gnh1201/wasm-micro-runtime
1
0
Fork 0
mirror of https://github.com/bytecodealliance/wasm-micro-runtime.git synced 2025-02-06 06:55:07 +00:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

[fuzzing] Enable instantiation (#3958)

Browse Source 
- Increase input seed size for wasm-tools to generate larger WebAssembly modules
- Add instantiation in wasm mutator fuzz tests
This commit is contained in:
liang.he 2024-12-19 16:51:20 +08:00 committed by GitHub
parent 8d51a3c7a8
commit f8f37c8ebb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 46 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
tests/fuzz/wasm-mutator-fuzz/README.md
View File

@ -19,6 +19,7 @@ $ wasm-tools help
mkdir build && cd build mkdir build && cd build
# Without custom mutator (libfuzzer modify the buffer randomly) # Without custom mutator (libfuzzer modify the buffer randomly)
cmake .. cmake ..
# TODO: TBC. `wasm-tools mutate` is not supported yet
# With custom mutator (wasm-tools mutate) # With custom mutator (wasm-tools mutate)
cmake .. -DCUSTOM_MUTATOR=1 cmake .. -DCUSTOM_MUTATOR=1
make -j$(nproc) make -j$(nproc)

38
tests/fuzz/wasm-mutator-fuzz/smith_wasm.sh
View File

@ -33,36 +33,36 @@ function try_generate_wasm()
local try_i=0 local try_i=0
until [[ -f $GENERATED_WASM_NAME ]]; do until [[ -f $GENERATED_WASM_NAME ]]; do
head -c 100 /dev/urandom | wasm-tools smith $SMITH_OPTIONS -o $GENERATED_WASM_NAME >/dev/null 2>&1 # Larger input seeds tend to generate larger WebAssembly modules. (256KB)
head -c 262144 /dev/urandom | wasm-tools smith $SMITH_OPTIONS -o $GENERATED_WASM_NAME >/dev/null 2>&1
try_i=$((try_i+1)) try_i=$((try_i+1))
done done
printf -- "-- output ${GENERATED_WASM_NAME} in %d retries\n" $try_i printf -- "-- output ${GENERATED_WASM_NAME} in %d retries\n" $try_i
} }
# try_generate_wasm "--min-memories=1 --min-tables=1" "test_min.wasm" WASM_SHAPE=" --allow-invalid-funcs true \
--generate-custom-sections true \
--min-funcs 5 \
--max-instructions 1024 \
--min-globals 10"
WASM_MVP_FEATURES=" --bulk-memory-enabled true \
--multi-value-enabled true \
--reference-types-enabled true \
--simd-enabled true \
--tail-call-enabled true"
for i in $(seq 1 $EXPECTED_NUM) for i in $(seq 1 $EXPECTED_NUM)
do do
# by default
try_generate_wasm "" test_$i.wasm
# with different features
# mvp # mvp
try_generate_wasm "--min-memories=1 --min-tables=1" test_min_$i.wasm try_generate_wasm "${WASM_SHAPE} ${WASM_MVP_FEATURES}" test_mvp_$i.wasm
try_generate_wasm "--min-memories=1 --min-tables=1 --bulk-memory-enabled true" test_bulk_$i.wasm
try_generate_wasm "--min-memories=1 --min-tables=1 --reference-types-enabled true" test_ref_$i.wasm
try_generate_wasm "--min-memories=1 --min-tables=1 --multi-value-enabled true" test_multi_$i.wasm
try_generate_wasm "--min-memories=1 --min-tables=1 --simd-enabled true" test_simd_$i.wasm
try_generate_wasm "--min-memories=1 --min-tables=1 --tail-call-enabled true " test_tail_$i.wasm
# enable me when compiling iwasm with those features # other proposals
#try_generate_wasm "--min-memories=1 --min-tables=1 --threads-enabled true" test_thread_$i.wasm try_generate_wasm "${WASM_SHAPE} --exceptions-enabled true" test_exception_$i.wasm
#try_generate_wasm "--min-memories=1 --min-tables=1 --memory64-enabled true" test_memory64_$i.wasm try_generate_wasm "${WASM_SHAPE} --gc-enabled true" test_gc_$i.wasm
#try_generate_wasm "--min-memories=1 --min-tables=1 --exceptions-enabled true" test_exception_$i.wasm try_generate_wasm "${WASM_SHAPE} --memory64-enabled true" test_memory64_$i.wasm
#try_generate_wasm "--min-memories=1 --min-tables=1 --gc-enabled true" test_gc_$i.wasm try_generate_wasm "${WASM_SHAPE} --threads-enabled true" test_threads_$i.wasm
# with custom-section
try_generate_wasm "--min-memories=1 --min-tables=1 --generate-custom-sections true" test_custom_$i.wasm
done done
printf "Done\n" printf "Done\n"

42
tests/fuzz/wasm-mutator-fuzz/wasm_mutator_fuzz.cc
View File

@ -13,31 +13,41 @@
using namespace std; using namespace std;
extern "C" WASMModuleCommon *
wasm_runtime_load(uint8 *buf, uint32 size, char *error_buf,
uint32 error_buf_size);
extern "C" WASMModuleInstanceCommon *
wasm_runtime_instantiate(WASMModuleCommon *module, uint32 stack_size,
uint32 heap_size, char *error_buf,
uint32 error_buf_size);
extern "C" int extern "C" int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{ {
/* libfuzzer don't allow us to modify the given Data, so we copy the data /* libfuzzer don't allow us to modify the given Data, so we copy the data
* here */ * here */
std::vector<uint8_t> myData(Data, Data + Size); std::vector<uint8_t> myData(Data, Data + Size);
/* init runtime environment */ /* init runtime environment */
wasm_runtime_init(); wasm_runtime_init();
wasm_module_t module =
wasm_runtime_load((uint8_t *)myData.data(), Size, nullptr, 0);
if (module) {
wasm_runtime_unload(module);
}
/* destroy runtime environment */
wasm_runtime_destroy();
char error_buf[128] = { 0 };
wasm_module_t module =
wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120);
if (!module) {
std::cout << "[LOADING] " << error_buf << std::endl;
wasm_runtime_destroy();
/* return SUCCESS because the failure has been handled */
return 0;
}
wasm_module_inst_t inst = wasm_runtime_instantiate(
module, 8 * 1024 * 1024, 16 * 1024 * 1024, error_buf, 120);
if (!inst) {
std::cout << "[INSTANTIATE] " << error_buf << std::endl;
wasm_runtime_unload(module);
wasm_runtime_destroy();
/* return SUCCESS because the failure has been handled */
return 0;
}
std::cout << "PASS" << std::endl;
wasm_runtime_deinstantiate(inst);
wasm_runtime_unload(module);
wasm_runtime_destroy();
return 0; /* Values other than 0 and -1 are reserved for future use. */ return 0; /* Values other than 0 and -1 are reserved for future use. */
} }