fuzzing: Add initial API call fuzzer
We only generate *valid* sequences of API calls. To do this, we keep track of what objects we've already created in earlier API calls via the `Scope` struct. To generate even-more-pathological sequences of API calls, we use [swarm testing]: > In swarm testing, the usual practice of potentially including all features > in every test case is abandoned. Rather, a large “swarm” of randomly > generated configurations, each of which omits some features, is used, with > configurations receiving equal resources. [swarm testing]: https://www.cs.utah.edu/~regehr/papers/swarm12.pdf We have more public APIs and instance introspection APIs than this fuzzer exercises right now. We will need a better generator of valid Wasm than `wasm-opt -ttf` to really get the most out of those currently-unexercised APIs, since the Wasm modules generated by `wasm-opt -ttf` don't import and export a huge variety of things.
@@ -12,11 +12,11 @@
|
||||
|
||||
pub mod dummy;
|
||||
|
||||
use dummy::dummy_imports;
|
||||
use dummy::{dummy_imports, dummy_value};
|
||||
use std::cell::RefCell;
|
||||
use std::collections::HashMap;
|
||||
use std::rc::Rc;
|
||||
use wasmtime::{Config, Engine, HostRef, Instance, Module, Store};
|
||||
use wasmtime::*;
|
||||
use wasmtime_environ::{isa, settings};
|
||||
use wasmtime_jit::{native, CompilationStrategy, CompiledModule, Compiler, NullResolver};
|
||||
|
||||
@@ -83,3 +83,127 @@ pub fn compile(wasm: &[u8], compilation_strategy: CompilationStrategy) {
|
||||
let global_exports = Rc::new(RefCell::new(HashMap::new()));
|
||||
let _ = CompiledModule::new(&mut compiler, wasm, &mut resolver, global_exports, false);
|
||||
}
|
||||
|
||||
/// Invoke the given API calls.
|
||||
pub fn make_api_calls(api: crate::generators::api::ApiCalls) {
|
||||
use crate::generators::api::ApiCall;
|
||||
|
||||
let mut config: Option<Config> = None;
|
||||
let mut engine: Option<HostRef<Engine>> = None;
|
||||
let mut store: Option<HostRef<Store>> = None;
|
||||
let mut modules: HashMap<usize, HostRef<Module>> = Default::default();
|
||||
let mut instances: HashMap<usize, HostRef<Instance>> = Default::default();
|
||||
|
||||
for call in api.calls {
|
||||
match call {
|
||||
ApiCall::ConfigNew => {
|
||||
assert!(config.is_none());
|
||||
config = Some(Config::new());
|
||||
}
|
||||
|
||||
ApiCall::ConfigDebugInfo(b) => {
|
||||
config.as_mut().unwrap().debug_info(b);
|
||||
}
|
||||
|
||||
ApiCall::EngineNew => {
|
||||
assert!(engine.is_none());
|
||||
engine = Some(HostRef::new(Engine::new(config.as_ref().unwrap())));
|
||||
}
|
||||
|
||||
ApiCall::StoreNew => {
|
||||
assert!(store.is_none());
|
||||
store = Some(HostRef::new(Store::new(engine.as_ref().unwrap())));
|
||||
}
|
||||
|
||||
ApiCall::ModuleNew { id, wasm } => {
|
||||
let module = HostRef::new(match Module::new(store.as_ref().unwrap(), &wasm.wasm) {
|
||||
Ok(m) => m,
|
||||
Err(_) => continue,
|
||||
});
|
||||
let old = modules.insert(id, module);
|
||||
assert!(old.is_none());
|
||||
}
|
||||
|
||||
ApiCall::ModuleDrop { id } => {
|
||||
drop(modules.remove(&id));
|
||||
}
|
||||
|
||||
ApiCall::InstanceNew { id, module } => {
|
||||
let module = match modules.get(&module) {
|
||||
Some(m) => m,
|
||||
None => continue,
|
||||
};
|
||||
|
||||
let imports = {
|
||||
let module = module.borrow();
|
||||
match dummy_imports(store.as_ref().unwrap(), module.imports()) {
|
||||
Ok(imps) => imps,
|
||||
Err(_) => {
|
||||
// There are some value types that we can't synthesize a
|
||||
// dummy value for (e.g. anyrefs) and for modules that
|
||||
// import things of these types we skip instantiation.
|
||||
continue;
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
// Don't unwrap this: there can be instantiation-/link-time errors that
|
||||
// aren't caught during validation or compilation. For example, an imported
|
||||
// table might not have room for an element segment that we want to
|
||||
// initialize into it.
|
||||
if let Ok(instance) = Instance::new(store.as_ref().unwrap(), &module, &imports) {
|
||||
instances.insert(id, HostRef::new(instance));
|
||||
}
|
||||
}
|
||||
|
||||
ApiCall::InstanceDrop { id } => {
|
||||
drop(instances.remove(&id));
|
||||
}
|
||||
|
||||
ApiCall::CallExportedFunc { instance, nth } => {
|
||||
let instance = match instances.get(&instance) {
|
||||
Some(i) => i,
|
||||
None => {
|
||||
// Note that we aren't guaranteed to instantiate valid
|
||||
// modules, see comments in `InstanceNew` for details on
|
||||
// that. But the API call generator can't know if
|
||||
// instantiation failed, so we might not actually have
|
||||
// this instance. When that's the case, just skip the
|
||||
// API call and keep going.
|
||||
continue;
|
||||
}
|
||||
};
|
||||
|
||||
let funcs = {
|
||||
let instance = instance.borrow();
|
||||
instance
|
||||
.exports()
|
||||
.iter()
|
||||
.filter_map(|e| match e {
|
||||
Extern::Func(f) => Some(f.clone()),
|
||||
_ => None,
|
||||
})
|
||||
.collect::<Vec<_>>()
|
||||
};
|
||||
|
||||
if funcs.is_empty() {
|
||||
continue;
|
||||
}
|
||||
|
||||
let nth = nth % funcs.len();
|
||||
let f = funcs[nth].borrow();
|
||||
let ty = f.r#type();
|
||||
let params = match ty
|
||||
.params()
|
||||
.iter()
|
||||
.map(|valty| dummy_value(valty))
|
||||
.collect::<Result<Vec<_>, _>>()
|
||||
{
|
||||
Ok(p) => p,
|
||||
Err(_) => continue,
|
||||
};
|
||||
let _ = f.call(¶ms);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
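Review bot: The `unwrap()` calls on `config`, `engine` and `store` in the `ConfigDebugInfo`, `EngineNew`, `StoreNew`, `ModuleNew` and `InstanceNew` arms encode an invariant that only the commit message states — that the generator never emits a call before its prerequisite objects exist — so a panic on one of them would be indistinguishable from a genuine crash in the API under test. Stating the invariant at the point of use would let a triager separate a generator bug from a finding, e.g. `config.as_mut().expect("generator guarantees ConfigNew precedes ConfigDebugInfo")`, or one comment above the `match`: `// Prerequisite objects are guaranteed by the generator's Scope tracking; a None here is a generator bug, not an engine bug.` Likewise `let _ = f.call(&params);` drops the result without explanation; a comment such as `// Traps are expected outcomes for arbitrary Wasm; only a panic or crash is a finding.` would document why it is ignored. `f.call` also has no bound on execution time, so presumably the target relies on the fuzzer's own timeout to catch non-terminating modules — worth confirming in the harness setup.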