1 //! Oracles. 2 //! 3 //! Oracles take a test case and determine whether we have a bug. For example, 4 //! one of the simplest oracles is to take a Wasm binary as our input test case, 5 //! validate and instantiate it, and (implicitly) check that no assertions 6 //! failed or segfaults happened. A more complicated oracle might compare the 7 //! result of executing a Wasm file with and without optimizations enabled, and 8 //! make sure that the two executions are observably identical. 9 //! 10 //! When an oracle finds a bug, it should report it to the fuzzing engine by 11 //! panicking. 12 13 pub mod component_api; 14 pub mod component_async; 15 #[cfg(feature = "fuzz-spec-interpreter")] 16 pub mod diff_spec; 17 pub mod diff_wasmi; 18 pub mod diff_wasmtime; 19 pub mod dummy; 20 pub mod engine; 21 pub mod memory; 22 mod stacks; 23 24 use self::diff_wasmtime::WasmtimeInstance; 25 use self::engine::{DiffEngine, DiffInstance}; 26 use crate::generators::GcOps; 27 use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType}; 28 use crate::single_module_fuzzer::KnownValid; 29 use crate::{YieldN, block_on}; 30 use arbitrary::Arbitrary; 31 pub use stacks::check_stacks; 32 use std::future::Future; 33 use std::pin::Pin; 34 use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst}; 35 use std::sync::{Arc, Condvar, Mutex}; 36 use std::task::{Context, Poll}; 37 use std::time::{Duration, Instant}; 38 use wasmtime::*; 39 use wasmtime_wast::WastContext; 40 41 #[cfg(not(any(windows, target_arch = "s390x", target_arch = "riscv64")))] 42 mod diff_v8; 43 44 static CNT: AtomicUsize = AtomicUsize::new(0); 45 46 /// Logs a wasm file to the filesystem to make it easy to figure out what wasm 47 /// was used when debugging. 48 pub fn log_wasm(wasm: &[u8]) { 49 super::init_fuzzing(); 50 51 if !log::log_enabled!(log::Level::Debug) { 52 return; 53 } 54 55 let i = CNT.fetch_add(1, SeqCst); 56 let name = format!("testcase{i}.wasm"); 57 std::fs::write(&name, wasm).expect("failed to write wasm file"); 58 log::debug!("wrote wasm file to `{name}`"); 59 let wat = format!("testcase{i}.wat"); 60 match wasmprinter::print_bytes(wasm) { 61 Ok(s) => std::fs::write(&wat, s).expect("failed to write wat file"), 62 // If wasmprinter failed remove a `*.wat` file, if any, to avoid 63 // confusing a preexisting one with this wasm which failed to get 64 // printed. 65 Err(e) => { 66 log::debug!("failed to print to wat: {e}"); 67 drop(std::fs::remove_file(&wat)) 68 } 69 } 70 } 71 72 /// The `T` in `Store<T>` for fuzzing stores, used to limit resource 73 /// consumption during fuzzing. 74 #[derive(Clone)] 75 pub struct StoreLimits(Arc<LimitsState>); 76 77 struct LimitsState { 78 /// Remaining memory, in bytes, left to allocate 79 remaining_memory: AtomicUsize, 80 /// Remaining amount of memory that's allowed to be copied via a growth. 81 remaining_copy_allowance: AtomicUsize, 82 /// Whether or not an allocation request has been denied 83 oom: AtomicBool, 84 } 85 86 /// Allow up to 1G which is well below the 2G limit on OSS-Fuzz and should allow 87 /// most interesting behavior. 88 const MAX_MEMORY: usize = 1 << 30; 89 90 /// Allow up to 4G of bytes to be copied (conservatively) which should enable 91 /// growth up to `MAX_MEMORY` or at least up to a relatively large amount. 92 const MAX_MEMORY_MOVED: usize = 4 << 30; 93 94 impl StoreLimits { 95 /// Creates the default set of limits for all fuzzing stores. 96 pub fn new() -> StoreLimits { 97 StoreLimits(Arc::new(LimitsState { 98 remaining_memory: AtomicUsize::new(MAX_MEMORY), 99 remaining_copy_allowance: AtomicUsize::new(MAX_MEMORY_MOVED), 100 oom: AtomicBool::new(false), 101 })) 102 } 103 104 fn alloc(&mut self, amt: usize) -> bool { 105 log::trace!("alloc {amt:#x} bytes"); 106 107 // Assume that on each allocation of memory that all previous 108 // allocations of memory are moved. This is pretty coarse but is used to 109 // help prevent against fuzz test cases that just move tons of bytes 110 // around continuously. This assumes that all previous memory was 111 // allocated in a single linear memory and growing by `amt` will require 112 // moving all the bytes to a new location. This isn't actually required 113 // all the time nor does it accurately reflect what happens all the 114 // time, but it's a coarse approximation that should be "good enough" 115 // for allowing interesting fuzz behaviors to happen while not timing 116 // out just copying bytes around. 117 let prev_size = MAX_MEMORY - self.0.remaining_memory.load(SeqCst); 118 if self 119 .0 120 .remaining_copy_allowance 121 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(prev_size)) 122 .is_err() 123 { 124 self.0.oom.store(true, SeqCst); 125 log::debug!("-> too many bytes moved, rejecting allocation"); 126 return false; 127 } 128 129 // If we're allowed to move the bytes, then also check if we're allowed 130 // to actually have this much residence at once. 131 match self 132 .0 133 .remaining_memory 134 .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(amt)) 135 { 136 Ok(_) => true, 137 Err(_) => { 138 self.0.oom.store(true, SeqCst); 139 log::debug!("-> OOM hit"); 140 false 141 } 142 } 143 } 144 145 fn is_oom(&self) -> bool { 146 self.0.oom.load(SeqCst) 147 } 148 } 149 150 impl ResourceLimiter for StoreLimits { 151 fn memory_growing( 152 &mut self, 153 current: usize, 154 desired: usize, 155 _maximum: Option<usize>, 156 ) -> Result<bool> { 157 Ok(self.alloc(desired - current)) 158 } 159 160 fn table_growing( 161 &mut self, 162 current: usize, 163 desired: usize, 164 _maximum: Option<usize>, 165 ) -> Result<bool> { 166 let delta = (desired - current).saturating_mul(std::mem::size_of::<usize>()); 167 Ok(self.alloc(delta)) 168 } 169 } 170 171 /// Methods of timing out execution of a WebAssembly module 172 #[derive(Clone, Debug)] 173 pub enum Timeout { 174 /// No timeout is used, it should be guaranteed via some other means that 175 /// the input does not infinite loop. 176 None, 177 /// Fuel-based timeouts are used where the specified fuel is all that the 178 /// provided wasm module is allowed to consume. 179 Fuel(u64), 180 /// An epoch-interruption-based timeout is used with a sleeping 181 /// thread bumping the epoch counter after the specified duration. 182 Epoch(Duration), 183 } 184 185 /// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected 186 /// panic or segfault or anything else that can be detected "passively". 187 /// 188 /// The engine will be configured using provided config. 189 pub fn instantiate( 190 wasm: &[u8], 191 known_valid: KnownValid, 192 config: &generators::Config, 193 timeout: Timeout, 194 ) { 195 let mut store = config.to_store(); 196 197 let module = match compile_module(store.engine(), wasm, known_valid, config) { 198 Some(module) => module, 199 None => return, 200 }; 201 202 let mut timeout_state = HelperThread::default(); 203 match timeout { 204 Timeout::Fuel(fuel) => store.set_fuel(fuel).unwrap(), 205 206 // If a timeout is requested then we spawn a helper thread to wait for 207 // the requested time and then send us a signal to get interrupted. We 208 // also arrange for the thread's sleep to get interrupted if we return 209 // early (or the wasm returns within the time limit), which allows the 210 // thread to get torn down. 211 // 212 // This prevents us from creating a huge number of sleeping threads if 213 // this function is executed in a loop, like it does on nightly fuzzing 214 // infrastructure. 215 Timeout::Epoch(timeout) => { 216 let engine = store.engine().clone(); 217 timeout_state.run_periodically(timeout, move || engine.increment_epoch()); 218 } 219 Timeout::None => {} 220 } 221 222 instantiate_with_dummy(&mut store, &module); 223 } 224 225 /// Represents supported commands to the `instantiate_many` function. 226 #[derive(Arbitrary, Debug)] 227 pub enum Command { 228 /// Instantiates a module. 229 /// 230 /// The value is the index of the module to instantiate. 231 /// 232 /// The module instantiated will be this value modulo the number of modules provided to `instantiate_many`. 233 Instantiate(usize), 234 /// Terminates a "running" instance. 235 /// 236 /// The value is the index of the instance to terminate. 237 /// 238 /// The instance terminated will be this value modulo the number of currently running 239 /// instances. 240 /// 241 /// If no instances are running, the command will be ignored. 242 Terminate(usize), 243 } 244 245 /// Instantiates many instances from the given modules. 246 /// 247 /// The engine will be configured using the provided config. 248 /// 249 /// The modules are expected to *not* have start functions as no timeouts are configured. 250 pub fn instantiate_many( 251 modules: &[Vec<u8>], 252 known_valid: KnownValid, 253 config: &generators::Config, 254 commands: &[Command], 255 ) { 256 log::debug!("instantiate_many: {commands:#?}"); 257 258 assert!(!config.module_config.config.allow_start_export); 259 260 let engine = Engine::new(&config.to_wasmtime()).unwrap(); 261 262 let modules = modules 263 .iter() 264 .enumerate() 265 .filter_map( 266 |(i, bytes)| match compile_module(&engine, bytes, known_valid, config) { 267 Some(m) => { 268 log::debug!("successfully compiled module {i}"); 269 Some(m) 270 } 271 None => { 272 log::debug!("failed to compile module {i}"); 273 None 274 } 275 }, 276 ) 277 .collect::<Vec<_>>(); 278 279 // If no modules were valid, we're done 280 if modules.is_empty() { 281 return; 282 } 283 284 // This stores every `Store` where a successful instantiation takes place 285 let mut stores = Vec::new(); 286 let limits = StoreLimits::new(); 287 288 for command in commands { 289 match command { 290 Command::Instantiate(index) => { 291 let index = *index % modules.len(); 292 log::info!("instantiating {index}"); 293 let module = &modules[index]; 294 let mut store = Store::new(&engine, limits.clone()); 295 config.configure_store(&mut store); 296 297 if instantiate_with_dummy(&mut store, module).is_some() { 298 stores.push(Some(store)); 299 } else { 300 log::warn!("instantiation failed"); 301 } 302 } 303 Command::Terminate(index) => { 304 if stores.is_empty() { 305 continue; 306 } 307 let index = *index % stores.len(); 308 309 log::info!("dropping {index}"); 310 stores.swap_remove(index); 311 } 312 } 313 } 314 } 315 316 fn compile_module( 317 engine: &Engine, 318 bytes: &[u8], 319 known_valid: KnownValid, 320 config: &generators::Config, 321 ) -> Option<Module> { 322 log_wasm(bytes); 323 324 fn is_pcc_error(e: &anyhow::Error) -> bool { 325 // NOTE: please keep this predicate in sync with the display format of CodegenError, 326 // defined in `wasmtime/cranelift/codegen/src/result.rs` 327 e.to_string().to_lowercase().contains("proof-carrying-code") 328 } 329 330 match config.compile(engine, bytes) { 331 Ok(module) => Some(module), 332 Err(e) if is_pcc_error(&e) => { 333 panic!("pcc error in input: {e:#?}"); 334 } 335 Err(_) if known_valid == KnownValid::No => None, 336 Err(e) => { 337 if let generators::InstanceAllocationStrategy::Pooling(c) = &config.wasmtime.strategy { 338 // When using the pooling allocator, accept failures to compile 339 // when arbitrary table element limits have been exceeded as 340 // there is currently no way to constrain the generated module 341 // table types. 342 let string = format!("{e:?}"); 343 if string.contains("minimum element size") { 344 return None; 345 } 346 347 // Allow modules-failing-to-compile which exceed the requested 348 // size for each instance. This is something that is difficult 349 // to control and ensure it always succeeds, so we simply have a 350 // "random" instance size limit and if a module doesn't fit we 351 // move on to the next fuzz input. 352 if string.contains("instance allocation for this module requires") { 353 return None; 354 } 355 356 // If the pooling allocator is more restrictive on the number of 357 // tables and memories than we allowed wasm-smith to generate 358 // then allow compilation errors along those lines. 359 if c.max_tables_per_module < (config.module_config.config.max_tables as u32) 360 && string.contains("defined tables count") 361 && string.contains("exceeds the per-instance limit") 362 { 363 return None; 364 } 365 366 if c.max_memories_per_module < (config.module_config.config.max_memories as u32) 367 && string.contains("defined memories count") 368 && string.contains("exceeds the per-instance limit") 369 { 370 return None; 371 } 372 } 373 374 panic!("failed to compile module: {e:?}"); 375 } 376 } 377 } 378 379 /// Create a Wasmtime [`Instance`] from a [`Module`] and fill in all imports 380 /// with dummy values (e.g., zeroed values, immediately-trapping functions). 381 /// Also, this function catches certain fuzz-related instantiation failures and 382 /// returns `None` instead of panicking. 383 /// 384 /// TODO: we should implement tracing versions of these dummy imports that 385 /// record a trace of the order that imported functions were called in and with 386 /// what values. Like the results of exported functions, calls to imports should 387 /// also yield the same values for each configuration, and we should assert 388 /// that. 389 pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance> { 390 // Creation of imports can fail due to resource limit constraints, and then 391 // instantiation can naturally fail for a number of reasons as well. Bundle 392 // the two steps together to match on the error below. 393 let linker = dummy::dummy_linker(store, module); 394 if let Err(e) = &linker { 395 log::warn!("failed to create dummy linker: {e:?}"); 396 } 397 let instance = linker.and_then(|l| l.instantiate(&mut *store, module)); 398 unwrap_instance(store, instance) 399 } 400 401 fn unwrap_instance( 402 store: &Store<StoreLimits>, 403 instance: anyhow::Result<Instance>, 404 ) -> Option<Instance> { 405 let e = match instance { 406 Ok(i) => return Some(i), 407 Err(e) => e, 408 }; 409 410 log::debug!("failed to instantiate: {e:?}"); 411 412 // If the instantiation hit OOM for some reason then that's ok, it's 413 // expected that fuzz-generated programs try to allocate lots of 414 // stuff. 415 if store.data().is_oom() { 416 return None; 417 } 418 419 // Allow traps which can happen normally with `unreachable` or a timeout or 420 // such. 421 if e.is::<Trap>() 422 // Also allow failures to instantiate as a result of hitting pooling 423 // limits. 424 || e.is::<wasmtime::PoolConcurrencyLimitError>() 425 // And GC heap OOMs. 426 || e.is::<wasmtime::GcHeapOutOfMemory<()>>() 427 // And thrown exceptions. 428 || e.is::<wasmtime::ThrownException>() 429 { 430 return None; 431 } 432 433 let string = e.to_string(); 434 435 // Currently we instantiate with a `Linker` which can't instantiate 436 // every single module under the sun due to using name-based resolution 437 // rather than positional-based resolution 438 if string.contains("incompatible import type") { 439 return None; 440 } 441 442 // Everything else should be a bug in the fuzzer or a bug in wasmtime 443 panic!("failed to instantiate: {e:?}"); 444 } 445 446 /// Evaluate the function identified by `name` in two different engine 447 /// instances--`lhs` and `rhs`. 448 /// 449 /// Returns `Ok(true)` if more evaluations can happen or `Ok(false)` if the 450 /// instances may have drifted apart and no more evaluations can happen. 451 /// 452 /// # Panics 453 /// 454 /// This will panic if the evaluation is different between engines (e.g., 455 /// results are different, hashed instance is different, one side traps, etc.). 456 pub fn differential( 457 lhs: &mut dyn DiffInstance, 458 lhs_engine: &dyn DiffEngine, 459 rhs: &mut WasmtimeInstance, 460 name: &str, 461 args: &[DiffValue], 462 result_tys: &[DiffValueType], 463 ) -> anyhow::Result<bool> { 464 log::debug!("Evaluating: `{name}` with {args:?}"); 465 let lhs_results = match lhs.evaluate(name, args, result_tys) { 466 Ok(Some(results)) => Ok(results), 467 Err(e) => Err(e), 468 // this engine couldn't execute this type signature, so discard this 469 // execution by returning success. 470 Ok(None) => return Ok(true), 471 }; 472 log::debug!(" -> lhs results on {}: {:?}", lhs.name(), &lhs_results); 473 474 let rhs_results = rhs 475 .evaluate(name, args, result_tys) 476 // wasmtime should be able to invoke any signature, so unwrap this result 477 .map(|results| results.unwrap()); 478 log::debug!(" -> rhs results on {}: {:?}", rhs.name(), &rhs_results); 479 480 // If Wasmtime hit its OOM condition, which is possible since it's set 481 // somewhat low while fuzzing, then don't return an error but return 482 // `false` indicating that differential fuzzing must stop. There's no 483 // guarantee the other engine has the same OOM limits as Wasmtime, and 484 // it's assumed that Wasmtime is configured to have a more conservative 485 // limit than the other engine. 486 if rhs.is_oom() { 487 return Ok(false); 488 } 489 490 match DiffEqResult::new(lhs_engine, lhs_results, rhs_results) { 491 DiffEqResult::Success(lhs, rhs) => assert_eq!(lhs, rhs), 492 DiffEqResult::Poisoned => return Ok(false), 493 DiffEqResult::Failed => {} 494 } 495 496 for (global, ty) in rhs.exported_globals() { 497 log::debug!("Comparing global `{global}`"); 498 let lhs = match lhs.get_global(&global, ty) { 499 Some(val) => val, 500 None => continue, 501 }; 502 let rhs = rhs.get_global(&global, ty).unwrap(); 503 assert_eq!(lhs, rhs); 504 } 505 for (memory, shared) in rhs.exported_memories() { 506 log::debug!("Comparing memory `{memory}`"); 507 let lhs = match lhs.get_memory(&memory, shared) { 508 Some(val) => val, 509 None => continue, 510 }; 511 let rhs = rhs.get_memory(&memory, shared).unwrap(); 512 if lhs == rhs { 513 continue; 514 } 515 eprintln!("differential memory is {} bytes long", lhs.len()); 516 eprintln!("wasmtime memory is {} bytes long", rhs.len()); 517 panic!("memories have differing values"); 518 } 519 520 Ok(true) 521 } 522 523 /// Result of comparing the result of two operations during differential 524 /// execution. 525 pub enum DiffEqResult<T, U> { 526 /// Both engines succeeded. 527 Success(T, U), 528 /// The result has reached the state where engines may have diverged and 529 /// results can no longer be compared. 530 Poisoned, 531 /// Both engines failed with the same error message, and internal state 532 /// should still match between the two engines. 533 Failed, 534 } 535 536 fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool { 537 match trap { 538 // Allocations being too large for the GC are 539 // implementation-defined. 540 Trap::AllocationTooLarge | 541 // Stack size, and therefore when overflow happens, is 542 // implementation-defined. 543 Trap::StackOverflow => true, 544 _ => false, 545 } 546 } 547 548 fn wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool { 549 match error.downcast_ref::<Trap>() { 550 Some(trap) => wasmtime_trap_is_non_deterministic(trap), 551 552 // For general, unknown errors, we can't rely on this being 553 // a deterministic Wasm failure that both engines handled 554 // identically, leaving Wasm in identical states. We could 555 // just as easily be hitting engine-specific failures, like 556 // different implementation-defined limits. So simply poison 557 // this execution and move on to the next test. 558 None => true, 559 } 560 } 561 562 impl<T, U> DiffEqResult<T, U> { 563 /// Computes the differential result from executing in two different 564 /// engines. 565 pub fn new( 566 lhs_engine: &dyn DiffEngine, 567 lhs_result: Result<T>, 568 rhs_result: Result<U>, 569 ) -> DiffEqResult<T, U> { 570 match (lhs_result, rhs_result) { 571 (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result), 572 573 // Handle all non-deterministic errors by poisoning this execution's 574 // state, so that we simply move on to the next test. 575 (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => { 576 log::debug!("lhs failed non-deterministically: {lhs:?}"); 577 DiffEqResult::Poisoned 578 } 579 (_, Err(rhs)) if wasmtime_error_is_non_deterministic(&rhs) => { 580 log::debug!("rhs failed non-deterministically: {rhs:?}"); 581 DiffEqResult::Poisoned 582 } 583 584 // Both sides failed deterministically. Check that the trap and 585 // state at the time of failure is the same. 586 (Err(lhs), Err(rhs)) => { 587 let rhs = rhs 588 .downcast::<Trap>() 589 .expect("non-traps handled in earlier match arm"); 590 591 debug_assert!( 592 !lhs_engine.is_non_deterministic_error(&lhs), 593 "non-deterministic traps handled in earlier match arm", 594 ); 595 debug_assert!( 596 !wasmtime_trap_is_non_deterministic(&rhs), 597 "non-deterministic traps handled in earlier match arm", 598 ); 599 600 lhs_engine.assert_error_match(&lhs, &rhs); 601 DiffEqResult::Failed 602 } 603 604 // A real bug is found if only one side fails. 605 (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"), 606 (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"), 607 } 608 } 609 } 610 611 /// Invoke the given API calls. 612 pub fn make_api_calls(api: generators::api::ApiCalls) { 613 use crate::generators::api::ApiCall; 614 use std::collections::HashMap; 615 616 let mut store: Option<Store<StoreLimits>> = None; 617 let mut modules: HashMap<usize, Module> = Default::default(); 618 let mut instances: HashMap<usize, Instance> = Default::default(); 619 620 for call in api.calls { 621 match call { 622 ApiCall::StoreNew(config) => { 623 log::trace!("creating store"); 624 assert!(store.is_none()); 625 store = Some(config.to_store()); 626 } 627 628 ApiCall::ModuleNew { id, wasm } => { 629 log::debug!("creating module: {id}"); 630 log_wasm(&wasm); 631 let module = match Module::new(store.as_ref().unwrap().engine(), &wasm) { 632 Ok(m) => m, 633 Err(_) => continue, 634 }; 635 let old = modules.insert(id, module); 636 assert!(old.is_none()); 637 } 638 639 ApiCall::ModuleDrop { id } => { 640 log::trace!("dropping module: {id}"); 641 drop(modules.remove(&id)); 642 } 643 644 ApiCall::InstanceNew { id, module } => { 645 log::trace!("instantiating module {module} as {id}"); 646 let module = match modules.get(&module) { 647 Some(m) => m, 648 None => continue, 649 }; 650 651 let store = store.as_mut().unwrap(); 652 if let Some(instance) = instantiate_with_dummy(store, module) { 653 instances.insert(id, instance); 654 } 655 } 656 657 ApiCall::InstanceDrop { id } => { 658 log::trace!("dropping instance {id}"); 659 instances.remove(&id); 660 } 661 662 ApiCall::CallExportedFunc { instance, nth } => { 663 log::trace!("calling instance export {instance} / {nth}"); 664 let instance = match instances.get(&instance) { 665 Some(i) => i, 666 None => { 667 // Note that we aren't guaranteed to instantiate valid 668 // modules, see comments in `InstanceNew` for details on 669 // that. But the API call generator can't know if 670 // instantiation failed, so we might not actually have 671 // this instance. When that's the case, just skip the 672 // API call and keep going. 673 continue; 674 } 675 }; 676 let store = store.as_mut().unwrap(); 677 678 let funcs = instance 679 .exports(&mut *store) 680 .filter_map(|e| match e.into_extern() { 681 Extern::Func(f) => Some(f), 682 _ => None, 683 }) 684 .collect::<Vec<_>>(); 685 686 if funcs.is_empty() { 687 continue; 688 } 689 690 let nth = nth % funcs.len(); 691 let f = &funcs[nth]; 692 let ty = f.ty(&store); 693 if let Some(params) = ty 694 .params() 695 .map(|p| p.default_value()) 696 .collect::<Option<Vec<_>>>() 697 { 698 let mut results = vec![Val::I32(0); ty.results().len()]; 699 let _ = f.call(store, ¶ms, &mut results); 700 } 701 } 702 } 703 } 704 } 705 706 /// Executes the wast `test` with the `config` specified. 707 /// 708 /// Ensures that wast tests pass regardless of the `Config`. 709 pub fn wast_test(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()> { 710 crate::init_fuzzing(); 711 712 let mut fuzz_config: generators::Config = u.arbitrary()?; 713 fuzz_config.module_config.shared_memory = true; 714 let test: generators::WastTest = u.arbitrary()?; 715 716 let test = &test.test; 717 718 if test.config.component_model_async() || u.arbitrary()? { 719 fuzz_config.enable_async(u)?; 720 } 721 722 // Discard tests that allocate a lot of memory as we don't want to OOM the 723 // fuzzer and we also limit memory growth which would cause the test to 724 // fail. 725 if test.config.hogs_memory.unwrap_or(false) { 726 return Err(arbitrary::Error::IncorrectFormat); 727 } 728 729 // Transform `fuzz_config` to be valid for `test` and make sure that this 730 // test is supposed to pass. 731 let wast_config = fuzz_config.make_wast_test_compliant(test); 732 if test.should_fail(&wast_config) { 733 return Err(arbitrary::Error::IncorrectFormat); 734 } 735 736 // Winch requires AVX and AVX2 for SIMD tests to pass so don't run the test 737 // if either isn't enabled. 738 if fuzz_config.wasmtime.compiler_strategy == CompilerStrategy::Winch 739 && test.config.simd() 740 && (fuzz_config 741 .wasmtime 742 .codegen_flag("has_avx") 743 .is_some_and(|value| value == "false") 744 || fuzz_config 745 .wasmtime 746 .codegen_flag("has_avx2") 747 .is_some_and(|value| value == "false")) 748 { 749 log::warn!( 750 "Skipping Wast test because Winch doesn't support SIMD tests with AVX or AVX2 disabled" 751 ); 752 return Err(arbitrary::Error::IncorrectFormat); 753 } 754 755 // Fuel and epochs don't play well with threads right now, so exclude any 756 // thread-spawning test if it looks like threads are spawned in that case. 757 if fuzz_config.wasmtime.consume_fuel || fuzz_config.wasmtime.epoch_interruption { 758 if test.contents.contains("(thread") { 759 return Err(arbitrary::Error::IncorrectFormat); 760 } 761 } 762 763 log::debug!("running {:?}", test.path); 764 let async_ = if fuzz_config.wasmtime.async_config == generators::AsyncConfig::Disabled { 765 wasmtime_wast::Async::No 766 } else { 767 wasmtime_wast::Async::Yes 768 }; 769 log::debug!("async: {async_:?}"); 770 let engine = Engine::new(&fuzz_config.to_wasmtime()).unwrap(); 771 let mut wast_context = WastContext::new(&engine, async_, move |store| { 772 fuzz_config.configure_store_epoch_and_fuel(store); 773 }); 774 wast_context 775 .register_spectest(&wasmtime_wast::SpectestConfig { 776 use_shared_memory: true, 777 suppress_prints: true, 778 }) 779 .unwrap(); 780 wast_context 781 .run_wast(test.path.to_str().unwrap(), test.contents.as_bytes()) 782 .unwrap(); 783 Ok(()) 784 } 785 786 /// Execute a series of `gc` operations. 787 /// 788 /// Returns the number of `gc` operations which occurred throughout the test 789 /// case -- used to test below that gc happens reasonably soon and eventually. 790 pub fn gc_ops(mut fuzz_config: generators::Config, mut ops: GcOps) -> Result<usize> { 791 let expected_drops = Arc::new(AtomicUsize::new(0)); 792 let num_dropped = Arc::new(AtomicUsize::new(0)); 793 794 let num_gcs = Arc::new(AtomicUsize::new(0)); 795 { 796 fuzz_config.wasmtime.consume_fuel = true; 797 let mut store = fuzz_config.to_store(); 798 store.set_fuel(1_000).unwrap(); 799 800 let wasm = ops.to_wasm_binary(); 801 log_wasm(&wasm); 802 let module = match compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config) { 803 Some(m) => m, 804 None => return Ok(0), 805 }; 806 807 let mut linker = Linker::new(store.engine()); 808 809 // To avoid timeouts, limit the number of explicit GCs we perform per 810 // test case. 811 const MAX_GCS: usize = 5; 812 813 let func_ty = FuncType::new( 814 store.engine(), 815 vec![], 816 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 817 ); 818 let func = Func::new(&mut store, func_ty, { 819 let num_dropped = num_dropped.clone(); 820 let expected_drops = expected_drops.clone(); 821 let num_gcs = num_gcs.clone(); 822 move |mut caller: Caller<'_, StoreLimits>, _params, results| { 823 log::info!("gc_ops: GC"); 824 if num_gcs.fetch_add(1, SeqCst) < MAX_GCS { 825 caller.gc(None); 826 } 827 828 let a = ExternRef::new( 829 &mut caller, 830 CountDrops::new(&expected_drops, num_dropped.clone()), 831 )?; 832 let b = ExternRef::new( 833 &mut caller, 834 CountDrops::new(&expected_drops, num_dropped.clone()), 835 )?; 836 let c = ExternRef::new( 837 &mut caller, 838 CountDrops::new(&expected_drops, num_dropped.clone()), 839 )?; 840 841 log::info!("gc_ops: gc() -> ({a:?}, {b:?}, {c:?})"); 842 results[0] = Some(a).into(); 843 results[1] = Some(b).into(); 844 results[2] = Some(c).into(); 845 Ok(()) 846 } 847 }); 848 linker.define(&store, "", "gc", func).unwrap(); 849 850 linker 851 .func_wrap("", "take_refs", { 852 let expected_drops = expected_drops.clone(); 853 move |caller: Caller<'_, StoreLimits>, 854 a: Option<Rooted<ExternRef>>, 855 b: Option<Rooted<ExternRef>>, 856 c: Option<Rooted<ExternRef>>| 857 -> Result<()> { 858 log::info!("gc_ops: take_refs({a:?}, {b:?}, {c:?})",); 859 860 // Do the assertion on each ref's inner data, even though it 861 // all points to the same atomic, so that if we happen to 862 // run into a use-after-free bug with one of these refs we 863 // are more likely to trigger a segfault. 864 if let Some(a) = a { 865 let a = a 866 .data(&caller)? 867 .unwrap() 868 .downcast_ref::<CountDrops>() 869 .unwrap(); 870 assert!(a.0.load(SeqCst) <= expected_drops.load(SeqCst)); 871 } 872 if let Some(b) = b { 873 let b = b 874 .data(&caller)? 875 .unwrap() 876 .downcast_ref::<CountDrops>() 877 .unwrap(); 878 assert!(b.0.load(SeqCst) <= expected_drops.load(SeqCst)); 879 } 880 if let Some(c) = c { 881 let c = c 882 .data(&caller)? 883 .unwrap() 884 .downcast_ref::<CountDrops>() 885 .unwrap(); 886 assert!(c.0.load(SeqCst) <= expected_drops.load(SeqCst)); 887 } 888 Ok(()) 889 } 890 }) 891 .unwrap(); 892 893 let func_ty = FuncType::new( 894 store.engine(), 895 vec![], 896 vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF], 897 ); 898 let func = Func::new(&mut store, func_ty, { 899 let num_dropped = num_dropped.clone(); 900 let expected_drops = expected_drops.clone(); 901 move |mut caller, _params, results| { 902 log::info!("gc_ops: make_refs"); 903 904 let a = ExternRef::new( 905 &mut caller, 906 CountDrops::new(&expected_drops, num_dropped.clone()), 907 )?; 908 let b = ExternRef::new( 909 &mut caller, 910 CountDrops::new(&expected_drops, num_dropped.clone()), 911 )?; 912 let c = ExternRef::new( 913 &mut caller, 914 CountDrops::new(&expected_drops, num_dropped.clone()), 915 )?; 916 917 log::info!("gc_ops: make_refs() -> ({a:?}, {b:?}, {c:?})"); 918 919 results[0] = Some(a).into(); 920 results[1] = Some(b).into(); 921 results[2] = Some(c).into(); 922 923 Ok(()) 924 } 925 }); 926 linker.define(&store, "", "make_refs", func).unwrap(); 927 928 let func_ty = FuncType::new( 929 store.engine(), 930 vec![ValType::Ref(RefType::new(false, HeapType::Any))], 931 vec![], 932 ); 933 934 let func = Func::new(&mut store, func_ty, { 935 move |_caller: Caller<'_, StoreLimits>, _params, _results| { 936 log::info!("gc_ops: take_struct(<ref any>)"); 937 Ok(()) 938 } 939 }); 940 941 linker.define(&store, "", "take_struct", func).unwrap(); 942 943 for imp in module.imports() { 944 if imp.module() == "" { 945 let name = imp.name(); 946 if name.starts_with("take_struct_") { 947 if let wasmtime::ExternType::Func(ft) = imp.ty() { 948 let imp_name = name.to_string(); 949 let func = 950 Func::new(&mut store, ft.clone(), move |_caller, _params, _results| { 951 log::info!("gc_ops: {imp_name}(<typed structref>)"); 952 Ok(()) 953 }); 954 linker.define(&store, "", name, func).unwrap(); 955 } 956 } 957 } 958 } 959 960 let instance = linker.instantiate(&mut store, &module).unwrap(); 961 let run = instance.get_func(&mut store, "run").unwrap(); 962 963 { 964 let mut scope = RootScope::new(&mut store); 965 966 log::info!( 967 "gc_ops: begin allocating {} externref arguments", 968 ops.limits.num_globals 969 ); 970 let args: Vec<_> = (0..ops.limits.num_params) 971 .map(|_| { 972 Ok(Val::ExternRef(Some(ExternRef::new( 973 &mut scope, 974 CountDrops::new(&expected_drops, num_dropped.clone()), 975 )?))) 976 }) 977 .collect::<Result<_>>()?; 978 log::info!( 979 "gc_ops: end allocating {} externref arguments", 980 ops.limits.num_globals 981 ); 982 983 // The generated function should always return a trap. The only two 984 // valid traps are table-out-of-bounds which happens through `table.get` 985 // and `table.set` generated or an out-of-fuel trap. Otherwise any other 986 // error is unexpected and should fail fuzzing. 987 log::info!("gc_ops: calling into Wasm `run` function"); 988 let err = run.call(&mut scope, &args, &mut []).unwrap_err(); 989 if err.is::<GcHeapOutOfMemory<CountDrops>>() || err.is::<GcHeapOutOfMemory<()>>() { 990 // Accept GC OOM as an allowed outcome for this fuzzer. 991 } else { 992 let trap = err 993 .downcast::<Trap>() 994 .expect("if not GC oom, error should be a Wasm trap"); 995 match trap { 996 Trap::TableOutOfBounds | Trap::OutOfFuel | Trap::AllocationTooLarge => {} 997 _ => panic!("unexpected trap: {trap}"), 998 } 999 } 1000 } 1001 1002 // Do a final GC after running the Wasm. 1003 store.gc(None); 1004 } 1005 1006 assert_eq!(num_dropped.load(SeqCst), expected_drops.load(SeqCst)); 1007 return Ok(num_gcs.load(SeqCst)); 1008 1009 struct CountDrops(Arc<AtomicUsize>); 1010 1011 impl CountDrops { 1012 fn new(expected_drops: &AtomicUsize, num_dropped: Arc<AtomicUsize>) -> Self { 1013 let expected = expected_drops.fetch_add(1, SeqCst); 1014 log::info!( 1015 "CountDrops::new: expected drops: {expected} -> {}", 1016 expected + 1 1017 ); 1018 Self(num_dropped) 1019 } 1020 } 1021 1022 impl Drop for CountDrops { 1023 fn drop(&mut self) { 1024 let drops = self.0.fetch_add(1, SeqCst); 1025 log::info!("CountDrops::drop: actual drops: {drops} -> {}", drops + 1); 1026 } 1027 } 1028 } 1029 1030 #[derive(Default)] 1031 struct HelperThread { 1032 state: Arc<HelperThreadState>, 1033 thread: Option<std::thread::JoinHandle<()>>, 1034 } 1035 1036 #[derive(Default)] 1037 struct HelperThreadState { 1038 should_exit: Mutex<bool>, 1039 should_exit_cvar: Condvar, 1040 } 1041 1042 impl HelperThread { 1043 fn run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static) { 1044 let state = self.state.clone(); 1045 self.thread = Some(std::thread::spawn(move || { 1046 // Using our mutex/condvar we wait here for the first of `dur` to 1047 // pass or the `HelperThread` instance to get dropped. 1048 let mut should_exit = state.should_exit.lock().unwrap(); 1049 while !*should_exit { 1050 let (lock, result) = state 1051 .should_exit_cvar 1052 .wait_timeout(should_exit, dur) 1053 .unwrap(); 1054 should_exit = lock; 1055 // If we timed out for sure then there's no need to continue 1056 // since we'll just abort on the next `checked_sub` anyway. 1057 if result.timed_out() { 1058 closure(); 1059 } 1060 } 1061 })); 1062 } 1063 } 1064 1065 impl Drop for HelperThread { 1066 fn drop(&mut self) { 1067 let thread = match self.thread.take() { 1068 Some(thread) => thread, 1069 None => return, 1070 }; 1071 // Signal our thread that it should exit and wake it up in case it's 1072 // sleeping. 1073 *self.state.should_exit.lock().unwrap() = true; 1074 self.state.should_exit_cvar.notify_one(); 1075 1076 // ... and then wait for the thread to exit to ensure we clean up 1077 // after ourselves. 1078 thread.join().unwrap(); 1079 } 1080 } 1081 1082 /// Instantiates a wasm module and runs its exports with dummy values, all in 1083 /// an async fashion. 1084 /// 1085 /// Attempts to stress yields in host functions to ensure that exiting and 1086 /// resuming a wasm function call works. 1087 pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32]) { 1088 let mut store = config.to_store(); 1089 let module = match compile_module(store.engine(), wasm, KnownValid::Yes, config) { 1090 Some(module) => module, 1091 None => return, 1092 }; 1093 1094 // Configure a helper thread to periodically increment the epoch to 1095 // forcibly enable yields-via-epochs if epochs are in use. Note that this 1096 // is required because the wasm isn't otherwise guaranteed to necessarily 1097 // call any imports which will also increment the epoch. 1098 let mut helper_thread = HelperThread::default(); 1099 if let generators::AsyncConfig::YieldWithEpochs { dur, .. } = &config.wasmtime.async_config { 1100 let engine = store.engine().clone(); 1101 helper_thread.run_periodically(*dur, move || engine.increment_epoch()); 1102 } 1103 1104 // Generate a `Linker` where all function imports are custom-built to yield 1105 // periodically and additionally increment the epoch. 1106 let mut imports = Vec::new(); 1107 for import in module.imports() { 1108 let item = match import.ty() { 1109 ExternType::Func(ty) => { 1110 let poll_amt = take_poll_amt(&mut poll_amts); 1111 Func::new_async(&mut store, ty.clone(), move |caller, _, results| { 1112 let ty = ty.clone(); 1113 Box::new(async move { 1114 caller.engine().increment_epoch(); 1115 log::info!("yielding {poll_amt} times in import"); 1116 YieldN(poll_amt).await; 1117 for (ret_ty, result) in ty.results().zip(results) { 1118 *result = ret_ty.default_value().unwrap(); 1119 } 1120 Ok(()) 1121 }) 1122 }) 1123 .into() 1124 } 1125 other_ty => match other_ty.default_value(&mut store) { 1126 Ok(item) => item, 1127 Err(e) => { 1128 log::warn!("couldn't create import for {import:?}: {e:?}"); 1129 return; 1130 } 1131 }, 1132 }; 1133 imports.push(item); 1134 } 1135 1136 // Run the instantiation process, asynchronously, and if everything 1137 // succeeds then pull out the instance. 1138 // log::info!("starting instantiation"); 1139 let instance = block_on(Timeout { 1140 future: Instance::new_async(&mut store, &module, &imports), 1141 polls: take_poll_amt(&mut poll_amts), 1142 end: Instant::now() + Duration::from_millis(2_000), 1143 }); 1144 let instance = match instance { 1145 Ok(instantiation_result) => match unwrap_instance(&store, instantiation_result) { 1146 Some(instance) => instance, 1147 None => { 1148 log::info!("instantiation hit a nominal error"); 1149 return; // resource exhaustion or limits met 1150 } 1151 }, 1152 Err(_) => { 1153 log::info!("instantiation failed to complete"); 1154 return; // Timed out or ran out of polls 1155 } 1156 }; 1157 1158 // Run each export of the instance in the same manner as instantiation 1159 // above. Dummy values are passed in for argument values here: 1160 // 1161 // TODO: this should probably be more clever about passing in arguments for 1162 // example they might be used as pointers or something and always using 0 1163 // isn't too interesting. 1164 let funcs = instance 1165 .exports(&mut store) 1166 .filter_map(|e| { 1167 let name = e.name().to_string(); 1168 let func = e.into_extern().into_func()?; 1169 Some((name, func)) 1170 }) 1171 .collect::<Vec<_>>(); 1172 for (name, func) in funcs { 1173 let ty = func.ty(&store); 1174 let params = ty 1175 .params() 1176 .map(|ty| ty.default_value().unwrap()) 1177 .collect::<Vec<_>>(); 1178 let mut results = ty 1179 .results() 1180 .map(|ty| ty.default_value().unwrap()) 1181 .collect::<Vec<_>>(); 1182 1183 log::info!("invoking export {name:?}"); 1184 let future = func.call_async(&mut store, ¶ms, &mut results); 1185 match block_on(Timeout { 1186 future, 1187 polls: take_poll_amt(&mut poll_amts), 1188 end: Instant::now() + Duration::from_millis(2_000), 1189 }) { 1190 // On success or too many polls, try the next export. 1191 Ok(_) | Err(Exhausted::Polls) => {} 1192 1193 // If time ran out then stop the current test case as we might have 1194 // already sucked up a lot of time for this fuzz test case so don't 1195 // keep it going. 1196 Err(Exhausted::Time) => return, 1197 } 1198 } 1199 1200 fn take_poll_amt(polls: &mut &[u32]) -> u32 { 1201 match polls.split_first() { 1202 Some((a, rest)) => { 1203 *polls = rest; 1204 *a 1205 } 1206 None => 0, 1207 } 1208 } 1209 1210 /// Helper future for applying a timeout to `future` up to either when `end` 1211 /// is the current time or `polls` polls happen. 1212 /// 1213 /// Note that this helps to time out infinite loops in wasm, for example. 1214 struct Timeout<F> { 1215 future: F, 1216 /// If the future isn't ready by this time then the `Timeout<F>` future 1217 /// will return `None`. 1218 end: Instant, 1219 /// If the future doesn't resolve itself in this many calls to `poll` 1220 /// then the `Timeout<F>` future will return `None`. 1221 polls: u32, 1222 } 1223 1224 enum Exhausted { 1225 Time, 1226 Polls, 1227 } 1228 1229 impl<F: Future> Future for Timeout<F> { 1230 type Output = Result<F::Output, Exhausted>; 1231 1232 fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> { 1233 let (end, polls, future) = unsafe { 1234 let me = self.get_unchecked_mut(); 1235 (me.end, &mut me.polls, Pin::new_unchecked(&mut me.future)) 1236 }; 1237 match future.poll(cx) { 1238 Poll::Ready(val) => Poll::Ready(Ok(val)), 1239 Poll::Pending => { 1240 if Instant::now() >= end { 1241 log::warn!("future operation timed out"); 1242 return Poll::Ready(Err(Exhausted::Time)); 1243 } 1244 if *polls == 0 { 1245 log::warn!("future operation ran out of polls"); 1246 return Poll::Ready(Err(Exhausted::Polls)); 1247 } 1248 *polls -= 1; 1249 Poll::Pending 1250 } 1251 } 1252 } 1253 } 1254 } 1255 1256 #[cfg(test)] 1257 mod tests { 1258 use super::*; 1259 use crate::test::{gen_until_pass, test_n_times}; 1260 use wasmparser::{Validator, WasmFeatures}; 1261 1262 // Test that the `gc_ops` fuzzer eventually runs the gc function in the host. 1263 // We've historically had issues where this fuzzer accidentally wasn't fuzzing 1264 // anything for a long time so this is an attempt to prevent that from happening 1265 // again. 1266 #[test] 1267 fn gc_ops_eventually_gcs() { 1268 // Skip if we're under emulation because some fuzz configurations will do 1269 // large address space reservations that QEMU doesn't handle well. 1270 if std::env::var("WASMTIME_TEST_NO_HOG_MEMORY").is_ok() { 1271 return; 1272 } 1273 1274 let ok = gen_until_pass(|(config, test), _| { 1275 let result = gc_ops(config, test)?; 1276 Ok(result > 0) 1277 }); 1278 1279 if !ok { 1280 panic!("gc was never found"); 1281 } 1282 } 1283 1284 #[test] 1285 fn module_generation_uses_expected_proposals() { 1286 // Proposals that Wasmtime supports. Eventually a module should be 1287 // generated that needs these proposals. 1288 let mut expected = WasmFeatures::MUTABLE_GLOBAL 1289 | WasmFeatures::FLOATS 1290 | WasmFeatures::SIGN_EXTENSION 1291 | WasmFeatures::SATURATING_FLOAT_TO_INT 1292 | WasmFeatures::MULTI_VALUE 1293 | WasmFeatures::BULK_MEMORY 1294 | WasmFeatures::REFERENCE_TYPES 1295 | WasmFeatures::SIMD 1296 | WasmFeatures::MULTI_MEMORY 1297 | WasmFeatures::RELAXED_SIMD 1298 | WasmFeatures::TAIL_CALL 1299 | WasmFeatures::WIDE_ARITHMETIC 1300 | WasmFeatures::MEMORY64 1301 | WasmFeatures::FUNCTION_REFERENCES 1302 | WasmFeatures::GC 1303 | WasmFeatures::GC_TYPES 1304 | WasmFeatures::CUSTOM_PAGE_SIZES 1305 | WasmFeatures::EXTENDED_CONST 1306 | WasmFeatures::EXCEPTIONS; 1307 1308 // All other features that wasmparser supports, which is presumably a 1309 // superset of the features that wasm-smith supports, are listed here as 1310 // unexpected. This means, for example, that if wasm-smith updates to 1311 // include a new proposal by default that wasmtime implements then it 1312 // will be required to be listed above. 1313 let unexpected = WasmFeatures::all() ^ expected; 1314 1315 let ok = gen_until_pass(|config: generators::Config, u| { 1316 let wasm = config.generate(u, None)?.to_bytes(); 1317 1318 // Double-check the module is valid 1319 Validator::new_with_features(WasmFeatures::all()).validate_all(&wasm)?; 1320 1321 // If any of the unexpected features are removed then this module 1322 // should always be valid, otherwise something went wrong. 1323 for feature in unexpected.iter() { 1324 let ok = 1325 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1326 if ok.is_err() { 1327 anyhow::bail!("generated a module with {feature:?} but that wasn't expected"); 1328 } 1329 } 1330 1331 // If any of `expected` is removed and the module fails to validate, 1332 // then that means the module requires that feature. Remove that 1333 // from the set of features we're then expecting. 1334 for feature in expected.iter() { 1335 let ok = 1336 Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm); 1337 if ok.is_err() { 1338 expected ^= feature; 1339 } 1340 } 1341 1342 Ok(expected.is_empty()) 1343 }); 1344 1345 if !ok { 1346 panic!("never generated wasm module using {expected:?}"); 1347 } 1348 } 1349 1350 #[test] 1351 fn wast_smoke_test() { 1352 test_n_times(50, |(), u| super::wast_test(u)); 1353 } 1354 } 1355