1 //! Oracles.
2 //!
3 //! Oracles take a test case and determine whether we have a bug. For example,
4 //! one of the simplest oracles is to take a Wasm binary as our input test case,
5 //! validate and instantiate it, and (implicitly) check that no assertions
6 //! failed or segfaults happened. A more complicated oracle might compare the
7 //! result of executing a Wasm file with and without optimizations enabled, and
8 //! make sure that the two executions are observably identical.
9 //!
10 //! When an oracle finds a bug, it should report it to the fuzzing engine by
11 //! panicking.
12 
13 #[cfg(feature = "fuzz-spec-interpreter")]
14 pub mod diff_spec;
15 pub mod diff_wasmi;
16 pub mod diff_wasmtime;
17 pub mod dummy;
18 pub mod engine;
19 pub mod memory;
20 mod stacks;
21 
22 use self::diff_wasmtime::WasmtimeInstance;
23 use self::engine::{DiffEngine, DiffInstance};
24 use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType};
25 use crate::single_module_fuzzer::KnownValid;
26 use arbitrary::Arbitrary;
27 pub use stacks::check_stacks;
28 use std::future::Future;
29 use std::pin::Pin;
30 use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst};
31 use std::sync::{Arc, Condvar, Mutex};
32 use std::task::{Context, Poll, Waker};
33 use std::time::{Duration, Instant};
34 use wasmtime::*;
35 use wasmtime_wast::WastContext;
36 
37 #[cfg(not(any(windows, target_arch = "s390x", target_arch = "riscv64")))]
38 mod diff_v8;
39 
40 static CNT: AtomicUsize = AtomicUsize::new(0);
41 
42 /// Logs a wasm file to the filesystem to make it easy to figure out what wasm
43 /// was used when debugging.
44 pub fn log_wasm(wasm: &[u8]) {
45     super::init_fuzzing();
46 
47     if !log::log_enabled!(log::Level::Debug) {
48         return;
49     }
50 
51     let i = CNT.fetch_add(1, SeqCst);
52     let name = format!("testcase{i}.wasm");
53     std::fs::write(&name, wasm).expect("failed to write wasm file");
54     log::debug!("wrote wasm file to `{name}`");
55     let wat = format!("testcase{i}.wat");
56     match wasmprinter::print_bytes(wasm) {
57         Ok(s) => std::fs::write(&wat, s).expect("failed to write wat file"),
58         // If wasmprinter failed remove a `*.wat` file, if any, to avoid
59         // confusing a preexisting one with this wasm which failed to get
60         // printed.
61         Err(_) => drop(std::fs::remove_file(&wat)),
62     }
63 }
64 
65 /// The `T` in `Store<T>` for fuzzing stores, used to limit resource
66 /// consumption during fuzzing.
67 #[derive(Clone)]
68 pub struct StoreLimits(Arc<LimitsState>);
69 
70 struct LimitsState {
71     /// Remaining memory, in bytes, left to allocate
72     remaining_memory: AtomicUsize,
73     /// Remaining amount of memory that's allowed to be copied via a growth.
74     remaining_copy_allowance: AtomicUsize,
75     /// Whether or not an allocation request has been denied
76     oom: AtomicBool,
77 }
78 
79 /// Allow up to 1G which is well below the 2G limit on OSS-Fuzz and should allow
80 /// most interesting behavior.
81 const MAX_MEMORY: usize = 1 << 30;
82 
83 /// Allow up to 4G of bytes to be copied (conservatively) which should enable
84 /// growth up to `MAX_MEMORY` or at least up to a relatively large amount.
85 const MAX_MEMORY_MOVED: usize = 4 << 30;
86 
87 impl StoreLimits {
88     /// Creates the default set of limits for all fuzzing stores.
89     pub fn new() -> StoreLimits {
90         StoreLimits(Arc::new(LimitsState {
91             remaining_memory: AtomicUsize::new(MAX_MEMORY),
92             remaining_copy_allowance: AtomicUsize::new(MAX_MEMORY_MOVED),
93             oom: AtomicBool::new(false),
94         }))
95     }
96 
97     fn alloc(&mut self, amt: usize) -> bool {
98         log::trace!("alloc {amt:#x} bytes");
99 
100         // Assume that on each allocation of memory that all previous
101         // allocations of memory are moved. This is pretty coarse but is used to
102         // help prevent against fuzz test cases that just move tons of bytes
103         // around continuously. This assumes that all previous memory was
104         // allocated in a single linear memory and growing by `amt` will require
105         // moving all the bytes to a new location. This isn't actually required
106         // all the time nor does it accurately reflect what happens all the
107         // time, but it's a coarse approximation that should be "good enough"
108         // for allowing interesting fuzz behaviors to happen while not timing
109         // out just copying bytes around.
110         let prev_size = MAX_MEMORY - self.0.remaining_memory.load(SeqCst);
111         if self
112             .0
113             .remaining_copy_allowance
114             .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(prev_size))
115             .is_err()
116         {
117             self.0.oom.store(true, SeqCst);
118             log::debug!("-> too many bytes moved, rejecting allocation");
119             return false;
120         }
121 
122         // If we're allowed to move the bytes, then also check if we're allowed
123         // to actually have this much residence at once.
124         match self
125             .0
126             .remaining_memory
127             .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(amt))
128         {
129             Ok(_) => true,
130             Err(_) => {
131                 self.0.oom.store(true, SeqCst);
132                 log::debug!("-> OOM hit");
133                 false
134             }
135         }
136     }
137 
138     fn is_oom(&self) -> bool {
139         self.0.oom.load(SeqCst)
140     }
141 }
142 
143 impl ResourceLimiter for StoreLimits {
144     fn memory_growing(
145         &mut self,
146         current: usize,
147         desired: usize,
148         _maximum: Option<usize>,
149     ) -> Result<bool> {
150         Ok(self.alloc(desired - current))
151     }
152 
153     fn table_growing(
154         &mut self,
155         current: usize,
156         desired: usize,
157         _maximum: Option<usize>,
158     ) -> Result<bool> {
159         let delta = (desired - current).saturating_mul(std::mem::size_of::<usize>());
160         Ok(self.alloc(delta))
161     }
162 }
163 
164 /// Methods of timing out execution of a WebAssembly module
165 #[derive(Clone, Debug)]
166 pub enum Timeout {
167     /// No timeout is used, it should be guaranteed via some other means that
168     /// the input does not infinite loop.
169     None,
170     /// Fuel-based timeouts are used where the specified fuel is all that the
171     /// provided wasm module is allowed to consume.
172     Fuel(u64),
173     /// An epoch-interruption-based timeout is used with a sleeping
174     /// thread bumping the epoch counter after the specified duration.
175     Epoch(Duration),
176 }
177 
178 /// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected
179 /// panic or segfault or anything else that can be detected "passively".
180 ///
181 /// The engine will be configured using provided config.
182 pub fn instantiate(
183     wasm: &[u8],
184     known_valid: KnownValid,
185     config: &generators::Config,
186     timeout: Timeout,
187 ) {
188     let mut store = config.to_store();
189 
190     let module = match compile_module(store.engine(), wasm, known_valid, config) {
191         Some(module) => module,
192         None => return,
193     };
194 
195     let mut timeout_state = HelperThread::default();
196     match timeout {
197         Timeout::Fuel(fuel) => store.set_fuel(fuel).unwrap(),
198 
199         // If a timeout is requested then we spawn a helper thread to wait for
200         // the requested time and then send us a signal to get interrupted. We
201         // also arrange for the thread's sleep to get interrupted if we return
202         // early (or the wasm returns within the time limit), which allows the
203         // thread to get torn down.
204         //
205         // This prevents us from creating a huge number of sleeping threads if
206         // this function is executed in a loop, like it does on nightly fuzzing
207         // infrastructure.
208         Timeout::Epoch(timeout) => {
209             let engine = store.engine().clone();
210             timeout_state.run_periodically(timeout, move || engine.increment_epoch());
211         }
212         Timeout::None => {}
213     }
214 
215     instantiate_with_dummy(&mut store, &module);
216 }
217 
218 /// Represents supported commands to the `instantiate_many` function.
219 #[derive(Arbitrary, Debug)]
220 pub enum Command {
221     /// Instantiates a module.
222     ///
223     /// The value is the index of the module to instantiate.
224     ///
225     /// The module instantiated will be this value modulo the number of modules provided to `instantiate_many`.
226     Instantiate(usize),
227     /// Terminates a "running" instance.
228     ///
229     /// The value is the index of the instance to terminate.
230     ///
231     /// The instance terminated will be this value modulo the number of currently running
232     /// instances.
233     ///
234     /// If no instances are running, the command will be ignored.
235     Terminate(usize),
236 }
237 
238 /// Instantiates many instances from the given modules.
239 ///
240 /// The engine will be configured using the provided config.
241 ///
242 /// The modules are expected to *not* have start functions as no timeouts are configured.
243 pub fn instantiate_many(
244     modules: &[Vec<u8>],
245     known_valid: KnownValid,
246     config: &generators::Config,
247     commands: &[Command],
248 ) {
249     log::debug!("instantiate_many: {commands:#?}");
250 
251     assert!(!config.module_config.config.allow_start_export);
252 
253     let engine = Engine::new(&config.to_wasmtime()).unwrap();
254 
255     let modules = modules
256         .iter()
257         .enumerate()
258         .filter_map(
259             |(i, bytes)| match compile_module(&engine, bytes, known_valid, config) {
260                 Some(m) => {
261                     log::debug!("successfully compiled module {i}");
262                     Some(m)
263                 }
264                 None => {
265                     log::debug!("failed to compile module {i}");
266                     None
267                 }
268             },
269         )
270         .collect::<Vec<_>>();
271 
272     // If no modules were valid, we're done
273     if modules.is_empty() {
274         return;
275     }
276 
277     // This stores every `Store` where a successful instantiation takes place
278     let mut stores = Vec::new();
279     let limits = StoreLimits::new();
280 
281     for command in commands {
282         match command {
283             Command::Instantiate(index) => {
284                 let index = *index % modules.len();
285                 log::info!("instantiating {index}");
286                 let module = &modules[index];
287                 let mut store = Store::new(&engine, limits.clone());
288                 config.configure_store(&mut store);
289 
290                 if instantiate_with_dummy(&mut store, module).is_some() {
291                     stores.push(Some(store));
292                 } else {
293                     log::warn!("instantiation failed");
294                 }
295             }
296             Command::Terminate(index) => {
297                 if stores.is_empty() {
298                     continue;
299                 }
300                 let index = *index % stores.len();
301 
302                 log::info!("dropping {index}");
303                 stores.swap_remove(index);
304             }
305         }
306     }
307 }
308 
309 fn compile_module(
310     engine: &Engine,
311     bytes: &[u8],
312     known_valid: KnownValid,
313     config: &generators::Config,
314 ) -> Option<Module> {
315     log_wasm(bytes);
316 
317     fn is_pcc_error(e: &anyhow::Error) -> bool {
318         // NOTE: please keep this predicate in sync with the display format of CodegenError,
319         // defined in `wasmtime/cranelift/codegen/src/result.rs`
320         e.to_string().to_lowercase().contains("proof-carrying-code")
321     }
322 
323     match config.compile(engine, bytes) {
324         Ok(module) => Some(module),
325         Err(e) if is_pcc_error(&e) => {
326             panic!("pcc error in input: {e:#?}");
327         }
328         Err(_) if known_valid == KnownValid::No => None,
329         Err(e) => {
330             if let generators::InstanceAllocationStrategy::Pooling(c) = &config.wasmtime.strategy {
331                 // When using the pooling allocator, accept failures to compile
332                 // when arbitrary table element limits have been exceeded as
333                 // there is currently no way to constrain the generated module
334                 // table types.
335                 let string = format!("{e:?}");
336                 if string.contains("minimum element size") {
337                     return None;
338                 }
339 
340                 // Allow modules-failing-to-compile which exceed the requested
341                 // size for each instance. This is something that is difficult
342                 // to control and ensure it always succeeds, so we simply have a
343                 // "random" instance size limit and if a module doesn't fit we
344                 // move on to the next fuzz input.
345                 if string.contains("instance allocation for this module requires") {
346                     return None;
347                 }
348 
349                 // If the pooling allocator is more restrictive on the number of
350                 // tables and memories than we allowed wasm-smith to generate
351                 // then allow compilation errors along those lines.
352                 if c.max_tables_per_module < (config.module_config.config.max_tables as u32)
353                     && string.contains("defined tables count")
354                     && string.contains("exceeds the per-instance limit")
355                 {
356                     return None;
357                 }
358 
359                 if c.max_memories_per_module < (config.module_config.config.max_memories as u32)
360                     && string.contains("defined memories count")
361                     && string.contains("exceeds the per-instance limit")
362                 {
363                     return None;
364                 }
365             }
366 
367             panic!("failed to compile module: {e:?}");
368         }
369     }
370 }
371 
372 /// Create a Wasmtime [`Instance`] from a [`Module`] and fill in all imports
373 /// with dummy values (e.g., zeroed values, immediately-trapping functions).
374 /// Also, this function catches certain fuzz-related instantiation failures and
375 /// returns `None` instead of panicking.
376 ///
377 /// TODO: we should implement tracing versions of these dummy imports that
378 /// record a trace of the order that imported functions were called in and with
379 /// what values. Like the results of exported functions, calls to imports should
380 /// also yield the same values for each configuration, and we should assert
381 /// that.
382 pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance> {
383     // Creation of imports can fail due to resource limit constraints, and then
384     // instantiation can naturally fail for a number of reasons as well. Bundle
385     // the two steps together to match on the error below.
386     let linker = dummy::dummy_linker(store, module);
387     if let Err(e) = &linker {
388         log::warn!("failed to create dummy linker: {e:?}");
389     }
390     let instance = linker.and_then(|l| l.instantiate(&mut *store, module));
391     unwrap_instance(store, instance)
392 }
393 
394 fn unwrap_instance(
395     store: &Store<StoreLimits>,
396     instance: anyhow::Result<Instance>,
397 ) -> Option<Instance> {
398     let e = match instance {
399         Ok(i) => return Some(i),
400         Err(e) => e,
401     };
402 
403     log::debug!("failed to instantiate: {e:?}");
404 
405     // If the instantiation hit OOM for some reason then that's ok, it's
406     // expected that fuzz-generated programs try to allocate lots of
407     // stuff.
408     if store.data().is_oom() {
409         return None;
410     }
411 
412     // Allow traps which can happen normally with `unreachable` or a timeout or
413     // such.
414     if e.is::<Trap>()
415         // Also allow failures to instantiate as a result of hitting pooling
416         // limits.
417         || e.is::<wasmtime::PoolConcurrencyLimitError>()
418         // And GC heap OOMs.
419         || e.is::<wasmtime::GcHeapOutOfMemory<()>>()
420         // And thrown exceptions.
421         || e.is::<wasmtime::ThrownException>()
422     {
423         return None;
424     }
425 
426     let string = e.to_string();
427 
428     // Currently we instantiate with a `Linker` which can't instantiate
429     // every single module under the sun due to using name-based resolution
430     // rather than positional-based resolution
431     if string.contains("incompatible import type") {
432         return None;
433     }
434 
435     // Everything else should be a bug in the fuzzer or a bug in wasmtime
436     panic!("failed to instantiate: {e:?}");
437 }
438 
439 /// Evaluate the function identified by `name` in two different engine
440 /// instances--`lhs` and `rhs`.
441 ///
442 /// Returns `Ok(true)` if more evaluations can happen or `Ok(false)` if the
443 /// instances may have drifted apart and no more evaluations can happen.
444 ///
445 /// # Panics
446 ///
447 /// This will panic if the evaluation is different between engines (e.g.,
448 /// results are different, hashed instance is different, one side traps, etc.).
449 pub fn differential(
450     lhs: &mut dyn DiffInstance,
451     lhs_engine: &dyn DiffEngine,
452     rhs: &mut WasmtimeInstance,
453     name: &str,
454     args: &[DiffValue],
455     result_tys: &[DiffValueType],
456 ) -> anyhow::Result<bool> {
457     log::debug!("Evaluating: `{name}` with {args:?}");
458     let lhs_results = match lhs.evaluate(name, args, result_tys) {
459         Ok(Some(results)) => Ok(results),
460         Err(e) => Err(e),
461         // this engine couldn't execute this type signature, so discard this
462         // execution by returning success.
463         Ok(None) => return Ok(true),
464     };
465     log::debug!(" -> lhs results on {}: {:?}", lhs.name(), &lhs_results);
466 
467     let rhs_results = rhs
468         .evaluate(name, args, result_tys)
469         // wasmtime should be able to invoke any signature, so unwrap this result
470         .map(|results| results.unwrap());
471     log::debug!(" -> rhs results on {}: {:?}", rhs.name(), &rhs_results);
472 
473     // If Wasmtime hit its OOM condition, which is possible since it's set
474     // somewhat low while fuzzing, then don't return an error but return
475     // `false` indicating that differential fuzzing must stop. There's no
476     // guarantee the other engine has the same OOM limits as Wasmtime, and
477     // it's assumed that Wasmtime is configured to have a more conservative
478     // limit than the other engine.
479     if rhs.is_oom() {
480         return Ok(false);
481     }
482 
483     match DiffEqResult::new(lhs_engine, lhs_results, rhs_results) {
484         DiffEqResult::Success(lhs, rhs) => assert_eq!(lhs, rhs),
485         DiffEqResult::Poisoned => return Ok(false),
486         DiffEqResult::Failed => {}
487     }
488 
489     for (global, ty) in rhs.exported_globals() {
490         log::debug!("Comparing global `{global}`");
491         let lhs = match lhs.get_global(&global, ty) {
492             Some(val) => val,
493             None => continue,
494         };
495         let rhs = rhs.get_global(&global, ty).unwrap();
496         assert_eq!(lhs, rhs);
497     }
498     for (memory, shared) in rhs.exported_memories() {
499         log::debug!("Comparing memory `{memory}`");
500         let lhs = match lhs.get_memory(&memory, shared) {
501             Some(val) => val,
502             None => continue,
503         };
504         let rhs = rhs.get_memory(&memory, shared).unwrap();
505         if lhs == rhs {
506             continue;
507         }
508         eprintln!("differential memory is {} bytes long", lhs.len());
509         eprintln!("wasmtime memory is     {} bytes long", rhs.len());
510         panic!("memories have differing values");
511     }
512 
513     Ok(true)
514 }
515 
516 /// Result of comparing the result of two operations during differential
517 /// execution.
518 pub enum DiffEqResult<T, U> {
519     /// Both engines succeeded.
520     Success(T, U),
521     /// The result has reached the state where engines may have diverged and
522     /// results can no longer be compared.
523     Poisoned,
524     /// Both engines failed with the same error message, and internal state
525     /// should still match between the two engines.
526     Failed,
527 }
528 
529 fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool {
530     match trap {
531         // Allocations being too large for the GC are
532         // implementation-defined.
533         Trap::AllocationTooLarge |
534         // Stack size, and therefore when overflow happens, is
535         // implementation-defined.
536         Trap::StackOverflow => true,
537         _ => false,
538     }
539 }
540 
541 fn wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool {
542     match error.downcast_ref::<Trap>() {
543         Some(trap) => wasmtime_trap_is_non_deterministic(trap),
544 
545         // For general, unknown errors, we can't rely on this being
546         // a deterministic Wasm failure that both engines handled
547         // identically, leaving Wasm in identical states. We could
548         // just as easily be hitting engine-specific failures, like
549         // different implementation-defined limits. So simply poison
550         // this execution and move on to the next test.
551         None => true,
552     }
553 }
554 
555 impl<T, U> DiffEqResult<T, U> {
556     /// Computes the differential result from executing in two different
557     /// engines.
558     pub fn new(
559         lhs_engine: &dyn DiffEngine,
560         lhs_result: Result<T>,
561         rhs_result: Result<U>,
562     ) -> DiffEqResult<T, U> {
563         match (lhs_result, rhs_result) {
564             (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result),
565 
566             // Handle all non-deterministic errors by poisoning this execution's
567             // state, so that we simply move on to the next test.
568             (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => {
569                 log::debug!("lhs failed non-deterministically: {lhs:?}");
570                 DiffEqResult::Poisoned
571             }
572             (_, Err(rhs)) if wasmtime_error_is_non_deterministic(&rhs) => {
573                 log::debug!("rhs failed non-deterministically: {rhs:?}");
574                 DiffEqResult::Poisoned
575             }
576 
577             // Both sides failed deterministically. Check that the trap and
578             // state at the time of failure is the same.
579             (Err(lhs), Err(rhs)) => {
580                 let rhs = rhs
581                     .downcast::<Trap>()
582                     .expect("non-traps handled in earlier match arm");
583 
584                 debug_assert!(
585                     !lhs_engine.is_non_deterministic_error(&lhs),
586                     "non-deterministic traps handled in earlier match arm",
587                 );
588                 debug_assert!(
589                     !wasmtime_trap_is_non_deterministic(&rhs),
590                     "non-deterministic traps handled in earlier match arm",
591                 );
592 
593                 lhs_engine.assert_error_match(&lhs, &rhs);
594                 DiffEqResult::Failed
595             }
596 
597             // A real bug is found if only one side fails.
598             (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"),
599             (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"),
600         }
601     }
602 }
603 
604 /// Invoke the given API calls.
605 pub fn make_api_calls(api: generators::api::ApiCalls) {
606     use crate::generators::api::ApiCall;
607     use std::collections::HashMap;
608 
609     let mut store: Option<Store<StoreLimits>> = None;
610     let mut modules: HashMap<usize, Module> = Default::default();
611     let mut instances: HashMap<usize, Instance> = Default::default();
612 
613     for call in api.calls {
614         match call {
615             ApiCall::StoreNew(config) => {
616                 log::trace!("creating store");
617                 assert!(store.is_none());
618                 store = Some(config.to_store());
619             }
620 
621             ApiCall::ModuleNew { id, wasm } => {
622                 log::debug!("creating module: {id}");
623                 log_wasm(&wasm);
624                 let module = match Module::new(store.as_ref().unwrap().engine(), &wasm) {
625                     Ok(m) => m,
626                     Err(_) => continue,
627                 };
628                 let old = modules.insert(id, module);
629                 assert!(old.is_none());
630             }
631 
632             ApiCall::ModuleDrop { id } => {
633                 log::trace!("dropping module: {id}");
634                 drop(modules.remove(&id));
635             }
636 
637             ApiCall::InstanceNew { id, module } => {
638                 log::trace!("instantiating module {module} as {id}");
639                 let module = match modules.get(&module) {
640                     Some(m) => m,
641                     None => continue,
642                 };
643 
644                 let store = store.as_mut().unwrap();
645                 if let Some(instance) = instantiate_with_dummy(store, module) {
646                     instances.insert(id, instance);
647                 }
648             }
649 
650             ApiCall::InstanceDrop { id } => {
651                 log::trace!("dropping instance {id}");
652                 instances.remove(&id);
653             }
654 
655             ApiCall::CallExportedFunc { instance, nth } => {
656                 log::trace!("calling instance export {instance} / {nth}");
657                 let instance = match instances.get(&instance) {
658                     Some(i) => i,
659                     None => {
660                         // Note that we aren't guaranteed to instantiate valid
661                         // modules, see comments in `InstanceNew` for details on
662                         // that. But the API call generator can't know if
663                         // instantiation failed, so we might not actually have
664                         // this instance. When that's the case, just skip the
665                         // API call and keep going.
666                         continue;
667                     }
668                 };
669                 let store = store.as_mut().unwrap();
670 
671                 let funcs = instance
672                     .exports(&mut *store)
673                     .filter_map(|e| match e.into_extern() {
674                         Extern::Func(f) => Some(f),
675                         _ => None,
676                     })
677                     .collect::<Vec<_>>();
678 
679                 if funcs.is_empty() {
680                     continue;
681                 }
682 
683                 let nth = nth % funcs.len();
684                 let f = &funcs[nth];
685                 let ty = f.ty(&store);
686                 if let Some(params) = ty
687                     .params()
688                     .map(|p| p.default_value())
689                     .collect::<Option<Vec<_>>>()
690                 {
691                     let mut results = vec![Val::I32(0); ty.results().len()];
692                     let _ = f.call(store, &params, &mut results);
693                 }
694             }
695         }
696     }
697 }
698 
699 /// Executes the wast `test` with the `config` specified.
700 ///
701 /// Ensures that wast tests pass regardless of the `Config`.
702 pub fn wast_test(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()> {
703     crate::init_fuzzing();
704 
705     let mut fuzz_config: generators::Config = u.arbitrary()?;
706     let test: generators::WastTest = u.arbitrary()?;
707 
708     let test = &test.test;
709 
710     if test.config.component_model_async() || u.arbitrary()? {
711         fuzz_config.enable_async(u)?;
712     }
713 
714     // Discard tests that allocate a lot of memory as we don't want to OOM the
715     // fuzzer and we also limit memory growth which would cause the test to
716     // fail.
717     if test.config.hogs_memory.unwrap_or(false) {
718         return Err(arbitrary::Error::IncorrectFormat);
719     }
720 
721     // Transform `fuzz_config` to be valid for `test` and make sure that this
722     // test is supposed to pass.
723     let wast_config = fuzz_config.make_wast_test_compliant(test);
724     if test.should_fail(&wast_config) {
725         return Err(arbitrary::Error::IncorrectFormat);
726     }
727 
728     // Winch requires AVX and AVX2 for SIMD tests to pass so don't run the test
729     // if either isn't enabled.
730     if fuzz_config.wasmtime.compiler_strategy == CompilerStrategy::Winch
731         && test.config.simd()
732         && (fuzz_config
733             .wasmtime
734             .codegen_flag("has_avx")
735             .is_some_and(|value| value == "false")
736             || fuzz_config
737                 .wasmtime
738                 .codegen_flag("has_avx2")
739                 .is_some_and(|value| value == "false"))
740     {
741         log::warn!(
742             "Skipping Wast test because Winch doesn't support SIMD tests with AVX or AVX2 disabled"
743         );
744         return Err(arbitrary::Error::IncorrectFormat);
745     }
746 
747     // Fuel and epochs don't play well with threads right now, so exclude any
748     // thread-spawning test if it looks like threads are spawned in that case.
749     if fuzz_config.wasmtime.consume_fuel || fuzz_config.wasmtime.epoch_interruption {
750         if test.contents.contains("(thread") {
751             return Err(arbitrary::Error::IncorrectFormat);
752         }
753     }
754 
755     log::debug!("running {:?}", test.path);
756     let async_ = if fuzz_config.wasmtime.async_config == generators::AsyncConfig::Disabled {
757         wasmtime_wast::Async::No
758     } else {
759         wasmtime_wast::Async::Yes
760     };
761     let engine = Engine::new(&fuzz_config.to_wasmtime()).unwrap();
762     let mut wast_context = WastContext::new(&engine, async_, move |store| {
763         fuzz_config.configure_store_epoch_and_fuel(store);
764     });
765     wast_context
766         .register_spectest(&wasmtime_wast::SpectestConfig {
767             use_shared_memory: true,
768             suppress_prints: true,
769         })
770         .unwrap();
771     wast_context
772         .run_wast(test.path.to_str().unwrap(), test.contents.as_bytes())
773         .unwrap();
774     Ok(())
775 }
776 
777 /// Execute a series of `table.get` and `table.set` operations.
778 ///
779 /// Returns the number of `gc` operations which occurred throughout the test
780 /// case -- used to test below that gc happens reasonably soon and eventually.
781 pub fn table_ops(
782     mut fuzz_config: generators::Config,
783     mut ops: generators::table_ops::TableOps,
784 ) -> Result<usize> {
785     let expected_drops = Arc::new(AtomicUsize::new(0));
786     let num_dropped = Arc::new(AtomicUsize::new(0));
787 
788     let num_gcs = Arc::new(AtomicUsize::new(0));
789     {
790         fuzz_config.wasmtime.consume_fuel = true;
791         let mut store = fuzz_config.to_store();
792         store.set_fuel(1_000).unwrap();
793 
794         let wasm = ops.to_wasm_binary();
795         log_wasm(&wasm);
796         let module = match compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config) {
797             Some(m) => m,
798             None => return Ok(0),
799         };
800 
801         let mut linker = Linker::new(store.engine());
802 
803         // To avoid timeouts, limit the number of explicit GCs we perform per
804         // test case.
805         const MAX_GCS: usize = 5;
806 
807         let func_ty = FuncType::new(
808             store.engine(),
809             vec![],
810             vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF],
811         );
812         let func = Func::new(&mut store, func_ty, {
813             let num_dropped = num_dropped.clone();
814             let expected_drops = expected_drops.clone();
815             let num_gcs = num_gcs.clone();
816             move |mut caller: Caller<'_, StoreLimits>, _params, results| {
817                 log::info!("table_ops: GC");
818                 if num_gcs.fetch_add(1, SeqCst) < MAX_GCS {
819                     caller.gc(None);
820                 }
821 
822                 let a = ExternRef::new(
823                     &mut caller,
824                     CountDrops::new(&expected_drops, num_dropped.clone()),
825                 )?;
826                 let b = ExternRef::new(
827                     &mut caller,
828                     CountDrops::new(&expected_drops, num_dropped.clone()),
829                 )?;
830                 let c = ExternRef::new(
831                     &mut caller,
832                     CountDrops::new(&expected_drops, num_dropped.clone()),
833                 )?;
834 
835                 log::info!("table_ops: gc() -> ({a:?}, {b:?}, {c:?})");
836                 results[0] = Some(a).into();
837                 results[1] = Some(b).into();
838                 results[2] = Some(c).into();
839                 Ok(())
840             }
841         });
842         linker.define(&store, "", "gc", func).unwrap();
843 
844         linker
845             .func_wrap("", "take_refs", {
846                 let expected_drops = expected_drops.clone();
847                 move |caller: Caller<'_, StoreLimits>,
848                       a: Option<Rooted<ExternRef>>,
849                       b: Option<Rooted<ExternRef>>,
850                       c: Option<Rooted<ExternRef>>|
851                       -> Result<()> {
852                     log::info!("table_ops: take_refs({a:?}, {b:?}, {c:?})",);
853 
854                     // Do the assertion on each ref's inner data, even though it
855                     // all points to the same atomic, so that if we happen to
856                     // run into a use-after-free bug with one of these refs we
857                     // are more likely to trigger a segfault.
858                     if let Some(a) = a {
859                         let a = a
860                             .data(&caller)?
861                             .unwrap()
862                             .downcast_ref::<CountDrops>()
863                             .unwrap();
864                         assert!(a.0.load(SeqCst) <= expected_drops.load(SeqCst));
865                     }
866                     if let Some(b) = b {
867                         let b = b
868                             .data(&caller)?
869                             .unwrap()
870                             .downcast_ref::<CountDrops>()
871                             .unwrap();
872                         assert!(b.0.load(SeqCst) <= expected_drops.load(SeqCst));
873                     }
874                     if let Some(c) = c {
875                         let c = c
876                             .data(&caller)?
877                             .unwrap()
878                             .downcast_ref::<CountDrops>()
879                             .unwrap();
880                         assert!(c.0.load(SeqCst) <= expected_drops.load(SeqCst));
881                     }
882                     Ok(())
883                 }
884             })
885             .unwrap();
886 
887         let func_ty = FuncType::new(
888             store.engine(),
889             vec![],
890             vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF],
891         );
892         let func = Func::new(&mut store, func_ty, {
893             let num_dropped = num_dropped.clone();
894             let expected_drops = expected_drops.clone();
895             move |mut caller, _params, results| {
896                 log::info!("table_ops: make_refs");
897 
898                 let a = ExternRef::new(
899                     &mut caller,
900                     CountDrops::new(&expected_drops, num_dropped.clone()),
901                 )?;
902                 let b = ExternRef::new(
903                     &mut caller,
904                     CountDrops::new(&expected_drops, num_dropped.clone()),
905                 )?;
906                 let c = ExternRef::new(
907                     &mut caller,
908                     CountDrops::new(&expected_drops, num_dropped.clone()),
909                 )?;
910 
911                 log::info!("table_ops: make_refs() -> ({a:?}, {b:?}, {c:?})");
912 
913                 results[0] = Some(a).into();
914                 results[1] = Some(b).into();
915                 results[2] = Some(c).into();
916 
917                 Ok(())
918             }
919         });
920         linker.define(&store, "", "make_refs", func).unwrap();
921 
922         let instance = linker.instantiate(&mut store, &module).unwrap();
923         let run = instance.get_func(&mut store, "run").unwrap();
924 
925         {
926             let mut scope = RootScope::new(&mut store);
927 
928             log::info!(
929                 "table_ops: begin allocating {} externref arguments",
930                 ops.limits.num_globals
931             );
932             let args: Vec<_> = (0..ops.limits.num_params)
933                 .map(|_| {
934                     Ok(Val::ExternRef(Some(ExternRef::new(
935                         &mut scope,
936                         CountDrops::new(&expected_drops, num_dropped.clone()),
937                     )?)))
938                 })
939                 .collect::<Result<_>>()?;
940             log::info!(
941                 "table_ops: end allocating {} externref arguments",
942                 ops.limits.num_globals
943             );
944 
945             // The generated function should always return a trap. The only two
946             // valid traps are table-out-of-bounds which happens through `table.get`
947             // and `table.set` generated or an out-of-fuel trap. Otherwise any other
948             // error is unexpected and should fail fuzzing.
949             log::info!("table_ops: calling into Wasm `run` function");
950             let err = run.call(&mut scope, &args, &mut []).unwrap_err();
951             match err.downcast::<GcHeapOutOfMemory<CountDrops>>() {
952                 Ok(_oom) => {}
953                 Err(err) => {
954                     let trap = err
955                         .downcast::<Trap>()
956                         .expect("if not GC oom, error should be a Wasm trap");
957                     match trap {
958                         Trap::TableOutOfBounds | Trap::OutOfFuel => {}
959                         _ => panic!("unexpected trap: {trap}"),
960                     }
961                 }
962             }
963         }
964 
965         // Do a final GC after running the Wasm.
966         store.gc(None);
967     }
968 
969     assert_eq!(num_dropped.load(SeqCst), expected_drops.load(SeqCst));
970     return Ok(num_gcs.load(SeqCst));
971 
972     struct CountDrops(Arc<AtomicUsize>);
973 
974     impl CountDrops {
975         fn new(expected_drops: &AtomicUsize, num_dropped: Arc<AtomicUsize>) -> Self {
976             let expected = expected_drops.fetch_add(1, SeqCst);
977             log::info!(
978                 "CountDrops::new: expected drops: {expected} -> {}",
979                 expected + 1
980             );
981             Self(num_dropped)
982         }
983     }
984 
985     impl Drop for CountDrops {
986         fn drop(&mut self) {
987             let drops = self.0.fetch_add(1, SeqCst);
988             log::info!("CountDrops::drop: actual drops: {drops} -> {}", drops + 1);
989         }
990     }
991 }
992 
993 #[derive(Default)]
994 struct HelperThread {
995     state: Arc<HelperThreadState>,
996     thread: Option<std::thread::JoinHandle<()>>,
997 }
998 
999 #[derive(Default)]
1000 struct HelperThreadState {
1001     should_exit: Mutex<bool>,
1002     should_exit_cvar: Condvar,
1003 }
1004 
1005 impl HelperThread {
1006     fn run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static) {
1007         let state = self.state.clone();
1008         self.thread = Some(std::thread::spawn(move || {
1009             // Using our mutex/condvar we wait here for the first of `dur` to
1010             // pass or the `HelperThread` instance to get dropped.
1011             let mut should_exit = state.should_exit.lock().unwrap();
1012             while !*should_exit {
1013                 let (lock, result) = state
1014                     .should_exit_cvar
1015                     .wait_timeout(should_exit, dur)
1016                     .unwrap();
1017                 should_exit = lock;
1018                 // If we timed out for sure then there's no need to continue
1019                 // since we'll just abort on the next `checked_sub` anyway.
1020                 if result.timed_out() {
1021                     closure();
1022                 }
1023             }
1024         }));
1025     }
1026 }
1027 
1028 impl Drop for HelperThread {
1029     fn drop(&mut self) {
1030         let thread = match self.thread.take() {
1031             Some(thread) => thread,
1032             None => return,
1033         };
1034         // Signal our thread that it should exit and wake it up in case it's
1035         // sleeping.
1036         *self.state.should_exit.lock().unwrap() = true;
1037         self.state.should_exit_cvar.notify_one();
1038 
1039         // ... and then wait for the thread to exit to ensure we clean up
1040         // after ourselves.
1041         thread.join().unwrap();
1042     }
1043 }
1044 
1045 /// Generate and execute a `crate::generators::component_types::TestCase` using the specified `input` to create
1046 /// arbitrary types and values.
1047 pub fn dynamic_component_api_target(input: &mut arbitrary::Unstructured) -> arbitrary::Result<()> {
1048     use crate::generators::component_types;
1049     use wasmtime::component::{Component, Linker, Val};
1050     use wasmtime_test_util::component::FuncExt;
1051     use wasmtime_test_util::component_fuzz::{
1052         EXPORT_FUNCTION, IMPORT_FUNCTION, MAX_TYPE_DEPTH, TestCase, Type,
1053     };
1054 
1055     crate::init_fuzzing();
1056 
1057     let mut types = Vec::new();
1058     let mut type_fuel = 500;
1059 
1060     for _ in 0..5 {
1061         types.push(Type::generate(input, MAX_TYPE_DEPTH, &mut type_fuel)?);
1062     }
1063     let params = (0..input.int_in_range(0..=5)?)
1064         .map(|_| input.choose(&types))
1065         .collect::<arbitrary::Result<Vec<_>>>()?;
1066     let result = if input.arbitrary()? {
1067         Some(input.choose(&types)?)
1068     } else {
1069         None
1070     };
1071 
1072     let case = TestCase {
1073         params,
1074         result,
1075         encoding1: input.arbitrary()?,
1076         encoding2: input.arbitrary()?,
1077     };
1078 
1079     let mut config = wasmtime_test_util::component::config();
1080     config.debug_adapter_modules(input.arbitrary()?);
1081     let engine = Engine::new(&config).unwrap();
1082     let mut store = Store::new(&engine, (Vec::new(), None));
1083     let wat = case.declarations().make_component();
1084     let wat = wat.as_bytes();
1085     log_wasm(wat);
1086     let component = Component::new(&engine, wat).unwrap();
1087     let mut linker = Linker::new(&engine);
1088 
1089     linker
1090         .root()
1091         .func_new(IMPORT_FUNCTION, {
1092             move |mut cx: StoreContextMut<'_, (Vec<Val>, Option<Vec<Val>>)>,
1093                   params: &[Val],
1094                   results: &mut [Val]|
1095                   -> Result<()> {
1096                 log::trace!("received params {params:?}");
1097                 let (expected_args, expected_results) = cx.data_mut();
1098                 assert_eq!(params.len(), expected_args.len());
1099                 for (expected, actual) in expected_args.iter().zip(params) {
1100                     assert_eq!(expected, actual);
1101                 }
1102                 results.clone_from_slice(&expected_results.take().unwrap());
1103                 log::trace!("returning results {results:?}");
1104                 Ok(())
1105             }
1106         })
1107         .unwrap();
1108 
1109     let instance = linker.instantiate(&mut store, &component).unwrap();
1110     let func = instance.get_func(&mut store, EXPORT_FUNCTION).unwrap();
1111     let param_tys = func.params(&store);
1112     let result_tys = func.results(&store);
1113 
1114     while input.arbitrary()? {
1115         let params = param_tys
1116             .iter()
1117             .map(|(_, ty)| component_types::arbitrary_val(ty, input))
1118             .collect::<arbitrary::Result<Vec<_>>>()?;
1119         let results = result_tys
1120             .iter()
1121             .map(|ty| component_types::arbitrary_val(ty, input))
1122             .collect::<arbitrary::Result<Vec<_>>>()?;
1123 
1124         *store.data_mut() = (params.clone(), Some(results.clone()));
1125 
1126         log::trace!("passing params {params:?}");
1127         let mut actual = vec![Val::Bool(false); results.len()];
1128         func.call_and_post_return(&mut store, &params, &mut actual)
1129             .unwrap();
1130         log::trace!("received results {actual:?}");
1131         assert_eq!(actual, results);
1132     }
1133 
1134     Ok(())
1135 }
1136 
1137 /// Instantiates a wasm module and runs its exports with dummy values, all in
1138 /// an async fashion.
1139 ///
1140 /// Attempts to stress yields in host functions to ensure that exiting and
1141 /// resuming a wasm function call works.
1142 pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32]) {
1143     let mut store = config.to_store();
1144     let module = match compile_module(store.engine(), wasm, KnownValid::Yes, config) {
1145         Some(module) => module,
1146         None => return,
1147     };
1148 
1149     // Configure a helper thread to periodically increment the epoch to
1150     // forcibly enable yields-via-epochs if epochs are in use. Note that this
1151     // is required because the wasm isn't otherwise guaranteed to necessarily
1152     // call any imports which will also increment the epoch.
1153     let mut helper_thread = HelperThread::default();
1154     if let generators::AsyncConfig::YieldWithEpochs { dur, .. } = &config.wasmtime.async_config {
1155         let engine = store.engine().clone();
1156         helper_thread.run_periodically(*dur, move || engine.increment_epoch());
1157     }
1158 
1159     // Generate a `Linker` where all function imports are custom-built to yield
1160     // periodically and additionally increment the epoch.
1161     let mut imports = Vec::new();
1162     for import in module.imports() {
1163         let item = match import.ty() {
1164             ExternType::Func(ty) => {
1165                 let poll_amt = take_poll_amt(&mut poll_amts);
1166                 Func::new_async(&mut store, ty.clone(), move |caller, _, results| {
1167                     let ty = ty.clone();
1168                     Box::new(async move {
1169                         caller.engine().increment_epoch();
1170                         log::info!("yielding {poll_amt} times in import");
1171                         YieldN(poll_amt).await;
1172                         for (ret_ty, result) in ty.results().zip(results) {
1173                             *result = ret_ty.default_value().unwrap();
1174                         }
1175                         Ok(())
1176                     })
1177                 })
1178                 .into()
1179             }
1180             other_ty => match other_ty.default_value(&mut store) {
1181                 Ok(item) => item,
1182                 Err(e) => {
1183                     log::warn!("couldn't create import for {import:?}: {e:?}");
1184                     return;
1185                 }
1186             },
1187         };
1188         imports.push(item);
1189     }
1190 
1191     // Run the instantiation process, asynchronously, and if everything
1192     // succeeds then pull out the instance.
1193     // log::info!("starting instantiation");
1194     let instance = run(Timeout {
1195         future: Instance::new_async(&mut store, &module, &imports),
1196         polls: take_poll_amt(&mut poll_amts),
1197         end: Instant::now() + Duration::from_millis(2_000),
1198     });
1199     let instance = match instance {
1200         Ok(instantiation_result) => match unwrap_instance(&store, instantiation_result) {
1201             Some(instance) => instance,
1202             None => {
1203                 log::info!("instantiation hit a nominal error");
1204                 return; // resource exhaustion or limits met
1205             }
1206         },
1207         Err(_) => {
1208             log::info!("instantiation failed to complete");
1209             return; // Timed out or ran out of polls
1210         }
1211     };
1212 
1213     // Run each export of the instance in the same manner as instantiation
1214     // above. Dummy values are passed in for argument values here:
1215     //
1216     // TODO: this should probably be more clever about passing in arguments for
1217     // example they might be used as pointers or something and always using 0
1218     // isn't too interesting.
1219     let funcs = instance
1220         .exports(&mut store)
1221         .filter_map(|e| {
1222             let name = e.name().to_string();
1223             let func = e.into_extern().into_func()?;
1224             Some((name, func))
1225         })
1226         .collect::<Vec<_>>();
1227     for (name, func) in funcs {
1228         let ty = func.ty(&store);
1229         let params = ty
1230             .params()
1231             .map(|ty| ty.default_value().unwrap())
1232             .collect::<Vec<_>>();
1233         let mut results = ty
1234             .results()
1235             .map(|ty| ty.default_value().unwrap())
1236             .collect::<Vec<_>>();
1237 
1238         log::info!("invoking export {name:?}");
1239         let future = func.call_async(&mut store, &params, &mut results);
1240         match run(Timeout {
1241             future,
1242             polls: take_poll_amt(&mut poll_amts),
1243             end: Instant::now() + Duration::from_millis(2_000),
1244         }) {
1245             // On success or too many polls, try the next export.
1246             Ok(_) | Err(Exhausted::Polls) => {}
1247 
1248             // If time ran out then stop the current test case as we might have
1249             // already sucked up a lot of time for this fuzz test case so don't
1250             // keep it going.
1251             Err(Exhausted::Time) => return,
1252         }
1253     }
1254 
1255     fn take_poll_amt(polls: &mut &[u32]) -> u32 {
1256         match polls.split_first() {
1257             Some((a, rest)) => {
1258                 *polls = rest;
1259                 *a
1260             }
1261             None => 0,
1262         }
1263     }
1264 
1265     /// Helper future to yield N times before resolving.
1266     struct YieldN(u32);
1267 
1268     impl Future for YieldN {
1269         type Output = ();
1270 
1271         fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<()> {
1272             if self.0 == 0 {
1273                 Poll::Ready(())
1274             } else {
1275                 self.0 -= 1;
1276                 cx.waker().wake_by_ref();
1277                 Poll::Pending
1278             }
1279         }
1280     }
1281 
1282     /// Helper future for applying a timeout to `future` up to either when `end`
1283     /// is the current time or `polls` polls happen.
1284     ///
1285     /// Note that this helps to time out infinite loops in wasm, for example.
1286     struct Timeout<F> {
1287         future: F,
1288         /// If the future isn't ready by this time then the `Timeout<F>` future
1289         /// will return `None`.
1290         end: Instant,
1291         /// If the future doesn't resolve itself in this many calls to `poll`
1292         /// then the `Timeout<F>` future will return `None`.
1293         polls: u32,
1294     }
1295 
1296     enum Exhausted {
1297         Time,
1298         Polls,
1299     }
1300 
1301     impl<F: Future> Future for Timeout<F> {
1302         type Output = Result<F::Output, Exhausted>;
1303 
1304         fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
1305             let (end, polls, future) = unsafe {
1306                 let me = self.get_unchecked_mut();
1307                 (me.end, &mut me.polls, Pin::new_unchecked(&mut me.future))
1308             };
1309             match future.poll(cx) {
1310                 Poll::Ready(val) => Poll::Ready(Ok(val)),
1311                 Poll::Pending => {
1312                     if Instant::now() >= end {
1313                         log::warn!("future operation timed out");
1314                         return Poll::Ready(Err(Exhausted::Time));
1315                     }
1316                     if *polls == 0 {
1317                         log::warn!("future operation ran out of polls");
1318                         return Poll::Ready(Err(Exhausted::Polls));
1319                     }
1320                     *polls -= 1;
1321                     Poll::Pending
1322                 }
1323             }
1324         }
1325     }
1326 
1327     fn run<F: Future>(future: F) -> F::Output {
1328         let mut f = Box::pin(future);
1329         let mut cx = Context::from_waker(Waker::noop());
1330         loop {
1331             match f.as_mut().poll(&mut cx) {
1332                 Poll::Ready(val) => break val,
1333                 Poll::Pending => {}
1334             }
1335         }
1336     }
1337 }
1338 
1339 #[cfg(test)]
1340 mod tests {
1341     use super::*;
1342     use arbitrary::Unstructured;
1343     use rand::prelude::*;
1344     use wasmparser::{Validator, WasmFeatures};
1345 
1346     fn gen_until_pass<T: for<'a> Arbitrary<'a>>(
1347         mut f: impl FnMut(T, &mut Unstructured<'_>) -> Result<bool>,
1348     ) -> bool {
1349         let mut rng = SmallRng::seed_from_u64(0);
1350         let mut buf = vec![0; 2048];
1351         let n = 3000;
1352         for _ in 0..n {
1353             rng.fill_bytes(&mut buf);
1354             let mut u = Unstructured::new(&buf);
1355 
1356             if let Ok(config) = u.arbitrary() {
1357                 if f(config, &mut u).unwrap() {
1358                     return true;
1359                 }
1360             }
1361         }
1362         false
1363     }
1364 
1365     /// Runs `f` with random data until it returns `Ok(())` `iters` times.
1366     fn test_n_times<T: for<'a> Arbitrary<'a>>(
1367         iters: u32,
1368         mut f: impl FnMut(T, &mut Unstructured<'_>) -> arbitrary::Result<()>,
1369     ) {
1370         let mut to_test = 0..iters;
1371         let ok = gen_until_pass(|a, b| {
1372             if f(a, b).is_ok() {
1373                 Ok(to_test.next().is_none())
1374             } else {
1375                 Ok(false)
1376             }
1377         });
1378         assert!(ok);
1379     }
1380 
1381     // Test that the `table_ops` fuzzer eventually runs the gc function in the host.
1382     // We've historically had issues where this fuzzer accidentally wasn't fuzzing
1383     // anything for a long time so this is an attempt to prevent that from happening
1384     // again.
1385     #[test]
1386     fn table_ops_eventually_gcs() {
1387         // Skip if we're under emulation because some fuzz configurations will do
1388         // large address space reservations that QEMU doesn't handle well.
1389         if std::env::var("WASMTIME_TEST_NO_HOG_MEMORY").is_ok() {
1390             return;
1391         }
1392 
1393         let ok = gen_until_pass(|(config, test), _| {
1394             let result = table_ops(config, test)?;
1395             Ok(result > 0)
1396         });
1397 
1398         if !ok {
1399             panic!("gc was never found");
1400         }
1401     }
1402 
1403     #[test]
1404     fn module_generation_uses_expected_proposals() {
1405         // Proposals that Wasmtime supports. Eventually a module should be
1406         // generated that needs these proposals.
1407         let mut expected = WasmFeatures::MUTABLE_GLOBAL
1408             | WasmFeatures::FLOATS
1409             | WasmFeatures::SIGN_EXTENSION
1410             | WasmFeatures::SATURATING_FLOAT_TO_INT
1411             | WasmFeatures::MULTI_VALUE
1412             | WasmFeatures::BULK_MEMORY
1413             | WasmFeatures::REFERENCE_TYPES
1414             | WasmFeatures::SIMD
1415             | WasmFeatures::MULTI_MEMORY
1416             | WasmFeatures::RELAXED_SIMD
1417             | WasmFeatures::THREADS
1418             | WasmFeatures::TAIL_CALL
1419             | WasmFeatures::WIDE_ARITHMETIC
1420             | WasmFeatures::MEMORY64
1421             | WasmFeatures::FUNCTION_REFERENCES
1422             | WasmFeatures::GC
1423             | WasmFeatures::GC_TYPES
1424             | WasmFeatures::CUSTOM_PAGE_SIZES
1425             | WasmFeatures::EXTENDED_CONST
1426             | WasmFeatures::EXCEPTIONS;
1427 
1428         // All other features that wasmparser supports, which is presumably a
1429         // superset of the features that wasm-smith supports, are listed here as
1430         // unexpected. This means, for example, that if wasm-smith updates to
1431         // include a new proposal by default that wasmtime implements then it
1432         // will be required to be listed above.
1433         let unexpected = WasmFeatures::all() ^ expected;
1434 
1435         let ok = gen_until_pass(|config: generators::Config, u| {
1436             let wasm = config.generate(u, None)?.to_bytes();
1437 
1438             // Double-check the module is valid
1439             Validator::new_with_features(WasmFeatures::all()).validate_all(&wasm)?;
1440 
1441             // If any of the unexpected features are removed then this module
1442             // should always be valid, otherwise something went wrong.
1443             for feature in unexpected.iter() {
1444                 let ok =
1445                     Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm);
1446                 if ok.is_err() {
1447                     anyhow::bail!("generated a module with {feature:?} but that wasn't expected");
1448                 }
1449             }
1450 
1451             // If any of `expected` is removed and the module fails to validate,
1452             // then that means the module requires that feature. Remove that
1453             // from the set of features we're then expecting.
1454             for feature in expected.iter() {
1455                 let ok =
1456                     Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm);
1457                 if ok.is_err() {
1458                     expected ^= feature;
1459                 }
1460             }
1461 
1462             Ok(expected.is_empty())
1463         });
1464 
1465         if !ok {
1466             panic!("never generated wasm module using {expected:?}");
1467         }
1468     }
1469 
1470     #[test]
1471     fn wast_smoke_test() {
1472         test_n_times(50, |(), u| super::wast_test(u));
1473     }
1474 }
1475