Replace binaryen -ttf based fuzzing with wasm-smith (#2336)

This commit removes the binaryen support for fuzzing from wasmtime,
instead switching over to `wasm-smith`. In general it's great to have
what fuzzing we can, but our binaryen support suffers from a few issues:

* The Rust crate, binaryen-sys, seems largely unmaintained at this
  point. While we could likely take ownership and/or send PRs to update
  the crate it seems like the maintenance is largely on us at this point.

* Currently the binaryen-sys crate doesn't support fuzzing anything
  beyond MVP wasm, but we're interested at least in features like bulk
  memory and reference types. Additionally we'll also be interested in
  features like module-linking. New features would require either
  implementation work in binaryen or the binaryen-sys crate to support.

* We have 4-5 fuzz-bugs right now related to timeouts simply in
  generating a module for wasmtime to fuzz. One investigation along
  these lines in the past revealed a bug in binaryen itself, and in any
  case these bugs would otherwise need to get investigated, reported,
  and possibly fixed ourselves in upstream binaryen.

Overall I'm not sure at this point if maintaining binaryen fuzzing is
worth it with the advent of `wasm-smith` which has similar goals for
wasm module generation, but is much more readily maintainable on our
end.

Additonally in this commit I've added a fuzzer for wasm-smith's
`SwarmConfig`-based fuzzer which should expand the coverage of tested
modules.

Closes #2163

fuzz/Cargo.toml

@@ -31,26 +31,17 @@ path = "fuzz_targets/instantiate.rs"
 test = false
 doc = false
 
-[[bin]]
-name = "instantiate_translated"
-path = "fuzz_targets/instantiate_translated.rs"
-test = false
-doc = false
-required-features = ["binaryen"]
-
 [[bin]]
 name = "api_calls"
 path = "fuzz_targets/api_calls.rs"
 test = false
 doc = false
-required-features = ["binaryen"]
 
 [[bin]]
 name = "differential"
 path = "fuzz_targets/differential.rs"
 test = false
 doc = false
-required-features = ["binaryen"]
 
 [[bin]]
 name = "spectests"
@@ -99,15 +90,18 @@ test = false
 doc = false
 required-features = ["peepmatic-fuzzing"]
 
-[features]
-binaryen = ["wasmtime-fuzzing/binaryen"]
-
 [[bin]]
 name = "instantiate-wasm-smith"
 path = "fuzz_targets/instantiate-wasm-smith.rs"
 test = false
 doc = false
 
+[[bin]]
+name = "instantiate-swarm"
+path = "fuzz_targets/instantiate-swarm.rs"
+test = false
+doc = false
+
 [[bin]]
 name = "instantiate-maybe-invalid"
 path = "fuzz_targets/instantiate-maybe-invalid.rs"

fuzz/fuzz_targets/differential.rs

@@ -6,8 +6,9 @@ use wasmtime_fuzzing::{generators, oracles};
 fuzz_target!(|data: (
     generators::DifferentialConfig,
     generators::DifferentialConfig,
-    generators::WasmOptTtf
+    wasm_smith::Module,
 )| {
-    let (lhs, rhs, wasm) = data;
+    let (lhs, rhs, mut wasm) = data;
+    wasm.ensure_termination(1000);
     oracles::differential_execution(&wasm, &[lhs, rhs]);
 });

fuzz/fuzz_targets/instantiate-swarm.rs

@@ -0,0 +1,13 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use std::time::Duration;
+use wasm_smith::{ConfiguredModule, SwarmConfig};
+use wasmtime::Strategy;
+use wasmtime_fuzzing::oracles;
+
+fuzz_target!(|module: ConfiguredModule<SwarmConfig>| {
+    let mut cfg = wasmtime_fuzzing::fuzz_default_config(Strategy::Auto).unwrap();
+    cfg.wasm_multi_memory(true);
+    oracles::instantiate_with_config(&module.to_bytes(), cfg, Some(Duration::from_secs(20)));
+});

fuzz/fuzz_targets/instantiate_translated.rs

@@ -1,9 +0,0 @@
-#![no_main]
-
-use libfuzzer_sys::fuzz_target;
-use wasmtime::Strategy;
-use wasmtime_fuzzing::{generators, oracles};
-
-fuzz_target!(|data: generators::WasmOptTtf| {
-    oracles::instantiate(&data.wasm, Strategy::Auto);
-});