 1211 // TODO: this should probably be more clever about passing in arguments for 1212 // example they might be used as pointers or something and always using 0 1213 // isn't too interesting. 1214 let funcs = instance 1215 .exports(&mut store) 1216 .filter_map(|e| { 1217 let name = e.name().to_string(); 1218 let func = e.into_extern().into_func()?; 1219 Some((name, func)) 1220 }) 1221 .collect::<Vec<_>>(); 1222 for (name, func) in funcs { 1223 let ty = func.ty(&store); 1224 let params = ty 1225 .params() 1226 .map(|ty| ty.default_value().unwrap()) 1227 .collect::<Vec<_>>(); 1228 let mut results = ty 1229 .results() 1230 .map(|ty| ty.default_value().unwrap()) 1231 .collect::<Vec<_>>(); 1232 1233 log::info!("invoking export {name:?}"); 1234 let future = func.call_async(&mut store, ¶ms, &mut results); 1235 match run(Timeout { 1236 future, 1237 polls: take_poll_amt(&mut poll_amts), 1238 end: Instant::now() + Duration::from_millis(2_000), 1239 }) { 1240 // On success or too many polls, try the next export. 1241 Ok(_) | Err(Exhausted::Polls) => {} 1242 1243 // If time ran out then stop the current test case as we might have 1244 // already sucked up a lot of time for this fuzz test case so don't 1245 // keep it going. 1246 Err(Exhausted::Time) => return, 1247 } 1248 } 1249 1250 fn take_poll_amt(polls: &mut &[u32]) -> u32 { 1251 match polls.split_first() { 1252 Some((a, rest)) => { 1253 *polls = rest; 1254 *a 1255 } 1256 None => 0, 1257 } 1258 } 1259 1260 /// Helper future to yield N times before resolving. 1261 struct YieldN(u32); 1262 1263 impl Future for YieldN { 1264 type Output = (); 1265 1266 fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<()> { 1267 if self.0 == 0 { 1268 Poll::Ready(()) 1269 } else { 1270 self.0 -= 1; 1271 cx.waker().wake_by_ref(); 1272 Poll::Pending 1273 } 1274 } 1275 } 1276 1277 /// Helper future for applying a timeout to `future` up to either when `end` 1278 /// is the current time or `polls` polls happen. 1279 /// 1280 /// Note that this helps to time out infinite loops in wasm, for example. 1281 struct Timeout<F> { 1282 future: F, 1283 /// If the future isn't ready by this time then the `Timeout<F>` future 1284 /// will return `None`. 1285 end: Instant, 1286 /// If the future doesn't resolve itself in this many calls to `poll` 1287 /// then the `Timeout<F>` future will return `None`. 1288 polls: u32, 1289 } 1290 1291 enum Exhausted { 1292 Time, 1293 Polls, 1294 } 1295 1296 impl<F: Future> Future for Timeout<F> { 1297 type Output = Result<F::Output, Exhausted>; 1298 1299 fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 1300 let (end, polls, future) = unsafe { 1301 let me = self.get_unchecked_mut(); 1302 (me.end, &mut me.polls, Pin::new_unchecked(&mut me.future)) 1303 }; 1304 match future.poll(cx) { 1305 Poll::Ready(val) => Poll::Ready(Ok(val)), 1306 Poll::Pending => { 1307 if Instant::now() >= end { 1308 log::warn!("future operation timed out"); 1309 return Poll::Ready(Err(Exhausted::Time)); 1310 } 1311 if *polls == 0 { 1312 log::warn!("future operation ran out of polls"); 1313 return Poll::Ready(Err(Exhausted::Polls)); 1314 } 1315 *polls -= 1; 1316 Poll::Pending 1317 } 1318 } 1319 } 1320 } 1321 1322 fn run<F: Future>(future: F) -> F::Output { 1323 let mut f = Box::pin(future); 1324 let mut cx = Context::from_waker(Waker::noop()); 1325 loop { 1326 match f.as_mut().poll(&mut cx) { 1327 Poll::Ready(val) => break val, 1328 Poll::Pending => {} 1329 } 1330 } 1331 } 1332 } 1333 1334 #[cfg(test)] 1335 mod tests { 1336 use super::*; 1337 use arbitrary::Unstructured; 1338 use rand::prelude::*; 1339 use wasmparser::{Validator, WasmFeatures}; 1340 1341 fn gen_until_pass<T: for<'a> Arbitrary<'a>>( 1342 mut f: impl FnMut(T, &mut Unstructured<'_>) -> Result<bool>, 1343 ) -> bool { 1344 let mut rng = SmallRng::seed_from_u64(0); 1345 let mut buf = vec![0; 2048]; 1346 let n = 3000; 1347 for _ in 0..n { 1348 rng.fill_bytes(&mut buf); 1349 let mut u = Unstructured::new(&buf); 1350 1351 if let Ok(config) = u.arbitrary() { 1352 if f(config, &mut u).unwrap() { 1353 return true; 1354 } 1355 } 1356 } 1357 false 1358 } 1359 1360 /// Runs `f` with random data until it returns `Ok(())` `iters` times. 1361 fn test_n_times<T: for<'a> Arbitrary<'a>>( 1362 iters: u32, 1363 mut f: impl FnMut(T, &mut Unstructured<'_>) -> arbitrary::Result<()>, 1364 ) { 1365 let mut to_test = 0..iters; 1366 let ok = gen_until_pass(|a, b| { 1367 if f(a, b).is_ok() { 1368 Ok(to_test.next().is_none()) 1369 } else { 1370 Ok(false) 1371 } 1372 }); 1373 assert!(ok); 1374 } 1375 1376 // Test that the `table_ops` fuzzer eventually runs the gc function in the host. 1377 // We've historically had issues where this fuzzer accidentally wasn't fuzzing 1378 // anything for a long time so this is an attempt to prevent that from happening 1379 // again. 1380 #[test] 1381 fn table_ops_eventually_gcs() { 1382 // Skip if we're under emulation because some fuzz configurations will do 1383 // large address space reservations that QEMU doesn't handle well. 1384 if std::env::var("WASMTIME_TEST_NO_HOG_MEMORY").is_ok() { 1385 return; 1386 } 1387 1388 let ok = gen_until_pass(|(config, test), _| { 1389 let result = table_ops(config, test)?; 1390 Ok(result > 0) 1391 }); 1392 1393 if !ok { 1394 panic!("gc was never found"); 1395 } 1396 } 1397 1398 #[test] 1399 fn module_generation_uses_expected_proposals() { 1400 // Proposals that Wasmtime supports. Eventually a module should be 1401 // generated that needs these proposals. 1402 let mut expected = WasmFeatures::MUTABLE_GLOBAL 1403 | WasmFeatures::FLOATS 1404 | WasmFeatures::SIGN_EXTENSION 1405 | WasmFeatures::SATURATING_FLOAT_TO_INT 1406 | WasmFeatures::MULTI_VALUE 1407 | WasmFeatures::BULK_MEMORY 1408 | WasmFeatures::REFERENCE_TYPES 1409 | WasmFeatures::SIMD 1410 | WasmFeatures::MULTI_MEMORY 1411 | WasmFeatures::RELAXED_SIMD 1412 | WasmFeatures::THREADS 1413 | WasmFeatures::TAIL_CALL 1414 | WasmFeatures::WIDE_ARITHMETIC 1415 | WasmFeatures::MEMORY64 1416 | WasmFeatures::FUNCTION_REFERENCES 1417 | WasmFeatures::GC 1418 | WasmFeatures::GC_TYPES 1419 | WasmFeatures::CUSTOM_PAGE_SIZES 1420 | WasmFeatures::EXTENDED_CONST; 1421 1422 // All other features that wasmparser supports, which is presumably a 1423 // superset of the features that wasm-smith supports, are listed here as 1424 // unexpected. This means, for example, that if wasm-smith updates to 1425 // include a new proposal by default that wasmtime implements then it 1426 // will be required to be listed above. 1427 let unexpected = WasmFeatures::all() ^ expected; 1428 1429 let ok = gen_until_pass(|config: generators::Config, u| { 1430 let wasm = config.generate(u, None)?.to_bytes(); 1431 1432 // Double-check the module is valid 1433 Validator::new_with_features(WasmFeatures::all()).validate_all(&wasm)?; 1434 1435 // If any of the unexpected features are removed then this module 1436 // should always be valid, otherwise something went wrong. 1437 for feature in unexpected.iter() { 1438 let ok = 1439 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1440 if ok.is_err() { 1441 anyhow::bail!("generated a module with {feature:?} but that wasn't expected"); 1442 } 1443 } 1444 1445 // If any of `expected` is removed and the module fails to validate, 1446 // then that means the module requires that feature. Remove that 1447 // from the set of features we're then expecting. 1448 for feature in expected.iter() { 1449 let ok = 1450 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1451 if ok.is_err() { 1452 expected ^= feature; 1453 } 1454 } 1455 1456 Ok(expected.is_empty()) 1457 }); 1458 1459 if !ok { 1460 panic!("never generated wasm module using {expected:?}"); 1461 } 1462 } 1463 1464 #[test] 1465 fn wast_smoke_test() { 1466 test_n_times(50, |(), u| super::wast_test(u)); 1467 } 1468 } 1469