86 lines
3.3 KiB
Rust
86 lines
3.3 KiB
Rust
//! Oracles.
|
|
//!
|
|
//! Oracles take a test case and determine whether we have a bug. For example,
|
|
//! one of the simplest oracles is to take a Wasm binary as our input test case,
|
|
//! validate and instantiate it, and (implicitly) check that no assertions
|
|
//! failed or segfaults happened. A more complicated oracle might compare the
|
|
//! result of executing a Wasm file with and without optimizations enabled, and
|
|
//! make sure that the two executions are observably identical.
|
|
//!
|
|
//! When an oracle finds a bug, it should report it to the fuzzing engine by
|
|
//! panicking.
|
|
|
|
pub mod dummy;
|
|
|
|
use cranelift_codegen::settings;
|
|
use dummy::dummy_imports;
|
|
use std::cell::RefCell;
|
|
use std::collections::HashMap;
|
|
use std::rc::Rc;
|
|
use wasmtime::{Config, Engine, HostRef, Instance, Module, Store};
|
|
use wasmtime_jit::{CompilationStrategy, CompiledModule, Compiler, NullResolver};
|
|
|
|
fn host_isa() -> Box<dyn cranelift_codegen::isa::TargetIsa> {
|
|
let flag_builder = settings::builder();
|
|
let isa_builder = cranelift_native::builder().expect("host machine is not a supported target");
|
|
isa_builder.finish(settings::Flags::new(flag_builder))
|
|
}
|
|
|
|
/// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected
|
|
/// panic or segfault or anything else that can be detected "passively".
|
|
///
|
|
/// Performs initial validation, and returns early if the Wasm is invalid.
|
|
///
|
|
/// You can control which compiler is used via passing a `CompilationStrategy`.
|
|
pub fn instantiate(wasm: &[u8], compilation_strategy: CompilationStrategy) {
|
|
if wasmparser::validate(wasm, None).is_err() {
|
|
return;
|
|
}
|
|
|
|
let mut config = Config::new();
|
|
config.strategy(compilation_strategy);
|
|
|
|
let engine = HostRef::new(Engine::new(&config));
|
|
let store = HostRef::new(Store::new(&engine));
|
|
|
|
let module =
|
|
HostRef::new(Module::new(&store, wasm).expect("Failed to compile a valid Wasm module!"));
|
|
|
|
let imports = {
|
|
let module = module.borrow();
|
|
match dummy_imports(&store, module.imports()) {
|
|
Ok(imps) => imps,
|
|
Err(_) => {
|
|
// There are some value types that we can't synthesize a
|
|
// dummy value for (e.g. anyrefs) and for modules that
|
|
// import things of these types we skip instantiation.
|
|
return;
|
|
}
|
|
}
|
|
};
|
|
|
|
// Don't unwrap this: there can be instantiation-/link-time errors that
|
|
// aren't caught during validation or compilation. For example, an imported
|
|
// table might not have room for an element segment that we want to
|
|
// initialize into it.
|
|
let _result = Instance::new(&store, &module, &imports);
|
|
}
|
|
|
|
/// Compile the Wasm buffer, and implicitly fail if we have an unexpected
|
|
/// panic or segfault or anything else that can be detected "passively".
|
|
///
|
|
/// Performs initial validation, and returns early if the Wasm is invalid.
|
|
///
|
|
/// You can control which compiler is used via passing a `CompilationStrategy`.
|
|
pub fn compile(wasm: &[u8], compilation_strategy: CompilationStrategy) {
|
|
if wasmparser::validate(wasm, None).is_err() {
|
|
return;
|
|
}
|
|
|
|
let isa = host_isa();
|
|
let mut compiler = Compiler::new(isa, compilation_strategy);
|
|
let mut resolver = NullResolver {};
|
|
let global_exports = Rc::new(RefCell::new(HashMap::new()));
|
|
let _ = CompiledModule::new(&mut compiler, wasm, &mut resolver, global_exports, false);
|
|
}
|