1 //! Oracles. 2 //! 3 //! Oracles take a test case and determine whether we have a bug. For example, 4 //! one of the simplest oracles is to take a Wasm binary as our input test case, 5 //! validate and instantiate it, and (implicitly) check that no assertions 6 //! failed or segfaults happened. A more complicated oracle might compare the 7 //! result of executing a Wasm file with and without optimizations enabled, and 8 //! make sure that the two executions are observably identical. 9 //! 10 //! When an oracle finds a bug, it should report it to the fuzzing engine by 11 //! panicking. 12 13 #[cfg(feature = "fuzz-spec-interpreter")] 14 pub mod diff_spec; 15 pub mod diff_wasmi; 16 pub mod diff_wasmtime; 17 pub mod dummy; 18 pub mod engine; 19 pub mod memory; 20 mod stacks; 21 22 use self::diff_wasmtime::WasmtimeInstance; 23 use self::engine::{DiffEngine, DiffInstance}; 24 use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType}; 25 use crate::single_module_fuzzer::KnownValid; 26 use arbitrary::Arbitrary; 27 pub use stacks::check_stacks; 28 use std::future::Future; 29 use std::pin::Pin; 30 use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst}; 31 use std::sync::{Arc, Condvar, Mutex}; 32 use std::task::{Context, Poll, Waker}; 33 use std::time::{Duration, Instant}; 34 use wasmtime::*; 35 use wasmtime_wast::WastContext; 36 37 #[cfg(not(any(windows, target_arch = "s390x", target_arch = "riscv64")))] 38 mod diff_v8; 39 40 static CNT: AtomicUsize = AtomicUsize::new(0); 41 42 /// Logs a wasm file to the filesystem to make it easy to figure out what wasm 43 /// was used when debugging. 44 pub fn log_wasm(wasm: &[u8]) { 45 super::init_fuzzing(); 46 47 if !log::log_enabled!(log::Level::Debug) { 48 return; 49 } 50 51 let i = CNT.fetch_add(1, SeqCst); 52 let name = format!("testcase{i}.wasm"); 53 std::fs::write(&name, wasm).expect("failed to write wasm file"); 54 log::debug!("wrote wasm file to `{name}`"); 55 let wat = format!("testcase{i}.wat"); 56 match wasmprinter::print_bytes(wasm) { 57 Ok(s) => std::fs::write(&wat, s).expect("failed to write wat file"), 58 // If wasmprinter failed remove a `*.wat` file, if any, to avoid 59 // confusing a preexisting one with this wasm which failed to get 60 // printed. 61 Err(_) => drop(std::fs::remove_file(&wat)), 62 } 63 } 64 65 /// The `T` in `Store<T>` for fuzzing stores, used to limit resource 66 /// consumption during fuzzing. 67 #[derive(Clone)] 68 pub struct StoreLimits(Arc<LimitsState>); 69 70 struct LimitsState { 71 /// Remaining memory, in bytes, left to allocate 72 remaining_memory: AtomicUsize, 73 /// Remaining amount of memory that's allowed to be copied via a growth. 74 remaining_copy_allowance: AtomicUsize, 75 /// Whether or not an allocation request has been denied 76 oom: AtomicBool, 77 } 78 79 /// Allow up to 1G which is well below the 2G limit on OSS-Fuzz and should allow 80 /// most interesting behavior. 81 const MAX_MEMORY: usize = 1 << 30; 82 83 /// Allow up to 4G of bytes to be copied (conservatively) which should enable 84 /// growth up to `MAX_MEMORY` or at least up to a relatively large amount. 85 const MAX_MEMORY_MOVED: usize = 4 << 30; 86 87 impl StoreLimits { 88 /// Creates the default set of limits for all fuzzing stores. 89 pub fn new() -> StoreLimits { 90 StoreLimits(Arc::new(LimitsState { 91 remaining_memory: AtomicUsize::new(MAX_MEMORY), 92 remaining_copy_allowance: AtomicUsize::new(MAX_MEMORY_MOVED), 93 oom: AtomicBool::new(false), 94 })) 95 } 96 97 fn alloc(&mut self, amt: usize) -> bool { 98 log::trace!("alloc {amt:#x} bytes"); 99 100 // Assume that on each allocation of memory that all previous 101 // allocations of memory are moved. This is pretty coarse but is used to 102 // help prevent against fuzz test cases that just move tons of bytes 103 // around continuously. This assumes that all previous memory was 104 // allocated in a single linear memory and growing by `amt` will require 105 // moving all the bytes to a new location. This isn't actually required 106 // all the time nor does it accurately reflect what happens all the 107 // time, but it's a coarse approximation that should be "good enough" 108 // for allowing interesting fuzz behaviors to happen while not timing 109 // out just copying bytes around. 110 let prev_size = MAX_MEMORY - self.0.remaining_memory.load(SeqCst); 111 if self 112 .0 113 .remaining_copy_allowance 114 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(prev_size)) 115 .is_err() 116 { 117 self.0.oom.store(true, SeqCst); 118 log::debug!("-> too many bytes moved, rejecting allocation"); 119 return false; 120 } 121 122 // If we're allowed to move the bytes, then also check if we're allowed 123 // to actually have this much residence at once. 124 match self 125 .0 126 .remaining_memory 127 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(amt)) 128 { 129 Ok(_) => true, 130 Err(_) => { 131 self.0.oom.store(true, SeqCst); 132 log::debug!("-> OOM hit"); 133 false 134 } 135 } 136 } 137 138 fn is_oom(&self) -> bool { 139 self.0.oom.load(SeqCst) 140 } 141 } 142 143 impl ResourceLimiter for StoreLimits { 144 fn memory_growing( 145 &mut self, 146 current: usize, 147 desired: usize, 148 _maximum: Option<usize>, 149 ) -> Result<bool> { 150 Ok(self.alloc(desired - current)) 151 } 152 153 fn table_growing( 154 &mut self, 155 current: usize, 156 desired: usize, 157 _maximum: Option<usize>, 158 ) -> Result<bool> { 159 let delta = (desired - current).saturating_mul(std::mem::size_of::<usize>()); 160 Ok(self.alloc(delta)) 161 } 162 } 163 164 /// Methods of timing out execution of a WebAssembly module 165 #[derive(Clone, Debug)] 166 pub enum Timeout { 167 /// No timeout is used, it should be guaranteed via some other means that 168 /// the input does not infinite loop. 169 None, 170 /// Fuel-based timeouts are used where the specified fuel is all that the 171 /// provided wasm module is allowed to consume. 172 Fuel(u64), 173 /// An epoch-interruption-based timeout is used with a sleeping 174 /// thread bumping the epoch counter after the specified duration. 175 Epoch(Duration), 176 } 177 178 /// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected 179 /// panic or segfault or anything else that can be detected "passively". 180 /// 181 /// The engine will be configured using provided config. 182 pub fn instantiate( 183 wasm: &[u8], 184 known_valid: KnownValid, 185 config: &generators::Config, 186 timeout: Timeout, 187 ) { 188 let mut store = config.to_store(); 189 190 let module = match compile_module(store.engine(), wasm, known_valid, config) { 191 Some(module) => module, 192 None => return, 193 }; 194 195 let mut timeout_state = HelperThread::default(); 196 match timeout { 197 Timeout::Fuel(fuel) => store.set_fuel(fuel).unwrap(), 198 199 // If a timeout is requested then we spawn a helper thread to wait for 200 // the requested time and then send us a signal to get interrupted. We 201 // also arrange for the thread's sleep to get interrupted if we return 202 // early (or the wasm returns within the time limit), which allows the 203 // thread to get torn down. 204 // 205 // This prevents us from creating a huge number of sleeping threads if 206 // this function is executed in a loop, like it does on nightly fuzzing 207 // infrastructure. 208 Timeout::Epoch(timeout) => { 209 let engine = store.engine().clone(); 210 timeout_state.run_periodically(timeout, move || engine.increment_epoch()); 211 } 212 Timeout::None => {} 213 } 214 215 instantiate_with_dummy(&mut store, &module); 216 } 217 218 /// Represents supported commands to the `instantiate_many` function. 219 #[derive(Arbitrary, Debug)] 220 pub enum Command { 221 /// Instantiates a module. 222 /// 223 /// The value is the index of the module to instantiate. 224 /// 225 /// The module instantiated will be this value modulo the number of modules provided to `instantiate_many`. 226 Instantiate(usize), 227 /// Terminates a "running" instance. 228 /// 229 /// The value is the index of the instance to terminate. 230 /// 231 /// The instance terminated will be this value modulo the number of currently running 232 /// instances. 233 /// 234 /// If no instances are running, the command will be ignored. 235 Terminate(usize), 236 } 237 238 /// Instantiates many instances from the given modules. 239 /// 240 /// The engine will be configured using the provided config. 241 /// 242 /// The modules are expected to *not* have start functions as no timeouts are configured. 243 pub fn instantiate_many( 244 modules: &[Vec<u8>], 245 known_valid: KnownValid, 246 config: &generators::Config, 247 commands: &[Command], 248 ) { 249 log::debug!("instantiate_many: {commands:#?}"); 250 251 assert!(!config.module_config.config.allow_start_export); 252 253 let engine = Engine::new(&config.to_wasmtime()).unwrap(); 254 255 let modules = modules 256 .iter() 257 .enumerate() 258 .filter_map( 259 |(i, bytes)| match compile_module(&engine, bytes, known_valid, config) { 260 Some(m) => { 261 log::debug!("successfully compiled module {i}"); 262 Some(m) 263 } 264 None => { 265 log::debug!("failed to compile module {i}"); 266 None 267 } 268 }, 269 ) 270 .collect::<Vec<_>>(); 271 272 // If no modules were valid, we're done 273 if modules.is_empty() { 274 return; 275 } 276 277 // This stores every `Store` where a successful instantiation takes place 278 let mut stores = Vec::new(); 279 let limits = StoreLimits::new(); 280 281 for command in commands { 282 match command { 283 Command::Instantiate(index) => { 284 let index = *index % modules.len(); 285 log::info!("instantiating {index}"); 286 let module = &modules[index]; 287 let mut store = Store::new(&engine, limits.clone()); 288 config.configure_store(&mut store); 289 290 if instantiate_with_dummy(&mut store, module).is_some() { 291 stores.push(Some(store)); 292 } else { 293 log::warn!("instantiation failed"); 294 } 295 } 296 Command::Terminate(index) => { 297 if stores.is_empty() { 298 continue; 299 } 300 let index = *index % stores.len(); 301 302 log::info!("dropping {index}"); 303 stores.swap_remove(index); 304 } 305 } 306 } 307 } 308 309 fn compile_module( 310 engine: &Engine, 311 bytes: &[u8], 312 known_valid: KnownValid, 313 config: &generators::Config, 314 ) -> Option<Module> { 315 log_wasm(bytes); 316 317 fn is_pcc_error(e: &anyhow::Error) -> bool { 318 // NOTE: please keep this predicate in sync with the display format of CodegenError, 319 // defined in `wasmtime/cranelift/codegen/src/result.rs` 320 e.to_string().to_lowercase().contains("proof-carrying-code") 321 } 322 323 match config.compile(engine, bytes) { 324 Ok(module) => Some(module), 325 Err(e) if is_pcc_error(&e) => { 326 panic!("pcc error in input: {e:#?}"); 327 } 328 Err(_) if known_valid == KnownValid::No => None, 329 Err(e) => { 330 if let generators::InstanceAllocationStrategy::Pooling(c) = &config.wasmtime.strategy { 331 // When using the pooling allocator, accept failures to compile 332 // when arbitrary table element limits have been exceeded as 333 // there is currently no way to constrain the generated module 334 // table types. 335 let string = format!("{e:?}"); 336 if string.contains("minimum element size") { 337 return None; 338 } 339 340 // Allow modules-failing-to-compile which exceed the requested 341 // size for each instance. This is something that is difficult 342 // to control and ensure it always succeeds, so we simply have a 343 // "random" instance size limit and if a module doesn't fit we 344 // move on to the next fuzz input. 345 if string.contains("instance allocation for this module requires") { 346 return None; 347 } 348 349 // If the pooling allocator is more restrictive on the number of 350 // tables and memories than we allowed wasm-smith to generate 351 // then allow compilation errors along those lines. 352 if c.max_tables_per_module < (config.module_config.config.max_tables as u32) 353 && string.contains("defined tables count") 354 && string.contains("exceeds the per-instance limit") 355 { 356 return None; 357 } 358 359 if c.max_memories_per_module < (config.module_config.config.max_memories as u32) 360 && string.contains("defined memories count") 361 && string.contains("exceeds the per-instance limit") 362 { 363 return None; 364 } 365 } 366 367 panic!("failed to compile module: {e:?}"); 368 } 369 } 370 } 371 372 /// Create a Wasmtime [`Instance`] from a [`Module`] and fill in all imports 373 /// with dummy values (e.g., zeroed values, immediately-trapping functions). 374 /// Also, this function catches certain fuzz-related instantiation failures and 375 /// returns `None` instead of panicking. 376 /// 377 /// TODO: we should implement tracing versions of these dummy imports that 378 /// record a trace of the order that imported functions were called in and with 379 /// what values. Like the results of exported functions, calls to imports should 380 /// also yield the same values for each configuration, and we should assert 381 /// that. 382 pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance> { 383 // Creation of imports can fail due to resource limit constraints, and then 384 // instantiation can naturally fail for a number of reasons as well. Bundle 385 // the two steps together to match on the error below. 386 let linker = dummy::dummy_linker(store, module); 387 if let Err(e) = &linker { 388 log::warn!("failed to create dummy linker: {e:?}"); 389 } 390 let instance = linker.and_then(|l| l.instantiate(&mut *store, module)); 391 unwrap_instance(store, instance) 392 } 393 394 fn unwrap_instance( 395 store: &Store<StoreLimits>, 396 instance: anyhow::Result<Instance>, 397 ) -> Option<Instance> { 398 let e = match instance { 399 Ok(i) => return Some(i), 400 Err(e) => e, 401 }; 402 403 log::debug!("failed to instantiate: {e:?}"); 404 405 // If the instantiation hit OOM for some reason then that's ok, it's 406 // expected that fuzz-generated programs try to allocate lots of 407 // stuff. 408 if store.data().is_oom() { 409 return None; 410 } 411 412 // Allow traps which can happen normally with `unreachable` or a timeout or 413 // such. 414 if e.is::<Trap>() 415 // Also allow failures to instantiate as a result of hitting pooling 416 // limits. 417 || e.is::<wasmtime::PoolConcurrencyLimitError>() 418 // And GC heap OOMs. 419 || e.is::<wasmtime::GcHeapOutOfMemory<()>>() 420 // And thrown exceptions. 421 || e.is::<wasmtime::ThrownException>() 422 { 423 return None; 424 } 425 426 let string = e.to_string(); 427 428 // Currently we instantiate with a `Linker` which can't instantiate 429 // every single module under the sun due to using name-based resolution 430 // rather than positional-based resolution 431 if string.contains("incompatible import type") { 432 return None; 433 } 434 435 // Everything else should be a bug in the fuzzer or a bug in wasmtime 436 panic!("failed to instantiate: {e:?}"); 437 } 438 439 /// Evaluate the function identified by `name` in two different engine 440 /// instances--`lhs` and `rhs`. 441 /// 442 /// Returns `Ok(true)` if more evaluations can happen or `Ok(false)` if the 443 /// instances may have drifted apart and no more evaluations can happen. 444 /// 445 /// # Panics 446 /// 447 /// This will panic if the evaluation is different between engines (e.g., 448 /// results are different, hashed instance is different, one side traps, etc.). 449 pub fn differential( 450 lhs: &mut dyn DiffInstance, 451 lhs_engine: &dyn DiffEngine, 452 rhs: &mut WasmtimeInstance, 453 name: &str, 454 args: &[DiffValue], 455 result_tys: &[DiffValueType], 456 ) -> anyhow::Result<bool> { 457 log::debug!("Evaluating: `{name}` with {args:?}"); 458 let lhs_results = match lhs.evaluate(name, args, result_tys) { 459 Ok(Some(results)) => Ok(results), 460 Err(e) => Err(e), 461 // this engine couldn't execute this type signature, so discard this 462 // execution by returning success. 463 Ok(None) => return Ok(true), 464 }; 465 log::debug!(" -> lhs results on {}: {:?}", lhs.name(), &lhs_results); 466 467 let rhs_results = rhs 468 .evaluate(name, args, result_tys) 469 // wasmtime should be able to invoke any signature, so unwrap this result 470 .map(|results| results.unwrap()); 471 log::debug!(" -> rhs results on {}: {:?}", rhs.name(), &rhs_results); 472 473 // If Wasmtime hit its OOM condition, which is possible since it's set 474 // somewhat low while fuzzing, then don't return an error but return 475 // `false` indicating that differential fuzzing must stop. There's no 476 // guarantee the other engine has the same OOM limits as Wasmtime, and 477 // it's assumed that Wasmtime is configured to have a more conservative 478 // limit than the other engine. 479 if rhs.is_oom() { 480 return Ok(false); 481 } 482 483 match DiffEqResult::new(lhs_engine, lhs_results, rhs_results) { 484 DiffEqResult::Success(lhs, rhs) => assert_eq!(lhs, rhs), 485 DiffEqResult::Poisoned => return Ok(false), 486 DiffEqResult::Failed => {} 487 } 488 489 for (global, ty) in rhs.exported_globals() { 490 log::debug!("Comparing global `{global}`"); 491 let lhs = match lhs.get_global(&global, ty) { 492 Some(val) => val, 493 None => continue, 494 }; 495 let rhs = rhs.get_global(&global, ty).unwrap(); 496 assert_eq!(lhs, rhs); 497 } 498 for (memory, shared) in rhs.exported_memories() { 499 log::debug!("Comparing memory `{memory}`"); 500 let lhs = match lhs.get_memory(&memory, shared) { 501 Some(val) => val, 502 None => continue, 503 }; 504 let rhs = rhs.get_memory(&memory, shared).unwrap(); 505 if lhs == rhs { 506 continue; 507 } 508 eprintln!("differential memory is {} bytes long", lhs.len()); 509 eprintln!("wasmtime memory is {} bytes long", rhs.len()); 510 panic!("memories have differing values"); 511 } 512 513 Ok(true) 514 } 515 516 /// Result of comparing the result of two operations during differential 517 /// execution. 518 pub enum DiffEqResult<T, U> { 519 /// Both engines succeeded. 520 Success(T, U), 521 /// The result has reached the state where engines may have diverged and 522 /// results can no longer be compared. 523 Poisoned, 524 /// Both engines failed with the same error message, and internal state 525 /// should still match between the two engines. 526 Failed, 527 } 528 529 fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool { 530 match trap { 531 // Allocations being too large for the GC are 532 // implementation-defined. 533 Trap::AllocationTooLarge | 534 // Stack size, and therefore when overflow happens, is 535 // implementation-defined. 536 Trap::StackOverflow => true, 537 _ => false, 538 } 539 } 540 541 fn wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool { 542 match error.downcast_ref::<Trap>() { 543 Some(trap) => wasmtime_trap_is_non_deterministic(trap), 544 545 // For general, unknown errors, we can't rely on this being 546 // a deterministic Wasm failure that both engines handled 547 // identically, leaving Wasm in identical states. We could 548 // just as easily be hitting engine-specific failures, like 549 // different implementation-defined limits. So simply poison 550 // this execution and move on to the next test. 551 None => true, 552 } 553 } 554 555 impl<T, U> DiffEqResult<T, U> { 556 /// Computes the differential result from executing in two different 557 /// engines. 558 pub fn new( 559 lhs_engine: &dyn DiffEngine, 560 lhs_result: Result<T>, 561 rhs_result: Result<U>, 562 ) -> DiffEqResult<T, U> { 563 match (lhs_result, rhs_result) { 564 (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result), 565 566 // Handle all non-deterministic errors by poisoning this execution's 567 // state, so that we simply move on to the next test. 568 (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => { 569 log::debug!("lhs failed non-deterministically: {lhs:?}"); 570 DiffEqResult::Poisoned 571 } 572 (_, Err(rhs)) if wasmtime_error_is_non_deterministic(&rhs) => { 573 log::debug!("rhs failed non-deterministically: {rhs:?}"); 574 DiffEqResult::Poisoned 575 } 576 577 // Both sides failed deterministically. Check that the trap and 578 // state at the time of failure is the same. 579 (Err(lhs), Err(rhs)) => { 580 let rhs = rhs 581 .downcast::<Trap>() 582 .expect("non-traps handled in earlier match arm"); 583 584 debug_assert!( 585 !lhs_engine.is_non_deterministic_error(&lhs), 586 "non-deterministic traps handled in earlier match arm", 587 ); 588 debug_assert!( 589 !wasmtime_trap_is_non_deterministic(&rhs), 590 "non-deterministic traps handled in earlier match arm", 591 ); 592 593 lhs_engine.assert_error_match(&lhs, &rhs); 594 DiffEqResult::Failed 595 } 596 597 // A real bug is found if only one side fails. 598 (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"), 599 (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"), 600 } 601 } 602 } 603 604 /// Invoke the given API calls. 605 pub fn make_api_calls(api: generators::api::ApiCalls) { 606 use crate::generators::api::ApiCall; 607 use std::collections::HashMap; 608 609 let mut store: Option<Store<StoreLimits>> = None; 610 let mut modules: HashMap<usize, Module> = Default::default(); 611 let mut instances: HashMap<usize, Instance> = Default::default(); 612 613 for call in api.calls { 614 match call { 615 ApiCall::StoreNew(config) => { 616 log::trace!("creating store"); 617 assert!(store.is_none()); 618 store = Some(config.to_store()); 619 } 620 621 ApiCall::ModuleNew { id, wasm } => { 622 log::debug!("creating module: {id}"); 623 log_wasm(&wasm); 624 let module = match Module::new(store.as_ref().unwrap().engine(), &wasm) { 625 Ok(m) => m, 626 Err(_) => continue, 627 }; 628 let old = modules.insert(id, module); 629 assert!(old.is_none()); 630 } 631 632 ApiCall::ModuleDrop { id } => { 633 log::trace!("dropping module: {id}"); 634 drop(modules.remove(&id)); 635 } 636 637 ApiCall::InstanceNew { id, module } => { 638 log::trace!("instantiating module {module} as {id}"); 639 let module = match modules.get(&module) { 640 Some(m) => m, 641 None => continue, 642 }; 643 644 let store = store.as_mut().unwrap(); 645 if let Some(instance) = instantiate_with_dummy(store, module) { 646 instances.insert(id, instance); 647 } 648 } 649 650 ApiCall::InstanceDrop { id } => { 651 log::trace!("dropping instance {id}"); 652 instances.remove(&id); 653 } 654 655 ApiCall::CallExportedFunc { instance, nth } => { 656 log::trace!("calling instance export {instance} / {nth}"); 657 let instance = match instances.get(&instance) { 658 Some(i) => i, 659 None => { 660 // Note that we aren't guaranteed to instantiate valid 661 // modules, see comments in `InstanceNew` for details on 662 // that. But the API call generator can't know if 663 // instantiation failed, so we might not actually have 664 // this instance. When that's the case, just skip the 665 // API call and keep going. 666 continue; 667 } 668 }; 669 let store = store.as_mut().unwrap(); 670 671 let funcs = instance 672 .exports(&mut *store) 673 .filter_map(|e| match e.into_extern() { 674 Extern::Func(f) => Some(f), 675 _ => None, 676 }) 677 .collect::<Vec<_>>(); 678 679 if funcs.is_empty() { 680 continue; 681 } 682 683 let nth = nth % funcs.len(); 684 let f = &funcs[nth]; 685 let ty = f.ty(&store); 686 if let Some(params) = ty 687 .params() 688 .map(|p| p.default_value()) 689 .collect::<Option<Vec<_>>>() 690 { 691 let mut results = vec![Val::I32(0); ty.results().len()]; 692 let _ = f.call(store, ¶ms, &mut results); 693 } 694 } 695 } 696 } 697 } 698 699 /// Executes the wast `test` with the `config` specified. 700 /// 701 /// Ensures that wast tests pass regardless of the `Config`. 702 pub fn wast_test(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()> { 703 crate::init_fuzzing(); 704 705 let mut fuzz_config: generators::Config = u.arbitrary()?; 706 let test: generators::WastTest = u.arbitrary()?; 707 708 let test = &test.test; 709 710 if test.config.component_model_async() || u.arbitrary()? { 711 fuzz_config.enable_async(u)?; 712 } 713 714 // Discard tests that allocate a lot of memory as we don't want to OOM the 715 // fuzzer and we also limit memory growth which would cause the test to 716 // fail. 717 if test.config.hogs_memory.unwrap_or(false) { 718 return Err(arbitrary::Error::IncorrectFormat); 719 } 720 721 // Transform `fuzz_config` to be valid for `test` and make sure that this 722 // test is supposed to pass. 723 let wast_config = fuzz_config.make_wast_test_compliant(test); 724 if test.should_fail(&wast_config) { 725 return Err(arbitrary::Error::IncorrectFormat); 726 } 727 728 // Winch requires AVX and AVX2 for SIMD tests to pass so don't run the test 729 // if either isn't enabled. 730 if fuzz_config.wasmtime.compiler_strategy == CompilerStrategy::Winch 731 && test.config.simd() 732 && (fuzz_config 733 .wasmtime 734 .codegen_flag("has_avx") 735 .is_some_and(|value| value == "false") 736 || fuzz_config 737 .wasmtime 738 .codegen_flag("has_avx2") 739 .is_some_and(|value| value == "false")) 740 { 741 log::warn!( 742 "Skipping Wast test because Winch doesn't support SIMD tests with AVX or AVX2 disabled" 743 ); 744 return Err(arbitrary::Error::IncorrectFormat); 745 } 746 747 // Fuel and epochs don't play well with threads right now, so exclude any 748 // thread-spawning test if it looks like threads are spawned in that case. 749 if fuzz_config.wasmtime.consume_fuel || fuzz_config.wasmtime.epoch_interruption { 750 if test.contents.contains("(thread") { 751 return Err(arbitrary::Error::IncorrectFormat); 752 } 753 } 754 755 log::debug!("running {:?}", test.path); 756 let async_ = if fuzz_config.wasmtime.async_config == generators::AsyncConfig::Disabled { 757 wasmtime_wast::Async::No 758 } else { 759 wasmtime_wast::Async::Yes 760 }; 761 let engine = Engine::new(&fuzz_config.to_wasmtime()).unwrap(); 762 let mut wast_context = WastContext::new(&engine, async_, move |store| { 763 fuzz_config.configure_store_epoch_and_fuel(store); 764 }); 765 wast_context 766 .register_spectest(&wasmtime_wast::SpectestConfig { 767 use_shared_memory: true, 768 suppress_prints: true, 769 }) 770 .unwrap(); 771 wast_context 772 .run_wast(test.path.to_str().unwrap(), test.contents.as_bytes()) 773 .unwrap(); 774 Ok(()) 775 } 776 777 /// Execute a series of `table.get` and `table.set` operations. 778 /// 779 /// Returns the number of `gc` operations which occurred throughout the test 780 /// case -- used to test below that gc happens reasonably soon and eventually. 781 pub fn table_ops( 782 mut fuzz_config: generators::Config, 783 mut ops: generators::table_ops::TableOps, 784 ) -> Result<usize> { 785 let expected_drops = Arc::new(AtomicUsize::new(0)); 786 let num_dropped = Arc::new(AtomicUsize::new(0)); 787 788 let num_gcs = Arc::new(AtomicUsize::new(0)); 789 { 790 fuzz_config.wasmtime.consume_fuel = true; 791 let mut store = fuzz_config.to_store(); 792 store.set_fuel(1_000).unwrap(); 793 794 let wasm = ops.to_wasm_binary(); 795 log_wasm(&wasm); 796 let module = match compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config) { 797 Some(m) => m, 798 None => return Ok(0), 799 }; 800 801 let mut linker = Linker::new(store.engine()); 802 803 // To avoid timeouts, limit the number of explicit GCs we perform per 804 // test case. 805 const MAX_GCS: usize = 5; 806 807 let func_ty = FuncType::new( 808 store.engine(), 809 vec![], 810 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 811 ); 812 let func = Func::new(&mut store, func_ty, { 813 let num_dropped = num_dropped.clone(); 814 let expected_drops = expected_drops.clone(); 815 let num_gcs = num_gcs.clone(); 816 move |mut caller: Caller<'_, StoreLimits>, _params, results| { 817 log::info!("table_ops: GC"); 818 if num_gcs.fetch_add(1, SeqCst) < MAX_GCS { 819 caller.gc(None); 820 } 821 822 let a = ExternRef::new( 823 &mut caller, 824 CountDrops::new(&expected_drops, num_dropped.clone()), 825 )?; 826 let b = ExternRef::new( 827 &mut caller, 828 CountDrops::new(&expected_drops, num_dropped.clone()), 829 )?; 830 let c = ExternRef::new( 831 &mut caller, 832 CountDrops::new(&expected_drops, num_dropped.clone()), 833 )?; 834 835 log::info!("table_ops: gc() -> ({a:?}, {b:?}, {c:?})"); 836 results[0] = Some(a).into(); 837 results[1] = Some(b).into(); 838 results[2] = Some(c).into(); 839 Ok(()) 840 } 841 }); 842 linker.define(&store, "", "gc", func).unwrap(); 843 844 linker 845 .func_wrap("", "take_refs", { 846 let expected_drops = expected_drops.clone(); 847 move |caller: Caller<'_, StoreLimits>, 848 a: Option<Rooted<ExternRef>>, 849 b: Option<Rooted<ExternRef>>, 850 c: Option<Rooted<ExternRef>>| 851 -> Result<()> { 852 log::info!("table_ops: take_refs({a:?}, {b:?}, {c:?})",); 853 854 // Do the assertion on each ref's inner data, even though it 855 // all points to the same atomic, so that if we happen to 856 // run into a use-after-free bug with one of these refs we 857 // are more likely to trigger a segfault. 858 if let Some(a) = a { 859 let a = a 860 .data(&caller)? 861 .unwrap() 862 .downcast_ref::<CountDrops>() 863 .unwrap(); 864 assert!(a.0.load(SeqCst) <= expected_drops.load(SeqCst)); 865 } 866 if let Some(b) = b { 867 let b = b 868 .data(&caller)? 869 .unwrap() 870 .downcast_ref::<CountDrops>() 871 .unwrap(); 872 assert!(b.0.load(SeqCst) <= expected_drops.load(SeqCst)); 873 } 874 if let Some(c) = c { 875 let c = c 876 .data(&caller)? 877 .unwrap() 878 .downcast_ref::<CountDrops>() 879 .unwrap(); 880 assert!(c.0.load(SeqCst) <= expected_drops.load(SeqCst)); 881 } 882 Ok(()) 883 } 884 }) 885 .unwrap(); 886 887 let func_ty = FuncType::new( 888 store.engine(), 889 vec![], 890 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 891 ); 892 let func = Func::new(&mut store, func_ty, { 893 let num_dropped = num_dropped.clone(); 894 let expected_drops = expected_drops.clone(); 895 move |mut caller, _params, results| { 896 log::info!("table_ops: make_refs"); 897 898 let a = ExternRef::new( 899 &mut caller, 900 CountDrops::new(&expected_drops, num_dropped.clone()), 901 )?; 902 let b = ExternRef::new( 903 &mut caller, 904 CountDrops::new(&expected_drops, num_dropped.clone()), 905 )?; 906 let c = ExternRef::new( 907 &mut caller, 908 CountDrops::new(&expected_drops, num_dropped.clone()), 909 )?; 910 911 log::info!("table_ops: make_refs() -> ({a:?}, {b:?}, {c:?})"); 912 913 results[0] = Some(a).into(); 914 results[1] = Some(b).into(); 915 results[2] = Some(c).into(); 916 917 Ok(()) 918 } 919 }); 920 linker.define(&store, "", "make_refs", func).unwrap(); 921 922 let instance = linker.instantiate(&mut store, &module).unwrap(); 923 let run = instance.get_func(&mut store, "run").unwrap(); 924 925 { 926 let mut scope = RootScope::new(&mut store); 927 928 log::info!( 929 "table_ops: begin allocating {} externref arguments", 930 ops.limits.num_globals 931 ); 932 let args: Vec<_> = (0..ops.limits.num_params) 933 .map(|_| { 934 Ok(Val::ExternRef(Some(ExternRef::new( 935 &mut scope, 936 CountDrops::new(&expected_drops, num_dropped.clone()), 937 )?))) 938 }) 939 .collect::<Result<_>>()?; 940 log::info!( 941 "table_ops: end allocating {} externref arguments", 942 ops.limits.num_globals 943 ); 944 945 // The generated function should always return a trap. The only two 946 // valid traps are table-out-of-bounds which happens through `table.get` 947 // and `table.set` generated or an out-of-fuel trap. Otherwise any other 948 // error is unexpected and should fail fuzzing. 949 log::info!("table_ops: calling into Wasm `run` function"); 950 let err = run.call(&mut scope, &args, &mut []).unwrap_err(); 951 match err.downcast::<GcHeapOutOfMemory<CountDrops>>() { 952 Ok(_oom) => {} 953 Err(err) => { 954 let trap = err 955 .downcast::<Trap>() 956 .expect("if not GC oom, error should be a Wasm trap"); 957 match trap { 958 Trap::TableOutOfBounds | Trap::OutOfFuel => {} 959 _ => panic!("unexpected trap: {trap}"), 960 } 961 } 962 } 963 } 964 965 // Do a final GC after running the Wasm. 966 store.gc(None); 967 } 968 969 assert_eq!(num_dropped.load(SeqCst), expected_drops.load(SeqCst)); 970 return Ok(num_gcs.load(SeqCst)); 971 972 struct CountDrops(Arc<AtomicUsize>); 973 974 impl CountDrops { 975 fn new(expected_drops: &AtomicUsize, num_dropped: Arc<AtomicUsize>) -> Self { 976 let expected = expected_drops.fetch_add(1, SeqCst); 977 log::info!( 978 "CountDrops::new: expected drops: {expected} -> {}", 979 expected + 1 980 ); 981 Self(num_dropped) 982 } 983 } 984 985 impl Drop for CountDrops { 986 fn drop(&mut self) { 987 let drops = self.0.fetch_add(1, SeqCst); 988 log::info!("CountDrops::drop: actual drops: {drops} -> {}", drops + 1); 989 } 990 } 991 } 992 993 #[derive(Default)] 994 struct HelperThread { 995 state: Arc<HelperThreadState>, 996 thread: Option<std::thread::JoinHandle<()>>, 997 } 998 999 #[derive(Default)] 1000 struct HelperThreadState { 1001 should_exit: Mutex<bool>, 1002 should_exit_cvar: Condvar, 1003 } 1004 1005 impl HelperThread { 1006 fn run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static) { 1007 let state = self.state.clone(); 1008 self.thread = Some(std::thread::spawn(move || { 1009 // Using our mutex/condvar we wait here for the first of `dur` to 1010 // pass or the `HelperThread` instance to get dropped. 1011 let mut should_exit = state.should_exit.lock().unwrap(); 1012 while !*should_exit { 1013 let (lock, result) = state 1014 .should_exit_cvar 1015 .wait_timeout(should_exit, dur) 1016 .unwrap(); 1017 should_exit = lock; 1018 // If we timed out for sure then there's no need to continue 1019 // since we'll just abort on the next `checked_sub` anyway. 1020 if result.timed_out() { 1021 closure(); 1022 } 1023 } 1024 })); 1025 } 1026 } 1027 1028 impl Drop for HelperThread { 1029 fn drop(&mut self) { 1030 let thread = match self.thread.take() { 1031 Some(thread) => thread, 1032 None => return, 1033 }; 1034 // Signal our thread that it should exit and wake it up in case it's 1035 // sleeping. 1036 *self.state.should_exit.lock().unwrap() = true; 1037 self.state.should_exit_cvar.notify_one(); 1038 1039 // ... and then wait for the thread to exit to ensure we clean up 1040 // after ourselves. 1041 thread.join().unwrap(); 1042 } 1043 } 1044 1045 /// Generate and execute a `crate::generators::component_types::TestCase` using the specified `input` to create 1046 /// arbitrary types and values. 1047 pub fn dynamic_component_api_target(input: &mut arbitrary::Unstructured) -> arbitrary::Result<()> { 1048 use crate::generators::component_types; 1049 use wasmtime::component::{Component, Linker, Val}; 1050 use wasmtime_test_util::component::FuncExt; 1051 use wasmtime_test_util::component_fuzz::{ 1052 EXPORT_FUNCTION, IMPORT_FUNCTION, MAX_TYPE_DEPTH, TestCase, Type, 1053 }; 1054 1055 crate::init_fuzzing(); 1056 1057 let mut types = Vec::new(); 1058 let mut type_fuel = 500; 1059 1060 for _ in 0..5 { 1061 types.push(Type::generate(input, MAX_TYPE_DEPTH, &mut type_fuel)?); 1062 } 1063 let params = (0..input.int_in_range(0..=5)?) 1064 .map(|_| input.choose(&types)) 1065 .collect::<arbitrary::Result<Vec<_>>>()?; 1066 let result = if input.arbitrary()? { 1067 Some(input.choose(&types)?) 1068 } else { 1069 None 1070 }; 1071 1072 let case = TestCase { 1073 params, 1074 result, 1075 encoding1: input.arbitrary()?, 1076 encoding2: input.arbitrary()?, 1077 }; 1078 1079 let mut config = wasmtime_test_util::component::config(); 1080 config.debug_adapter_modules(input.arbitrary()?); 1081 let engine = Engine::new(&config).unwrap(); 1082 let mut store = Store::new(&engine, (Vec::new(), None)); 1083 let wat = case.declarations().make_component(); 1084 let wat = wat.as_bytes(); 1085 log_wasm(wat); 1086 let component = Component::new(&engine, wat).unwrap(); 1087 let mut linker = Linker::new(&engine); 1088 1089 linker 1090 .root() 1091 .func_new(IMPORT_FUNCTION, { 1092 move |mut cx: StoreContextMut<'_, (Vec<Val>, Option<Vec<Val>>)>, 1093 params: &[Val], 1094 results: &mut [Val]| 1095 -> Result<()> { 1096 log::trace!("received params {params:?}"); 1097 let (expected_args, expected_results) = cx.data_mut(); 1098 assert_eq!(params.len(), expected_args.len()); 1099 for (expected, actual) in expected_args.iter().zip(params) { 1100 assert_eq!(expected, actual); 1101 } 1102 results.clone_from_slice(&expected_results.take().unwrap()); 1103 log::trace!("returning results {results:?}"); 1104 Ok(()) 1105 } 1106 }) 1107 .unwrap(); 1108 1109 let instance = linker.instantiate(&mut store, &component).unwrap(); 1110 let func = instance.get_func(&mut store, EXPORT_FUNCTION).unwrap(); 1111 let param_tys = func.params(&store); 1112 let result_tys = func.results(&store); 1113 1114 while input.arbitrary()? { 1115 let params = param_tys 1116 .iter() 1117 .map(|(_, ty)| component_types::arbitrary_val(ty, input)) 1118 .collect::<arbitrary::Result<Vec<_>>>()?; 1119 let results = result_tys 1120 .iter() 1121 .map(|ty| component_types::arbitrary_val(ty, input)) 1122 .collect::<arbitrary::Result<Vec<_>>>()?; 1123 1124 *store.data_mut() = (params.clone(), Some(results.clone())); 1125 1126 log::trace!("passing params {params:?}"); 1127 let mut actual = vec![Val::Bool(false); results.len()]; 1128 func.call_and_post_return(&mut store, ¶ms, &mut actual) 1129 .unwrap(); 1130 log::trace!("received results {actual:?}"); 1131 assert_eq!(actual, results); 1132 } 1133 1134 Ok(()) 1135 } 1136 1137 /// Instantiates a wasm module and runs its exports with dummy values, all in 1138 /// an async fashion. 1139 /// 1140 /// Attempts to stress yields in host functions to ensure that exiting and 1141 /// resuming a wasm function call works. 1142 pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32]) { 1143 let mut store = config.to_store(); 1144 let module = match compile_module(store.engine(), wasm, KnownValid::Yes, config) { 1145 Some(module) => module, 1146 None => return, 1147 }; 1148 1149 // Configure a helper thread to periodically increment the epoch to 1150 // forcibly enable yields-via-epochs if epochs are in use. Note that this 1151 // is required because the wasm isn't otherwise guaranteed to necessarily 1152 // call any imports which will also increment the epoch. 1153 let mut helper_thread = HelperThread::default(); 1154 if let generators::AsyncConfig::YieldWithEpochs { dur, .. } = &config.wasmtime.async_config { 1155 let engine = store.engine().clone(); 1156 helper_thread.run_periodically(*dur, move || engine.increment_epoch()); 1157 } 1158 1159 // Generate a `Linker` where all function imports are custom-built to yield 1160 // periodically and additionally increment the epoch. 1161 let mut imports = Vec::new(); 1162 for import in module.imports() { 1163 let item = match import.ty() { 1164 ExternType::Func(ty) => { 1165 let poll_amt = take_poll_amt(&mut poll_amts); 1166 Func::new_async(&mut store, ty.clone(), move |caller, _, results| { 1167 let ty = ty.clone(); 1168 Box::new(async move { 1169 caller.engine().increment_epoch(); 1170 log::info!("yielding {poll_amt} times in import"); 1171 YieldN(poll_amt).await; 1172 for (ret_ty, result) in ty.results().zip(results) { 1173 *result = ret_ty.default_value().unwrap(); 1174 } 1175 Ok(()) 1176 }) 1177 }) 1178 .into() 1179 } 1180 other_ty => match other_ty.default_value(&mut store) { 1181 Ok(item) => item, 1182 Err(e) => { 1183 log::warn!("couldn't create import for {import:?}: {e:?}"); 1184 return; 1185 } 1186 }, 1187 }; 1188 imports.push(item); 1189 } 1190 1191 // Run the instantiation process, asynchronously, and if everything 1192 // succeeds then pull out the instance. 1193 // log::info!("starting instantiation"); 1194 let instance = run(Timeout { 1195 future: Instance::new_async(&mut store, &module, &imports), 1196 polls: take_poll_amt(&mut poll_amts), 1197 end: Instant::now() + Duration::from_millis(2_000), 1198 }); 1199 let instance = match instance { 1200 Ok(instantiation_result) => match unwrap_instance(&store, instantiation_result) { 1201 Some(instance) => instance, 1202 None => { 1203 log::info!("instantiation hit a nominal error"); 1204 return; // resource exhaustion or limits met 1205 } 1206 }, 1207 Err(_) => { 1208 log::info!("instantiation failed to complete"); 1209 return; // Timed out or ran out of polls 1210 } 1211 }; 1212 1213 // Run each export of the instance in the same manner as instantiation 1214 // above. Dummy values are passed in for argument values here: 1215 // 1216 // TODO: this should probably be more clever about passing in arguments for 1217 // example they might be used as pointers or something and always using 0 1218 // isn't too interesting. 1219 let funcs = instance 1220 .exports(&mut store) 1221 .filter_map(|e| { 1222 let name = e.name().to_string(); 1223 let func = e.into_extern().into_func()?; 1224 Some((name, func)) 1225 }) 1226 .collect::<Vec<_>>(); 1227 for (name, func) in funcs { 1228 let ty = func.ty(&store); 1229 let params = ty 1230 .params() 1231 .map(|ty| ty.default_value().unwrap()) 1232 .collect::<Vec<_>>(); 1233 let mut results = ty 1234 .results() 1235 .map(|ty| ty.default_value().unwrap()) 1236 .collect::<Vec<_>>(); 1237 1238 log::info!("invoking export {name:?}"); 1239 let future = func.call_async(&mut store, ¶ms, &mut results); 1240 match run(Timeout { 1241 future, 1242 polls: take_poll_amt(&mut poll_amts), 1243 end: Instant::now() + Duration::from_millis(2_000), 1244 }) { 1245 // On success or too many polls, try the next export. 1246 Ok(_) | Err(Exhausted::Polls) => {} 1247 1248 // If time ran out then stop the current test case as we might have 1249 // already sucked up a lot of time for this fuzz test case so don't 1250 // keep it going. 1251 Err(Exhausted::Time) => return, 1252 } 1253 } 1254 1255 fn take_poll_amt(polls: &mut &[u32]) -> u32 { 1256 match polls.split_first() { 1257 Some((a, rest)) => { 1258 *polls = rest; 1259 *a 1260 } 1261 None => 0, 1262 } 1263 } 1264 1265 /// Helper future to yield N times before resolving. 1266 struct YieldN(u32); 1267 1268 impl Future for YieldN { 1269 type Output = (); 1270 1271 fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<()> { 1272 if self.0 == 0 { 1273 Poll::Ready(()) 1274 } else { 1275 self.0 -= 1; 1276 cx.waker().wake_by_ref(); 1277 Poll::Pending 1278 } 1279 } 1280 } 1281 1282 /// Helper future for applying a timeout to `future` up to either when `end` 1283 /// is the current time or `polls` polls happen. 1284 /// 1285 /// Note that this helps to time out infinite loops in wasm, for example. 1286 struct Timeout<F> { 1287 future: F, 1288 /// If the future isn't ready by this time then the `Timeout<F>` future 1289 /// will return `None`. 1290 end: Instant, 1291 /// If the future doesn't resolve itself in this many calls to `poll` 1292 /// then the `Timeout<F>` future will return `None`. 1293 polls: u32, 1294 } 1295 1296 enum Exhausted { 1297 Time, 1298 Polls, 1299 } 1300 1301 impl<F: Future> Future for Timeout<F> { 1302 type Output = Result<F::Output, Exhausted>; 1303 1304 fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 1305 let (end, polls, future) = unsafe { 1306 let me = self.get_unchecked_mut(); 1307 (me.end, &mut me.polls, Pin::new_unchecked(&mut me.future)) 1308 }; 1309 match future.poll(cx) { 1310 Poll::Ready(val) => Poll::Ready(Ok(val)), 1311 Poll::Pending => { 1312 if Instant::now() >= end { 1313 log::warn!("future operation timed out"); 1314 return Poll::Ready(Err(Exhausted::Time)); 1315 } 1316 if *polls == 0 { 1317 log::warn!("future operation ran out of polls"); 1318 return Poll::Ready(Err(Exhausted::Polls)); 1319 } 1320 *polls -= 1; 1321 Poll::Pending 1322 } 1323 } 1324 } 1325 } 1326 1327 fn run<F: Future>(future: F) -> F::Output { 1328 let mut f = Box::pin(future); 1329 let mut cx = Context::from_waker(Waker::noop()); 1330 loop { 1331 match f.as_mut().poll(&mut cx) { 1332 Poll::Ready(val) => break val, 1333 Poll::Pending => {} 1334 } 1335 } 1336 } 1337 } 1338 1339 #[cfg(test)] 1340 mod tests { 1341 use super::*; 1342 use arbitrary::Unstructured; 1343 use rand::prelude::*; 1344 use wasmparser::{Validator, WasmFeatures}; 1345 1346 fn gen_until_pass<T: for<'a> Arbitrary<'a>>( 1347 mut f: impl FnMut(T, &mut Unstructured<'_>) -> Result<bool>, 1348 ) -> bool { 1349 let mut rng = SmallRng::seed_from_u64(0); 1350 let mut buf = vec![0; 2048]; 1351 let n = 3000; 1352 for _ in 0..n { 1353 rng.fill_bytes(&mut buf); 1354 let mut u = Unstructured::new(&buf); 1355 1356 if let Ok(config) = u.arbitrary() { 1357 if f(config, &mut u).unwrap() { 1358 return true; 1359 } 1360 } 1361 } 1362 false 1363 } 1364 1365 /// Runs `f` with random data until it returns `Ok(())` `iters` times. 1366 fn test_n_times<T: for<'a> Arbitrary<'a>>( 1367 iters: u32, 1368 mut f: impl FnMut(T, &mut Unstructured<'_>) -> arbitrary::Result<()>, 1369 ) { 1370 let mut to_test = 0..iters; 1371 let ok = gen_until_pass(|a, b| { 1372 if f(a, b).is_ok() { 1373 Ok(to_test.next().is_none()) 1374 } else { 1375 Ok(false) 1376 } 1377 }); 1378 assert!(ok); 1379 } 1380 1381 // Test that the `table_ops` fuzzer eventually runs the gc function in the host. 1382 // We've historically had issues where this fuzzer accidentally wasn't fuzzing 1383 // anything for a long time so this is an attempt to prevent that from happening 1384 // again. 1385 #[test] 1386 fn table_ops_eventually_gcs() { 1387 // Skip if we're under emulation because some fuzz configurations will do 1388 // large address space reservations that QEMU doesn't handle well. 1389 if std::env::var("WASMTIME_TEST_NO_HOG_MEMORY").is_ok() { 1390 return; 1391 } 1392 1393 let ok = gen_until_pass(|(config, test), _| { 1394 let result = table_ops(config, test)?; 1395 Ok(result > 0) 1396 }); 1397 1398 if !ok { 1399 panic!("gc was never found"); 1400 } 1401 } 1402 1403 #[test] 1404 fn module_generation_uses_expected_proposals() { 1405 // Proposals that Wasmtime supports. Eventually a module should be 1406 // generated that needs these proposals. 1407 let mut expected = WasmFeatures::MUTABLE_GLOBAL 1408 | WasmFeatures::FLOATS 1409 | WasmFeatures::SIGN_EXTENSION 1410 | WasmFeatures::SATURATING_FLOAT_TO_INT 1411 | WasmFeatures::MULTI_VALUE 1412 | WasmFeatures::BULK_MEMORY 1413 | WasmFeatures::REFERENCE_TYPES 1414 | WasmFeatures::SIMD 1415 | WasmFeatures::MULTI_MEMORY 1416 | WasmFeatures::RELAXED_SIMD 1417 | WasmFeatures::THREADS 1418 | WasmFeatures::TAIL_CALL 1419 | WasmFeatures::WIDE_ARITHMETIC 1420 | WasmFeatures::MEMORY64 1421 | WasmFeatures::FUNCTION_REFERENCES 1422 | WasmFeatures::GC 1423 | WasmFeatures::GC_TYPES 1424 | WasmFeatures::CUSTOM_PAGE_SIZES 1425 | WasmFeatures::EXTENDED_CONST 1426 | WasmFeatures::EXCEPTIONS; 1427 1428 // All other features that wasmparser supports, which is presumably a 1429 // superset of the features that wasm-smith supports, are listed here as 1430 // unexpected. This means, for example, that if wasm-smith updates to 1431 // include a new proposal by default that wasmtime implements then it 1432 // will be required to be listed above. 1433 let unexpected = WasmFeatures::all() ^ expected; 1434 1435 let ok = gen_until_pass(|config: generators::Config, u| { 1436 let wasm = config.generate(u, None)?.to_bytes(); 1437 1438 // Double-check the module is valid 1439 Validator::new_with_features(WasmFeatures::all()).validate_all(&wasm)?; 1440 1441 // If any of the unexpected features are removed then this module 1442 // should always be valid, otherwise something went wrong. 1443 for feature in unexpected.iter() { 1444 let ok = 1445 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1446 if ok.is_err() { 1447 anyhow::bail!("generated a module with {feature:?} but that wasn't expected"); 1448 } 1449 } 1450 1451 // If any of `expected` is removed and the module fails to validate, 1452 // then that means the module requires that feature. Remove that 1453 // from the set of features we're then expecting. 1454 for feature in expected.iter() { 1455 let ok = 1456 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1457 if ok.is_err() { 1458 expected ^= feature; 1459 } 1460 } 1461 1462 Ok(expected.is_empty()) 1463 }); 1464 1465 if !ok { 1466 panic!("never generated wasm module using {expected:?}"); 1467 } 1468 } 1469 1470 #[test] 1471 fn wast_smoke_test() { 1472 test_n_times(50, |(), u| super::wast_test(u)); 1473 } 1474 } 1475