* Add the instance allocation strategy to generated fuzzing configs.

  This commit adds support for generating configs with arbitrary instance allocation strategies. With this, the pooling allocator will be fuzzed as part of the existing fuzz targets.

* Refine maximum constants for arbitrary module limits.

* Add an `instantiate-many` fuzz target.

  This commit adds a new `instantiate-many` fuzz target that will attempt to instantiate and terminate modules in an arbitrary order. It generates up to 5 modules, from which a random sequence of instances will be created. The primary benefactor of this fuzz target is the pooling instance allocator.

* Allow no aliasing in generated modules when using the pooling allocator.

  This commit prevents aliases in the generated modules as they might count against the configured import limits of the pooling allocator. As the existing module linking proposal implementation will eventually be deprecated in favor of the component model proposal, it isn't very important that we test aliases in generated modules with the pooling allocator.

* Improve distribution of memory config in fuzzing.

  The previous commit attempted to provide a 32-bit upper bound to 64-bit arbitrary values, which skewed the distribution heavily in favor of the upper bound. This commit removes the constraint and instead uses arbitrary 32-bit values that are converted to 64-bit values in the `Arbitrary` implementation.
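The last bullet's distribution problem is easy to reproduce without the fuzzer. The following is an added, stand-alone example (not wasmtime or `arbitrary`-crate code): a hypothetical `ByteReader` stands in for `Unstructured`, and two draw functions model the two shapes the commit contrasts. Capping a 64-bit draw at `u32::MAX` yields the bound almost every time, because a uniformly random `u64` exceeds `u32::MAX` with probability `1 - 2^-32`; drawing a `u32` and widening it keeps every value in range reachable. The input bytes are constructed with splitmix64 purely to have deterministic, fuzzer-like data.

```rust
// Added example: why clamping a 64-bit fuzz value to a 32-bit bound degenerates.
// `ByteReader` is a hypothetical stand-in for `Unstructured`, not the real API.

/// Reads little-endian integers from fuzz input; pads with zeros when the
/// input runs out, the lenient behaviour a fuzzer wants instead of failing.
struct ByteReader<'a> {
    data: &'a [u8],
    pos: usize,
}

impl<'a> ByteReader<'a> {
    fn new(data: &'a [u8]) -> Self {
        ByteReader { data, pos: 0 }
    }

    fn take<const N: usize>(&mut self) -> [u8; N] {
        let mut out = [0u8; N];
        let end = (self.pos + N).min(self.data.len());
        let n = end - self.pos;
        out[..n].copy_from_slice(&self.data[self.pos..end]);
        self.pos = end;
        out
    }

    fn u32(&mut self) -> u32 {
        u32::from_le_bytes(self.take::<4>())
    }

    fn u64(&mut self) -> u64 {
        u64::from_le_bytes(self.take::<8>())
    }
}

/// The problematic shape: draw 64 bits, then cap at a 32-bit maximum.
fn clamped_memory_size(r: &mut ByteReader) -> u64 {
    r.u64().min(u32::MAX as u64)
}

/// The fixed shape: draw 32 bits and widen to 64.
fn widened_memory_size(r: &mut ByteReader) -> u64 {
    r.u32() as u64
}

/// Constructed input: deterministic splitmix64 bytes standing in for fuzzer data.
fn constructed_input(len: usize, seed: u64) -> Vec<u8> {
    let mut state = seed;
    let mut out = Vec::with_capacity(len + 8);
    while out.len() < len {
        state = state.wrapping_add(0x9E37_79B9_7F4A_7C15);
        let mut z = state;
        z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
        z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
        z ^= z >> 31;
        out.extend_from_slice(&z.to_le_bytes());
    }
    out.truncate(len);
    out
}

/// Draws `samples` values with `draw` and returns
/// (how many equal u32::MAX exactly, how many fall below 2^31).
fn sample(draw: fn(&mut ByteReader) -> u64, samples: usize) -> (usize, usize) {
    let input = constructed_input(samples * 8, 0x5EED);
    let mut r = ByteReader::new(&input);
    let mut at_bound = 0;
    let mut lower_half = 0;
    for _ in 0..samples {
        let v = draw(&mut r);
        if v == u32::MAX as u64 {
            at_bound += 1;
        }
        if v < (1u64 << 31) {
            lower_half += 1;
        }
    }
    (at_bound, lower_half)
}

fn main() {
    let (c_bound, c_low) = sample(clamped_memory_size, 10_000);
    let (w_bound, w_low) = sample(widened_memory_size, 10_000);
    println!("clamped: {} of 10000 at u32::MAX, {} below 2^31", c_bound, c_low);
    println!("widened: {} of 10000 at u32::MAX, {} below 2^31", w_bound, w_low);
}
```

The same pattern applies to any `min`/`max` clamp on a draw whose natural range is far wider than the bound; the fix is always to draw at the width you actually want and widen afterwards.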
49 lines
1.6 KiB
Rust
```rust
#![no_main]

use libfuzzer_sys::arbitrary::{Result, Unstructured};
use libfuzzer_sys::fuzz_target;
use wasmtime_fuzzing::generators::InstanceAllocationStrategy;
use wasmtime_fuzzing::oracles::Timeout;
use wasmtime_fuzzing::{generators, oracles};

fuzz_target!(|data: &[u8]| {
    // errors in `run` have to do with not enough input in `data`, which we
    // ignore here since it doesn't affect how we'd like to fuzz.
    drop(run(data));
});

fn run(data: &[u8]) -> Result<()> {
    let mut u = Unstructured::new(data);
    // The config now carries the instance allocation strategy too, so the
    // pooling allocator is exercised whenever the input selects it.
    let mut config: generators::Config = u.arbitrary()?;

    // Pick either fuel, duration-based, or module-based timeout. Note that the
    // module-based timeout is implemented with wasm-smith's
    // `ensure_termination` option.
    let timeout = if u.arbitrary()? {
        config.generate_timeout(&mut u)?
    } else {
        Timeout::None
    };

    // Enable module linking for this fuzz target specifically
    config.module_config.config.module_linking_enabled = u.arbitrary()?;

    // When using the pooling allocator without a timeout, we must
    // allow at least 1 more global because the `ensure_termination` call below
    // will define one.
    if let Timeout::None = timeout {
        if let InstanceAllocationStrategy::Pooling { module_limits, .. } =
            &mut config.wasmtime.strategy
        {
            module_limits.globals += 1;
        }
    }

    let mut module = config.module_config.generate(&mut u)?;
    if let Timeout::None = timeout {
        module.ensure_termination(1000);
    }
    // Compile and instantiate under the chosen config; the oracle reports
    // any engine-level failure.
    oracles::instantiate(&module.to_bytes(), true, &config, timeout);
    Ok(())
}
```
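The target above instantiates one module per input. The commit's `instantiate-many` target instead drives a sequence of instantiations and terminations in arbitrary order, which is what stresses a slot-based pooling allocator: slots must be reused after termination, allocation must fail cleanly when the pool is full, and per-module limits (the `module_limits` adjusted above) must be checked before a slot is taken. The block below is an added example and a hypothetical model, not wasmtime's pooling allocator: `Pool`, `ModuleSpec`, `Limits` and the one-byte-per-operation encoding in `run_sequence` are all assumptions made for illustration, and the input in `main` is constructed by hand.

```rust
// Added example: a hypothetical fixed-capacity instance pool driven through an
// arbitrary instantiate/terminate sequence decoded from fuzz-style input bytes.
// This models the shape of the `instantiate-many` test; it is not wasmtime code.

use std::collections::HashSet;

/// What a generated module looks like to the pool: its resource demand.
#[derive(Clone, Copy, Debug)]
struct ModuleSpec {
    imports: u32,
    globals: u32,
}

/// Per-instance limits the pool enforces (the role of `module_limits`).
#[derive(Clone, Copy, Debug)]
struct Limits {
    imports: u32,
    globals: u32,
}

#[derive(Debug, PartialEq, Eq)]
enum PoolError {
    Full,
    ExceedsLimits,
}

/// A fixed number of slots; each slot is free or holds an instance of module `m`.
struct Pool {
    limits: Limits,
    slots: Vec<Option<usize>>,
    free: Vec<usize>,
}

impl Pool {
    fn new(capacity: usize, limits: Limits) -> Self {
        Pool { limits, slots: vec![None; capacity], free: (0..capacity).rev().collect() }
    }

    /// Check limits before taking a slot, so an over-limit module never consumes capacity.
    fn instantiate(&mut self, module_idx: usize, spec: ModuleSpec) -> Result<usize, PoolError> {
        if spec.imports > self.limits.imports || spec.globals > self.limits.globals {
            return Err(PoolError::ExceedsLimits);
        }
        let slot = self.free.pop().ok_or(PoolError::Full)?;
        debug_assert!(self.slots[slot].is_none());
        self.slots[slot] = Some(module_idx);
        Ok(slot)
    }

    fn terminate(&mut self, slot: usize) {
        assert!(self.slots[slot].take().is_some(), "double free of slot {}", slot);
        self.free.push(slot);
    }

    fn live(&self) -> usize {
        self.slots.iter().filter(|s| s.is_some()).count()
    }

    /// Invariants a fuzz oracle would check after every step.
    fn check(&self) {
        let free: HashSet<usize> = self.free.iter().copied().collect();
        assert_eq!(free.len(), self.free.len(), "duplicate entry in free list");
        for (i, s) in self.slots.iter().enumerate() {
            assert_eq!(s.is_none(), free.contains(&i), "slot {} disagrees with free list", i);
        }
    }
}

#[derive(Debug, Default, PartialEq, Eq)]
struct Outcome {
    instantiated: usize,
    rejected_full: usize,
    rejected_limits: usize,
    terminated: usize,
    peak_live: usize,
}

/// One byte per operation: even bytes instantiate module (b/2 mod n),
/// odd bytes terminate one of the live instances chosen by (b/2 mod live).
fn run_sequence(data: &[u8], modules: &[ModuleSpec], capacity: usize, limits: Limits) -> Outcome {
    let mut pool = Pool::new(capacity, limits);
    let mut live: Vec<usize> = Vec::new();
    let mut out = Outcome::default();
    for &b in data {
        if b % 2 == 0 {
            let m = (b as usize / 2) % modules.len();
            match pool.instantiate(m, modules[m]) {
                Ok(slot) => {
                    live.push(slot);
                    out.instantiated += 1;
                }
                Err(PoolError::Full) => out.rejected_full += 1,
                Err(PoolError::ExceedsLimits) => out.rejected_limits += 1,
            }
        } else if !live.is_empty() {
            let victim = live.swap_remove((b as usize / 2) % live.len());
            pool.terminate(victim);
            out.terminated += 1;
        }
        out.peak_live = out.peak_live.max(pool.live());
        pool.check();
    }
    // Tear down whatever is still live, as the target does on exit.
    for slot in live.drain(..) {
        pool.terminate(slot);
        out.terminated += 1;
    }
    pool.check();
    assert_eq!(pool.live(), 0);
    out
}

fn main() {
    // Constructed modules and input, not taken from any real fuzz run.
    let modules = [
        ModuleSpec { imports: 0, globals: 1 },
        ModuleSpec { imports: 3, globals: 2 },
        ModuleSpec { imports: 10, globals: 1 },
    ];
    let limits = Limits { imports: 4, globals: 2 };
    let input = [0u8, 2, 4, 0, 1, 0, 6, 3, 3, 3];
    println!("{:?}", run_sequence(&input, &modules, 2, limits));
}
```

The oracle in `check` is the interesting part: a real pooling allocator bug of the kind this target hunts (a slot freed twice, a slot leaked, an over-limit module admitted) surfaces as a failed invariant on a specific operation index, which is exactly what a fuzzer can minimise.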