1 //! Oracles. 2 //! 3 //! Oracles take a test case and determine whether we have a bug. For example, 4 //! one of the simplest oracles is to take a Wasm binary as our input test case, 5 //! validate and instantiate it, and (implicitly) check that no assertions 6 //! failed or segfaults happened. A more complicated oracle might compare the 7 //! result of executing a Wasm file with and without optimizations enabled, and 8 //! make sure that the two executions are observably identical. 9 //! 10 //! When an oracle finds a bug, it should report it to the fuzzing engine by 11 //! panicking. 12 13 #[cfg(feature = "fuzz-spec-interpreter")] 14 pub mod diff_spec; 15 pub mod diff_wasmi; 16 pub mod diff_wasmtime; 17 pub mod dummy; 18 pub mod engine; 19 pub mod memory; 20 mod stacks; 21 22 use self::diff_wasmtime::WasmtimeInstance; 23 use self::engine::{DiffEngine, DiffInstance}; 24 use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType}; 25 use crate::single_module_fuzzer::KnownValid; 26 use arbitrary::Arbitrary; 27 pub use stacks::check_stacks; 28 use std::future::Future; 29 use std::pin::Pin; 30 use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst}; 31 use std::sync::{Arc, Condvar, Mutex}; 32 use std::task::{Context, Poll}; 33 use std::time::{Duration, Instant}; 34 use wasmtime::*; 35 use wasmtime_wast::WastContext; 36 37 #[cfg(not(any(windows, target_arch = "s390x", target_arch = "riscv64")))] 38 mod diff_v8; 39 40 static CNT: AtomicUsize = AtomicUsize::new(0); 41 42 /// Logs a wasm file to the filesystem to make it easy to figure out what wasm 43 /// was used when debugging. 44 pub fn log_wasm(wasm: &[u8]) { 45 super::init_fuzzing(); 46 47 if !log::log_enabled!(log::Level::Debug) { 48 return; 49 } 50 51 let i = CNT.fetch_add(1, SeqCst); 52 let name = format!("testcase{i}.wasm"); 53 std::fs::write(&name, wasm).expect("failed to write wasm file"); 54 log::debug!("wrote wasm file to `{}`", name); 55 let wat = format!("testcase{i}.wat"); 56 match wasmprinter::print_bytes(wasm) { 57 Ok(s) => std::fs::write(&wat, s).expect("failed to write wat file"), 58 // If wasmprinter failed remove a `*.wat` file, if any, to avoid 59 // confusing a preexisting one with this wasm which failed to get 60 // printed. 61 Err(_) => drop(std::fs::remove_file(&wat)), 62 } 63 } 64 65 /// The `T` in `Store<T>` for fuzzing stores, used to limit resource 66 /// consumption during fuzzing. 67 #[derive(Clone)] 68 pub struct StoreLimits(Arc<LimitsState>); 69 70 struct LimitsState { 71 /// Remaining memory, in bytes, left to allocate 72 remaining_memory: AtomicUsize, 73 /// Remaining amount of memory that's allowed to be copied via a growth. 74 remaining_copy_allowance: AtomicUsize, 75 /// Whether or not an allocation request has been denied 76 oom: AtomicBool, 77 } 78 79 /// Allow up to 1G which is well below the 2G limit on OSS-Fuzz and should allow 80 /// most interesting behavior. 81 const MAX_MEMORY: usize = 1 << 30; 82 83 /// Allow up to 4G of bytes to be copied (conservatively) which should enable 84 /// growth up to `MAX_MEMORY` or at least up to a relatively large amount. 85 const MAX_MEMORY_MOVED: usize = 4 << 30; 86 87 impl StoreLimits { 88 /// Creates the default set of limits for all fuzzing stores. 89 pub fn new() -> StoreLimits { 90 StoreLimits(Arc::new(LimitsState { 91 remaining_memory: AtomicUsize::new(MAX_MEMORY), 92 remaining_copy_allowance: AtomicUsize::new(MAX_MEMORY_MOVED), 93 oom: AtomicBool::new(false), 94 })) 95 } 96 97 fn alloc(&mut self, amt: usize) -> bool { 98 log::trace!("alloc {amt:#x} bytes"); 99 100 // Assume that on each allocation of memory that all previous 101 // allocations of memory are moved. This is pretty coarse but is used to 102 // help prevent against fuzz test cases that just move tons of bytes 103 // around continuously. This assumes that all previous memory was 104 // allocated in a single linear memory and growing by `amt` will require 105 // moving all the bytes to a new location. This isn't actually required 106 // all the time nor does it accurately reflect what happens all the 107 // time, but it's a coarse approximation that should be "good enough" 108 // for allowing interesting fuzz behaviors to happen while not timing 109 // out just copying bytes around. 110 let prev_size = MAX_MEMORY - self.0.remaining_memory.load(SeqCst); 111 if self 112 .0 113 .remaining_copy_allowance 114 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(prev_size)) 115 .is_err() 116 { 117 self.0.oom.store(true, SeqCst); 118 log::debug!("-> too many bytes moved, rejecting allocation"); 119 return false; 120 } 121 122 // If we're allowed to move the bytes, then also check if we're allowed 123 // to actually have this much residence at once. 124 match self 125 .0 126 .remaining_memory 127 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(amt)) 128 { 129 Ok(_) => true, 130 Err(_) => { 131 self.0.oom.store(true, SeqCst); 132 log::debug!("-> OOM hit"); 133 false 134 } 135 } 136 } 137 138 fn is_oom(&self) -> bool { 139 self.0.oom.load(SeqCst) 140 } 141 } 142 143 impl ResourceLimiter for StoreLimits { 144 fn memory_growing( 145 &mut self, 146 current: usize, 147 desired: usize, 148 _maximum: Option<usize>, 149 ) -> Result<bool> { 150 Ok(self.alloc(desired - current)) 151 } 152 153 fn table_growing( 154 &mut self, 155 current: usize, 156 desired: usize, 157 _maximum: Option<usize>, 158 ) -> Result<bool> { 159 let delta = (desired - current).saturating_mul(std::mem::size_of::<usize>()); 160 Ok(self.alloc(delta)) 161 } 162 } 163 164 /// Methods of timing out execution of a WebAssembly module 165 #[derive(Clone, Debug)] 166 pub enum Timeout { 167 /// No timeout is used, it should be guaranteed via some other means that 168 /// the input does not infinite loop. 169 None, 170 /// Fuel-based timeouts are used where the specified fuel is all that the 171 /// provided wasm module is allowed to consume. 172 Fuel(u64), 173 /// An epoch-interruption-based timeout is used with a sleeping 174 /// thread bumping the epoch counter after the specified duration. 175 Epoch(Duration), 176 } 177 178 /// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected 179 /// panic or segfault or anything else that can be detected "passively". 180 /// 181 /// The engine will be configured using provided config. 182 pub fn instantiate( 183 wasm: &[u8], 184 known_valid: KnownValid, 185 config: &generators::Config, 186 timeout: Timeout, 187 ) { 188 let mut store = config.to_store(); 189 190 let module = match compile_module(store.engine(), wasm, known_valid, config) { 191 Some(module) => module, 192 None => return, 193 }; 194 195 let mut timeout_state = HelperThread::default(); 196 match timeout { 197 Timeout::Fuel(fuel) => store.set_fuel(fuel).unwrap(), 198 199 // If a timeout is requested then we spawn a helper thread to wait for 200 // the requested time and then send us a signal to get interrupted. We 201 // also arrange for the thread's sleep to get interrupted if we return 202 // early (or the wasm returns within the time limit), which allows the 203 // thread to get torn down. 204 // 205 // This prevents us from creating a huge number of sleeping threads if 206 // this function is executed in a loop, like it does on nightly fuzzing 207 // infrastructure. 208 Timeout::Epoch(timeout) => { 209 let engine = store.engine().clone(); 210 timeout_state.run_periodically(timeout, move || engine.increment_epoch()); 211 } 212 Timeout::None => {} 213 } 214 215 instantiate_with_dummy(&mut store, &module); 216 } 217 218 /// Represents supported commands to the `instantiate_many` function. 219 #[derive(Arbitrary, Debug)] 220 pub enum Command { 221 /// Instantiates a module. 222 /// 223 /// The value is the index of the module to instantiate. 224 /// 225 /// The module instantiated will be this value modulo the number of modules provided to `instantiate_many`. 226 Instantiate(usize), 227 /// Terminates a "running" instance. 228 /// 229 /// The value is the index of the instance to terminate. 230 /// 231 /// The instance terminated will be this value modulo the number of currently running 232 /// instances. 233 /// 234 /// If no instances are running, the command will be ignored. 235 Terminate(usize), 236 } 237 238 /// Instantiates many instances from the given modules. 239 /// 240 /// The engine will be configured using the provided config. 241 /// 242 /// The modules are expected to *not* have start functions as no timeouts are configured. 243 pub fn instantiate_many( 244 modules: &[Vec<u8>], 245 known_valid: KnownValid, 246 config: &generators::Config, 247 commands: &[Command], 248 ) { 249 assert!(!config.module_config.config.allow_start_export); 250 251 let engine = Engine::new(&config.to_wasmtime()).unwrap(); 252 253 let modules = modules 254 .iter() 255 .filter_map(|bytes| compile_module(&engine, bytes, known_valid, config)) 256 .collect::<Vec<_>>(); 257 258 // If no modules were valid, we're done 259 if modules.is_empty() { 260 return; 261 } 262 263 // This stores every `Store` where a successful instantiation takes place 264 let mut stores = Vec::new(); 265 let limits = StoreLimits::new(); 266 267 for command in commands { 268 match command { 269 Command::Instantiate(index) => { 270 let index = *index % modules.len(); 271 log::info!("instantiating {}", index); 272 let module = &modules[index]; 273 let mut store = Store::new(&engine, limits.clone()); 274 config.configure_store(&mut store); 275 276 if instantiate_with_dummy(&mut store, module).is_some() { 277 stores.push(Some(store)); 278 } else { 279 log::warn!("instantiation failed"); 280 } 281 } 282 Command::Terminate(index) => { 283 if stores.is_empty() { 284 continue; 285 } 286 let index = *index % stores.len(); 287 288 log::info!("dropping {}", index); 289 stores.swap_remove(index); 290 } 291 } 292 } 293 } 294 295 fn compile_module( 296 engine: &Engine, 297 bytes: &[u8], 298 known_valid: KnownValid, 299 config: &generators::Config, 300 ) -> Option<Module> { 301 log_wasm(bytes); 302 303 fn is_pcc_error(e: &anyhow::Error) -> bool { 304 // NOTE: please keep this predicate in sync with the display format of CodegenError, 305 // defined in `wasmtime/cranelift/codegen/src/result.rs` 306 e.to_string().to_lowercase().contains("proof-carrying-code") 307 } 308 309 match config.compile(engine, bytes) { 310 Ok(module) => Some(module), 311 Err(e) if is_pcc_error(&e) => { 312 panic!("pcc error in input: {e:#?}"); 313 } 314 Err(_) if known_valid == KnownValid::No => None, 315 Err(e) => { 316 if let generators::InstanceAllocationStrategy::Pooling(c) = &config.wasmtime.strategy { 317 // When using the pooling allocator, accept failures to compile 318 // when arbitrary table element limits have been exceeded as 319 // there is currently no way to constrain the generated module 320 // table types. 321 let string = e.to_string(); 322 if string.contains("minimum element size") { 323 return None; 324 } 325 326 // Allow modules-failing-to-compile which exceed the requested 327 // size for each instance. This is something that is difficult 328 // to control and ensure it always succeeds, so we simply have a 329 // "random" instance size limit and if a module doesn't fit we 330 // move on to the next fuzz input. 331 if string.contains("instance allocation for this module requires") { 332 return None; 333 } 334 335 // If the pooling allocator is more restrictive on the number of 336 // tables and memories than we allowed wasm-smith to generate 337 // then allow compilation errors along those lines. 338 if c.max_tables_per_module < (config.module_config.config.max_tables as u32) 339 && string.contains("defined tables count") 340 && string.contains("exceeds the per-instance limit") 341 { 342 return None; 343 } 344 345 if c.max_memories_per_module < (config.module_config.config.max_memories as u32) 346 && string.contains("defined memories count") 347 && string.contains("exceeds the per-instance limit") 348 { 349 return None; 350 } 351 } 352 353 panic!("failed to compile module: {e:?}"); 354 } 355 } 356 } 357 358 /// Create a Wasmtime [`Instance`] from a [`Module`] and fill in all imports 359 /// with dummy values (e.g., zeroed values, immediately-trapping functions). 360 /// Also, this function catches certain fuzz-related instantiation failures and 361 /// returns `None` instead of panicking. 362 /// 363 /// TODO: we should implement tracing versions of these dummy imports that 364 /// record a trace of the order that imported functions were called in and with 365 /// what values. Like the results of exported functions, calls to imports should 366 /// also yield the same values for each configuration, and we should assert 367 /// that. 368 pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance> { 369 // Creation of imports can fail due to resource limit constraints, and then 370 // instantiation can naturally fail for a number of reasons as well. Bundle 371 // the two steps together to match on the error below. 372 let instance = 373 dummy::dummy_linker(store, module).and_then(|l| l.instantiate(&mut *store, module)); 374 unwrap_instance(store, instance) 375 } 376 377 fn unwrap_instance( 378 store: &Store<StoreLimits>, 379 instance: anyhow::Result<Instance>, 380 ) -> Option<Instance> { 381 let e = match instance { 382 Ok(i) => return Some(i), 383 Err(e) => e, 384 }; 385 386 // If the instantiation hit OOM for some reason then that's ok, it's 387 // expected that fuzz-generated programs try to allocate lots of 388 // stuff. 389 if store.data().is_oom() { 390 log::debug!("failed to instantiate: OOM"); 391 return None; 392 } 393 394 // Allow traps which can happen normally with `unreachable` or a 395 // timeout or such 396 if let Some(trap) = e.downcast_ref::<Trap>() { 397 log::debug!("failed to instantiate: {}", trap); 398 return None; 399 } 400 401 let string = e.to_string(); 402 // Currently we instantiate with a `Linker` which can't instantiate 403 // every single module under the sun due to using name-based resolution 404 // rather than positional-based resolution 405 if string.contains("incompatible import type") { 406 log::debug!("failed to instantiate: {}", string); 407 return None; 408 } 409 410 // Also allow failures to instantiate as a result of hitting pooling limits. 411 if e.is::<wasmtime::PoolConcurrencyLimitError>() { 412 log::debug!("failed to instantiate: {}", string); 413 return None; 414 } 415 416 // Everything else should be a bug in the fuzzer or a bug in wasmtime 417 panic!("failed to instantiate: {e:?}"); 418 } 419 420 /// Evaluate the function identified by `name` in two different engine 421 /// instances--`lhs` and `rhs`. 422 /// 423 /// Returns `Ok(true)` if more evaluations can happen or `Ok(false)` if the 424 /// instances may have drifted apart and no more evaluations can happen. 425 /// 426 /// # Panics 427 /// 428 /// This will panic if the evaluation is different between engines (e.g., 429 /// results are different, hashed instance is different, one side traps, etc.). 430 pub fn differential( 431 lhs: &mut dyn DiffInstance, 432 lhs_engine: &dyn DiffEngine, 433 rhs: &mut WasmtimeInstance, 434 name: &str, 435 args: &[DiffValue], 436 result_tys: &[DiffValueType], 437 ) -> anyhow::Result<bool> { 438 log::debug!("Evaluating: `{}` with {:?}", name, args); 439 let lhs_results = match lhs.evaluate(name, args, result_tys) { 440 Ok(Some(results)) => Ok(results), 441 Err(e) => Err(e), 442 // this engine couldn't execute this type signature, so discard this 443 // execution by returning success. 444 Ok(None) => return Ok(true), 445 }; 446 log::debug!(" -> lhs results on {}: {:?}", lhs.name(), &lhs_results); 447 448 let rhs_results = rhs 449 .evaluate(name, args, result_tys) 450 // wasmtime should be able to invoke any signature, so unwrap this result 451 .map(|results| results.unwrap()); 452 log::debug!(" -> rhs results on {}: {:?}", rhs.name(), &rhs_results); 453 454 // If Wasmtime hit its OOM condition, which is possible since it's set 455 // somewhat low while fuzzing, then don't return an error but return 456 // `false` indicating that differential fuzzing must stop. There's no 457 // guarantee the other engine has the same OOM limits as Wasmtime, and 458 // it's assumed that Wasmtime is configured to have a more conservative 459 // limit than the other engine. 460 if rhs.is_oom() { 461 return Ok(false); 462 } 463 464 match DiffEqResult::new(lhs_engine, lhs_results, rhs_results) { 465 DiffEqResult::Success(lhs, rhs) => assert_eq!(lhs, rhs), 466 DiffEqResult::Poisoned => return Ok(false), 467 DiffEqResult::Failed => {} 468 } 469 470 for (global, ty) in rhs.exported_globals() { 471 log::debug!("Comparing global `{global}`"); 472 let lhs = match lhs.get_global(&global, ty) { 473 Some(val) => val, 474 None => continue, 475 }; 476 let rhs = rhs.get_global(&global, ty).unwrap(); 477 assert_eq!(lhs, rhs); 478 } 479 for (memory, shared) in rhs.exported_memories() { 480 log::debug!("Comparing memory `{memory}`"); 481 let lhs = match lhs.get_memory(&memory, shared) { 482 Some(val) => val, 483 None => continue, 484 }; 485 let rhs = rhs.get_memory(&memory, shared).unwrap(); 486 if lhs == rhs { 487 continue; 488 } 489 eprintln!("differential memory is {} bytes long", lhs.len()); 490 eprintln!("wasmtime memory is {} bytes long", rhs.len()); 491 panic!("memories have differing values"); 492 } 493 494 Ok(true) 495 } 496 497 /// Result of comparing the result of two operations during differential 498 /// execution. 499 pub enum DiffEqResult<T, U> { 500 /// Both engines succeeded. 501 Success(T, U), 502 /// The result has reached the state where engines may have diverged and 503 /// results can no longer be compared. 504 Poisoned, 505 /// Both engines failed with the same error message, and internal state 506 /// should still match between the two engines. 507 Failed, 508 } 509 510 impl<T, U> DiffEqResult<T, U> { 511 /// Computes the differential result from executing in two different 512 /// engines. 513 pub fn new( 514 lhs_engine: &dyn DiffEngine, 515 lhs_result: Result<T>, 516 rhs_result: Result<U>, 517 ) -> DiffEqResult<T, U> { 518 match (lhs_result, rhs_result) { 519 (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result), 520 521 // Both sides failed. Check that the trap and state at the time of 522 // failure is the same, when possible. 523 (Err(lhs), Err(rhs)) => { 524 let rhs = match rhs.downcast::<Trap>() { 525 Ok(trap) => trap, 526 527 // For general, unknown errors, we can't rely on this being 528 // a deterministic Wasm failure that both engines handled 529 // identically, leaving Wasm in identical states. We could 530 // just as easily be hitting engine-specific failures, like 531 // different implementation-defined limits. So simply report 532 // failure and move on to the next test. 533 Err(err) => { 534 log::debug!("rhs failed: {err:?}"); 535 return DiffEqResult::Failed; 536 } 537 }; 538 539 // Even some traps are nondeterministic, and we can't rely on 540 // the errors matching or leaving Wasm in the same state. 541 let poisoned = 542 // Allocations being too large for the GC are 543 // implementation-defined. 544 rhs == Trap::AllocationTooLarge 545 // Stack size, and therefore when overflow happens, is 546 // implementation-defined. 547 || rhs == Trap::StackOverflow 548 || lhs_engine.is_stack_overflow(&lhs); 549 if poisoned { 550 return DiffEqResult::Poisoned; 551 } 552 553 lhs_engine.assert_error_match(&lhs, &rhs); 554 DiffEqResult::Failed 555 } 556 // A real bug is found if only one side fails. 557 (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"), 558 (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"), 559 } 560 } 561 } 562 563 /// Invoke the given API calls. 564 pub fn make_api_calls(api: generators::api::ApiCalls) { 565 use crate::generators::api::ApiCall; 566 use std::collections::HashMap; 567 568 let mut store: Option<Store<StoreLimits>> = None; 569 let mut modules: HashMap<usize, Module> = Default::default(); 570 let mut instances: HashMap<usize, Instance> = Default::default(); 571 572 for call in api.calls { 573 match call { 574 ApiCall::StoreNew(config) => { 575 log::trace!("creating store"); 576 assert!(store.is_none()); 577 store = Some(config.to_store()); 578 } 579 580 ApiCall::ModuleNew { id, wasm } => { 581 log::debug!("creating module: {}", id); 582 log_wasm(&wasm); 583 let module = match Module::new(store.as_ref().unwrap().engine(), &wasm) { 584 Ok(m) => m, 585 Err(_) => continue, 586 }; 587 let old = modules.insert(id, module); 588 assert!(old.is_none()); 589 } 590 591 ApiCall::ModuleDrop { id } => { 592 log::trace!("dropping module: {}", id); 593 drop(modules.remove(&id)); 594 } 595 596 ApiCall::InstanceNew { id, module } => { 597 log::trace!("instantiating module {} as {}", module, id); 598 let module = match modules.get(&module) { 599 Some(m) => m, 600 None => continue, 601 }; 602 603 let store = store.as_mut().unwrap(); 604 if let Some(instance) = instantiate_with_dummy(store, module) { 605 instances.insert(id, instance); 606 } 607 } 608 609 ApiCall::InstanceDrop { id } => { 610 log::trace!("dropping instance {}", id); 611 instances.remove(&id); 612 } 613 614 ApiCall::CallExportedFunc { instance, nth } => { 615 log::trace!("calling instance export {} / {}", instance, nth); 616 let instance = match instances.get(&instance) { 617 Some(i) => i, 618 None => { 619 // Note that we aren't guaranteed to instantiate valid 620 // modules, see comments in `InstanceNew` for details on 621 // that. But the API call generator can't know if 622 // instantiation failed, so we might not actually have 623 // this instance. When that's the case, just skip the 624 // API call and keep going. 625 continue; 626 } 627 }; 628 let store = store.as_mut().unwrap(); 629 630 let funcs = instance 631 .exports(&mut *store) 632 .filter_map(|e| match e.into_extern() { 633 Extern::Func(f) => Some(f), 634 _ => None, 635 }) 636 .collect::<Vec<_>>(); 637 638 if funcs.is_empty() { 639 continue; 640 } 641 642 let nth = nth % funcs.len(); 643 let f = &funcs[nth]; 644 let ty = f.ty(&store); 645 if let Ok(params) = dummy::dummy_values(ty.params()) { 646 let mut results = vec![Val::I32(0); ty.results().len()]; 647 let _ = f.call(store, ¶ms, &mut results); 648 } 649 } 650 } 651 } 652 } 653 654 /// Executes the wast `test` with the `config` specified. 655 /// 656 /// Ensures that wast tests pass regardless of the `Config`. 657 pub fn wast_test(mut fuzz_config: generators::Config, test: generators::WastTest) { 658 crate::init_fuzzing(); 659 let test = &test.test; 660 661 // Discard tests that allocate a lot of memory as we don't want to OOM the 662 // fuzzer and we also limit memory growth which would cause the test to 663 // fail. 664 if test.config.hogs_memory.unwrap_or(false) { 665 return; 666 } 667 668 // Transform `fuzz_config` to be valid for `test` and make sure that this 669 // test is supposed to pass. 670 let wast_config = fuzz_config.make_wast_test_compliant(test); 671 if test.should_fail(&wast_config) { 672 return; 673 } 674 675 // Winch requires AVX and AVX2 for SIMD tests to pass so don't run the test 676 // if either isn't enabled. 677 if fuzz_config.wasmtime.compiler_strategy == CompilerStrategy::Winch 678 && test.config.simd() 679 && (fuzz_config 680 .wasmtime 681 .codegen_flag("has_avx") 682 .is_some_and(|value| value == "false") 683 || fuzz_config 684 .wasmtime 685 .codegen_flag("has_avx2") 686 .is_some_and(|value| value == "false")) 687 { 688 log::warn!( 689 "Skipping Wast test because Winch doesn't support SIMD tests with AVX or AVX2 disabled" 690 ); 691 return; 692 } 693 694 // Fuel and epochs don't play well with threads right now, so exclude any 695 // thread-spawning test if it looks like threads are spawned in that case. 696 if fuzz_config.wasmtime.consume_fuel || fuzz_config.wasmtime.epoch_interruption { 697 if test.contents.contains("(thread") { 698 return; 699 } 700 } 701 702 log::debug!("running {:?}", test.path); 703 let mut wast_context = WastContext::new(fuzz_config.to_store()); 704 wast_context 705 .register_spectest(&wasmtime_wast::SpectestConfig { 706 use_shared_memory: true, 707 suppress_prints: true, 708 }) 709 .unwrap(); 710 wast_context 711 .run_buffer(test.path.to_str().unwrap(), test.contents.as_bytes()) 712 .unwrap(); 713 } 714 715 /// Execute a series of `table.get` and `table.set` operations. 716 /// 717 /// Returns the number of `gc` operations which occurred throughout the test 718 /// case -- used to test below that gc happens reasonably soon and eventually. 719 pub fn table_ops( 720 mut fuzz_config: generators::Config, 721 ops: generators::table_ops::TableOps, 722 ) -> Result<usize> { 723 let expected_drops = Arc::new(AtomicUsize::new(ops.num_params as usize)); 724 let num_dropped = Arc::new(AtomicUsize::new(0)); 725 726 let num_gcs = Arc::new(AtomicUsize::new(0)); 727 { 728 fuzz_config.wasmtime.consume_fuel = true; 729 let mut store = fuzz_config.to_store(); 730 store.set_fuel(1_000).unwrap(); 731 732 let wasm = ops.to_wasm_binary(); 733 log_wasm(&wasm); 734 let module = match compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config) { 735 Some(m) => m, 736 None => return Ok(0), 737 }; 738 739 let mut linker = Linker::new(store.engine()); 740 741 // To avoid timeouts, limit the number of explicit GCs we perform per 742 // test case. 743 const MAX_GCS: usize = 5; 744 745 let func_ty = FuncType::new( 746 store.engine(), 747 vec![], 748 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 749 ); 750 let func = Func::new(&mut store, func_ty, { 751 let num_dropped = num_dropped.clone(); 752 let expected_drops = expected_drops.clone(); 753 let num_gcs = num_gcs.clone(); 754 move |mut caller: Caller<'_, StoreLimits>, _params, results| { 755 log::info!("table_ops: GC"); 756 if num_gcs.fetch_add(1, SeqCst) < MAX_GCS { 757 caller.gc(); 758 } 759 760 let a = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 761 let b = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 762 let c = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 763 764 log::info!("table_ops: gc() -> ({:?}, {:?}, {:?})", a, b, c); 765 766 expected_drops.fetch_add(3, SeqCst); 767 results[0] = Some(a).into(); 768 results[1] = Some(b).into(); 769 results[2] = Some(c).into(); 770 Ok(()) 771 } 772 }); 773 linker.define(&store, "", "gc", func).unwrap(); 774 775 linker 776 .func_wrap("", "take_refs", { 777 let expected_drops = expected_drops.clone(); 778 move |caller: Caller<'_, StoreLimits>, 779 a: Option<Rooted<ExternRef>>, 780 b: Option<Rooted<ExternRef>>, 781 c: Option<Rooted<ExternRef>>| 782 -> Result<()> { 783 log::info!("table_ops: take_refs({a:?}, {b:?}, {c:?})",); 784 785 // Do the assertion on each ref's inner data, even though it 786 // all points to the same atomic, so that if we happen to 787 // run into a use-after-free bug with one of these refs we 788 // are more likely to trigger a segfault. 789 if let Some(a) = a { 790 let a = a 791 .data(&caller)? 792 .unwrap() 793 .downcast_ref::<CountDrops>() 794 .unwrap(); 795 assert!(a.0.load(SeqCst) <= expected_drops.load(SeqCst)); 796 } 797 if let Some(b) = b { 798 let b = b 799 .data(&caller)? 800 .unwrap() 801 .downcast_ref::<CountDrops>() 802 .unwrap(); 803 assert!(b.0.load(SeqCst) <= expected_drops.load(SeqCst)); 804 } 805 if let Some(c) = c { 806 let c = c 807 .data(&caller)? 808 .unwrap() 809 .downcast_ref::<CountDrops>() 810 .unwrap(); 811 assert!(c.0.load(SeqCst) <= expected_drops.load(SeqCst)); 812 } 813 Ok(()) 814 } 815 }) 816 .unwrap(); 817 818 let func_ty = FuncType::new( 819 store.engine(), 820 vec![], 821 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 822 ); 823 let func = Func::new(&mut store, func_ty, { 824 let num_dropped = num_dropped.clone(); 825 let expected_drops = expected_drops.clone(); 826 move |mut caller, _params, results| { 827 log::info!("table_ops: make_refs"); 828 829 let a = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 830 let b = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 831 let c = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 832 expected_drops.fetch_add(3, SeqCst); 833 834 log::info!("table_ops: make_refs() -> ({:?}, {:?}, {:?})", a, b, c); 835 836 results[0] = Some(a).into(); 837 results[1] = Some(b).into(); 838 results[2] = Some(c).into(); 839 840 Ok(()) 841 } 842 }); 843 linker.define(&store, "", "make_refs", func).unwrap(); 844 845 let instance = linker.instantiate(&mut store, &module).unwrap(); 846 let run = instance.get_func(&mut store, "run").unwrap(); 847 848 { 849 let mut scope = RootScope::new(&mut store); 850 851 log::info!( 852 "table_ops: begin allocating {} externref arguments", 853 ops.num_globals 854 ); 855 let args: Vec<_> = (0..ops.num_params) 856 .map(|_| { 857 Ok(Val::ExternRef(Some(ExternRef::new( 858 &mut scope, 859 CountDrops(num_dropped.clone()), 860 )?))) 861 }) 862 .collect::<Result<_>>()?; 863 log::info!( 864 "table_ops: end allocating {} externref arguments", 865 ops.num_globals 866 ); 867 868 // The generated function should always return a trap. The only two 869 // valid traps are table-out-of-bounds which happens through `table.get` 870 // and `table.set` generated or an out-of-fuel trap. Otherwise any other 871 // error is unexpected and should fail fuzzing. 872 log::info!("table_ops: calling into Wasm `run` function"); 873 let trap = run 874 .call(&mut scope, &args, &mut []) 875 .unwrap_err() 876 .downcast::<Trap>() 877 .unwrap(); 878 879 match trap { 880 Trap::TableOutOfBounds | Trap::OutOfFuel => {} 881 _ => panic!("unexpected trap: {trap}"), 882 } 883 } 884 885 // Do a final GC after running the Wasm. 886 store.gc(); 887 } 888 889 assert_eq!(num_dropped.load(SeqCst), expected_drops.load(SeqCst)); 890 return Ok(num_gcs.load(SeqCst)); 891 892 struct CountDrops(Arc<AtomicUsize>); 893 894 impl Drop for CountDrops { 895 fn drop(&mut self) { 896 self.0.fetch_add(1, SeqCst); 897 } 898 } 899 } 900 901 #[derive(Default)] 902 struct HelperThread { 903 state: Arc<HelperThreadState>, 904 thread: Option<std::thread::JoinHandle<()>>, 905 } 906 907 #[derive(Default)] 908 struct HelperThreadState { 909 should_exit: Mutex<bool>, 910 should_exit_cvar: Condvar, 911 } 912 913 impl HelperThread { 914 fn run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static) { 915 let state = self.state.clone(); 916 self.thread = Some(std::thread::spawn(move || { 917 // Using our mutex/condvar we wait here for the first of `dur` to 918 // pass or the `HelperThread` instance to get dropped. 919 let mut should_exit = state.should_exit.lock().unwrap(); 920 while !*should_exit { 921 let (lock, result) = state 922 .should_exit_cvar 923 .wait_timeout(should_exit, dur) 924 .unwrap(); 925 should_exit = lock; 926 // If we timed out for sure then there's no need to continue 927 // since we'll just abort on the next `checked_sub` anyway. 928 if result.timed_out() { 929 closure(); 930 } 931 } 932 })); 933 } 934 } 935 936 impl Drop for HelperThread { 937 fn drop(&mut self) { 938 let thread = match self.thread.take() { 939 Some(thread) => thread, 940 None => return, 941 }; 942 // Signal our thread that it should exit and wake it up in case it's 943 // sleeping. 944 *self.state.should_exit.lock().unwrap() = true; 945 self.state.should_exit_cvar.notify_one(); 946 947 // ... and then wait for the thread to exit to ensure we clean up 948 // after ourselves. 949 thread.join().unwrap(); 950 } 951 } 952 953 /// Generate and execute a `crate::generators::component_types::TestCase` using the specified `input` to create 954 /// arbitrary types and values. 955 pub fn dynamic_component_api_target(input: &mut arbitrary::Unstructured) -> arbitrary::Result<()> { 956 use crate::generators::component_types; 957 use component_fuzz_util::{TestCase, Type, EXPORT_FUNCTION, IMPORT_FUNCTION, MAX_TYPE_DEPTH}; 958 use component_test_util::FuncExt; 959 use wasmtime::component::{Component, Linker, Val}; 960 961 crate::init_fuzzing(); 962 963 let mut types = Vec::new(); 964 let mut type_fuel = 500; 965 966 for _ in 0..5 { 967 types.push(Type::generate(input, MAX_TYPE_DEPTH, &mut type_fuel)?); 968 } 969 let params = (0..input.int_in_range(0..=5)?) 970 .map(|_| input.choose(&types)) 971 .collect::<arbitrary::Result<Vec<_>>>()?; 972 let results = (0..input.int_in_range(0..=5)?) 973 .map(|_| input.choose(&types)) 974 .collect::<arbitrary::Result<Vec<_>>>()?; 975 976 let case = TestCase { 977 params, 978 results, 979 encoding1: input.arbitrary()?, 980 encoding2: input.arbitrary()?, 981 }; 982 983 let mut config = component_test_util::config(); 984 if case.results.len() > 1 { 985 config.wasm_component_model_multiple_returns(true); 986 } 987 config.debug_adapter_modules(input.arbitrary()?); 988 let engine = Engine::new(&config).unwrap(); 989 let mut store = Store::new(&engine, (Vec::new(), None)); 990 let wat = case.declarations().make_component(); 991 let wat = wat.as_bytes(); 992 log_wasm(wat); 993 let component = Component::new(&engine, wat).unwrap(); 994 let mut linker = Linker::new(&engine); 995 996 linker 997 .root() 998 .func_new(IMPORT_FUNCTION, { 999 move |mut cx: StoreContextMut<'_, (Vec<Val>, Option<Vec<Val>>)>, 1000 params: &[Val], 1001 results: &mut [Val]| 1002 -> Result<()> { 1003 log::trace!("received params {params:?}"); 1004 let (expected_args, expected_results) = cx.data_mut(); 1005 assert_eq!(params.len(), expected_args.len()); 1006 for (expected, actual) in expected_args.iter().zip(params) { 1007 assert_eq!(expected, actual); 1008 } 1009 results.clone_from_slice(&expected_results.take().unwrap()); 1010 log::trace!("returning results {results:?}"); 1011 Ok(()) 1012 } 1013 }) 1014 .unwrap(); 1015 1016 let instance = linker.instantiate(&mut store, &component).unwrap(); 1017 let func = instance.get_func(&mut store, EXPORT_FUNCTION).unwrap(); 1018 let param_tys = func.params(&store); 1019 let result_tys = func.results(&store); 1020 1021 while input.arbitrary()? { 1022 let params = param_tys 1023 .iter() 1024 .map(|(_, ty)| component_types::arbitrary_val(ty, input)) 1025 .collect::<arbitrary::Result<Vec<_>>>()?; 1026 let results = result_tys 1027 .iter() 1028 .map(|ty| component_types::arbitrary_val(ty, input)) 1029 .collect::<arbitrary::Result<Vec<_>>>()?; 1030 1031 *store.data_mut() = (params.clone(), Some(results.clone())); 1032 1033 log::trace!("passing params {params:?}"); 1034 let mut actual = vec![Val::Bool(false); results.len()]; 1035 func.call_and_post_return(&mut store, ¶ms, &mut actual) 1036 .unwrap(); 1037 log::trace!("received results {actual:?}"); 1038 assert_eq!(actual, results); 1039 } 1040 1041 Ok(()) 1042 } 1043 1044 /// Instantiates a wasm module and runs its exports with dummy values, all in 1045 /// an async fashion. 1046 /// 1047 /// Attempts to stress yields in host functions to ensure that exiting and 1048 /// resuming a wasm function call works. 1049 pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32]) { 1050 let mut store = config.to_store(); 1051 let module = match compile_module(store.engine(), wasm, KnownValid::Yes, config) { 1052 Some(module) => module, 1053 None => return, 1054 }; 1055 1056 // Configure a helper thread to periodically increment the epoch to 1057 // forcibly enable yields-via-epochs if epochs are in use. Note that this 1058 // is required because the wasm isn't otherwise guaranteed to necessarily 1059 // call any imports which will also increment the epoch. 1060 let mut helper_thread = HelperThread::default(); 1061 if let generators::AsyncConfig::YieldWithEpochs { dur, .. } = &config.wasmtime.async_config { 1062 let engine = store.engine().clone(); 1063 helper_thread.run_periodically(*dur, move || engine.increment_epoch()); 1064 } 1065 1066 // Generate a `Linker` where all function imports are custom-built to yield 1067 // periodically and additionally increment the epoch. 1068 let mut imports = Vec::new(); 1069 for import in module.imports() { 1070 let item = match import.ty() { 1071 ExternType::Func(ty) => { 1072 let poll_amt = take_poll_amt(&mut poll_amts); 1073 Func::new_async(&mut store, ty.clone(), move |caller, _, results| { 1074 let ty = ty.clone(); 1075 Box::new(async move { 1076 caller.engine().increment_epoch(); 1077 log::info!("yielding {} times in import", poll_amt); 1078 YieldN(poll_amt).await; 1079 for (ret_ty, result) in ty.results().zip(results) { 1080 *result = dummy::dummy_value(ret_ty)?; 1081 } 1082 Ok(()) 1083 }) 1084 }) 1085 .into() 1086 } 1087 other_ty => match dummy::dummy_extern(&mut store, other_ty) { 1088 Ok(item) => item, 1089 Err(e) => { 1090 log::warn!("couldn't create import: {}", e); 1091 return; 1092 } 1093 }, 1094 }; 1095 imports.push(item); 1096 } 1097 1098 // Run the instantiation process, asynchronously, and if everything 1099 // succeeds then pull out the instance. 1100 // log::info!("starting instantiation"); 1101 let instance = run(Timeout { 1102 future: Instance::new_async(&mut store, &module, &imports), 1103 polls: take_poll_amt(&mut poll_amts), 1104 end: Instant::now() + Duration::from_millis(2_000), 1105 }); 1106 let instance = match instance { 1107 Ok(instantiation_result) => match unwrap_instance(&store, instantiation_result) { 1108 Some(instance) => instance, 1109 None => { 1110 log::info!("instantiation hit a nominal error"); 1111 return; // resource exhaustion or limits met 1112 } 1113 }, 1114 Err(_) => { 1115 log::info!("instantiation failed to complete"); 1116 return; // Timed out or ran out of polls 1117 } 1118 }; 1119 1120 // Run each export of the instance in the same manner as instantiation 1121 // above. Dummy values are passed in for argument values here: 1122 // 1123 // TODO: this should probably be more clever about passing in arguments for 1124 // example they might be used as pointers or something and always using 0 1125 // isn't too interesting. 1126 let funcs = instance 1127 .exports(&mut store) 1128 .filter_map(|e| { 1129 let name = e.name().to_string(); 1130 let func = e.into_extern().into_func()?; 1131 Some((name, func)) 1132 }) 1133 .collect::<Vec<_>>(); 1134 for (name, func) in funcs { 1135 let ty = func.ty(&store); 1136 let params = ty 1137 .params() 1138 .map(|ty| dummy::dummy_value(ty).unwrap()) 1139 .collect::<Vec<_>>(); 1140 let mut results = ty 1141 .results() 1142 .map(|ty| dummy::dummy_value(ty).unwrap()) 1143 .collect::<Vec<_>>(); 1144 1145 log::info!("invoking export {:?}", name); 1146 let future = func.call_async(&mut store, ¶ms, &mut results); 1147 match run(Timeout { 1148 future, 1149 polls: take_poll_amt(&mut poll_amts), 1150 end: Instant::now() + Duration::from_millis(2_000), 1151 }) { 1152 // On success or too many polls, try the next export. 1153 Ok(_) | Err(Exhausted::Polls) => {} 1154 1155 // If time ran out then stop the current test case as we might have 1156 // already sucked up a lot of time for this fuzz test case so don't 1157 // keep it going. 1158 Err(Exhausted::Time) => return, 1159 } 1160 } 1161 1162 fn take_poll_amt(polls: &mut &[u32]) -> u32 { 1163 match polls.split_first() { 1164 Some((a, rest)) => { 1165 *polls = rest; 1166 *a 1167 } 1168 None => 0, 1169 } 1170 } 1171 1172 /// Helper future to yield N times before resolving. 1173 struct YieldN(u32); 1174 1175 impl Future for YieldN { 1176 type Output = (); 1177 1178 fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<()> { 1179 if self.0 == 0 { 1180 Poll::Ready(()) 1181 } else { 1182 self.0 -= 1; 1183 cx.waker().wake_by_ref(); 1184 Poll::Pending 1185 } 1186 } 1187 } 1188 1189 /// Helper future for applying a timeout to `future` up to either when `end` 1190 /// is the current time or `polls` polls happen. 1191 /// 1192 /// Note that this helps to time out infinite loops in wasm, for example. 1193 struct Timeout<F> { 1194 future: F, 1195 /// If the future isn't ready by this time then the `Timeout<F>` future 1196 /// will return `None`. 1197 end: Instant, 1198 /// If the future doesn't resolve itself in this many calls to `poll` 1199 /// then the `Timeout<F>` future will return `None`. 1200 polls: u32, 1201 } 1202 1203 enum Exhausted { 1204 Time, 1205 Polls, 1206 } 1207 1208 impl<F: Future> Future for Timeout<F> { 1209 type Output = Result<F::Output, Exhausted>; 1210 1211 fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 1212 let (end, polls, future) = unsafe { 1213 let me = self.get_unchecked_mut(); 1214 (me.end, &mut me.polls, Pin::new_unchecked(&mut me.future)) 1215 }; 1216 match future.poll(cx) { 1217 Poll::Ready(val) => Poll::Ready(Ok(val)), 1218 Poll::Pending => { 1219 if Instant::now() >= end { 1220 log::warn!("future operation timed out"); 1221 return Poll::Ready(Err(Exhausted::Time)); 1222 } 1223 if *polls == 0 { 1224 log::warn!("future operation ran out of polls"); 1225 return Poll::Ready(Err(Exhausted::Polls)); 1226 } 1227 *polls -= 1; 1228 Poll::Pending 1229 } 1230 } 1231 } 1232 } 1233 1234 fn run<F: Future>(future: F) -> F::Output { 1235 let mut f = Box::pin(future); 1236 let mut cx = Context::from_waker(futures::task::noop_waker_ref()); 1237 loop { 1238 match f.as_mut().poll(&mut cx) { 1239 Poll::Ready(val) => break val, 1240 Poll::Pending => {} 1241 } 1242 } 1243 } 1244 } 1245 1246 #[cfg(test)] 1247 mod tests { 1248 use super::*; 1249 use arbitrary::Unstructured; 1250 use rand::prelude::*; 1251 use wasmparser::{Validator, WasmFeatures}; 1252 1253 fn gen_until_pass<T: for<'a> Arbitrary<'a>>( 1254 mut f: impl FnMut(T, &mut Unstructured<'_>) -> Result<bool>, 1255 ) -> bool { 1256 let mut rng = SmallRng::seed_from_u64(0); 1257 let mut buf = vec![0; 2048]; 1258 let n = 3000; 1259 for _ in 0..n { 1260 rng.fill_bytes(&mut buf); 1261 let mut u = Unstructured::new(&buf); 1262 1263 if let Ok(config) = u.arbitrary() { 1264 if f(config, &mut u).unwrap() { 1265 return true; 1266 } 1267 } 1268 } 1269 false 1270 } 1271 1272 // Test that the `table_ops` fuzzer eventually runs the gc function in the host. 1273 // We've historically had issues where this fuzzer accidentally wasn't fuzzing 1274 // anything for a long time so this is an attempt to prevent that from happening 1275 // again. 1276 #[test] 1277 fn table_ops_eventually_gcs() { 1278 // Skip if we're under emulation because some fuzz configurations will do 1279 // large address space reservations that QEMU doesn't handle well. 1280 if std::env::var("WASMTIME_TEST_NO_HOG_MEMORY").is_ok() { 1281 return; 1282 } 1283 1284 let ok = gen_until_pass(|(config, test), _| { 1285 let result = table_ops(config, test)?; 1286 Ok(result > 0) 1287 }); 1288 1289 if !ok { 1290 panic!("gc was never found"); 1291 } 1292 } 1293 1294 #[test] 1295 fn module_generation_uses_expected_proposals() { 1296 // Proposals that Wasmtime supports. Eventually a module should be 1297 // generated that needs these proposals. 1298 let mut expected = WasmFeatures::MUTABLE_GLOBAL 1299 | WasmFeatures::FLOATS 1300 | WasmFeatures::SIGN_EXTENSION 1301 | WasmFeatures::SATURATING_FLOAT_TO_INT 1302 | WasmFeatures::MULTI_VALUE 1303 | WasmFeatures::BULK_MEMORY 1304 | WasmFeatures::REFERENCE_TYPES 1305 | WasmFeatures::SIMD 1306 | WasmFeatures::MULTI_MEMORY 1307 | WasmFeatures::RELAXED_SIMD 1308 | WasmFeatures::THREADS 1309 | WasmFeatures::TAIL_CALL 1310 | WasmFeatures::WIDE_ARITHMETIC 1311 | WasmFeatures::MEMORY64 1312 | WasmFeatures::GC_TYPES 1313 | WasmFeatures::CUSTOM_PAGE_SIZES 1314 | WasmFeatures::EXTENDED_CONST; 1315 1316 // All other features that wasmparser supports, which is presumably a 1317 // superset of the features that wasm-smith supports, are listed here as 1318 // unexpected. This means, for example, that if wasm-smith updates to 1319 // include a new proposal by default that wasmtime implements then it 1320 // will be required to be listed above. 1321 let unexpected = WasmFeatures::all() ^ expected; 1322 1323 let ok = gen_until_pass(|config: generators::Config, u| { 1324 let wasm = config.generate(u, None)?.to_bytes(); 1325 1326 // Double-check the module is valid 1327 Validator::new_with_features(WasmFeatures::all()).validate_all(&wasm)?; 1328 1329 // If any of the unexpected features are removed then this module 1330 // should always be valid, otherwise something went wrong. 1331 for feature in unexpected.iter() { 1332 let ok = 1333 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1334 if ok.is_err() { 1335 anyhow::bail!("generated a module with {feature:?} but that wasn't expected"); 1336 } 1337 } 1338 1339 // If any of `expected` is removed and the module fails to validate, 1340 // then that means the module requires that feature. Remove that 1341 // from the set of features we're then expecting. 1342 for feature in expected.iter() { 1343 let ok = 1344 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1345 if ok.is_err() { 1346 expected ^= feature; 1347 } 1348 } 1349 1350 Ok(expected.is_empty()) 1351 }); 1352 1353 if !ok { 1354 panic!("never generated wasm module using {expected:?}"); 1355 } 1356 } 1357 } 1358