Enable simd fuzzing on oss-fuzz (#3152)

* Enable simd fuzzing on oss-fuzz This commit generally enables the simd feature while fuzzing, which should affect almost all fuzzers. For fuzzers that just throw random data at the wall and see what sticks, this means that they'll now be able to throw simd-shaped data at the wall and have it stick. For wasm-smith-based fuzzers this commit also updates wasm-smith to 0.6.0 which allows further configuring the `SwarmConfig` after generation, notably allowing `instantiate-swarm` to generate modules using simd using `wasm-smith`. This should much more reliably feed simd-related things into the fuzzers. Finally, this commit updates wasmtime to avoid usage of the general `wasm_smith::Module` generator to instead use a Wasmtime-specific custom default configuration which enables various features we have implemented. * Allow dummy table creation to fail Tables might creation for imports may exceed the memory limit on the store, which we'll want to gracefully recover from and not fail the fuzzers.
2021-08-05 16:24:42 -05:00
parent 214c5f862d
commit bb85366a3b
12 changed files with 110 additions and 47 deletions
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -20,7 +20,7 @@ target-lexicon = "0.12"
 peepmatic-fuzzing = { path = "../cranelift/peepmatic/crates/fuzzing", optional = true }
 wasmtime = { path = "../crates/wasmtime" }
 wasmtime-fuzzing = { path = "../crates/fuzzing" }
-wasm-smith = "0.5.0"
+wasm-smith = "0.6.0"

 [features]
 # Leave a stub feature with no side-effects in place for now: the OSS-Fuzz
--- a/fuzz/fuzz_targets/differential.rs
+++ b/fuzz/fuzz_targets/differential.rs
@@ -6,7 +6,7 @@ use wasmtime_fuzzing::{generators, oracles};
 fuzz_target!(|data: (
    generators::DifferentialConfig,
    generators::DifferentialConfig,
-    wasm_smith::Module,
+    generators::GeneratedModule,
 )| {
    let (lhs, rhs, mut wasm) = data;
    wasm.ensure_termination(1000);
--- a/fuzz/fuzz_targets/instantiate-swarm.rs
+++ b/fuzz/fuzz_targets/instantiate-swarm.rs
@@ -1,24 +1,41 @@
 #![no_main]

+use libfuzzer_sys::arbitrary::{Result, Unstructured};
 use libfuzzer_sys::fuzz_target;
 use std::time::Duration;
-use wasm_smith::{Config, ConfiguredModule, SwarmConfig};
+use wasm_smith::{ConfiguredModule, SwarmConfig};
 use wasmtime::Strategy;
 use wasmtime_fuzzing::oracles::{self, Timeout};

-fuzz_target!(|pair: (bool, ConfiguredModule<SwarmConfig>)| {
-    let (timeout_with_time, module) = pair;
-    let mut cfg = wasmtime_fuzzing::fuzz_default_config(Strategy::Auto).unwrap();
-    cfg.wasm_multi_memory(true);
-    cfg.wasm_module_linking(module.config().module_linking_enabled());
-    oracles::instantiate_with_config(
-        &module.to_bytes(),
-        true,
-        cfg,
-        if timeout_with_time {
-            Timeout::Time(Duration::from_secs(20))
-        } else {
-            Timeout::Fuel(100_000)
-        },
-    );
+fuzz_target!(|data: &[u8]| {
+    // errors in `run` have to do with not enough input in `data`, which we
+    // ignore here since it doesn't affect how we'd like to fuzz.
+    drop(run(data));
 });
+
+fn run(data: &[u8]) -> Result<()> {
+    let mut u = Unstructured::new(data);
+    let timeout = if u.arbitrary()? {
+        Timeout::Time(Duration::from_secs(20))
+    } else {
+        Timeout::Fuel(100_000)
+    };
+
+    // Further configure `SwarmConfig` after we generate one to enable features
+    // that aren't otherwise enabled by default. We want to test all of these in
+    // Wasmtime.
+    let mut config: SwarmConfig = u.arbitrary()?;
+    config.simd_enabled = u.arbitrary()?;
+    config.module_linking_enabled = u.arbitrary()?;
+    // Don't generate modules that allocate more than 6GB
+    config.max_memory_pages = 6 << 30;
+    let module = ConfiguredModule::new(config.clone(), &mut u)?;
+
+    let mut cfg = wasmtime_fuzzing::fuzz_default_config(Strategy::Auto).unwrap();
+    cfg.wasm_multi_memory(config.max_memories > 1);
+    cfg.wasm_module_linking(config.module_linking_enabled);
+    cfg.wasm_simd(config.simd_enabled);
+
+    oracles::instantiate_with_config(&module.to_bytes(), true, cfg, timeout);
+    Ok(())
+}
--- a/fuzz/fuzz_targets/instantiate-wasm-smith.rs
+++ b/fuzz/fuzz_targets/instantiate-wasm-smith.rs
@@ -1,11 +1,10 @@
 #![no_main]

 use libfuzzer_sys::fuzz_target;
-use wasm_smith::Module;
 use wasmtime::Strategy;
-use wasmtime_fuzzing::oracles;
+use wasmtime_fuzzing::{generators::GeneratedModule, oracles};

-fuzz_target!(|module: Module| {
+fuzz_target!(|module: GeneratedModule| {
    let mut module = module;
    module.ensure_termination(1000);
    let wasm_bytes = module.to_bytes();