[fuzzing] Enable instantiation (#3958)

- Increase input seed size for wasm-tools to generate larger WebAssembly modules - Add instantiation in wasm mutator fuzz tests
2025-10-31 13:17:31 +00:00 · 2024-12-19 16:51:20 +08:00 · 2024-12-19 16:51:20 +08:00 · f8f37c8ebb
commit f8f37c8ebb
parent 8d51a3c7a8
3 changed files with 46 additions and 35 deletions
--- a/tests/fuzz/wasm-mutator-fuzz/README.md
+++ b/tests/fuzz/wasm-mutator-fuzz/README.md
@ -19,6 +19,7 @@ $ wasm-tools help
 mkdir build && cd build
 # Without custom mutator (libfuzzer modify the buffer randomly)
 cmake ..
+# TODO: TBC. `wasm-tools mutate` is not supported yet
 # With custom mutator (wasm-tools mutate)
 cmake .. -DCUSTOM_MUTATOR=1
 make -j$(nproc)
--- a/tests/fuzz/wasm-mutator-fuzz/smith_wasm.sh
+++ b/tests/fuzz/wasm-mutator-fuzz/smith_wasm.sh
@ -33,36 +33,36 @@ function try_generate_wasm()

    local try_i=0
    until [[ -f $GENERATED_WASM_NAME ]]; do
-        head -c 100 /dev/urandom | wasm-tools smith $SMITH_OPTIONS -o $GENERATED_WASM_NAME  >/dev/null 2>&1
+        # Larger input seeds tend to generate larger WebAssembly modules. (256KB)
+        head -c 262144 /dev/urandom | wasm-tools smith $SMITH_OPTIONS -o $GENERATED_WASM_NAME  >/dev/null 2>&1
        try_i=$((try_i+1))
    done

    printf -- "-- output ${GENERATED_WASM_NAME} in %d retries\n" $try_i
 }

-# try_generate_wasm "--min-memories=1 --min-tables=1" "test_min.wasm"
+WASM_SHAPE=" --allow-invalid-funcs true \
+--generate-custom-sections true \
+--min-funcs 5 \
+--max-instructions 1024 \
+--min-globals 10"
+
+WASM_MVP_FEATURES=" --bulk-memory-enabled true \
+--multi-value-enabled true \
+--reference-types-enabled true \
+--simd-enabled true \
+--tail-call-enabled true"

 for i in $(seq 1 $EXPECTED_NUM)
 do
-    # by default
-    try_generate_wasm "" test_$i.wasm
-
-    # with different features
    # mvp
-    try_generate_wasm "--min-memories=1 --min-tables=1" test_min_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --bulk-memory-enabled true" test_bulk_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --reference-types-enabled true" test_ref_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --multi-value-enabled true" test_multi_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --simd-enabled true" test_simd_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --tail-call-enabled true " test_tail_$i.wasm
+    try_generate_wasm "${WASM_SHAPE} ${WASM_MVP_FEATURES}" test_mvp_$i.wasm

-    # enable me when compiling iwasm with those features
-    #try_generate_wasm "--min-memories=1 --min-tables=1 --threads-enabled true" test_thread_$i.wasm
-    #try_generate_wasm "--min-memories=1 --min-tables=1 --memory64-enabled true" test_memory64_$i.wasm
-    #try_generate_wasm "--min-memories=1 --min-tables=1 --exceptions-enabled true" test_exception_$i.wasm
-    #try_generate_wasm "--min-memories=1 --min-tables=1 --gc-enabled true" test_gc_$i.wasm
-    # with custom-section
-    try_generate_wasm "--min-memories=1 --min-tables=1 --generate-custom-sections true" test_custom_$i.wasm
+    # other proposals
+    try_generate_wasm "${WASM_SHAPE} --exceptions-enabled true" test_exception_$i.wasm
+    try_generate_wasm "${WASM_SHAPE} --gc-enabled true" test_gc_$i.wasm
+    try_generate_wasm "${WASM_SHAPE} --memory64-enabled true" test_memory64_$i.wasm
+    try_generate_wasm "${WASM_SHAPE} --threads-enabled true" test_threads_$i.wasm
 done

 printf "Done\n"
--- a/tests/fuzz/wasm-mutator-fuzz/wasm_mutator_fuzz.cc
+++ b/tests/fuzz/wasm-mutator-fuzz/wasm_mutator_fuzz.cc
@ -13,31 +13,41 @@

 using namespace std;

-extern "C" WASMModuleCommon *
-wasm_runtime_load(uint8 *buf, uint32 size, char *error_buf,
-                  uint32 error_buf_size);
-
-extern "C" WASMModuleInstanceCommon *
-wasm_runtime_instantiate(WASMModuleCommon *module, uint32 stack_size,
-                         uint32 heap_size, char *error_buf,
-                         uint32 error_buf_size);
-
 extern "C" int
 LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {
    /* libfuzzer don't allow us to modify the given Data, so we copy the data
     * here */
    std::vector<uint8_t> myData(Data, Data + Size);
+
    /* init runtime environment */
    wasm_runtime_init();
-    wasm_module_t module =
-        wasm_runtime_load((uint8_t *)myData.data(), Size, nullptr, 0);
-    if (module) {
-        wasm_runtime_unload(module);
-    }
-    /* destroy runtime environment */
-    wasm_runtime_destroy();

+    char error_buf[128] = { 0 };
+    wasm_module_t module =
+        wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120);
+    if (!module) {
+        std::cout << "[LOADING] " << error_buf << std::endl;
+        wasm_runtime_destroy();
+        /* return SUCCESS because the failure has been handled */
+        return 0;
+    }
+
+    wasm_module_inst_t inst = wasm_runtime_instantiate(
+        module, 8 * 1024 * 1024, 16 * 1024 * 1024, error_buf, 120);
+    if (!inst) {
+        std::cout << "[INSTANTIATE] " << error_buf << std::endl;
+        wasm_runtime_unload(module);
+        wasm_runtime_destroy();
+        /* return SUCCESS because the failure has been handled */
+        return 0;
+    }
+
+    std::cout << "PASS" << std::endl;
+
+    wasm_runtime_deinstantiate(inst);
+    wasm_runtime_unload(module);
+    wasm_runtime_destroy();
    return 0; /* Values other than 0 and -1 are reserved for future use. */
 }