1 //! Oracles. 2 //! 3 //! Oracles take a test case and determine whether we have a bug. For example, 4 //! one of the simplest oracles is to take a Wasm binary as our input test case, 5 //! validate and instantiate it, and (implicitly) check that no assertions 6 //! failed or segfaults happened. A more complicated oracle might compare the 7 //! result of executing a Wasm file with and without optimizations enabled, and 8 //! make sure that the two executions are observably identical. 9 //! 10 //! When an oracle finds a bug, it should report it to the fuzzing engine by 11 //! panicking. 12 13 #[cfg(feature = "fuzz-spec-interpreter")] 14 pub mod diff_spec; 15 pub mod diff_wasmi; 16 pub mod diff_wasmtime; 17 pub mod dummy; 18 pub mod engine; 19 pub mod memory; 20 mod stacks; 21 22 use self::diff_wasmtime::WasmtimeInstance; 23 use self::engine::{DiffEngine, DiffInstance}; 24 use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType}; 25 use crate::single_module_fuzzer::KnownValid; 26 use arbitrary::Arbitrary; 27 pub use stacks::check_stacks; 28 use std::future::Future; 29 use std::pin::Pin; 30 use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst}; 31 use std::sync::{Arc, Condvar, Mutex}; 32 use std::task::{Context, Poll}; 33 use std::time::{Duration, Instant}; 34 use wasmtime::*; 35 use wasmtime_wast::WastContext; 36 37 #[cfg(not(any(windows, target_arch = "s390x", target_arch = "riscv64")))] 38 mod diff_v8; 39 40 static CNT: AtomicUsize = AtomicUsize::new(0); 41 42 /// Logs a wasm file to the filesystem to make it easy to figure out what wasm 43 /// was used when debugging. 44 pub fn log_wasm(wasm: &[u8]) { 45 super::init_fuzzing(); 46 47 if !log::log_enabled!(log::Level::Debug) { 48 return; 49 } 50 51 let i = CNT.fetch_add(1, SeqCst); 52 let name = format!("testcase{i}.wasm"); 53 std::fs::write(&name, wasm).expect("failed to write wasm file"); 54 log::debug!("wrote wasm file to `{}`", name); 55 let wat = format!("testcase{i}.wat"); 56 match wasmprinter::print_bytes(wasm) { 57 Ok(s) => std::fs::write(&wat, s).expect("failed to write wat file"), 58 // If wasmprinter failed remove a `*.wat` file, if any, to avoid 59 // confusing a preexisting one with this wasm which failed to get 60 // printed. 61 Err(_) => drop(std::fs::remove_file(&wat)), 62 } 63 } 64 65 /// The `T` in `Store<T>` for fuzzing stores, used to limit resource 66 /// consumption during fuzzing. 67 #[derive(Clone)] 68 pub struct StoreLimits(Arc<LimitsState>); 69 70 struct LimitsState { 71 /// Remaining memory, in bytes, left to allocate 72 remaining_memory: AtomicUsize, 73 /// Remaining amount of memory that's allowed to be copied via a growth. 74 remaining_copy_allowance: AtomicUsize, 75 /// Whether or not an allocation request has been denied 76 oom: AtomicBool, 77 } 78 79 /// Allow up to 1G which is well below the 2G limit on OSS-Fuzz and should allow 80 /// most interesting behavior. 81 const MAX_MEMORY: usize = 1 << 30; 82 83 /// Allow up to 4G of bytes to be copied (conservatively) which should enable 84 /// growth up to `MAX_MEMORY` or at least up to a relatively large amount. 85 const MAX_MEMORY_MOVED: usize = 4 << 30; 86 87 impl StoreLimits { 88 /// Creates the default set of limits for all fuzzing stores. 89 pub fn new() -> StoreLimits { 90 StoreLimits(Arc::new(LimitsState { 91 remaining_memory: AtomicUsize::new(MAX_MEMORY), 92 remaining_copy_allowance: AtomicUsize::new(MAX_MEMORY_MOVED), 93 oom: AtomicBool::new(false), 94 })) 95 } 96 97 fn alloc(&mut self, amt: usize) -> bool { 98 log::trace!("alloc {amt:#x} bytes"); 99 100 // Assume that on each allocation of memory that all previous 101 // allocations of memory are moved. This is pretty coarse but is used to 102 // help prevent against fuzz test cases that just move tons of bytes 103 // around continuously. This assumes that all previous memory was 104 // allocated in a single linear memory and growing by `amt` will require 105 // moving all the bytes to a new location. This isn't actually required 106 // all the time nor does it accurately reflect what happens all the 107 // time, but it's a coarse approximation that should be "good enough" 108 // for allowing interesting fuzz behaviors to happen while not timing 109 // out just copying bytes around. 110 let prev_size = MAX_MEMORY - self.0.remaining_memory.load(SeqCst); 111 if self 112 .0 113 .remaining_copy_allowance 114 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(prev_size)) 115 .is_err() 116 { 117 self.0.oom.store(true, SeqCst); 118 log::debug!("-> too many bytes moved, rejecting allocation"); 119 return false; 120 } 121 122 // If we're allowed to move the bytes, then also check if we're allowed 123 // to actually have this much residence at once. 124 match self 125 .0 126 .remaining_memory 127 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(amt)) 128 { 129 Ok(_) => true, 130 Err(_) => { 131 self.0.oom.store(true, SeqCst); 132 log::debug!("-> OOM hit"); 133 false 134 } 135 } 136 } 137 138 fn is_oom(&self) -> bool { 139 self.0.oom.load(SeqCst) 140 } 141 } 142 143 impl ResourceLimiter for StoreLimits { 144 fn memory_growing( 145 &mut self, 146 current: usize, 147 desired: usize, 148 _maximum: Option<usize>, 149 ) -> Result<bool> { 150 Ok(self.alloc(desired - current)) 151 } 152 153 fn table_growing( 154 &mut self, 155 current: usize, 156 desired: usize, 157 _maximum: Option<usize>, 158 ) -> Result<bool> { 159 let delta = (desired - current).saturating_mul(std::mem::size_of::<usize>()); 160 Ok(self.alloc(delta)) 161 } 162 } 163 164 /// Methods of timing out execution of a WebAssembly module 165 #[derive(Clone, Debug)] 166 pub enum Timeout { 167 /// No timeout is used, it should be guaranteed via some other means that 168 /// the input does not infinite loop. 169 None, 170 /// Fuel-based timeouts are used where the specified fuel is all that the 171 /// provided wasm module is allowed to consume. 172 Fuel(u64), 173 /// An epoch-interruption-based timeout is used with a sleeping 174 /// thread bumping the epoch counter after the specified duration. 175 Epoch(Duration), 176 } 177 178 /// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected 179 /// panic or segfault or anything else that can be detected "passively". 180 /// 181 /// The engine will be configured using provided config. 182 pub fn instantiate( 183 wasm: &[u8], 184 known_valid: KnownValid, 185 config: &generators::Config, 186 timeout: Timeout, 187 ) { 188 let mut store = config.to_store(); 189 190 let module = match compile_module(store.engine(), wasm, known_valid, config) { 191 Some(module) => module, 192 None => return, 193 }; 194 195 let mut timeout_state = HelperThread::default(); 196 match timeout { 197 Timeout::Fuel(fuel) => store.set_fuel(fuel).unwrap(), 198 199 // If a timeout is requested then we spawn a helper thread to wait for 200 // the requested time and then send us a signal to get interrupted. We 201 // also arrange for the thread's sleep to get interrupted if we return 202 // early (or the wasm returns within the time limit), which allows the 203 // thread to get torn down. 204 // 205 // This prevents us from creating a huge number of sleeping threads if 206 // this function is executed in a loop, like it does on nightly fuzzing 207 // infrastructure. 208 Timeout::Epoch(timeout) => { 209 let engine = store.engine().clone(); 210 timeout_state.run_periodically(timeout, move || engine.increment_epoch()); 211 } 212 Timeout::None => {} 213 } 214 215 instantiate_with_dummy(&mut store, &module); 216 } 217 218 /// Represents supported commands to the `instantiate_many` function. 219 #[derive(Arbitrary, Debug)] 220 pub enum Command { 221 /// Instantiates a module. 222 /// 223 /// The value is the index of the module to instantiate. 224 /// 225 /// The module instantiated will be this value modulo the number of modules provided to `instantiate_many`. 226 Instantiate(usize), 227 /// Terminates a "running" instance. 228 /// 229 /// The value is the index of the instance to terminate. 230 /// 231 /// The instance terminated will be this value modulo the number of currently running 232 /// instances. 233 /// 234 /// If no instances are running, the command will be ignored. 235 Terminate(usize), 236 } 237 238 /// Instantiates many instances from the given modules. 239 /// 240 /// The engine will be configured using the provided config. 241 /// 242 /// The modules are expected to *not* have start functions as no timeouts are configured. 243 pub fn instantiate_many( 244 modules: &[Vec<u8>], 245 known_valid: KnownValid, 246 config: &generators::Config, 247 commands: &[Command], 248 ) { 249 log::debug!("instantiate_many: {commands:#?}"); 250 251 assert!(!config.module_config.config.allow_start_export); 252 253 let engine = Engine::new(&config.to_wasmtime()).unwrap(); 254 255 let modules = modules 256 .iter() 257 .enumerate() 258 .filter_map( 259 |(i, bytes)| match compile_module(&engine, bytes, known_valid, config) { 260 Some(m) => { 261 log::debug!("successfully compiled module {i}"); 262 Some(m) 263 } 264 None => { 265 log::debug!("failed to compile module {i}"); 266 None 267 } 268 }, 269 ) 270 .collect::<Vec<_>>(); 271 272 // If no modules were valid, we're done 273 if modules.is_empty() { 274 return; 275 } 276 277 // This stores every `Store` where a successful instantiation takes place 278 let mut stores = Vec::new(); 279 let limits = StoreLimits::new(); 280 281 for command in commands { 282 match command { 283 Command::Instantiate(index) => { 284 let index = *index % modules.len(); 285 log::info!("instantiating {}", index); 286 let module = &modules[index]; 287 let mut store = Store::new(&engine, limits.clone()); 288 config.configure_store(&mut store); 289 290 if instantiate_with_dummy(&mut store, module).is_some() { 291 stores.push(Some(store)); 292 } else { 293 log::warn!("instantiation failed"); 294 } 295 } 296 Command::Terminate(index) => { 297 if stores.is_empty() { 298 continue; 299 } 300 let index = *index % stores.len(); 301 302 log::info!("dropping {}", index); 303 stores.swap_remove(index); 304 } 305 } 306 } 307 } 308 309 fn compile_module( 310 engine: &Engine, 311 bytes: &[u8], 312 known_valid: KnownValid, 313 config: &generators::Config, 314 ) -> Option<Module> { 315 log_wasm(bytes); 316 317 fn is_pcc_error(e: &anyhow::Error) -> bool { 318 // NOTE: please keep this predicate in sync with the display format of CodegenError, 319 // defined in `wasmtime/cranelift/codegen/src/result.rs` 320 e.to_string().to_lowercase().contains("proof-carrying-code") 321 } 322 323 match config.compile(engine, bytes) { 324 Ok(module) => Some(module), 325 Err(e) if is_pcc_error(&e) => { 326 panic!("pcc error in input: {e:#?}"); 327 } 328 Err(_) if known_valid == KnownValid::No => None, 329 Err(e) => { 330 if let generators::InstanceAllocationStrategy::Pooling(c) = &config.wasmtime.strategy { 331 // When using the pooling allocator, accept failures to compile 332 // when arbitrary table element limits have been exceeded as 333 // there is currently no way to constrain the generated module 334 // table types. 335 let string = e.to_string(); 336 if string.contains("minimum element size") { 337 return None; 338 } 339 340 // Allow modules-failing-to-compile which exceed the requested 341 // size for each instance. This is something that is difficult 342 // to control and ensure it always succeeds, so we simply have a 343 // "random" instance size limit and if a module doesn't fit we 344 // move on to the next fuzz input. 345 if string.contains("instance allocation for this module requires") { 346 return None; 347 } 348 349 // If the pooling allocator is more restrictive on the number of 350 // tables and memories than we allowed wasm-smith to generate 351 // then allow compilation errors along those lines. 352 if c.max_tables_per_module < (config.module_config.config.max_tables as u32) 353 && string.contains("defined tables count") 354 && string.contains("exceeds the per-instance limit") 355 { 356 return None; 357 } 358 359 if c.max_memories_per_module < (config.module_config.config.max_memories as u32) 360 && string.contains("defined memories count") 361 && string.contains("exceeds the per-instance limit") 362 { 363 return None; 364 } 365 } 366 367 panic!("failed to compile module: {e:?}"); 368 } 369 } 370 } 371 372 /// Create a Wasmtime [`Instance`] from a [`Module`] and fill in all imports 373 /// with dummy values (e.g., zeroed values, immediately-trapping functions). 374 /// Also, this function catches certain fuzz-related instantiation failures and 375 /// returns `None` instead of panicking. 376 /// 377 /// TODO: we should implement tracing versions of these dummy imports that 378 /// record a trace of the order that imported functions were called in and with 379 /// what values. Like the results of exported functions, calls to imports should 380 /// also yield the same values for each configuration, and we should assert 381 /// that. 382 pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance> { 383 // Creation of imports can fail due to resource limit constraints, and then 384 // instantiation can naturally fail for a number of reasons as well. Bundle 385 // the two steps together to match on the error below. 386 let linker = dummy::dummy_linker(store, module); 387 if let Err(e) = &linker { 388 log::warn!("failed to create dummy linker: {e:?}"); 389 } 390 let instance = linker.and_then(|l| l.instantiate(&mut *store, module)); 391 unwrap_instance(store, instance) 392 } 393 394 fn unwrap_instance( 395 store: &Store<StoreLimits>, 396 instance: anyhow::Result<Instance>, 397 ) -> Option<Instance> { 398 let e = match instance { 399 Ok(i) => return Some(i), 400 Err(e) => e, 401 }; 402 403 log::debug!("failed to instantiate: {e:?}"); 404 405 // If the instantiation hit OOM for some reason then that's ok, it's 406 // expected that fuzz-generated programs try to allocate lots of 407 // stuff. 408 if store.data().is_oom() { 409 return None; 410 } 411 412 // Allow traps which can happen normally with `unreachable` or a 413 // timeout or such 414 if e.is::<Trap>() { 415 return None; 416 } 417 418 let string = e.to_string(); 419 420 // Currently we instantiate with a `Linker` which can't instantiate 421 // every single module under the sun due to using name-based resolution 422 // rather than positional-based resolution 423 if string.contains("incompatible import type") { 424 return None; 425 } 426 427 // Also allow failures to instantiate as a result of hitting pooling limits. 428 if e.is::<wasmtime::PoolConcurrencyLimitError>() { 429 return None; 430 } 431 432 // Everything else should be a bug in the fuzzer or a bug in wasmtime 433 panic!("failed to instantiate: {e:?}"); 434 } 435 436 /// Evaluate the function identified by `name` in two different engine 437 /// instances--`lhs` and `rhs`. 438 /// 439 /// Returns `Ok(true)` if more evaluations can happen or `Ok(false)` if the 440 /// instances may have drifted apart and no more evaluations can happen. 441 /// 442 /// # Panics 443 /// 444 /// This will panic if the evaluation is different between engines (e.g., 445 /// results are different, hashed instance is different, one side traps, etc.). 446 pub fn differential( 447 lhs: &mut dyn DiffInstance, 448 lhs_engine: &dyn DiffEngine, 449 rhs: &mut WasmtimeInstance, 450 name: &str, 451 args: &[DiffValue], 452 result_tys: &[DiffValueType], 453 ) -> anyhow::Result<bool> { 454 log::debug!("Evaluating: `{}` with {:?}", name, args); 455 let lhs_results = match lhs.evaluate(name, args, result_tys) { 456 Ok(Some(results)) => Ok(results), 457 Err(e) => Err(e), 458 // this engine couldn't execute this type signature, so discard this 459 // execution by returning success. 460 Ok(None) => return Ok(true), 461 }; 462 log::debug!(" -> lhs results on {}: {:?}", lhs.name(), &lhs_results); 463 464 let rhs_results = rhs 465 .evaluate(name, args, result_tys) 466 // wasmtime should be able to invoke any signature, so unwrap this result 467 .map(|results| results.unwrap()); 468 log::debug!(" -> rhs results on {}: {:?}", rhs.name(), &rhs_results); 469 470 // If Wasmtime hit its OOM condition, which is possible since it's set 471 // somewhat low while fuzzing, then don't return an error but return 472 // `false` indicating that differential fuzzing must stop. There's no 473 // guarantee the other engine has the same OOM limits as Wasmtime, and 474 // it's assumed that Wasmtime is configured to have a more conservative 475 // limit than the other engine. 476 if rhs.is_oom() { 477 return Ok(false); 478 } 479 480 match DiffEqResult::new(lhs_engine, lhs_results, rhs_results) { 481 DiffEqResult::Success(lhs, rhs) => assert_eq!(lhs, rhs), 482 DiffEqResult::Poisoned => return Ok(false), 483 DiffEqResult::Failed => {} 484 } 485 486 for (global, ty) in rhs.exported_globals() { 487 log::debug!("Comparing global `{global}`"); 488 let lhs = match lhs.get_global(&global, ty) { 489 Some(val) => val, 490 None => continue, 491 }; 492 let rhs = rhs.get_global(&global, ty).unwrap(); 493 assert_eq!(lhs, rhs); 494 } 495 for (memory, shared) in rhs.exported_memories() { 496 log::debug!("Comparing memory `{memory}`"); 497 let lhs = match lhs.get_memory(&memory, shared) { 498 Some(val) => val, 499 None => continue, 500 }; 501 let rhs = rhs.get_memory(&memory, shared).unwrap(); 502 if lhs == rhs { 503 continue; 504 } 505 eprintln!("differential memory is {} bytes long", lhs.len()); 506 eprintln!("wasmtime memory is {} bytes long", rhs.len()); 507 panic!("memories have differing values"); 508 } 509 510 Ok(true) 511 } 512 513 /// Result of comparing the result of two operations during differential 514 /// execution. 515 pub enum DiffEqResult<T, U> { 516 /// Both engines succeeded. 517 Success(T, U), 518 /// The result has reached the state where engines may have diverged and 519 /// results can no longer be compared. 520 Poisoned, 521 /// Both engines failed with the same error message, and internal state 522 /// should still match between the two engines. 523 Failed, 524 } 525 526 fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool { 527 match trap { 528 // Allocations being too large for the GC are 529 // implementation-defined. 530 Trap::AllocationTooLarge | 531 // Stack size, and therefore when overflow happens, is 532 // implementation-defined. 533 Trap::StackOverflow => true, 534 _ => false, 535 } 536 } 537 538 fn wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool { 539 match error.downcast_ref::<Trap>() { 540 Some(trap) => wasmtime_trap_is_non_deterministic(trap), 541 542 // For general, unknown errors, we can't rely on this being 543 // a deterministic Wasm failure that both engines handled 544 // identically, leaving Wasm in identical states. We could 545 // just as easily be hitting engine-specific failures, like 546 // different implementation-defined limits. So simply poison 547 // this execution and move on to the next test. 548 None => true, 549 } 550 } 551 552 impl<T, U> DiffEqResult<T, U> { 553 /// Computes the differential result from executing in two different 554 /// engines. 555 pub fn new( 556 lhs_engine: &dyn DiffEngine, 557 lhs_result: Result<T>, 558 rhs_result: Result<U>, 559 ) -> DiffEqResult<T, U> { 560 match (lhs_result, rhs_result) { 561 (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result), 562 563 // Handle all non-deterministic errors by poisoning this execution's 564 // state, so that we simply move on to the next test. 565 (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => { 566 log::debug!("lhs failed non-deterministically: {lhs:?}"); 567 DiffEqResult::Poisoned 568 } 569 (_, Err(rhs)) if wasmtime_error_is_non_deterministic(&rhs) => { 570 log::debug!("rhs failed non-deterministically: {rhs:?}"); 571 DiffEqResult::Poisoned 572 } 573 574 // Both sides failed deterministically. Check that the trap and 575 // state at the time of failure is the same. 576 (Err(lhs), Err(rhs)) => { 577 let rhs = rhs 578 .downcast::<Trap>() 579 .expect("non-traps handled in earlier match arm"); 580 581 debug_assert!( 582 !lhs_engine.is_non_deterministic_error(&lhs), 583 "non-deterministic traps handled in earlier match arm", 584 ); 585 debug_assert!( 586 !wasmtime_trap_is_non_deterministic(&rhs), 587 "non-deterministic traps handled in earlier match arm", 588 ); 589 590 lhs_engine.assert_error_match(&lhs, &rhs); 591 DiffEqResult::Failed 592 } 593 594 // A real bug is found if only one side fails. 595 (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"), 596 (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"), 597 } 598 } 599 } 600 601 /// Invoke the given API calls. 602 pub fn make_api_calls(api: generators::api::ApiCalls) { 603 use crate::generators::api::ApiCall; 604 use std::collections::HashMap; 605 606 let mut store: Option<Store<StoreLimits>> = None; 607 let mut modules: HashMap<usize, Module> = Default::default(); 608 let mut instances: HashMap<usize, Instance> = Default::default(); 609 610 for call in api.calls { 611 match call { 612 ApiCall::StoreNew(config) => { 613 log::trace!("creating store"); 614 assert!(store.is_none()); 615 store = Some(config.to_store()); 616 } 617 618 ApiCall::ModuleNew { id, wasm } => { 619 log::debug!("creating module: {}", id); 620 log_wasm(&wasm); 621 let module = match Module::new(store.as_ref().unwrap().engine(), &wasm) { 622 Ok(m) => m, 623 Err(_) => continue, 624 }; 625 let old = modules.insert(id, module); 626 assert!(old.is_none()); 627 } 628 629 ApiCall::ModuleDrop { id } => { 630 log::trace!("dropping module: {}", id); 631 drop(modules.remove(&id)); 632 } 633 634 ApiCall::InstanceNew { id, module } => { 635 log::trace!("instantiating module {} as {}", module, id); 636 let module = match modules.get(&module) { 637 Some(m) => m, 638 None => continue, 639 }; 640 641 let store = store.as_mut().unwrap(); 642 if let Some(instance) = instantiate_with_dummy(store, module) { 643 instances.insert(id, instance); 644 } 645 } 646 647 ApiCall::InstanceDrop { id } => { 648 log::trace!("dropping instance {}", id); 649 instances.remove(&id); 650 } 651 652 ApiCall::CallExportedFunc { instance, nth } => { 653 log::trace!("calling instance export {} / {}", instance, nth); 654 let instance = match instances.get(&instance) { 655 Some(i) => i, 656 None => { 657 // Note that we aren't guaranteed to instantiate valid 658 // modules, see comments in `InstanceNew` for details on 659 // that. But the API call generator can't know if 660 // instantiation failed, so we might not actually have 661 // this instance. When that's the case, just skip the 662 // API call and keep going. 663 continue; 664 } 665 }; 666 let store = store.as_mut().unwrap(); 667 668 let funcs = instance 669 .exports(&mut *store) 670 .filter_map(|e| match e.into_extern() { 671 Extern::Func(f) => Some(f), 672 _ => None, 673 }) 674 .collect::<Vec<_>>(); 675 676 if funcs.is_empty() { 677 continue; 678 } 679 680 let nth = nth % funcs.len(); 681 let f = &funcs[nth]; 682 let ty = f.ty(&store); 683 if let Ok(params) = dummy::dummy_values(ty.params()) { 684 let mut results = vec![Val::I32(0); ty.results().len()]; 685 let _ = f.call(store, ¶ms, &mut results); 686 } 687 } 688 } 689 } 690 } 691 692 /// Executes the wast `test` with the `config` specified. 693 /// 694 /// Ensures that wast tests pass regardless of the `Config`. 695 pub fn wast_test(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()> { 696 crate::init_fuzzing(); 697 698 let mut fuzz_config: generators::Config = u.arbitrary()?; 699 let test: generators::WastTest = u.arbitrary()?; 700 if u.arbitrary()? { 701 fuzz_config.enable_async(u)?; 702 } 703 704 let test = &test.test; 705 706 // Discard tests that allocate a lot of memory as we don't want to OOM the 707 // fuzzer and we also limit memory growth which would cause the test to 708 // fail. 709 if test.config.hogs_memory.unwrap_or(false) { 710 return Err(arbitrary::Error::IncorrectFormat); 711 } 712 713 // Transform `fuzz_config` to be valid for `test` and make sure that this 714 // test is supposed to pass. 715 let wast_config = fuzz_config.make_wast_test_compliant(test); 716 if test.should_fail(&wast_config) { 717 return Err(arbitrary::Error::IncorrectFormat); 718 } 719 720 // Winch requires AVX and AVX2 for SIMD tests to pass so don't run the test 721 // if either isn't enabled. 722 if fuzz_config.wasmtime.compiler_strategy == CompilerStrategy::Winch 723 && test.config.simd() 724 && (fuzz_config 725 .wasmtime 726 .codegen_flag("has_avx") 727 .is_some_and(|value| value == "false") 728 || fuzz_config 729 .wasmtime 730 .codegen_flag("has_avx2") 731 .is_some_and(|value| value == "false")) 732 { 733 log::warn!( 734 "Skipping Wast test because Winch doesn't support SIMD tests with AVX or AVX2 disabled" 735 ); 736 return Err(arbitrary::Error::IncorrectFormat); 737 } 738 739 // Fuel and epochs don't play well with threads right now, so exclude any 740 // thread-spawning test if it looks like threads are spawned in that case. 741 if fuzz_config.wasmtime.consume_fuel || fuzz_config.wasmtime.epoch_interruption { 742 if test.contents.contains("(thread") { 743 return Err(arbitrary::Error::IncorrectFormat); 744 } 745 } 746 747 log::debug!("running {:?}", test.path); 748 let async_ = if fuzz_config.wasmtime.async_config == generators::AsyncConfig::Disabled { 749 wasmtime_wast::Async::No 750 } else { 751 wasmtime_wast::Async::Yes 752 }; 753 let mut wast_context = WastContext::new(fuzz_config.to_store(), async_); 754 wast_context 755 .register_spectest(&wasmtime_wast::SpectestConfig { 756 use_shared_memory: true, 757 suppress_prints: true, 758 }) 759 .unwrap(); 760 wast_context 761 .run_buffer(test.path.to_str().unwrap(), test.contents.as_bytes()) 762 .unwrap(); 763 Ok(()) 764 } 765 766 /// Execute a series of `table.get` and `table.set` operations. 767 /// 768 /// Returns the number of `gc` operations which occurred throughout the test 769 /// case -- used to test below that gc happens reasonably soon and eventually. 770 pub fn table_ops( 771 mut fuzz_config: generators::Config, 772 ops: generators::table_ops::TableOps, 773 ) -> Result<usize> { 774 let expected_drops = Arc::new(AtomicUsize::new(ops.num_params as usize)); 775 let num_dropped = Arc::new(AtomicUsize::new(0)); 776 777 let num_gcs = Arc::new(AtomicUsize::new(0)); 778 { 779 fuzz_config.wasmtime.consume_fuel = true; 780 let mut store = fuzz_config.to_store(); 781 store.set_fuel(1_000).unwrap(); 782 783 let wasm = ops.to_wasm_binary(); 784 log_wasm(&wasm); 785 let module = match compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config) { 786 Some(m) => m, 787 None => return Ok(0), 788 }; 789 790 let mut linker = Linker::new(store.engine()); 791 792 // To avoid timeouts, limit the number of explicit GCs we perform per 793 // test case. 794 const MAX_GCS: usize = 5; 795 796 let func_ty = FuncType::new( 797 store.engine(), 798 vec![], 799 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 800 ); 801 let func = Func::new(&mut store, func_ty, { 802 let num_dropped = num_dropped.clone(); 803 let expected_drops = expected_drops.clone(); 804 let num_gcs = num_gcs.clone(); 805 move |mut caller: Caller<'_, StoreLimits>, _params, results| { 806 log::info!("table_ops: GC"); 807 if num_gcs.fetch_add(1, SeqCst) < MAX_GCS { 808 caller.gc(); 809 } 810 811 let a = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 812 let b = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 813 let c = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 814 815 log::info!("table_ops: gc() -> ({:?}, {:?}, {:?})", a, b, c); 816 817 expected_drops.fetch_add(3, SeqCst); 818 results[0] = Some(a).into(); 819 results[1] = Some(b).into(); 820 results[2] = Some(c).into(); 821 Ok(()) 822 } 823 }); 824 linker.define(&store, "", "gc", func).unwrap(); 825 826 linker 827 .func_wrap("", "take_refs", { 828 let expected_drops = expected_drops.clone(); 829 move |caller: Caller<'_, StoreLimits>, 830 a: Option<Rooted<ExternRef>>, 831 b: Option<Rooted<ExternRef>>, 832 c: Option<Rooted<ExternRef>>| 833 -> Result<()> { 834 log::info!("table_ops: take_refs({a:?}, {b:?}, {c:?})",); 835 836 // Do the assertion on each ref's inner data, even though it 837 // all points to the same atomic, so that if we happen to 838 // run into a use-after-free bug with one of these refs we 839 // are more likely to trigger a segfault. 840 if let Some(a) = a { 841 let a = a 842 .data(&caller)? 843 .unwrap() 844 .downcast_ref::<CountDrops>() 845 .unwrap(); 846 assert!(a.0.load(SeqCst) <= expected_drops.load(SeqCst)); 847 } 848 if let Some(b) = b { 849 let b = b 850 .data(&caller)? 851 .unwrap() 852 .downcast_ref::<CountDrops>() 853 .unwrap(); 854 assert!(b.0.load(SeqCst) <= expected_drops.load(SeqCst)); 855 } 856 if let Some(c) = c { 857 let c = c 858 .data(&caller)? 859 .unwrap() 860 .downcast_ref::<CountDrops>() 861 .unwrap(); 862 assert!(c.0.load(SeqCst) <= expected_drops.load(SeqCst)); 863 } 864 Ok(()) 865 } 866 }) 867 .unwrap(); 868 869 let func_ty = FuncType::new( 870 store.engine(), 871 vec![], 872 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 873 ); 874 let func = Func::new(&mut store, func_ty, { 875 let num_dropped = num_dropped.clone(); 876 let expected_drops = expected_drops.clone(); 877 move |mut caller, _params, results| { 878 log::info!("table_ops: make_refs"); 879 880 let a = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 881 let b = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 882 let c = ExternRef::new(&mut caller, CountDrops(num_dropped.clone()))?; 883 expected_drops.fetch_add(3, SeqCst); 884 885 log::info!("table_ops: make_refs() -> ({:?}, {:?}, {:?})", a, b, c); 886 887 results[0] = Some(a).into(); 888 results[1] = Some(b).into(); 889 results[2] = Some(c).into(); 890 891 Ok(()) 892 } 893 }); 894 linker.define(&store, "", "make_refs", func).unwrap(); 895 896 let instance = linker.instantiate(&mut store, &module).unwrap(); 897 let run = instance.get_func(&mut store, "run").unwrap(); 898 899 { 900 let mut scope = RootScope::new(&mut store); 901 902 log::info!( 903 "table_ops: begin allocating {} externref arguments", 904 ops.num_globals 905 ); 906 let args: Vec<_> = (0..ops.num_params) 907 .map(|_| { 908 Ok(Val::ExternRef(Some(ExternRef::new( 909 &mut scope, 910 CountDrops(num_dropped.clone()), 911 )?))) 912 }) 913 .collect::<Result<_>>()?; 914 log::info!( 915 "table_ops: end allocating {} externref arguments", 916 ops.num_globals 917 ); 918 919 // The generated function should always return a trap. The only two 920 // valid traps are table-out-of-bounds which happens through `table.get` 921 // and `table.set` generated or an out-of-fuel trap. Otherwise any other 922 // error is unexpected and should fail fuzzing. 923 log::info!("table_ops: calling into Wasm `run` function"); 924 let trap = run 925 .call(&mut scope, &args, &mut []) 926 .unwrap_err() 927 .downcast::<Trap>() 928 .unwrap(); 929 930 match trap { 931 Trap::TableOutOfBounds | Trap::OutOfFuel => {} 932 _ => panic!("unexpected trap: {trap}"), 933 } 934 } 935 936 // Do a final GC after running the Wasm. 937 store.gc(); 938 } 939 940 assert_eq!(num_dropped.load(SeqCst), expected_drops.load(SeqCst)); 941 return Ok(num_gcs.load(SeqCst)); 942 943 struct CountDrops(Arc<AtomicUsize>); 944 945 impl Drop for CountDrops { 946 fn drop(&mut self) { 947 self.0.fetch_add(1, SeqCst); 948 } 949 } 950 } 951 952 #[derive(Default)] 953 struct HelperThread { 954 state: Arc<HelperThreadState>, 955 thread: Option<std::thread::JoinHandle<()>>, 956 } 957 958 #[derive(Default)] 959 struct HelperThreadState { 960 should_exit: Mutex<bool>, 961 should_exit_cvar: Condvar, 962 } 963 964 impl HelperThread { 965 fn run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static) { 966 let state = self.state.clone(); 967 self.thread = Some(std::thread::spawn(move || { 968 // Using our mutex/condvar we wait here for the first of `dur` to 969 // pass or the `HelperThread` instance to get dropped. 970 let mut should_exit = state.should_exit.lock().unwrap(); 971 while !*should_exit { 972 let (lock, result) = state 973 .should_exit_cvar 974 .wait_timeout(should_exit, dur) 975 .unwrap(); 976 should_exit = lock; 977 // If we timed out for sure then there's no need to continue 978 // since we'll just abort on the next `checked_sub` anyway. 979 if result.timed_out() { 980 closure(); 981 } 982 } 983 })); 984 } 985 } 986 987 impl Drop for HelperThread { 988 fn drop(&mut self) { 989 let thread = match self.thread.take() { 990 Some(thread) => thread, 991 None => return, 992 }; 993 // Signal our thread that it should exit and wake it up in case it's 994 // sleeping. 995 *self.state.should_exit.lock().unwrap() = true; 996 self.state.should_exit_cvar.notify_one(); 997 998 // ... and then wait for the thread to exit to ensure we clean up 999 // after ourselves. 1000 thread.join().unwrap(); 1001 } 1002 } 1003 1004 /// Generate and execute a `crate::generators::component_types::TestCase` using the specified `input` to create 1005 /// arbitrary types and values. 1006 pub fn dynamic_component_api_target(input: &mut arbitrary::Unstructured) -> arbitrary::Result<()> { 1007 use crate::generators::component_types; 1008 use wasmtime::component::{Component, Linker, Val}; 1009 use wasmtime_test_util::component::FuncExt; 1010 use wasmtime_test_util::component_fuzz::{ 1011 TestCase, Type, EXPORT_FUNCTION, IMPORT_FUNCTION, MAX_TYPE_DEPTH, 1012 }; 1013 1014 crate::init_fuzzing(); 1015 1016 let mut types = Vec::new(); 1017 let mut type_fuel = 500; 1018 1019 for _ in 0..5 { 1020 types.push(Type::generate(input, MAX_TYPE_DEPTH, &mut type_fuel)?); 1021 } 1022 let params = (0..input.int_in_range(0..=5)?) 1023 .map(|_| input.choose(&types)) 1024 .collect::<arbitrary::Result<Vec<_>>>()?; 1025 let result = if input.arbitrary()? { 1026 Some(input.choose(&types)?) 1027 } else { 1028 None 1029 }; 1030 1031 let case = TestCase { 1032 params, 1033 result, 1034 encoding1: input.arbitrary()?, 1035 encoding2: input.arbitrary()?, 1036 }; 1037 1038 let mut config = wasmtime_test_util::component::config(); 1039 config.debug_adapter_modules(input.arbitrary()?); 1040 let engine = Engine::new(&config).unwrap(); 1041 let mut store = Store::new(&engine, (Vec::new(), None)); 1042 let wat = case.declarations().make_component(); 1043 let wat = wat.as_bytes(); 1044 log_wasm(wat); 1045 let component = Component::new(&engine, wat).unwrap(); 1046 let mut linker = Linker::new(&engine); 1047 1048 linker 1049 .root() 1050 .func_new(IMPORT_FUNCTION, { 1051 move |mut cx: StoreContextMut<'_, (Vec<Val>, Option<Vec<Val>>)>, 1052 params: &[Val], 1053 results: &mut [Val]| 1054 -> Result<()> { 1055 log::trace!("received params {params:?}"); 1056 let (expected_args, expected_results) = cx.data_mut(); 1057 assert_eq!(params.len(), expected_args.len()); 1058 for (expected, actual) in expected_args.iter().zip(params) { 1059 assert_eq!(expected, actual); 1060 } 1061 results.clone_from_slice(&expected_results.take().unwrap()); 1062 log::trace!("returning results {results:?}"); 1063 Ok(()) 1064 } 1065 }) 1066 .unwrap(); 1067 1068 let instance = linker.instantiate(&mut store, &component).unwrap(); 1069 let func = instance.get_func(&mut store, EXPORT_FUNCTION).unwrap(); 1070 let param_tys = func.params(&store); 1071 let result_tys = func.results(&store); 1072 1073 while input.arbitrary()? { 1074 let params = param_tys 1075 .iter() 1076 .map(|(_, ty)| component_types::arbitrary_val(ty, input)) 1077 .collect::<arbitrary::Result<Vec<_>>>()?; 1078 let results = result_tys 1079 .iter() 1080 .map(|ty| component_types::arbitrary_val(ty, input)) 1081 .collect::<arbitrary::Result<Vec<_>>>()?; 1082 1083 *store.data_mut() = (params.clone(), Some(results.clone())); 1084 1085 log::trace!("passing params {params:?}"); 1086 let mut actual = vec![Val::Bool(false); results.len()]; 1087 func.call_and_post_return(&mut store, ¶ms, &mut actual) 1088 .unwrap(); 1089 log::trace!("received results {actual:?}"); 1090 assert_eq!(actual, results); 1091 } 1092 1093 Ok(()) 1094 } 1095 1096 /// Instantiates a wasm module and runs its exports with dummy values, all in 1097 /// an async fashion. 1098 /// 1099 /// Attempts to stress yields in host functions to ensure that exiting and 1100 /// resuming a wasm function call works. 1101 pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32]) { 1102 let mut store = config.to_store(); 1103 let module = match compile_module(store.engine(), wasm, KnownValid::Yes, config) { 1104 Some(module) => module, 1105 None => return, 1106 }; 1107 1108 // Configure a helper thread to periodically increment the epoch to 1109 // forcibly enable yields-via-epochs if epochs are in use. Note that this 1110 // is required because the wasm isn't otherwise guaranteed to necessarily 1111 // call any imports which will also increment the epoch. 1112 let mut helper_thread = HelperThread::default(); 1113 if let generators::AsyncConfig::YieldWithEpochs { dur, .. } = &config.wasmtime.async_config { 1114 let engine = store.engine().clone(); 1115 helper_thread.run_periodically(*dur, move || engine.increment_epoch()); 1116 } 1117 1118 // Generate a `Linker` where all function imports are custom-built to yield 1119 // periodically and additionally increment the epoch. 1120 let mut imports = Vec::new(); 1121 for import in module.imports() { 1122 let item = match import.ty() { 1123 ExternType::Func(ty) => { 1124 let poll_amt = take_poll_amt(&mut poll_amts); 1125 Func::new_async(&mut store, ty.clone(), move |caller, _, results| { 1126 let ty = ty.clone(); 1127 Box::new(async move { 1128 caller.engine().increment_epoch(); 1129 log::info!("yielding {} times in import", poll_amt); 1130 YieldN(poll_amt).await; 1131 for (ret_ty, result) in ty.results().zip(results) { 1132 *result = dummy::dummy_value(ret_ty)?; 1133 } 1134 Ok(()) 1135 }) 1136 }) 1137 .into() 1138 } 1139 other_ty => match dummy::dummy_extern(&mut store, other_ty) { 1140 Ok(item) => item, 1141 Err(e) => { 1142 log::warn!("couldn't create import: {}", e); 1143 return; 1144 } 1145 }, 1146 }; 1147 imports.push(item); 1148 } 1149 1150 // Run the instantiation process, asynchronously, and if everything 1151 // succeeds then pull out the instance. 1152 // log::info!("starting instantiation"); 1153 let instance = run(Timeout { 1154 future: Instance::new_async(&mut store, &module, &imports), 1155 polls: take_poll_amt(&mut poll_amts), 1156 end: Instant::now() + Duration::from_millis(2_000), 1157 }); 1158 let instance = match instance { 1159 Ok(instantiation_result) => match unwrap_instance(&store, instantiation_result) { 1160 Some(instance) => instance, 1161 None => { 1162 log::info!("instantiation hit a nominal error"); 1163 return; // resource exhaustion or limits met 1164 } 1165 }, 1166 Err(_) => { 1167 log::info!("instantiation failed to complete"); 1168 return; // Timed out or ran out of polls 1169 } 1170 }; 1171 1172 // Run each export of the instance in the same manner as instantiation 1173 // above. Dummy values are passed in for argument values here: 1174 // 1175 // TODO: this should probably be more clever about passing in arguments for 1176 // example they might be used as pointers or something and always using 0 1177 // isn't too interesting. 1178 let funcs = instance 1179 .exports(&mut store) 1180 .filter_map(|e| { 1181 let name = e.name().to_string(); 1182 let func = e.into_extern().into_func()?; 1183 Some((name, func)) 1184 }) 1185 .collect::<Vec<_>>(); 1186 for (name, func) in funcs { 1187 let ty = func.ty(&store); 1188 let params = ty 1189 .params() 1190 .map(|ty| dummy::dummy_value(ty).unwrap()) 1191 .collect::<Vec<_>>(); 1192 let mut results = ty 1193 .results() 1194 .map(|ty| dummy::dummy_value(ty).unwrap()) 1195 .collect::<Vec<_>>(); 1196 1197 log::info!("invoking export {:?}", name); 1198 let future = func.call_async(&mut store, ¶ms, &mut results); 1199 match run(Timeout { 1200 future, 1201 polls: take_poll_amt(&mut poll_amts), 1202 end: Instant::now() + Duration::from_millis(2_000), 1203 }) { 1204 // On success or too many polls, try the next export. 1205 Ok(_) | Err(Exhausted::Polls) => {} 1206 1207 // If time ran out then stop the current test case as we might have 1208 // already sucked up a lot of time for this fuzz test case so don't 1209 // keep it going. 1210 Err(Exhausted::Time) => return, 1211 } 1212 } 1213 1214 fn take_poll_amt(polls: &mut &[u32]) -> u32 { 1215 match polls.split_first() { 1216 Some((a, rest)) => { 1217 *polls = rest; 1218 *a 1219 } 1220 None => 0, 1221 } 1222 } 1223 1224 /// Helper future to yield N times before resolving. 1225 struct YieldN(u32); 1226 1227 impl Future for YieldN { 1228 type Output = (); 1229 1230 fn poll(mut self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<()> { 1231 if self.0 == 0 { 1232 Poll::Ready(()) 1233 } else { 1234 self.0 -= 1; 1235 cx.waker().wake_by_ref(); 1236 Poll::Pending 1237 } 1238 } 1239 } 1240 1241 /// Helper future for applying a timeout to `future` up to either when `end` 1242 /// is the current time or `polls` polls happen. 1243 /// 1244 /// Note that this helps to time out infinite loops in wasm, for example. 1245 struct Timeout<F> { 1246 future: F, 1247 /// If the future isn't ready by this time then the `Timeout<F>` future 1248 /// will return `None`. 1249 end: Instant, 1250 /// If the future doesn't resolve itself in this many calls to `poll` 1251 /// then the `Timeout<F>` future will return `None`. 1252 polls: u32, 1253 } 1254 1255 enum Exhausted { 1256 Time, 1257 Polls, 1258 } 1259 1260 impl<F: Future> Future for Timeout<F> { 1261 type Output = Result<F::Output, Exhausted>; 1262 1263 fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 1264 let (end, polls, future) = unsafe { 1265 let me = self.get_unchecked_mut(); 1266 (me.end, &mut me.polls, Pin::new_unchecked(&mut me.future)) 1267 }; 1268 match future.poll(cx) { 1269 Poll::Ready(val) => Poll::Ready(Ok(val)), 1270 Poll::Pending => { 1271 if Instant::now() >= end { 1272 log::warn!("future operation timed out"); 1273 return Poll::Ready(Err(Exhausted::Time)); 1274 } 1275 if *polls == 0 { 1276 log::warn!("future operation ran out of polls"); 1277 return Poll::Ready(Err(Exhausted::Polls)); 1278 } 1279 *polls -= 1; 1280 Poll::Pending 1281 } 1282 } 1283 } 1284 } 1285 1286 fn run<F: Future>(future: F) -> F::Output { 1287 let mut f = Box::pin(future); 1288 let mut cx = Context::from_waker(futures::task::noop_waker_ref()); 1289 loop { 1290 match f.as_mut().poll(&mut cx) { 1291 Poll::Ready(val) => break val, 1292 Poll::Pending => {} 1293 } 1294 } 1295 } 1296 } 1297 1298 #[cfg(test)] 1299 mod tests { 1300 use super::*; 1301 use arbitrary::Unstructured; 1302 use rand::prelude::*; 1303 use wasmparser::{Validator, WasmFeatures}; 1304 1305 fn gen_until_pass<T: for<'a> Arbitrary<'a>>( 1306 mut f: impl FnMut(T, &mut Unstructured<'_>) -> Result<bool>, 1307 ) -> bool { 1308 let mut rng = SmallRng::seed_from_u64(0); 1309 let mut buf = vec![0; 2048]; 1310 let n = 3000; 1311 for _ in 0..n { 1312 rng.fill_bytes(&mut buf); 1313 let mut u = Unstructured::new(&buf); 1314 1315 if let Ok(config) = u.arbitrary() { 1316 if f(config, &mut u).unwrap() { 1317 return true; 1318 } 1319 } 1320 } 1321 false 1322 } 1323 1324 /// Runs `f` with random data until it returns `Ok(())` `iters` times. 1325 fn test_n_times<T: for<'a> Arbitrary<'a>>( 1326 iters: u32, 1327 mut f: impl FnMut(T, &mut Unstructured<'_>) -> arbitrary::Result<()>, 1328 ) { 1329 let mut to_test = 0..iters; 1330 let ok = gen_until_pass(|a, b| { 1331 if f(a, b).is_ok() { 1332 Ok(to_test.next().is_none()) 1333 } else { 1334 Ok(false) 1335 } 1336 }); 1337 assert!(ok); 1338 } 1339 1340 // Test that the `table_ops` fuzzer eventually runs the gc function in the host. 1341 // We've historically had issues where this fuzzer accidentally wasn't fuzzing 1342 // anything for a long time so this is an attempt to prevent that from happening 1343 // again. 1344 #[test] 1345 fn table_ops_eventually_gcs() { 1346 // Skip if we're under emulation because some fuzz configurations will do 1347 // large address space reservations that QEMU doesn't handle well. 1348 if std::env::var("WASMTIME_TEST_NO_HOG_MEMORY").is_ok() { 1349 return; 1350 } 1351 1352 let ok = gen_until_pass(|(config, test), _| { 1353 let result = table_ops(config, test)?; 1354 Ok(result > 0) 1355 }); 1356 1357 if !ok { 1358 panic!("gc was never found"); 1359 } 1360 } 1361 1362 #[test] 1363 fn module_generation_uses_expected_proposals() { 1364 // Proposals that Wasmtime supports. Eventually a module should be 1365 // generated that needs these proposals. 1366 let mut expected = WasmFeatures::MUTABLE_GLOBAL 1367 | WasmFeatures::FLOATS 1368 | WasmFeatures::SIGN_EXTENSION 1369 | WasmFeatures::SATURATING_FLOAT_TO_INT 1370 | WasmFeatures::MULTI_VALUE 1371 | WasmFeatures::BULK_MEMORY 1372 | WasmFeatures::REFERENCE_TYPES 1373 | WasmFeatures::SIMD 1374 | WasmFeatures::MULTI_MEMORY 1375 | WasmFeatures::RELAXED_SIMD 1376 | WasmFeatures::THREADS 1377 | WasmFeatures::TAIL_CALL 1378 | WasmFeatures::WIDE_ARITHMETIC 1379 | WasmFeatures::MEMORY64 1380 | WasmFeatures::FUNCTION_REFERENCES 1381 | WasmFeatures::GC 1382 | WasmFeatures::GC_TYPES 1383 | WasmFeatures::CUSTOM_PAGE_SIZES 1384 | WasmFeatures::EXTENDED_CONST; 1385 1386 // All other features that wasmparser supports, which is presumably a 1387 // superset of the features that wasm-smith supports, are listed here as 1388 // unexpected. This means, for example, that if wasm-smith updates to 1389 // include a new proposal by default that wasmtime implements then it 1390 // will be required to be listed above. 1391 let unexpected = WasmFeatures::all() ^ expected; 1392 1393 let ok = gen_until_pass(|config: generators::Config, u| { 1394 let wasm = config.generate(u, None)?.to_bytes(); 1395 1396 // Double-check the module is valid 1397 Validator::new_with_features(WasmFeatures::all()).validate_all(&wasm)?; 1398 1399 // If any of the unexpected features are removed then this module 1400 // should always be valid, otherwise something went wrong. 1401 for feature in unexpected.iter() { 1402 let ok = 1403 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1404 if ok.is_err() { 1405 anyhow::bail!("generated a module with {feature:?} but that wasn't expected"); 1406 } 1407 } 1408 1409 // If any of `expected` is removed and the module fails to validate, 1410 // then that means the module requires that feature. Remove that 1411 // from the set of features we're then expecting. 1412 for feature in expected.iter() { 1413 let ok = 1414 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1415 if ok.is_err() { 1416 expected ^= feature; 1417 } 1418 } 1419 1420 Ok(expected.is_empty()) 1421 }); 1422 1423 if !ok { 1424 panic!("never generated wasm module using {expected:?}"); 1425 } 1426 } 1427 1428 #[test] 1429 fn wast_smoke_test() { 1430 test_n_times(50, |(), u| super::wast_test(u)); 1431 } 1432 } 1433