diff --git a/crates/fuzzing/Cargo.toml b/crates/fuzzing/Cargo.toml index a476c37131..152cdeae64 100644 --- a/crates/fuzzing/Cargo.toml +++ b/crates/fuzzing/Cargo.toml @@ -18,6 +18,7 @@ env_logger = { version = "0.7.1", optional = true } log = "0.4.8" wasmparser = "0.42.1" wasmprinter = "0.2.0" +wasmtime = { path = "../api" } wasmtime-jit = { path = "../jit" } [dev-dependencies] diff --git a/crates/fuzzing/src/oracles.rs b/crates/fuzzing/src/oracles.rs index d47952dc8b..889ed8a043 100644 --- a/crates/fuzzing/src/oracles.rs +++ b/crates/fuzzing/src/oracles.rs @@ -10,10 +10,14 @@ //! When an oracle finds a bug, it should report it to the fuzzing engine by //! panicking. +pub mod dummy; + use cranelift_codegen::settings; +use dummy::dummy_imports; use std::cell::RefCell; use std::collections::HashMap; use std::rc::Rc; +use wasmtime::{Config, Engine, HostRef, Instance, Module, Store}; use wasmtime_jit::{CompilationStrategy, CompiledModule, Compiler, NullResolver}; fn host_isa() -> Box { @@ -33,18 +37,33 @@ pub fn instantiate(wasm: &[u8], compilation_strategy: CompilationStrategy) { return; } - let isa = host_isa(); - let mut compiler = Compiler::new(isa, compilation_strategy); - let mut imports_resolver = NullResolver {}; + let mut config = Config::new(); + config.strategy(compilation_strategy); + + let engine = HostRef::new(Engine::new(&config)); + let store = HostRef::new(Store::new(&engine)); + + let module = + HostRef::new(Module::new(&store, wasm).expect("Failed to compile a valid Wasm module!")); + + let imports = { + let module = module.borrow(); + match dummy_imports(&store, module.imports()) { + Ok(imps) => imps, + Err(_) => { + // There are some value types that we can't synthesize a + // dummy value for (e.g. anyrefs) and for modules that + // import things of these types we skip instantiation. + return; + } + } + }; - wasmtime_jit::instantiate( - &mut compiler, - wasm, - &mut imports_resolver, - Default::default(), - true, - ) - .expect("failed to instantiate valid Wasm!"); + // Don't unwrap this: there can be instantiation-/link-time errors that + // aren't caught during validation or compilation. For example, an imported + // table might not have room for an element segment that we want to + // initialize into it. + let _result = Instance::new(&store, &module, &imports); } /// Compile the Wasm buffer, and implicitly fail if we have an unexpected diff --git a/crates/fuzzing/src/oracles/dummy.rs b/crates/fuzzing/src/oracles/dummy.rs new file mode 100644 index 0000000000..58a8605e88 --- /dev/null +++ b/crates/fuzzing/src/oracles/dummy.rs @@ -0,0 +1,97 @@ +//! Dummy implementations of things that a Wasm module can import. + +use std::rc::Rc; +use wasmtime::{ + Callable, Extern, ExternType, Func, FuncType, Global, GlobalType, HostRef, ImportType, Memory, + MemoryType, Store, Table, TableType, Trap, Val, ValType, +}; + +/// Create a set of dummy functions/globals/etc for the given imports. +pub fn dummy_imports( + store: &HostRef, + import_tys: &[ImportType], +) -> Result, HostRef> { + let mut imports = Vec::with_capacity(import_tys.len()); + for imp in import_tys { + imports.push(match imp.r#type() { + ExternType::ExternFunc(func_ty) => { + Extern::Func(HostRef::new(DummyFunc::new(&store, func_ty.clone()))) + } + ExternType::ExternGlobal(global_ty) => { + Extern::Global(HostRef::new(dummy_global(&store, global_ty.clone())?)) + } + ExternType::ExternTable(table_ty) => { + Extern::Table(HostRef::new(dummy_table(&store, table_ty.clone())?)) + } + ExternType::ExternMemory(mem_ty) => { + Extern::Memory(HostRef::new(dummy_memory(&store, mem_ty.clone()))) + } + }); + } + Ok(imports) +} + +/// A function that doesn't do anything but return the default (zero) value for +/// the function's type. +#[derive(Debug)] +pub struct DummyFunc(FuncType); + +impl DummyFunc { + /// Construct a new dummy `Func`. + pub fn new(store: &HostRef, ty: FuncType) -> Func { + let callable = DummyFunc(ty.clone()); + Func::new(store, ty, Rc::new(callable) as _) + } +} + +impl Callable for DummyFunc { + fn call(&self, _params: &[Val], results: &mut [Val]) -> Result<(), HostRef> { + for (ret_ty, result) in self.0.results().iter().zip(results) { + *result = dummy_value(ret_ty)?; + } + + Ok(()) + } +} + +/// Construct a dummy value for the given value type. +pub fn dummy_value(val_ty: &ValType) -> Result> { + Ok(match val_ty { + ValType::I32 => Val::I32(0), + ValType::I64 => Val::I64(0), + ValType::F32 => Val::F32(0), + ValType::F64 => Val::F64(0), + ValType::V128 => { + return Err(HostRef::new(Trap::new( + "dummy_value: unsupported function return type: v128".to_string(), + ))) + } + ValType::AnyRef => { + return Err(HostRef::new(Trap::new( + "dummy_value: unsupported function return type: anyref".to_string(), + ))) + } + ValType::FuncRef => { + return Err(HostRef::new(Trap::new( + "dummy_value: unsupported function return type: funcref".to_string(), + ))) + } + }) +} + +/// Construct a dummy global for the given global type. +pub fn dummy_global(store: &HostRef, ty: GlobalType) -> Result> { + let val = dummy_value(ty.content())?; + Ok(Global::new(store, ty, val)) +} + +/// Construct a dummy table for the given table type. +pub fn dummy_table(store: &HostRef, ty: TableType) -> Result> { + let init_val = dummy_value(&ty.element())?; + Ok(Table::new(store, ty, init_val)) +} + +/// Construct a dummy memory for the given memory type. +pub fn dummy_memory(store: &HostRef, ty: MemoryType) -> Memory { + Memory::new(store, ty) +}