github
/
cranelift
mirror of https://github.com/bytecodealliance/wasmtime.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12823 Commits
49 Branches
140 Tags
128 MiB
Tree: 34f504cd98
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '34f504cd98'
${ noResults }
cranelift/fuzz/build.rs

193 lines
6.5 KiB
Raw Normal View History

implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice <joel.dice@fermyon.com>
2 years ago
fn main() -> anyhow::Result<()> {
component::generate_static_api_tests()?;
Ok(())
}
mod component {
use anyhow::{anyhow, Context, Error, Result};
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
use arbitrary::Unstructured;
Update some CI dependencies (#7983) * Update some CI dependencies * Update to the latest nightly toolchain * Update mdbook * Update QEMU for cross-compiled testing * Update `cargo nextest` for usage with MIRI prtest:full * Remove lots of unnecessary imports * Downgrade qemu as 8.2.1 seems to segfault * Remove more imports * Remove unused winch trait method * Fix warnings about unused trait methods * More unused imports * More unused imports
9 months ago
use component_fuzz_util::{Declarations, TestCase, Type, MAX_TYPE_DEPTH};
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
use proc_macro2::TokenStream;
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
use quote::quote;
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
use rand::rngs::StdRng;
use rand::{Rng, SeedableRng};
use std::env;
use std::fmt::Write;
use std::fs;
use std::iter;
use std::path::PathBuf;
use std::process::Command;
pub fn generate_static_api_tests() -> Result<()> {
println!("cargo:rerun-if-changed=build.rs");
let out_dir = PathBuf::from(
env::var_os("OUT_DIR").expect("The OUT_DIR environment variable must be set"),
);
let mut out = String::new();
write_static_api_tests(&mut out)?;
let output = out_dir.join("static_component_api.rs");
fs::write(&output, out)?;
drop(Command::new("rustfmt").arg(&output).status());
Ok(())
}
fn write_static_api_tests(out: &mut String) -> Result<()> {
let seed = if let Ok(seed) = env::var("WASMTIME_FUZZ_SEED") {
seed.parse::<u64>()
.with_context(|| anyhow!("expected u64 in WASMTIME_FUZZ_SEED"))?
} else {
StdRng::from_entropy().gen()
};
eprintln!(
"using seed {seed} (set WASMTIME_FUZZ_SEED={seed} in your environment to reproduce)"
);
let mut rng = StdRng::seed_from_u64(seed);
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
const TYPE_COUNT: usize = 50;
const MAX_ARITY: u32 = 5;
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
const TEST_CASE_COUNT: usize = 100;
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
let mut type_fuel = 1000;
let mut types = Vec::new();
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
let name_counter = &mut 0;
let mut declarations = TokenStream::new();
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
let mut tests = TokenStream::new();
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
// First generate a set of type to select from.
for _ in 0..TYPE_COUNT {
let ty = gen(&mut rng, |u| {
// Only discount fuel if the generation was successful,
// otherwise we'll get more random data and try again.
let mut fuel = type_fuel;
let ret = Type::generate(u, MAX_TYPE_DEPTH, &mut fuel);
if ret.is_ok() {
type_fuel = fuel;
}
ret
})?;
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
let name = component_fuzz_util::rust_type(&ty, name_counter, &mut declarations);
types.push((name, ty));
}
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
// Next generate a set of static API test cases driven by the above
// types.
for index in 0..TEST_CASE_COUNT {
let (case, rust_params, rust_results) = gen(&mut rng, |u| {
let mut params = Vec::new();
let mut results = Vec::new();
let mut rust_params = TokenStream::new();
let mut rust_results = TokenStream::new();
for _ in 0..u.int_in_range(0..=MAX_ARITY)? {
let (name, ty) = u.choose(&types)?;
params.push(ty);
rust_params.extend(name.clone());
rust_params.extend(quote!(,));
}
for _ in 0..u.int_in_range(0..=MAX_ARITY)? {
let (name, ty) = u.choose(&types)?;
results.push(ty);
rust_results.extend(name.clone());
rust_results.extend(quote!(,));
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
}
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
let case = TestCase {
params,
results,
encoding1: u.arbitrary()?,
encoding2: u.arbitrary()?,
};
Ok((case, rust_params, rust_results))
})?;
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
let Declarations {
types,
Fix the component_api fuzzer (#6410) This fuzz target was accidentally broken by #6378 and I forgot to update this fuzz target. Namely all the generated types now need names to satisfy possible restrictions depending on the structure. For simplicity everything is given a name to avoid having to special case some vs others which isn&#39;t the purpose of this fuzz target.
1 year ago
type_instantiation_args,
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
params,
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
results,
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
import_and_export,
Implement roundtrip fuzzing of component adapters (#4640) * Improve the `component_api` fuzzer on a few dimensions * Update the generated component to use an adapter module. This involves two core wasm instances communicating with each other to test that data flows through everything correctly. The intention here is to fuzz the fused adapter compiler. String encoding options have been plumbed here to exercise differences in string encodings. * Use `Cow&lt;&#39;static, ...&gt;` and `static` declarations for each static test case to try to cut down on rustc codegen time. * Add `Copy` to derivation of fuzzed enums to make `derive(Clone)` smaller. * Use `Store&lt;Box&lt;dyn Any&gt;&gt;` to try to cut down on codegen by monomorphizing fewer `Store&lt;T&gt;` implementation. * Add debug logging to print out what&#39;s flowing in and what&#39;s flowing out for debugging failures. * Improve `Debug` representation of dynamic value types to more closely match their Rust counterparts. * Fix a variant issue with adapter trampolines Previously the offset of the payload was calculated as the discriminant aligned up to the alignment of a singular case, but instead this needs to be aligned up to the alignment of all cases to ensure all cases start at the same location. * Fix a copy/paste error when copying masked integers A 32-bit load was actually doing a 16-bit load by accident since it was copied from the 16-bit load-and-mask case. * Fix f32/i64 conversions in adapter modules The adapter previously erroneously converted the f32 to f64 and then to i64, where instead it should go from f32 to i32 to i64. * Fix zero-sized flags in adapter modules This commit corrects the size calculation for zero-sized flags in adapter modules. cc #4592 * Fix a variant size calculation bug in adapters This fixes the same issue found with variants during normal host-side fuzzing earlier where the size of a variant needs to align up the summation of the discriminant and the maximum case size. * Implement memory growth in libc bump realloc Some fuzz-generated test cases are copying lists large enough to exceed one page of memory so bake in a `memory.grow` to the bump allocator as well. * Avoid adapters of exponential size This commit is an attempt to avoid adapters being exponentially sized with respect to the type hierarchy of the input. Previously all adaptation was done inline within each adapter which meant that if something was structured as `tuple&lt;T, T, T, T, ...&gt;` the translation of `T` would be inlined N times. For very deeply nested types this can quickly create an exponentially sized adapter with types of the form: (type $t0 (list u8)) (type $t1 (tuple $t0 $t0)) (type $t2 (tuple $t1 $t1)) (type $t3 (tuple $t2 $t2)) ;; ... where the translation of `t4` has 8 different copies of translating `t0`. This commit changes the translation of types through memory to almost always go through a helper function. The hope here is that it doesn&#39;t lose too much performance because types already reside in memory. This can still lead to exponentially sized adapter modules to a lesser degree where if the translation all happens on the &#34;stack&#34;, e.g. via `variant`s and their flat representation then many copies of one translation could still be made. For now this commit at least gets the problem under control for fuzzing where fuzzing doesn&#39;t trivially find type hierarchies that take over a minute to codegen the adapter module. One of the main tricky parts of this implementation is that when a function is generated the index that it will be placed at in the final module is not known at that time. To solve this the encoded form of the `Call` instruction is saved in a relocation-style format where the `Call` isn&#39;t encoded but instead saved into a different area for encoding later. When the entire adapter module is encoded to wasm these pseudo-`Call` instructions are encoded as real instructions at that time. * Fix some memory64 issues with string encodings Introduced just before #4623 I had a few mistakes related to 64-bit memories and mixing 32/64-bit memories. * Actually insert into the `translate_mem_funcs` map This... was the whole point of having the map! * Assert memory growth succeeds in bump allocator
2 years ago
encoding1,
encoding2,
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
} = case.declarations();
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
let test = quote!(#index => component_types::static_api_test::<(#rust_params), (#rust_results)>(
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
input,
Implement roundtrip fuzzing of component adapters (#4640) * Improve the `component_api` fuzzer on a few dimensions * Update the generated component to use an adapter module. This involves two core wasm instances communicating with each other to test that data flows through everything correctly. The intention here is to fuzz the fused adapter compiler. String encoding options have been plumbed here to exercise differences in string encodings. * Use `Cow&lt;&#39;static, ...&gt;` and `static` declarations for each static test case to try to cut down on rustc codegen time. * Add `Copy` to derivation of fuzzed enums to make `derive(Clone)` smaller. * Use `Store&lt;Box&lt;dyn Any&gt;&gt;` to try to cut down on codegen by monomorphizing fewer `Store&lt;T&gt;` implementation. * Add debug logging to print out what&#39;s flowing in and what&#39;s flowing out for debugging failures. * Improve `Debug` representation of dynamic value types to more closely match their Rust counterparts. * Fix a variant issue with adapter trampolines Previously the offset of the payload was calculated as the discriminant aligned up to the alignment of a singular case, but instead this needs to be aligned up to the alignment of all cases to ensure all cases start at the same location. * Fix a copy/paste error when copying masked integers A 32-bit load was actually doing a 16-bit load by accident since it was copied from the 16-bit load-and-mask case. * Fix f32/i64 conversions in adapter modules The adapter previously erroneously converted the f32 to f64 and then to i64, where instead it should go from f32 to i32 to i64. * Fix zero-sized flags in adapter modules This commit corrects the size calculation for zero-sized flags in adapter modules. cc #4592 * Fix a variant size calculation bug in adapters This fixes the same issue found with variants during normal host-side fuzzing earlier where the size of a variant needs to align up the summation of the discriminant and the maximum case size. * Implement memory growth in libc bump realloc Some fuzz-generated test cases are copying lists large enough to exceed one page of memory so bake in a `memory.grow` to the bump allocator as well. * Avoid adapters of exponential size This commit is an attempt to avoid adapters being exponentially sized with respect to the type hierarchy of the input. Previously all adaptation was done inline within each adapter which meant that if something was structured as `tuple&lt;T, T, T, T, ...&gt;` the translation of `T` would be inlined N times. For very deeply nested types this can quickly create an exponentially sized adapter with types of the form: (type $t0 (list u8)) (type $t1 (tuple $t0 $t0)) (type $t2 (tuple $t1 $t1)) (type $t3 (tuple $t2 $t2)) ;; ... where the translation of `t4` has 8 different copies of translating `t0`. This commit changes the translation of types through memory to almost always go through a helper function. The hope here is that it doesn&#39;t lose too much performance because types already reside in memory. This can still lead to exponentially sized adapter modules to a lesser degree where if the translation all happens on the &#34;stack&#34;, e.g. via `variant`s and their flat representation then many copies of one translation could still be made. For now this commit at least gets the problem under control for fuzzing where fuzzing doesn&#39;t trivially find type hierarchies that take over a minute to codegen the adapter module. One of the main tricky parts of this implementation is that when a function is generated the index that it will be placed at in the final module is not known at that time. To solve this the encoded form of the `Call` instruction is saved in a relocation-style format where the `Call` isn&#39;t encoded but instead saved into a different area for encoding later. When the entire adapter module is encoded to wasm these pseudo-`Call` instructions are encoded as real instructions at that time. * Fix some memory64 issues with string encodings Introduced just before #4623 I had a few mistakes related to 64-bit memories and mixing 32/64-bit memories. * Actually insert into the `translate_mem_funcs` map This... was the whole point of having the map! * Assert memory growth succeeds in bump allocator
2 years ago
{
static DECLS: Declarations = Declarations {
types: Cow::Borrowed(#types),
Fix the component_api fuzzer (#6410) This fuzz target was accidentally broken by #6378 and I forgot to update this fuzz target. Namely all the generated types now need names to satisfy possible restrictions depending on the structure. For simplicity everything is given a name to avoid having to special case some vs others which isn&#39;t the purpose of this fuzz target.
1 year ago
type_instantiation_args: Cow::Borrowed(#type_instantiation_args),
Implement roundtrip fuzzing of component adapters (#4640) * Improve the `component_api` fuzzer on a few dimensions * Update the generated component to use an adapter module. This involves two core wasm instances communicating with each other to test that data flows through everything correctly. The intention here is to fuzz the fused adapter compiler. String encoding options have been plumbed here to exercise differences in string encodings. * Use `Cow&lt;&#39;static, ...&gt;` and `static` declarations for each static test case to try to cut down on rustc codegen time. * Add `Copy` to derivation of fuzzed enums to make `derive(Clone)` smaller. * Use `Store&lt;Box&lt;dyn Any&gt;&gt;` to try to cut down on codegen by monomorphizing fewer `Store&lt;T&gt;` implementation. * Add debug logging to print out what&#39;s flowing in and what&#39;s flowing out for debugging failures. * Improve `Debug` representation of dynamic value types to more closely match their Rust counterparts. * Fix a variant issue with adapter trampolines Previously the offset of the payload was calculated as the discriminant aligned up to the alignment of a singular case, but instead this needs to be aligned up to the alignment of all cases to ensure all cases start at the same location. * Fix a copy/paste error when copying masked integers A 32-bit load was actually doing a 16-bit load by accident since it was copied from the 16-bit load-and-mask case. * Fix f32/i64 conversions in adapter modules The adapter previously erroneously converted the f32 to f64 and then to i64, where instead it should go from f32 to i32 to i64. * Fix zero-sized flags in adapter modules This commit corrects the size calculation for zero-sized flags in adapter modules. cc #4592 * Fix a variant size calculation bug in adapters This fixes the same issue found with variants during normal host-side fuzzing earlier where the size of a variant needs to align up the summation of the discriminant and the maximum case size. * Implement memory growth in libc bump realloc Some fuzz-generated test cases are copying lists large enough to exceed one page of memory so bake in a `memory.grow` to the bump allocator as well. * Avoid adapters of exponential size This commit is an attempt to avoid adapters being exponentially sized with respect to the type hierarchy of the input. Previously all adaptation was done inline within each adapter which meant that if something was structured as `tuple&lt;T, T, T, T, ...&gt;` the translation of `T` would be inlined N times. For very deeply nested types this can quickly create an exponentially sized adapter with types of the form: (type $t0 (list u8)) (type $t1 (tuple $t0 $t0)) (type $t2 (tuple $t1 $t1)) (type $t3 (tuple $t2 $t2)) ;; ... where the translation of `t4` has 8 different copies of translating `t0`. This commit changes the translation of types through memory to almost always go through a helper function. The hope here is that it doesn&#39;t lose too much performance because types already reside in memory. This can still lead to exponentially sized adapter modules to a lesser degree where if the translation all happens on the &#34;stack&#34;, e.g. via `variant`s and their flat representation then many copies of one translation could still be made. For now this commit at least gets the problem under control for fuzzing where fuzzing doesn&#39;t trivially find type hierarchies that take over a minute to codegen the adapter module. One of the main tricky parts of this implementation is that when a function is generated the index that it will be placed at in the final module is not known at that time. To solve this the encoded form of the `Call` instruction is saved in a relocation-style format where the `Call` isn&#39;t encoded but instead saved into a different area for encoding later. When the entire adapter module is encoded to wasm these pseudo-`Call` instructions are encoded as real instructions at that time. * Fix some memory64 issues with string encodings Introduced just before #4623 I had a few mistakes related to 64-bit memories and mixing 32/64-bit memories. * Actually insert into the `translate_mem_funcs` map This... was the whole point of having the map! * Assert memory growth succeeds in bump allocator
2 years ago
params: Cow::Borrowed(#params),
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
results: Cow::Borrowed(#results),
Implement roundtrip fuzzing of component adapters (#4640) * Improve the `component_api` fuzzer on a few dimensions * Update the generated component to use an adapter module. This involves two core wasm instances communicating with each other to test that data flows through everything correctly. The intention here is to fuzz the fused adapter compiler. String encoding options have been plumbed here to exercise differences in string encodings. * Use `Cow&lt;&#39;static, ...&gt;` and `static` declarations for each static test case to try to cut down on rustc codegen time. * Add `Copy` to derivation of fuzzed enums to make `derive(Clone)` smaller. * Use `Store&lt;Box&lt;dyn Any&gt;&gt;` to try to cut down on codegen by monomorphizing fewer `Store&lt;T&gt;` implementation. * Add debug logging to print out what&#39;s flowing in and what&#39;s flowing out for debugging failures. * Improve `Debug` representation of dynamic value types to more closely match their Rust counterparts. * Fix a variant issue with adapter trampolines Previously the offset of the payload was calculated as the discriminant aligned up to the alignment of a singular case, but instead this needs to be aligned up to the alignment of all cases to ensure all cases start at the same location. * Fix a copy/paste error when copying masked integers A 32-bit load was actually doing a 16-bit load by accident since it was copied from the 16-bit load-and-mask case. * Fix f32/i64 conversions in adapter modules The adapter previously erroneously converted the f32 to f64 and then to i64, where instead it should go from f32 to i32 to i64. * Fix zero-sized flags in adapter modules This commit corrects the size calculation for zero-sized flags in adapter modules. cc #4592 * Fix a variant size calculation bug in adapters This fixes the same issue found with variants during normal host-side fuzzing earlier where the size of a variant needs to align up the summation of the discriminant and the maximum case size. * Implement memory growth in libc bump realloc Some fuzz-generated test cases are copying lists large enough to exceed one page of memory so bake in a `memory.grow` to the bump allocator as well. * Avoid adapters of exponential size This commit is an attempt to avoid adapters being exponentially sized with respect to the type hierarchy of the input. Previously all adaptation was done inline within each adapter which meant that if something was structured as `tuple&lt;T, T, T, T, ...&gt;` the translation of `T` would be inlined N times. For very deeply nested types this can quickly create an exponentially sized adapter with types of the form: (type $t0 (list u8)) (type $t1 (tuple $t0 $t0)) (type $t2 (tuple $t1 $t1)) (type $t3 (tuple $t2 $t2)) ;; ... where the translation of `t4` has 8 different copies of translating `t0`. This commit changes the translation of types through memory to almost always go through a helper function. The hope here is that it doesn&#39;t lose too much performance because types already reside in memory. This can still lead to exponentially sized adapter modules to a lesser degree where if the translation all happens on the &#34;stack&#34;, e.g. via `variant`s and their flat representation then many copies of one translation could still be made. For now this commit at least gets the problem under control for fuzzing where fuzzing doesn&#39;t trivially find type hierarchies that take over a minute to codegen the adapter module. One of the main tricky parts of this implementation is that when a function is generated the index that it will be placed at in the final module is not known at that time. To solve this the encoded form of the `Call` instruction is saved in a relocation-style format where the `Call` isn&#39;t encoded but instead saved into a different area for encoding later. When the entire adapter module is encoded to wasm these pseudo-`Call` instructions are encoded as real instructions at that time. * Fix some memory64 issues with string encodings Introduced just before #4623 I had a few mistakes related to 64-bit memories and mixing 32/64-bit memories. * Actually insert into the `translate_mem_funcs` map This... was the whole point of having the map! * Assert memory growth succeeds in bump allocator
2 years ago
import_and_export: Cow::Borrowed(#import_and_export),
encoding1: #encoding1,
encoding2: #encoding2,
};
&DECLS
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
}
),);
tests.extend(test);
}
let module = quote! {
#[allow(unused_imports)]
Don&#39;t let fuzz targets import `arbitrary` directly (#4806) The version of the `arbitrary` crate used in fuzz targets needs to be the same as the version used in `libfuzzer-sys`. That&#39;s why the latter crate re-exports the former. But we need to make sure to consistently use the re-exported version. That&#39;s most easily done if that&#39;s the only version we have available. However, `fuzz/Cargo.toml` declared a direct dependency on `arbitrary`, making it available for import, and leading to that version being used in a couple places. There were two copies of `arbitrary` built before, even though they were the same version: one with the `derive` feature turned on, through the direct dependency, and one with it turned off when imported through `libfuzzer-sys`. So I haven&#39;t specifically tested this but fuzzer builds might be slightly faster now. I have not removed the build-dep on `arbitrary`, because `build.rs` is not invoked by libFuzzer and so it doesn&#39;t matter what version of `arbitrary` it uses. Our other crates, like `cranelift-fuzzgen` and `wasmtime-fuzzing`, can still accidentally use a different version of `arbitrary` than the fuzz targets which rely on them. This commit only fixes the direct cases within `fuzz/**`.
2 years ago
fn static_component_api_target(input: &mut libfuzzer_sys::arbitrary::Unstructured) -> libfuzzer_sys::arbitrary::Result<()> {
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
use anyhow::Result;
use component_fuzz_util::Declarations;
Don&#39;t let fuzz targets import `arbitrary` directly (#4806) The version of the `arbitrary` crate used in fuzz targets needs to be the same as the version used in `libfuzzer-sys`. That&#39;s why the latter crate re-exports the former. But we need to make sure to consistently use the re-exported version. That&#39;s most easily done if that&#39;s the only version we have available. However, `fuzz/Cargo.toml` declared a direct dependency on `arbitrary`, making it available for import, and leading to that version being used in a couple places. There were two copies of `arbitrary` built before, even though they were the same version: one with the `derive` feature turned on, through the direct dependency, and one with it turned off when imported through `libfuzzer-sys`. So I haven&#39;t specifically tested this but fuzzer builds might be slightly faster now. I have not removed the build-dep on `arbitrary`, because `build.rs` is not invoked by libFuzzer and so it doesn&#39;t matter what version of `arbitrary` it uses. Our other crates, like `cranelift-fuzzgen` and `wasmtime-fuzzing`, can still accidentally use a different version of `arbitrary` than the fuzz targets which rely on them. This commit only fixes the direct cases within `fuzz/**`.
2 years ago
use component_test_util::{self, Float32, Float64};
use libfuzzer_sys::arbitrary::{self, Arbitrary};
use std::borrow::Cow;
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
use std::sync::{Arc, Once};
use wasmtime::component::{ComponentType, Lift, Lower};
use wasmtime_fuzzing::generators::component_types;
const SEED: u64 = #seed;
static ONCE: Once = Once::new();
ONCE.call_once(|| {
eprintln!(
"Seed {SEED} was used to generate static component API fuzz tests.\n\
Set WASMTIME_FUZZ_SEED={SEED} in your environment at build time to reproduce."
);
});
#declarations
match input.int_in_range(0..=(#TEST_CASE_COUNT-1))? {
#tests
_ => unreachable!()
}
}
};
write!(out, "{module}")?;
Ok(())
}
Update test case generation for component_api fuzzer (#6315) This commit updates the test case generation for the `component_api` fuzzer to prepare for an update to the `arbitrary` crate. The current algorithm, with the latest `arbitrary` crate, generates a 20MB source file which is a bit egregious. The goal here was to get that under control by altering the parameters of test case generation and additionally changing the structure of what&#39;s generated. The new strategy is to have a limited set of &#34;type fuel&#34; which is consumed as a type is generated. This bounds the maximal size of a type in addition to its depth as prior. Additionally a fixed set of types are generated first and then test cases select from these types as opposed to test cases always generating types for themselves. Coupled together this brings the size of the generated file back into the 200K range as it was before.
2 years ago
fn gen<T>(
rng: &mut StdRng,
mut f: impl FnMut(&mut Unstructured<'_>) -> arbitrary::Result<T>,
) -> Result<T> {
let mut bytes = Vec::new();
loop {
let count = rng.gen_range(1000..2000);
bytes.extend(iter::repeat_with(|| rng.gen::<u8>()).take(count));
match f(&mut Unstructured::new(&bytes)) {
Ok(ret) => break Ok(ret),
Err(arbitrary::Error::NotEnoughData) => (),
Err(error) => break Err(Error::from(error)),
}
}
}
implement fuzzing for component types (#4537) This addresses #4307. For the static API we generate 100 arbitrary test cases at build time, each of which includes 0-5 parameter types, a result type, and a WAT fragment containing an imported function and an exported function. The exported function calls the imported function, which is implemented by the host. At runtime, the fuzz test selects a test case at random and feeds it zero or more sets of arbitrary parameters and results, checking that values which flow host-to-guest and guest-to-host make the transition unchanged. The fuzz test for the dynamic API follows a similar pattern, the only difference being that test cases are generated at runtime. Signed-off-by: Joel Dice &lt;joel.dice@fermyon.com&gt;
2 years ago
}