T0b1/wasmtime
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update differential fuzzing configuration (#4386)

Browse Source 
* Update differential fuzzing configuration

This uses some new features of `wasm-smith` and additionally tweaks the
existing fuzz configuration:

* More than one function is now allowed to be generated. There's no
  particular reason to limit differential execution to just one and we
  may want to explore other interesting module shapes.

* More than one function type is now allowed to possibly allow more
  interesting `block` types.

* Memories are now allowed to grow beyond one page, but still say small
  by staying underneath 10 pages.

* Tables are now always limited in their growth to ensure consistent
  behavior across engines (e.g. with the pooling allocator vs v8).

* The `export_everything` feature is used instead of specifying a
  min/max number of exports.

The `wasmi` differential fuzzer was updated to still work if memory is
exported, but otherwise the v8 differential fuzzer already worked if a
function was exported but a memory wasn't. Both fuzzers continue to
execute only the first exported function.

Also notable from this update is that the `SwarmConfig` from
`wasm-smith` will now include an arbitrary `allowed_instructions`
configuration which may help explore the space of interesting modules
more effectively.

* Fix typos
This commit is contained in:
Alex Crichton
2022-07-05 16:14:31 -05:00
committed by GitHub
parent 308a0fcc06
commit 52ad76ed7c
2 changed files with 31 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
crates/fuzzing/src/oracles.rs
View File

@@ -718,17 +718,11 @@ pub fn differential_wasmi_execution(wasm: &[u8], config: &generators::Config) ->
// Introspect wasmtime module to find name of an exported function and of an
// exported memory.
let (func_name, ty) = first_exported_function(&wasmtime_module)?;
let memory_name = first_exported_memory(&wasmtime_module)?;
let wasmi_mem_export = wasmi_instance.export_by_name(memory_name).unwrap();
let wasmi_mem = wasmi_mem_export.as_memory().unwrap();
let wasmi_main_export = wasmi_instance.export_by_name(func_name).unwrap();
let wasmi_main = wasmi_main_export.as_func().unwrap();
let wasmi_val = wasmi::FuncInstance::invoke(&wasmi_main, &[], &mut wasmi::NopExternals);
let wasmtime_mem = wasmtime_instance
.get_memory(&mut wasmtime_store, memory_name)
.expect("memory export is present");
let wasmtime_main = wasmtime_instance
.get_func(&mut wasmtime_store, func_name)
.expect("function export is present");
@@ -759,6 +753,17 @@ pub fn differential_wasmi_execution(wasm: &[u8], config: &generators::Config) ->
}
}
// Compare linear memories if there's an exported linear memory
let memory_name = match first_exported_memory(&wasmtime_module) {
Some(name) => name,
None => return Some(()),
};
let wasmi_mem_export = wasmi_instance.export_by_name(memory_name).unwrap();
let wasmi_mem = wasmi_mem_export.as_memory().unwrap();
let wasmtime_mem = wasmtime_instance
.get_memory(&mut wasmtime_store, memory_name)
.expect("memory export is present");
if wasmi_mem.current_size().0 != wasmtime_mem.size(&wasmtime_store) as usize {
panic!("resulting memories are not the same size");
}