diff --git a/.devcontainer/requirements.txt b/.devcontainer/requirements.txt index f8473e2729..a8ed4b65d6 100644 --- a/.devcontainer/requirements.txt +++ b/.devcontainer/requirements.txt @@ -2,3 +2,4 @@ black nose pycparser pylint +requests diff --git a/build-scripts/build_llvm.py b/build-scripts/build_llvm.py index 3d241355b4..68ef640e39 100755 --- a/build-scripts/build_llvm.py +++ b/build-scripts/build_llvm.py @@ -304,7 +304,7 @@ def main(): "default": { "repo": "https://github.com/llvm/llvm-project.git", "repo_ssh": "git@github.com:llvm/llvm-project.git", - "branch": "release/18.x", + "branch": "llvmorg-18.1.8", }, } diff --git a/build-scripts/config_common.cmake b/build-scripts/config_common.cmake index e1fd26dcbe..234578d306 100644 --- a/build-scripts/config_common.cmake +++ b/build-scripts/config_common.cmake @@ -196,7 +196,11 @@ if (NOT WAMR_BUILD_SANITIZER STREQUAL "") message(FATAL_ERROR "Unsupported sanitizers: ${INVALID_SANITIZERS}") endif() # common flags for all sanitizers - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 -fno-omit-frame-pointer -fno-sanitize-recover=all") + # clang: warning: the object size sanitizer has no effect at -O0, but is explicitly enabled ... [-Winvalid-command-line-argument] + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O1 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment") + if(CMAKE_C_COMPILER_ID MATCHES ".*Clang") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-sanitize=unsigned-integer-overflow") + endif() if(SANITIZER_FLAGS) string(REPLACE ";" "," SANITIZER_FLAGS_STR "${SANITIZER_FLAGS}") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=${SANITIZER_FLAGS_STR}") diff --git a/build-scripts/unsupported_combination.cmake b/build-scripts/unsupported_combination.cmake index 50c56fc822..4284be32bf 100644 --- a/build-scripts/unsupported_combination.cmake +++ b/build-scripts/unsupported_combination.cmake @@ -61,7 +61,6 @@ endfunction() # Below are the unsupported combinations checks # Please keep this list in sync with tests/unit/unsupported-features/CMakeLists.txt # and tests/wamr-test-suites/test_wamr.sh -cmake_print_variables(WAMR_BUILD_INTERP WAMR_BUILD_FAST_INTERP WAMR_BUILD_JIT WAMR_BUILD_EXCE_HANDLING) if(WAMR_BUILD_EXCE_HANDLING EQUAL 1) check_aot_mode_error("Unsupported build configuration: EXCE_HANDLING + AOT") diff --git a/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt index 500ad8fe3c..de0f6aebb8 100644 --- a/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt @@ -172,21 +172,19 @@ set(IWASM_DIR ${REPO_ROOT_DIR}/core/iwasm) # Global setting add_compile_options(-Wno-unused-command-line-argument) -# Enable fuzzer -add_definitions(-DWASM_ENABLE_FUZZ_TEST=1) -# '-fsanitize=vptr' not allowed with '-fno-rtti -# But, LLVM by default, disables the use of `rtti` in the compiler -add_compile_options(-fsanitize=fuzzer -fno-sanitize=vptr) -add_link_options(-fsanitize=fuzzer -fno-sanitize=vptr) - # Enable sanitizers if not in oss-fuzz environment set(CFLAGS_ENV $ENV{CFLAGS}) -string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" FUZZ_POS) + string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" FUZZ_POS) if (FUZZ_POS GREATER -1) set(IN_OSS_FUZZ 1) else() set(IN_OSS_FUZZ 0) endif() +# Enable fuzzer +add_definitions(-DWASM_ENABLE_FUZZ_TEST=1) + +include(${CMAKE_CURRENT_LIST_DIR}/sanitizer_flags.cmake) + add_subdirectory(aot-compiler) add_subdirectory(wasm-mutator) diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt index 5ca33906a5..120902dafc 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt @@ -1,12 +1,6 @@ # Copyright (C) 2025 Intel Corporation. All rights reserved. # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception -# Set default build options with the ability to override from the command line -if(NOT WAMR_BUILD_INTERP) - set(WAMR_BUILD_INTERP 1) -endif() - -set(WAMR_BUILD_WAMR_COMPILER 1) set(WAMR_BUILD_AOT 0) set(WAMR_BUILD_INTERP 1) set(WAMR_BUILD_JIT 0) @@ -67,17 +61,6 @@ target_link_directories(aotclib PUBLIC ${LLVM_LIBRARY_DIR}) target_link_libraries(aotclib PUBLIC ${REQUIRED_LLVM_LIBS}) -if(NOT IN_OSS_FUZZ) - message(STATUS "Enable ASan and UBSan in non-oss-fuzz environment for aotclib") - target_compile_options(aotclib PUBLIC - -fprofile-instr-generate -fcoverage-mapping - -fno-sanitize-recover=all - -fsanitize=address,undefined - -fsanitize=float-divide-by-zero,unsigned-integer-overflow,local-bounds,nullability - -fno-sanitize=alignment - ) - target_link_options(aotclib PUBLIC -fsanitize=address,undefined -fprofile-instr-generate) -endif() - -add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc) +add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc ../common/fuzzer_common.cc) +target_include_directories(aot_compiler_fuzz PRIVATE ../common) target_link_libraries(aot_compiler_fuzz PRIVATE stdc++ aotclib) diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc index c8ec4c0d52..6c0d62d0d2 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc @@ -11,6 +11,7 @@ #include "aot_export.h" #include "wasm_export.h" #include "bh_read_file.h" +#include "../common/fuzzer_common.h" static void handle_aot_recent_error(const char *tag) @@ -27,23 +28,28 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { wasm_module_t module = NULL; - char error_buf[128] = { 0 }; + char error_buf[ERROR_BUF_SIZE] = { 0 }; AOTCompOption option = { 0 }; aot_comp_data_t comp_data = NULL; aot_comp_context_t comp_ctx = NULL; + uint8 *aot_file_buf = NULL; + uint32 aot_file_size = 0; + wasm_module_t aot_module = NULL; + wasm_module_inst_t inst = NULL; - /* libfuzzer don't allow to modify the given Data, so make a copy here */ - std::vector myData(Data, Data + Size); - + /* libfuzzer don't allow to modify the given Data, but get_package_type and + * wasm_runtime_load only read the data, so we can safely use const_cast */ if (Size >= 4 - && get_package_type(myData.data(), Size) != Wasm_Module_Bytecode) { + && get_package_type(const_cast(Data), Size) + != Wasm_Module_Bytecode) { printf("Invalid wasm file: magic header not detected\n"); return 0; } wasm_runtime_init(); - module = wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120); + module = wasm_runtime_load(const_cast(Data), Size, error_buf, + MAX_ERROR_BUF_SIZE); if (!module) { std::cout << "[LOADING] " << error_buf << std::endl; goto DESTROY_RUNTIME; @@ -78,6 +84,34 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) goto DESTROY_COMP_CTX; } + aot_file_buf = aot_emit_aot_file_buf(comp_ctx, comp_data, &aot_file_size); + if (!aot_file_buf) { + handle_aot_recent_error("[EMITTING AOT FILE]"); + goto DESTROY_COMP_CTX; + } + + aot_module = wasm_runtime_load(aot_file_buf, aot_file_size, error_buf, + ERROR_BUF_SIZE); + if (!aot_module) { + std::cout << "[LOADING AOT MODULE] " << error_buf << std::endl; + goto RELEASE_AOT_FILE_BUF; + } + + inst = wasm_runtime_instantiate(aot_module, 1024 * 8, 0, error_buf, + ERROR_BUF_SIZE); + if (!inst) { + std::cout << "[INSTANTIATING AOT MODULE] " << error_buf << std::endl; + goto UNLOAD_AOT_MODULE; + } + + execute_export_functions(module, inst); + +DEINSTANTIZE_AOT_MODULE: + wasm_runtime_deinstantiate(inst); +UNLOAD_AOT_MODULE: + wasm_runtime_unload(aot_module); +RELEASE_AOT_FILE_BUF: + wasm_runtime_free(aot_file_buf); DESTROY_COMP_CTX: aot_destroy_comp_context(comp_ctx); DESTROY_COMP_DATA: diff --git a/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc b/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc new file mode 100644 index 0000000000..6e373dbd73 --- /dev/null +++ b/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc @@ -0,0 +1,142 @@ +// Copyright (C) 2025 Intel Corporation. All rights reserved. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +#include "fuzzer_common.h" +#include + +void +print_execution_args(const wasm_export_t &export_type, + const std::vector &args, unsigned param_count) +{ + std::cout << "[EXECUTION] " << export_type.name << "("; + for (unsigned p_i = 0; p_i < param_count; p_i++) { + if (p_i != 0) { + std::cout << ", "; + } + + switch (args[p_i].kind) { + case WASM_I32: + std::cout << "i32:" << args[p_i].of.i32; + break; + case WASM_I64: + std::cout << "i64:" << args[p_i].of.i64; + break; + case WASM_F32: + std::cout << "f32:" << args[p_i].of.f32; + break; + case WASM_F64: + std::cout << "f64:" << args[p_i].of.f64; + break; + case WASM_EXTERNREF: + std::cout << "externref:" << args[p_i].of.foreign; + break; + default: + // because aft is_supported_val_kind() check, so we can safely + // return as WASM_FUNCREF + std::cout << "funcref:" << args[p_i].of.ref; + break; + } + } + std::cout << ")" << std::endl; +} + +bool +execute_export_functions(wasm_module_t module, wasm_module_inst_t inst) +{ + int32_t export_count = wasm_runtime_get_export_count(module); + + for (int e_i = 0; e_i < export_count; e_i++) { + wasm_export_t export_type = { 0 }; + wasm_runtime_get_export_type(module, e_i, &export_type); + + if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) { + continue; + } + + wasm_function_inst_t func = + wasm_runtime_lookup_function(inst, export_type.name); + if (!func) { + std::cout << "Failed to lookup function: " << export_type.name + << std::endl; + continue; + } + + wasm_func_type_t func_type = export_type.u.func_type; + uint32_t param_count = wasm_func_type_get_param_count(func_type); + + /* build arguments with capacity reservation */ + std::vector args; + args.reserve(param_count); // Optimization: prevent reallocations + for (unsigned p_i = 0; p_i < param_count; p_i++) { + wasm_valkind_t param_type = + wasm_func_type_get_param_valkind(func_type, p_i); + + if (!is_supported_val_kind(param_type)) { + std::cout + << "Bypass execution because of unsupported value kind: " + << param_type << std::endl; + return true; + } + + wasm_val_t arg = pre_defined_val(param_type); + args.push_back(arg); + } + + /* build results storage */ + uint32_t result_count = wasm_func_type_get_result_count(func_type); + std::vector results( + result_count); // Optimization: direct initialization + + print_execution_args(export_type, args, param_count); + + /* execute the function */ + wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst); + if (!exec_env) { + std::cout << "Failed to get exec env" << std::endl; + return false; + } + + bool ret = + wasm_runtime_call_wasm_a(exec_env, func, result_count, + results.data(), param_count, args.data()); + if (!ret) { + const char *exception = wasm_runtime_get_exception(inst); + if (!exception) { + std::cout << "[EXECUTION] " << export_type.name + << "() failed. No exception info." << std::endl; + } + else { + std::cout << "[EXECUTION] " << export_type.name << "() failed. " + << exception << std::endl; + } + } + + wasm_runtime_clear_exception(inst); + } + + return true; +} + +void +report_fuzzer_error(FuzzerErrorPhase phase, const char *message) +{ + const char *phase_name = ""; + switch (phase) { + case FuzzerErrorPhase::LOADING: + phase_name = "LOADING"; + break; + case FuzzerErrorPhase::INSTANTIATING: + phase_name = "INSTANTIATING"; + break; + case FuzzerErrorPhase::COMPILING: + phase_name = "COMPILING"; + break; + case FuzzerErrorPhase::EXECUTION: + phase_name = "EXECUTION"; + break; + case FuzzerErrorPhase::CLEANUP: + phase_name = "CLEANUP"; + break; + } + std::cout << "[" << phase_name << "] " << message << std::endl; +} \ No newline at end of file diff --git a/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.h b/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.h new file mode 100644 index 0000000000..365562c901 --- /dev/null +++ b/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.h @@ -0,0 +1,77 @@ +// Copyright (C) 2025 Intel Corporation. All rights reserved. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +#ifndef FUZZER_COMMON_H +#define FUZZER_COMMON_H + +#include "wasm_export.h" +#include +#include + +// Constants for consistent buffer sizes +constexpr size_t ERROR_BUF_SIZE = 128; +constexpr size_t MAX_ERROR_BUF_SIZE = 120; // Used in wasm_runtime_load + +// Error phases for consistent reporting +enum class FuzzerErrorPhase { + LOADING, + INSTANTIATING, + COMPILING, + EXECUTION, + CLEANUP +}; + +// Small inline helper functions + +// Check if a value kind is supported by the fuzzer +static inline bool +is_supported_val_kind(wasm_valkind_t kind) +{ + return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32 + || kind == WASM_F64 || kind == WASM_EXTERNREF + || kind == WASM_FUNCREF; +} + +// Generate a predefined value for a given value kind +static inline wasm_val_t +pre_defined_val(wasm_valkind_t kind) +{ + if (kind == WASM_I32) { + return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } }; + } + else if (kind == WASM_I64) { + return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } }; + } + else if (kind == WASM_F32) { + return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } }; + } + else if (kind == WASM_F64) { + return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } }; + } + else if (kind == WASM_EXTERNREF) { + return wasm_val_t{ .kind = WASM_EXTERNREF, + .of = { .foreign = 0xabcddead } }; + } + // because aft is_supported_val_kind() check, so we can safely return as + // WASM_FUNCREF + else { + return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } }; + } +} + +// Function declarations (implemented in fuzzer_common.cc) + +// Print execution arguments for debugging +void +print_execution_args(const wasm_export_t &export_type, + const std::vector &args, unsigned param_count); + +// Execute all export functions in a module +bool +execute_export_functions(wasm_module_t module, wasm_module_inst_t inst); + +// Helper for consistent error reporting +void +report_fuzzer_error(FuzzerErrorPhase phase, const char *message); + +#endif // FUZZER_COMMON_H \ No newline at end of file diff --git a/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake b/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake new file mode 100644 index 0000000000..3c7e767955 --- /dev/null +++ b/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake @@ -0,0 +1,30 @@ +if(NOT IN_OSS_FUZZ) + message(STATUS "Enable ASan and UBSan in non-oss-fuzz environment for vmlib") + + add_compile_options(-fprofile-instr-generate -fcoverage-mapping) + + # + # Sync up with the content of infra/base-images/base-builder/Dockerfile in oss-fuzz + # + + # SANITIZER_FLAGS_address + add_compile_options(-fsanitize=address -fsanitize-address-use-after-scope) + + # SANITIZER_FLAGS_undefined + add_compile_options( + -fsanitize=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr + -fno-sanitize-recover=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr + ) + + add_link_options(-fsanitize=address,undefined -fprofile-instr-generate) +endif() + +# Always disable unsigned-integer-overflow +if(CMAKE_C_COMPILER_ID MATCHES ".*Clang") + add_compile_options(-fno-sanitize=unsigned-integer-overflow) +endif() + +# '-fsanitize=vptr' not allowed with '-fno-rtti +# But, LLVM by default, disables the use of `rtti` in the compiler +add_compile_options(-fsanitize=fuzzer -fno-sanitize=vptr) +add_link_options(-fsanitize=fuzzer -fno-sanitize=vptr) diff --git a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt index b501baecf2..e33b1826e8 100644 --- a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt @@ -6,45 +6,49 @@ if(CUSTOM_MUTATOR EQUAL 1) endif() # Set default build options with the ability to override from the command line -if(NOT WAMR_BUILD_INTERP) +if(NOT DEFINED WAMR_BUILD_INTERP) set(WAMR_BUILD_INTERP 1) endif() -if(NOT WAMR_BUILD_AOT) +if(NOT DEFINED WAMR_BUILD_AOT) set(WAMR_BUILD_AOT 1) endif() -if(NOT WAMR_BUILD_JIT) +if(NOT DEFINED WAMR_BUILD_JIT) set(WAMR_BUILD_JIT 0) endif() -if(NOT WAMR_BUILD_LIBC_BUILTIN) +if(NOT DEFINED WAMR_BUILD_LIBC_BUILTIN) set(WAMR_BUILD_LIBC_BUILTIN 0) endif() -if(NOT WAMR_BUILD_LIBC_WASI) +if(NOT DEFINED WAMR_BUILD_LIBC_WASI) set(WAMR_BUILD_LIBC_WASI 1) endif() -if(NOT WAMR_BUILD_FAST_INTERP) +if(NOT DEFINED WAMR_BUILD_FAST_INTERP) set(WAMR_BUILD_FAST_INTERP 1) endif() -if(NOT WAMR_BUILD_MULTI_MODULE) +if(NOT DEFINED WAMR_BUILD_MULTI_MODULE) set(WAMR_BUILD_MULTI_MODULE 0) endif() -if(NOT WAMR_BUILD_LIB_PTHREAD) +if(NOT DEFINED WAMR_BUILD_LIB_PTHREAD) set(WAMR_BUILD_LIB_PTHREAD 0) endif() -if(NOT WAMR_BUILD_MINI_LOADER) +if(NOT DEFINED WAMR_BUILD_MINI_LOADER) set(WAMR_BUILD_MINI_LOADER 0) endif() -set(WAMR_BUILD_SIMD 1) +if(NOT DEFINED WAMR_BUILD_SIMD) + set(WAMR_BUILD_SIMD 1) +endif() + set(WAMR_BUILD_REF_TYPES 1) -set(WAMR_BUILD_GC 1) +# disable it since it is not fully supported +set(WAMR_BUILD_GC 0) include(${REPO_ROOT_DIR}/build-scripts/runtime_lib.cmake) include(${REPO_ROOT_DIR}/core/shared/utils/uncommon/shared_uncommon.cmake) @@ -54,17 +58,6 @@ target_include_directories(vmlib PUBLIC ${RUNTIME_LIB_HEADER_LIST}) target_link_directories(vmlib PUBLIC ${RUNTIME_LIB_LINK_LIST}) target_link_libraries(vmlib PUBLIC ${REQUIRED_LLVM_LIBS}) -add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc) +add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc ../common/fuzzer_common.cc) +target_include_directories(wasm_mutator_fuzz PRIVATE ../common) target_link_libraries(wasm_mutator_fuzz PRIVATE vmlib m) - -if(NOT IN_OSS_FUZZ) - message(STATUS "Enable ASan and UBSan in non-oss-fuzz environment for vmlib") - target_compile_options(vmlib PUBLIC - -fprofile-instr-generate -fcoverage-mapping - -fno-sanitize-recover=all - -fsanitize=address,undefined - -fsanitize=float-divide-by-zero,unsigned-integer-overflow,local-bounds,nullability - -fno-sanitize=alignment - ) - target_link_options(vmlib PUBLIC -fsanitize=address,undefined -fprofile-instr-generate) -endif() diff --git a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/wasm_mutator_fuzz.cc b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/wasm_mutator_fuzz.cc index 391d899cf4..233e1e1c3b 100644 --- a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/wasm_mutator_fuzz.cc +++ b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/wasm_mutator_fuzz.cc @@ -10,166 +10,21 @@ #include #include #include +#include "../common/fuzzer_common.h" using namespace std; -static bool -is_supported_val_kind(wasm_valkind_t kind) -{ - return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32 - || kind == WASM_F64 || kind == WASM_EXTERNREF - || kind == WASM_FUNCREF; -} - -static wasm_val_t -pre_defined_val(wasm_valkind_t kind) -{ - if (kind == WASM_I32) { - return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } }; - } - else if (kind == WASM_I64) { - return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } }; - } - else if (kind == WASM_F32) { - return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } }; - } - else if (kind == WASM_F64) { - return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } }; - } - else if (kind == WASM_EXTERNREF) { - return wasm_val_t{ .kind = WASM_EXTERNREF, - .of = { .foreign = 0xabcddead } }; - } - // because aft is_supported_val_kind() check, so we can safely return as - // WASM_FUNCREF - else { - return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } }; - } -} -void -print_execution_args(const wasm_export_t &export_type, - const std::vector &args, unsigned param_count) -{ - std::cout << "[EXECUTION] " << export_type.name << "("; - for (unsigned p_i = 0; p_i < param_count; p_i++) { - if (p_i != 0) { - std::cout << ", "; - } - - switch (args[p_i].kind) { - case WASM_I32: - std::cout << "i32:" << args[p_i].of.i32; - break; - case WASM_I64: - std::cout << "i64:" << args[p_i].of.i64; - break; - case WASM_F32: - std::cout << "f32:" << args[p_i].of.f32; - break; - case WASM_F64: - std::cout << "f64:" << args[p_i].of.f64; - break; - case WASM_EXTERNREF: - std::cout << "externref:" << args[p_i].of.foreign; - break; - default: - // because aft is_supported_val_kind() check, so we can safely - // return as WASM_FUNCREF - std::cout << "funcref:" << args[p_i].of.ref; - break; - } - } - std::cout << ")" << std::endl; -} - -static bool -execute_export_functions(wasm_module_t module, wasm_module_inst_t inst) -{ - int32_t export_count = wasm_runtime_get_export_count(module); - - for (int e_i = 0; e_i < export_count; e_i++) { - wasm_export_t export_type = { 0 }; - wasm_runtime_get_export_type(module, e_i, &export_type); - - if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) { - continue; - } - - wasm_function_inst_t func = - wasm_runtime_lookup_function(inst, export_type.name); - if (!func) { - std::cout << "Failed to lookup function: " << export_type.name - << std::endl; - continue; - } - - wasm_func_type_t func_type = export_type.u.func_type; - uint32_t param_count = wasm_func_type_get_param_count(func_type); - - /* build arguments */ - std::vector args; - for (unsigned p_i = 0; p_i < param_count; p_i++) { - wasm_valkind_t param_type = - wasm_func_type_get_param_valkind(func_type, p_i); - - if (!is_supported_val_kind(param_type)) { - std::cout - << "Bypass execution because of unsupported value kind: " - << param_type << std::endl; - return true; - } - - wasm_val_t arg = pre_defined_val(param_type); - args.push_back(arg); - } - - /* build results storage */ - uint32_t result_count = wasm_func_type_get_result_count(func_type); - std::vector results = std::vector(result_count); - - print_execution_args(export_type, args, param_count); - - /* execute the function */ - wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst); - if (!exec_env) { - std::cout << "Failed to get exec env" << std::endl; - return false; - } - - bool ret = - wasm_runtime_call_wasm_a(exec_env, func, result_count, - results.data(), param_count, args.data()); - if (!ret) { - const char *exception = wasm_runtime_get_exception(inst); - if (!exception) { - std::cout << "[EXECUTION] " << export_type.name - << "() failed. No exception info." << std::endl; - } - else { - std::cout << "[EXECUTION] " << export_type.name << "() failed. " - << exception << std::endl; - } - } - - wasm_runtime_clear_exception(inst); - } - - return true; -} - extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - /* libfuzzer don't allow us to modify the given Data, so we copy the data - * here */ - std::vector myData(Data, Data + Size); - + /* libfuzzer don't allow us to modify the given Data, but wasm_runtime_load + * only reads the data, so we can safely use const_cast */ /* init runtime environment */ wasm_runtime_init(); - char error_buf[128] = { 0 }; - wasm_module_t module = - wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120); + char error_buf[ERROR_BUF_SIZE] = { 0 }; + wasm_module_t module = wasm_runtime_load(const_cast(Data), Size, + error_buf, MAX_ERROR_BUF_SIZE); if (!module) { std::cout << "[LOADING] " << error_buf << std::endl; wasm_runtime_destroy(); @@ -177,8 +32,9 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) return 0; } - wasm_module_inst_t inst = wasm_runtime_instantiate( - module, 8 * 1024 * 1024, 16 * 1024 * 1024, error_buf, 120); + wasm_module_inst_t inst = + wasm_runtime_instantiate(module, 8 * 1024 * 1024, 16 * 1024 * 1024, + error_buf, MAX_ERROR_BUF_SIZE); if (!inst) { std::cout << "[INSTANTIATE] " << error_buf << std::endl; wasm_runtime_unload(module); @@ -237,42 +93,29 @@ LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, return LLVMFuzzerMutate(Data, Size, MaxSize); } - /* 3.read modified file */ - int read_len = 0; - int file_len = 0; - int res = 0; - uint8_t *buf = NULL; + /* 3.read modified file using RAII container */ FILE *fread_fp = fopen("./modified.wasm", "rb"); if (NULL == fread_fp) { printf("Faild to open modified.wasm file!\n"); exit(0); } - fseek(fread_fp, 0, SEEK_END); /* location to file end */ - file_len = ftell(fread_fp); /* get file size */ - buf = (uint8_t *)malloc(file_len); + fseek(fread_fp, 0, SEEK_END); /* location to file end */ + long file_len = ftell(fread_fp); /* get file size */ + fseek(fread_fp, 0, SEEK_SET); /* location to file start */ - if (NULL != buf) { - fseek(fread_fp, 0, SEEK_SET); /* location to file start */ - read_len = fread(buf, 1, file_len, fread_fp); - if ((read_len == file_len) && (read_len < MaxSize)) { - /* 4.fill Data buffer */ - memcpy(Data, buf, read_len); - res = read_len; - } - else { - res = 0; - } - } - else { - res = 0; - } - - memset(buf, 0, file_len); - free(buf); + std::vector buf(file_len); + size_t read_len = fread(buf.data(), 1, file_len, fread_fp); fclose(fread_fp); fread_fp = NULL; + int res = 0; + if (read_len == static_cast(file_len) && read_len < MaxSize) { + /* 4.fill Data buffer */ + memcpy(Data, buf.data(), read_len); + res = static_cast(read_len); + } + return res; } else {