From b94a92f20e84269588a836f2c8d5d24f7cef55fa Mon Sep 17 00:00:00 2001 From: "liang.he@intel.com" Date: Wed, 14 Jan 2026 19:58:16 +0800 Subject: [PATCH 1/8] fix: disable unsigned integer overflow sanitization in build configurations FYI: from https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html `-fsanitize=unsigned-integer-overflow`: Unsigned integer overflow, where the result of an unsigned integer computation cannot be represented in its type. Unlike signed integer overflow, this is not undefined behavior, but it is often unintentional. This sanitizer does not check for lossy implicit conversions performed before such a computation. It brings a more common question: which is better, pre-additional-check or post-additional-check to fix a potential unsigned integer overflow? A pre-additional-check involves using a check to prevent integer overflow from the very beginning. A post-additional-check involves using a check after addition to see if there is an overflow. In this project, post-additional-checking is widely used. let's follow the routine. for performance sensitive logic, use __builtin_add_overflow etc. provide something like https://github.com/yamt/toywasm/blob/9a5622791e99395e26e6e96cef830af3d91a1685/lib/platform.h#L176-L191 and encourage the use of them. ref. https://github.com/bytecodealliance/wasm-micro-runtime/pull/4549#issuecomment-3218687294 --- build-scripts/config_common.cmake | 5 +++- .../aot-compiler/CMakeLists.txt | 14 ++--------- .../wasm-mutator-fuzz/sanitizer_flags.cmake | 25 +++++++++++++++++++ .../wasm-mutator/CMakeLists.txt | 12 +-------- 4 files changed, 32 insertions(+), 24 deletions(-) create mode 100644 tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake diff --git a/build-scripts/config_common.cmake b/build-scripts/config_common.cmake index e1fd26dcbe..8a608eb0fe 100644 --- a/build-scripts/config_common.cmake +++ b/build-scripts/config_common.cmake @@ -196,7 +196,10 @@ if (NOT WAMR_BUILD_SANITIZER STREQUAL "") message(FATAL_ERROR "Unsupported sanitizers: ${INVALID_SANITIZERS}") endif() # common flags for all sanitizers - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 -fno-omit-frame-pointer -fno-sanitize-recover=all") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment") + if(CMAKE_C_COMPILER_ID MATCHES ".*Clang") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-sanitize=unsigned-integer-overflow") + endif() if(SANITIZER_FLAGS) string(REPLACE ";" "," SANITIZER_FLAGS_STR "${SANITIZER_FLAGS}") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=${SANITIZER_FLAGS_STR}") diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt index 5ca33906a5..bb759771d7 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt @@ -67,17 +67,7 @@ target_link_directories(aotclib PUBLIC ${LLVM_LIBRARY_DIR}) target_link_libraries(aotclib PUBLIC ${REQUIRED_LLVM_LIBS}) -if(NOT IN_OSS_FUZZ) - message(STATUS "Enable ASan and UBSan in non-oss-fuzz environment for aotclib") - target_compile_options(aotclib PUBLIC - -fprofile-instr-generate -fcoverage-mapping - -fno-sanitize-recover=all - -fsanitize=address,undefined - -fsanitize=float-divide-by-zero,unsigned-integer-overflow,local-bounds,nullability - -fno-sanitize=alignment - ) - target_link_options(aotclib PUBLIC -fsanitize=address,undefined -fprofile-instr-generate) -endif() - add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc) target_link_libraries(aot_compiler_fuzz PRIVATE stdc++ aotclib) + +include(${CMAKE_CURRENT_LIST_DIR}/../sanitizer_flags.cmake) diff --git a/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake b/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake new file mode 100644 index 0000000000..385bb5a0f2 --- /dev/null +++ b/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake @@ -0,0 +1,25 @@ +if(NOT IN_OSS_FUZZ) + message(STATUS "Enable ASan and UBSan in non-oss-fuzz environment for vmlib") + + add_compile_options(-fprofile-instr-generate -fcoverage-mapping) + + # + # Sync up with the content of infra/base-images/base-builder/Dockerfile in oss-fuzz + # + + # SANITIZER_FLAGS_address + add_compile_options(-fsanitize=address -fsanitize-address-use-after-scope) + + # SANITIZER_FLAGS_undefined + add_compile_options( + -fsanitize=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr + -fno-sanitize-recover=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr + ) + + add_link_options(-fsanitize=address,undefined -fprofile-instr-generate) +endif() + +# Always disable unsigned-integer-overflow +if(CMAKE_C_COMPILER_ID MATCHES ".*Clang") + add_compile_options(-fno-sanitize=unsigned-integer-overflow) +endif() diff --git a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt index b501baecf2..a311ff9f81 100644 --- a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt @@ -57,14 +57,4 @@ target_link_libraries(vmlib PUBLIC ${REQUIRED_LLVM_LIBS}) add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc) target_link_libraries(wasm_mutator_fuzz PRIVATE vmlib m) -if(NOT IN_OSS_FUZZ) - message(STATUS "Enable ASan and UBSan in non-oss-fuzz environment for vmlib") - target_compile_options(vmlib PUBLIC - -fprofile-instr-generate -fcoverage-mapping - -fno-sanitize-recover=all - -fsanitize=address,undefined - -fsanitize=float-divide-by-zero,unsigned-integer-overflow,local-bounds,nullability - -fno-sanitize=alignment - ) - target_link_options(vmlib PUBLIC -fsanitize=address,undefined -fprofile-instr-generate) -endif() +include(${CMAKE_CURRENT_LIST_DIR}/../sanitizer_flags.cmake) From f1e34d39c41ecd37bc432e09a3c8c92829f94adb Mon Sep 17 00:00:00 2001 From: "liang.he@intel.com" Date: Fri, 16 Jan 2026 14:52:01 +0800 Subject: [PATCH 2/8] fix: ensure proper definition checks for build options in CMakeLists of wasm-mutator --- build-scripts/unsupported_combination.cmake | 1 - .../wasm-mutator/CMakeLists.txt | 23 +++++++++++-------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/build-scripts/unsupported_combination.cmake b/build-scripts/unsupported_combination.cmake index 50c56fc822..4284be32bf 100644 --- a/build-scripts/unsupported_combination.cmake +++ b/build-scripts/unsupported_combination.cmake @@ -61,7 +61,6 @@ endfunction() # Below are the unsupported combinations checks # Please keep this list in sync with tests/unit/unsupported-features/CMakeLists.txt # and tests/wamr-test-suites/test_wamr.sh -cmake_print_variables(WAMR_BUILD_INTERP WAMR_BUILD_FAST_INTERP WAMR_BUILD_JIT WAMR_BUILD_EXCE_HANDLING) if(WAMR_BUILD_EXCE_HANDLING EQUAL 1) check_aot_mode_error("Unsupported build configuration: EXCE_HANDLING + AOT") diff --git a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt index a311ff9f81..3693a6e0b7 100644 --- a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt @@ -6,43 +6,46 @@ if(CUSTOM_MUTATOR EQUAL 1) endif() # Set default build options with the ability to override from the command line -if(NOT WAMR_BUILD_INTERP) +if(NOT DEFINED WAMR_BUILD_INTERP) set(WAMR_BUILD_INTERP 1) endif() -if(NOT WAMR_BUILD_AOT) +if(NOT DEFINED WAMR_BUILD_AOT) set(WAMR_BUILD_AOT 1) endif() -if(NOT WAMR_BUILD_JIT) +if(NOT DEFINED WAMR_BUILD_JIT) set(WAMR_BUILD_JIT 0) endif() -if(NOT WAMR_BUILD_LIBC_BUILTIN) +if(NOT DEFINED WAMR_BUILD_LIBC_BUILTIN) set(WAMR_BUILD_LIBC_BUILTIN 0) endif() -if(NOT WAMR_BUILD_LIBC_WASI) +if(NOT DEFINED WAMR_BUILD_LIBC_WASI) set(WAMR_BUILD_LIBC_WASI 1) endif() -if(NOT WAMR_BUILD_FAST_INTERP) +if(NOT DEFINED WAMR_BUILD_FAST_INTERP) set(WAMR_BUILD_FAST_INTERP 1) endif() -if(NOT WAMR_BUILD_MULTI_MODULE) +if(NOT DEFINED WAMR_BUILD_MULTI_MODULE) set(WAMR_BUILD_MULTI_MODULE 0) endif() -if(NOT WAMR_BUILD_LIB_PTHREAD) +if(NOT DEFINED WAMR_BUILD_LIB_PTHREAD) set(WAMR_BUILD_LIB_PTHREAD 0) endif() -if(NOT WAMR_BUILD_MINI_LOADER) +if(NOT DEFINED WAMR_BUILD_MINI_LOADER) set(WAMR_BUILD_MINI_LOADER 0) endif() -set(WAMR_BUILD_SIMD 1) +if(NOT DEFINED WAMR_BUILD_SIMD) + set(WAMR_BUILD_SIMD 1) +endif() + set(WAMR_BUILD_REF_TYPES 1) set(WAMR_BUILD_GC 1) From 7fe2d3b33cd0ffc1d33cf9b0918c2002f0b40150 Mon Sep 17 00:00:00 2001 From: "liang.he@intel.com" Date: Fri, 16 Jan 2026 17:02:39 +0800 Subject: [PATCH 3/8] optimize how to involve sanitizer flags --- tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt | 32 ++++++++++--------- .../aot-compiler/CMakeLists.txt | 2 -- .../wasm-mutator/CMakeLists.txt | 2 -- 3 files changed, 17 insertions(+), 19 deletions(-) diff --git a/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt index 500ad8fe3c..50f7241cbb 100644 --- a/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt @@ -172,21 +172,23 @@ set(IWASM_DIR ${REPO_ROOT_DIR}/core/iwasm) # Global setting add_compile_options(-Wno-unused-command-line-argument) -# Enable fuzzer -add_definitions(-DWASM_ENABLE_FUZZ_TEST=1) -# '-fsanitize=vptr' not allowed with '-fno-rtti -# But, LLVM by default, disables the use of `rtti` in the compiler -add_compile_options(-fsanitize=fuzzer -fno-sanitize=vptr) -add_link_options(-fsanitize=fuzzer -fno-sanitize=vptr) - -# Enable sanitizers if not in oss-fuzz environment -set(CFLAGS_ENV $ENV{CFLAGS}) -string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" FUZZ_POS) -if (FUZZ_POS GREATER -1) - set(IN_OSS_FUZZ 1) -else() - set(IN_OSS_FUZZ 0) -endif() +# # Enable fuzzer +# add_definitions(-DWASM_ENABLE_FUZZ_TEST=1) +# # '-fsanitize=vptr' not allowed with '-fno-rtti +# # But, LLVM by default, disables the use of `rtti` in the compiler +# add_compile_options(-fsanitize=fuzzer -fno-sanitize=vptr) +# add_link_options(-fsanitize=fuzzer -fno-sanitize=vptr) + +# # Enable sanitizers if not in oss-fuzz environment +# set(CFLAGS_ENV $ENV{CFLAGS}) +# string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" FUZZ_POS) +# if (FUZZ_POS GREATER -1) +# set(IN_OSS_FUZZ 1) +# else() +# set(IN_OSS_FUZZ 0) +# endif() + +# include(${CMAKE_CURRENT_LIST_DIR}/../sanitizer_flags.cmake) add_subdirectory(aot-compiler) add_subdirectory(wasm-mutator) diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt index bb759771d7..527a47b4ee 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt @@ -69,5 +69,3 @@ target_link_libraries(aotclib PUBLIC ${REQUIRED_LLVM_LIBS}) add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc) target_link_libraries(aot_compiler_fuzz PRIVATE stdc++ aotclib) - -include(${CMAKE_CURRENT_LIST_DIR}/../sanitizer_flags.cmake) diff --git a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt index 3693a6e0b7..dc1febb529 100644 --- a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt @@ -59,5 +59,3 @@ target_link_libraries(vmlib PUBLIC ${REQUIRED_LLVM_LIBS}) add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc) target_link_libraries(wasm_mutator_fuzz PRIVATE vmlib m) - -include(${CMAKE_CURRENT_LIST_DIR}/../sanitizer_flags.cmake) From 84a32739be4165fa4a574b3bf87685444c7e009a Mon Sep 17 00:00:00 2001 From: "liang.he@intel.com" Date: Fri, 16 Jan 2026 18:03:52 +0800 Subject: [PATCH 4/8] fix: update LLVM branch and refine sanitizer flags in CMake configurations --- build-scripts/build_llvm.py | 2 +- tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt | 30 ++++++++----------- .../wasm-mutator-fuzz/sanitizer_flags.cmake | 5 ++++ 3 files changed, 19 insertions(+), 18 deletions(-) diff --git a/build-scripts/build_llvm.py b/build-scripts/build_llvm.py index 3d241355b4..68ef640e39 100755 --- a/build-scripts/build_llvm.py +++ b/build-scripts/build_llvm.py @@ -304,7 +304,7 @@ def main(): "default": { "repo": "https://github.com/llvm/llvm-project.git", "repo_ssh": "git@github.com:llvm/llvm-project.git", - "branch": "release/18.x", + "branch": "llvmorg-18.1.8", }, } diff --git a/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt index 50f7241cbb..de0f6aebb8 100644 --- a/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt @@ -172,23 +172,19 @@ set(IWASM_DIR ${REPO_ROOT_DIR}/core/iwasm) # Global setting add_compile_options(-Wno-unused-command-line-argument) -# # Enable fuzzer -# add_definitions(-DWASM_ENABLE_FUZZ_TEST=1) -# # '-fsanitize=vptr' not allowed with '-fno-rtti -# # But, LLVM by default, disables the use of `rtti` in the compiler -# add_compile_options(-fsanitize=fuzzer -fno-sanitize=vptr) -# add_link_options(-fsanitize=fuzzer -fno-sanitize=vptr) - -# # Enable sanitizers if not in oss-fuzz environment -# set(CFLAGS_ENV $ENV{CFLAGS}) -# string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" FUZZ_POS) -# if (FUZZ_POS GREATER -1) -# set(IN_OSS_FUZZ 1) -# else() -# set(IN_OSS_FUZZ 0) -# endif() - -# include(${CMAKE_CURRENT_LIST_DIR}/../sanitizer_flags.cmake) +# Enable sanitizers if not in oss-fuzz environment +set(CFLAGS_ENV $ENV{CFLAGS}) + string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" FUZZ_POS) +if (FUZZ_POS GREATER -1) + set(IN_OSS_FUZZ 1) +else() + set(IN_OSS_FUZZ 0) +endif() + +# Enable fuzzer +add_definitions(-DWASM_ENABLE_FUZZ_TEST=1) + +include(${CMAKE_CURRENT_LIST_DIR}/sanitizer_flags.cmake) add_subdirectory(aot-compiler) add_subdirectory(wasm-mutator) diff --git a/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake b/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake index 385bb5a0f2..3c7e767955 100644 --- a/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake +++ b/tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake @@ -23,3 +23,8 @@ endif() if(CMAKE_C_COMPILER_ID MATCHES ".*Clang") add_compile_options(-fno-sanitize=unsigned-integer-overflow) endif() + +# '-fsanitize=vptr' not allowed with '-fno-rtti +# But, LLVM by default, disables the use of `rtti` in the compiler +add_compile_options(-fsanitize=fuzzer -fno-sanitize=vptr) +add_link_options(-fsanitize=fuzzer -fno-sanitize=vptr) From e41465dedeec53a7b4e33996e53ba3524ce3b4dc Mon Sep 17 00:00:00 2001 From: "liang.he@intel.com" Date: Mon, 19 Jan 2026 10:41:32 +0800 Subject: [PATCH 5/8] fix: add requests package to development requirements --- .devcontainer/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.devcontainer/requirements.txt b/.devcontainer/requirements.txt index f8473e2729..a8ed4b65d6 100644 --- a/.devcontainer/requirements.txt +++ b/.devcontainer/requirements.txt @@ -2,3 +2,4 @@ black nose pycparser pylint +requests From c6adf0ea130b20fe05a3ec8a5a7a2c775fb70ae9 Mon Sep 17 00:00:00 2001 From: "liang.he@intel.com" Date: Mon, 19 Jan 2026 15:44:49 +0800 Subject: [PATCH 6/8] fix: update AOT compiler configuration and enhance error handling in fuzz tests --- .../aot-compiler/CMakeLists.txt | 6 ---- .../aot-compiler/aot_compiler_fuzz.cc | 29 +++++++++++++++++++ 2 files changed, 29 insertions(+), 6 deletions(-) diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt index 527a47b4ee..23e30aed12 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt @@ -1,12 +1,6 @@ # Copyright (C) 2025 Intel Corporation. All rights reserved. # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception -# Set default build options with the ability to override from the command line -if(NOT WAMR_BUILD_INTERP) - set(WAMR_BUILD_INTERP 1) -endif() - -set(WAMR_BUILD_WAMR_COMPILER 1) set(WAMR_BUILD_AOT 0) set(WAMR_BUILD_INTERP 1) set(WAMR_BUILD_JIT 0) diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc index c8ec4c0d52..69f67edf9e 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc @@ -31,6 +31,10 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) AOTCompOption option = { 0 }; aot_comp_data_t comp_data = NULL; aot_comp_context_t comp_ctx = NULL; + uint8 *aot_file_buf = NULL; + uint32 aot_file_size = 0; + wasm_module_t aot_module = NULL; + wasm_module_inst_t inst = NULL; /* libfuzzer don't allow to modify the given Data, so make a copy here */ std::vector myData(Data, Data + Size); @@ -78,6 +82,31 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) goto DESTROY_COMP_CTX; } + aot_file_buf = aot_emit_aot_file_buf(comp_ctx, comp_data, &aot_file_size); + if (!aot_file_buf) { + handle_aot_recent_error("[EMITTING AOT FILE]"); + goto DESTROY_COMP_CTX; + } + + aot_module = + wasm_runtime_load(aot_file_buf, aot_file_size, error_buf, 128); + if (!aot_module) { + std::cout << "[LOADING AOT MODULE] " << error_buf << std::endl; + goto RELEASE_AOT_FILE_BUF; + } + + inst = wasm_runtime_instantiate(aot_module, 1024*8, 0, error_buf, 128); + if (!inst) { + std::cout << "[INSTANTIATING AOT MODULE] " << error_buf << std::endl; + goto UNLOAD_AOT_MODULE; + } + +DEINSTANTIZE_AOT_MODULE: + wasm_runtime_deinstantiate(inst); +UNLOAD_AOT_MODULE: + wasm_runtime_unload(aot_module); +RELEASE_AOT_FILE_BUF: + wasm_runtime_free(aot_file_buf); DESTROY_COMP_CTX: aot_destroy_comp_context(comp_ctx); DESTROY_COMP_DATA: From 5797660e9d8a5837a83a140081c7cd5e45b6ef17 Mon Sep 17 00:00:00 2001 From: lum1n0us Date: Sun, 15 Feb 2026 19:04:14 +0800 Subject: [PATCH 7/8] fix: enhance AOT execution by adding support for predefined values and improving argument printing --- .../aot-compiler/aot_compiler_fuzz.cc | 146 ++++++++++++++++++ .../wasm-mutator/CMakeLists.txt | 3 +- 2 files changed, 148 insertions(+), 1 deletion(-) diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc index 69f67edf9e..e956c996bb 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc @@ -23,6 +23,150 @@ handle_aot_recent_error(const char *tag) std::cout << tag << " " << error << std::endl; } +static bool +is_supported_val_kind(wasm_valkind_t kind) +{ + return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32 + || kind == WASM_F64 || kind == WASM_EXTERNREF + || kind == WASM_FUNCREF; +} + +static wasm_val_t +pre_defined_val(wasm_valkind_t kind) +{ + if (kind == WASM_I32) { + return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } }; + } + else if (kind == WASM_I64) { + return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } }; + } + else if (kind == WASM_F32) { + return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } }; + } + else if (kind == WASM_F64) { + return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } }; + } + else if (kind == WASM_EXTERNREF) { + return wasm_val_t{ .kind = WASM_EXTERNREF, + .of = { .foreign = 0xabcddead } }; + } + // because aft is_supported_val_kind() check, so we can safely return as + // WASM_FUNCREF + else { + return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } }; + } +} +void +print_execution_args(const wasm_export_t &export_type, + const std::vector &args, unsigned param_count) +{ + std::cout << "[EXECUTION] " << export_type.name << "("; + for (unsigned p_i = 0; p_i < param_count; p_i++) { + if (p_i != 0) { + std::cout << ", "; + } + + switch (args[p_i].kind) { + case WASM_I32: + std::cout << "i32:" << args[p_i].of.i32; + break; + case WASM_I64: + std::cout << "i64:" << args[p_i].of.i64; + break; + case WASM_F32: + std::cout << "f32:" << args[p_i].of.f32; + break; + case WASM_F64: + std::cout << "f64:" << args[p_i].of.f64; + break; + case WASM_EXTERNREF: + std::cout << "externref:" << args[p_i].of.foreign; + break; + default: + // because aft is_supported_val_kind() check, so we can safely + // return as WASM_FUNCREF + std::cout << "funcref:" << args[p_i].of.ref; + break; + } + } + std::cout << ")" << std::endl; +} + +static bool +execute_export_functions(wasm_module_t module, wasm_module_inst_t inst) +{ + int32_t export_count = wasm_runtime_get_export_count(module); + + for (int e_i = 0; e_i < export_count; e_i++) { + wasm_export_t export_type = { 0 }; + wasm_runtime_get_export_type(module, e_i, &export_type); + + if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) { + continue; + } + + wasm_function_inst_t func = + wasm_runtime_lookup_function(inst, export_type.name); + if (!func) { + std::cout << "Failed to lookup function: " << export_type.name + << std::endl; + continue; + } + + wasm_func_type_t func_type = export_type.u.func_type; + uint32_t param_count = wasm_func_type_get_param_count(func_type); + + /* build arguments */ + std::vector args; + for (unsigned p_i = 0; p_i < param_count; p_i++) { + wasm_valkind_t param_type = + wasm_func_type_get_param_valkind(func_type, p_i); + + if (!is_supported_val_kind(param_type)) { + std::cout + << "Bypass execution because of unsupported value kind: " + << param_type << std::endl; + return true; + } + + wasm_val_t arg = pre_defined_val(param_type); + args.push_back(arg); + } + + /* build results storage */ + uint32_t result_count = wasm_func_type_get_result_count(func_type); + std::vector results = std::vector(result_count); + + print_execution_args(export_type, args, param_count); + + /* execute the function */ + wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst); + if (!exec_env) { + std::cout << "Failed to get exec env" << std::endl; + return false; + } + + bool ret = + wasm_runtime_call_wasm_a(exec_env, func, result_count, + results.data(), param_count, args.data()); + if (!ret) { + const char *exception = wasm_runtime_get_exception(inst); + if (!exception) { + std::cout << "[EXECUTION] " << export_type.name + << "() failed. No exception info." << std::endl; + } + else { + std::cout << "[EXECUTION] " << export_type.name << "() failed. " + << exception << std::endl; + } + } + + wasm_runtime_clear_exception(inst); + } + + return true; +} + extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { @@ -101,6 +245,8 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) goto UNLOAD_AOT_MODULE; } + execute_export_functions(module, inst); + DEINSTANTIZE_AOT_MODULE: wasm_runtime_deinstantiate(inst); UNLOAD_AOT_MODULE: diff --git a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt index dc1febb529..3790963b38 100644 --- a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt @@ -47,7 +47,8 @@ if(NOT DEFINED WAMR_BUILD_SIMD) endif() set(WAMR_BUILD_REF_TYPES 1) -set(WAMR_BUILD_GC 1) +# disable it since it is not fully supported +set(WAMR_BUILD_GC 0) include(${REPO_ROOT_DIR}/build-scripts/runtime_lib.cmake) include(${REPO_ROOT_DIR}/core/shared/utils/uncommon/shared_uncommon.cmake) From b182bed225aab19b8783ebed671cc6148dada875 Mon Sep 17 00:00:00 2001 From: lum1n0us Date: Mon, 16 Feb 2026 09:24:58 +0800 Subject: [PATCH 8/8] fix: refactor AOT fuzz testing by consolidating common functions and improving argument handling --- build-scripts/config_common.cmake | 3 +- .../aot-compiler/CMakeLists.txt | 3 +- .../aot-compiler/aot_compiler_fuzz.cc | 165 ++------------ .../wasm-mutator-fuzz/common/fuzzer_common.cc | 142 +++++++++++++ .../wasm-mutator-fuzz/common/fuzzer_common.h | 77 +++++++ .../wasm-mutator/CMakeLists.txt | 3 +- .../wasm-mutator/wasm_mutator_fuzz.cc | 201 ++---------------- 7 files changed, 259 insertions(+), 335 deletions(-) create mode 100644 tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc create mode 100644 tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.h diff --git a/build-scripts/config_common.cmake b/build-scripts/config_common.cmake index 8a608eb0fe..234578d306 100644 --- a/build-scripts/config_common.cmake +++ b/build-scripts/config_common.cmake @@ -196,7 +196,8 @@ if (NOT WAMR_BUILD_SANITIZER STREQUAL "") message(FATAL_ERROR "Unsupported sanitizers: ${INVALID_SANITIZERS}") endif() # common flags for all sanitizers - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment") + # clang: warning: the object size sanitizer has no effect at -O0, but is explicitly enabled ... [-Winvalid-command-line-argument] + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O1 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment") if(CMAKE_C_COMPILER_ID MATCHES ".*Clang") set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-sanitize=unsigned-integer-overflow") endif() diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt index 23e30aed12..120902dafc 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt @@ -61,5 +61,6 @@ target_link_directories(aotclib PUBLIC ${LLVM_LIBRARY_DIR}) target_link_libraries(aotclib PUBLIC ${REQUIRED_LLVM_LIBS}) -add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc) +add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc ../common/fuzzer_common.cc) +target_include_directories(aot_compiler_fuzz PRIVATE ../common) target_link_libraries(aot_compiler_fuzz PRIVATE stdc++ aotclib) diff --git a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc index e956c996bb..6c0d62d0d2 100644 --- a/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc +++ b/tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc @@ -11,6 +11,7 @@ #include "aot_export.h" #include "wasm_export.h" #include "bh_read_file.h" +#include "../common/fuzzer_common.h" static void handle_aot_recent_error(const char *tag) @@ -23,155 +24,11 @@ handle_aot_recent_error(const char *tag) std::cout << tag << " " << error << std::endl; } -static bool -is_supported_val_kind(wasm_valkind_t kind) -{ - return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32 - || kind == WASM_F64 || kind == WASM_EXTERNREF - || kind == WASM_FUNCREF; -} - -static wasm_val_t -pre_defined_val(wasm_valkind_t kind) -{ - if (kind == WASM_I32) { - return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } }; - } - else if (kind == WASM_I64) { - return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } }; - } - else if (kind == WASM_F32) { - return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } }; - } - else if (kind == WASM_F64) { - return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } }; - } - else if (kind == WASM_EXTERNREF) { - return wasm_val_t{ .kind = WASM_EXTERNREF, - .of = { .foreign = 0xabcddead } }; - } - // because aft is_supported_val_kind() check, so we can safely return as - // WASM_FUNCREF - else { - return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } }; - } -} -void -print_execution_args(const wasm_export_t &export_type, - const std::vector &args, unsigned param_count) -{ - std::cout << "[EXECUTION] " << export_type.name << "("; - for (unsigned p_i = 0; p_i < param_count; p_i++) { - if (p_i != 0) { - std::cout << ", "; - } - - switch (args[p_i].kind) { - case WASM_I32: - std::cout << "i32:" << args[p_i].of.i32; - break; - case WASM_I64: - std::cout << "i64:" << args[p_i].of.i64; - break; - case WASM_F32: - std::cout << "f32:" << args[p_i].of.f32; - break; - case WASM_F64: - std::cout << "f64:" << args[p_i].of.f64; - break; - case WASM_EXTERNREF: - std::cout << "externref:" << args[p_i].of.foreign; - break; - default: - // because aft is_supported_val_kind() check, so we can safely - // return as WASM_FUNCREF - std::cout << "funcref:" << args[p_i].of.ref; - break; - } - } - std::cout << ")" << std::endl; -} - -static bool -execute_export_functions(wasm_module_t module, wasm_module_inst_t inst) -{ - int32_t export_count = wasm_runtime_get_export_count(module); - - for (int e_i = 0; e_i < export_count; e_i++) { - wasm_export_t export_type = { 0 }; - wasm_runtime_get_export_type(module, e_i, &export_type); - - if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) { - continue; - } - - wasm_function_inst_t func = - wasm_runtime_lookup_function(inst, export_type.name); - if (!func) { - std::cout << "Failed to lookup function: " << export_type.name - << std::endl; - continue; - } - - wasm_func_type_t func_type = export_type.u.func_type; - uint32_t param_count = wasm_func_type_get_param_count(func_type); - - /* build arguments */ - std::vector args; - for (unsigned p_i = 0; p_i < param_count; p_i++) { - wasm_valkind_t param_type = - wasm_func_type_get_param_valkind(func_type, p_i); - - if (!is_supported_val_kind(param_type)) { - std::cout - << "Bypass execution because of unsupported value kind: " - << param_type << std::endl; - return true; - } - - wasm_val_t arg = pre_defined_val(param_type); - args.push_back(arg); - } - - /* build results storage */ - uint32_t result_count = wasm_func_type_get_result_count(func_type); - std::vector results = std::vector(result_count); - - print_execution_args(export_type, args, param_count); - - /* execute the function */ - wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst); - if (!exec_env) { - std::cout << "Failed to get exec env" << std::endl; - return false; - } - - bool ret = - wasm_runtime_call_wasm_a(exec_env, func, result_count, - results.data(), param_count, args.data()); - if (!ret) { - const char *exception = wasm_runtime_get_exception(inst); - if (!exception) { - std::cout << "[EXECUTION] " << export_type.name - << "() failed. No exception info." << std::endl; - } - else { - std::cout << "[EXECUTION] " << export_type.name << "() failed. " - << exception << std::endl; - } - } - - wasm_runtime_clear_exception(inst); - } - - return true; -} - extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { wasm_module_t module = NULL; - char error_buf[128] = { 0 }; + char error_buf[ERROR_BUF_SIZE] = { 0 }; AOTCompOption option = { 0 }; aot_comp_data_t comp_data = NULL; aot_comp_context_t comp_ctx = NULL; @@ -180,18 +37,19 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) wasm_module_t aot_module = NULL; wasm_module_inst_t inst = NULL; - /* libfuzzer don't allow to modify the given Data, so make a copy here */ - std::vector myData(Data, Data + Size); - + /* libfuzzer don't allow to modify the given Data, but get_package_type and + * wasm_runtime_load only read the data, so we can safely use const_cast */ if (Size >= 4 - && get_package_type(myData.data(), Size) != Wasm_Module_Bytecode) { + && get_package_type(const_cast(Data), Size) + != Wasm_Module_Bytecode) { printf("Invalid wasm file: magic header not detected\n"); return 0; } wasm_runtime_init(); - module = wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120); + module = wasm_runtime_load(const_cast(Data), Size, error_buf, + MAX_ERROR_BUF_SIZE); if (!module) { std::cout << "[LOADING] " << error_buf << std::endl; goto DESTROY_RUNTIME; @@ -232,14 +90,15 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) goto DESTROY_COMP_CTX; } - aot_module = - wasm_runtime_load(aot_file_buf, aot_file_size, error_buf, 128); + aot_module = wasm_runtime_load(aot_file_buf, aot_file_size, error_buf, + ERROR_BUF_SIZE); if (!aot_module) { std::cout << "[LOADING AOT MODULE] " << error_buf << std::endl; goto RELEASE_AOT_FILE_BUF; } - inst = wasm_runtime_instantiate(aot_module, 1024*8, 0, error_buf, 128); + inst = wasm_runtime_instantiate(aot_module, 1024 * 8, 0, error_buf, + ERROR_BUF_SIZE); if (!inst) { std::cout << "[INSTANTIATING AOT MODULE] " << error_buf << std::endl; goto UNLOAD_AOT_MODULE; diff --git a/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc b/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc new file mode 100644 index 0000000000..6e373dbd73 --- /dev/null +++ b/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc @@ -0,0 +1,142 @@ +// Copyright (C) 2025 Intel Corporation. All rights reserved. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +#include "fuzzer_common.h" +#include + +void +print_execution_args(const wasm_export_t &export_type, + const std::vector &args, unsigned param_count) +{ + std::cout << "[EXECUTION] " << export_type.name << "("; + for (unsigned p_i = 0; p_i < param_count; p_i++) { + if (p_i != 0) { + std::cout << ", "; + } + + switch (args[p_i].kind) { + case WASM_I32: + std::cout << "i32:" << args[p_i].of.i32; + break; + case WASM_I64: + std::cout << "i64:" << args[p_i].of.i64; + break; + case WASM_F32: + std::cout << "f32:" << args[p_i].of.f32; + break; + case WASM_F64: + std::cout << "f64:" << args[p_i].of.f64; + break; + case WASM_EXTERNREF: + std::cout << "externref:" << args[p_i].of.foreign; + break; + default: + // because aft is_supported_val_kind() check, so we can safely + // return as WASM_FUNCREF + std::cout << "funcref:" << args[p_i].of.ref; + break; + } + } + std::cout << ")" << std::endl; +} + +bool +execute_export_functions(wasm_module_t module, wasm_module_inst_t inst) +{ + int32_t export_count = wasm_runtime_get_export_count(module); + + for (int e_i = 0; e_i < export_count; e_i++) { + wasm_export_t export_type = { 0 }; + wasm_runtime_get_export_type(module, e_i, &export_type); + + if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) { + continue; + } + + wasm_function_inst_t func = + wasm_runtime_lookup_function(inst, export_type.name); + if (!func) { + std::cout << "Failed to lookup function: " << export_type.name + << std::endl; + continue; + } + + wasm_func_type_t func_type = export_type.u.func_type; + uint32_t param_count = wasm_func_type_get_param_count(func_type); + + /* build arguments with capacity reservation */ + std::vector args; + args.reserve(param_count); // Optimization: prevent reallocations + for (unsigned p_i = 0; p_i < param_count; p_i++) { + wasm_valkind_t param_type = + wasm_func_type_get_param_valkind(func_type, p_i); + + if (!is_supported_val_kind(param_type)) { + std::cout + << "Bypass execution because of unsupported value kind: " + << param_type << std::endl; + return true; + } + + wasm_val_t arg = pre_defined_val(param_type); + args.push_back(arg); + } + + /* build results storage */ + uint32_t result_count = wasm_func_type_get_result_count(func_type); + std::vector results( + result_count); // Optimization: direct initialization + + print_execution_args(export_type, args, param_count); + + /* execute the function */ + wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst); + if (!exec_env) { + std::cout << "Failed to get exec env" << std::endl; + return false; + } + + bool ret = + wasm_runtime_call_wasm_a(exec_env, func, result_count, + results.data(), param_count, args.data()); + if (!ret) { + const char *exception = wasm_runtime_get_exception(inst); + if (!exception) { + std::cout << "[EXECUTION] " << export_type.name + << "() failed. No exception info." << std::endl; + } + else { + std::cout << "[EXECUTION] " << export_type.name << "() failed. " + << exception << std::endl; + } + } + + wasm_runtime_clear_exception(inst); + } + + return true; +} + +void +report_fuzzer_error(FuzzerErrorPhase phase, const char *message) +{ + const char *phase_name = ""; + switch (phase) { + case FuzzerErrorPhase::LOADING: + phase_name = "LOADING"; + break; + case FuzzerErrorPhase::INSTANTIATING: + phase_name = "INSTANTIATING"; + break; + case FuzzerErrorPhase::COMPILING: + phase_name = "COMPILING"; + break; + case FuzzerErrorPhase::EXECUTION: + phase_name = "EXECUTION"; + break; + case FuzzerErrorPhase::CLEANUP: + phase_name = "CLEANUP"; + break; + } + std::cout << "[" << phase_name << "] " << message << std::endl; +} \ No newline at end of file diff --git a/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.h b/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.h new file mode 100644 index 0000000000..365562c901 --- /dev/null +++ b/tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.h @@ -0,0 +1,77 @@ +// Copyright (C) 2025 Intel Corporation. All rights reserved. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +#ifndef FUZZER_COMMON_H +#define FUZZER_COMMON_H + +#include "wasm_export.h" +#include +#include + +// Constants for consistent buffer sizes +constexpr size_t ERROR_BUF_SIZE = 128; +constexpr size_t MAX_ERROR_BUF_SIZE = 120; // Used in wasm_runtime_load + +// Error phases for consistent reporting +enum class FuzzerErrorPhase { + LOADING, + INSTANTIATING, + COMPILING, + EXECUTION, + CLEANUP +}; + +// Small inline helper functions + +// Check if a value kind is supported by the fuzzer +static inline bool +is_supported_val_kind(wasm_valkind_t kind) +{ + return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32 + || kind == WASM_F64 || kind == WASM_EXTERNREF + || kind == WASM_FUNCREF; +} + +// Generate a predefined value for a given value kind +static inline wasm_val_t +pre_defined_val(wasm_valkind_t kind) +{ + if (kind == WASM_I32) { + return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } }; + } + else if (kind == WASM_I64) { + return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } }; + } + else if (kind == WASM_F32) { + return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } }; + } + else if (kind == WASM_F64) { + return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } }; + } + else if (kind == WASM_EXTERNREF) { + return wasm_val_t{ .kind = WASM_EXTERNREF, + .of = { .foreign = 0xabcddead } }; + } + // because aft is_supported_val_kind() check, so we can safely return as + // WASM_FUNCREF + else { + return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } }; + } +} + +// Function declarations (implemented in fuzzer_common.cc) + +// Print execution arguments for debugging +void +print_execution_args(const wasm_export_t &export_type, + const std::vector &args, unsigned param_count); + +// Execute all export functions in a module +bool +execute_export_functions(wasm_module_t module, wasm_module_inst_t inst); + +// Helper for consistent error reporting +void +report_fuzzer_error(FuzzerErrorPhase phase, const char *message); + +#endif // FUZZER_COMMON_H \ No newline at end of file diff --git a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt index 3790963b38..e33b1826e8 100644 --- a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt +++ b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt @@ -58,5 +58,6 @@ target_include_directories(vmlib PUBLIC ${RUNTIME_LIB_HEADER_LIST}) target_link_directories(vmlib PUBLIC ${RUNTIME_LIB_LINK_LIST}) target_link_libraries(vmlib PUBLIC ${REQUIRED_LLVM_LIBS}) -add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc) +add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc ../common/fuzzer_common.cc) +target_include_directories(wasm_mutator_fuzz PRIVATE ../common) target_link_libraries(wasm_mutator_fuzz PRIVATE vmlib m) diff --git a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/wasm_mutator_fuzz.cc b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/wasm_mutator_fuzz.cc index 391d899cf4..233e1e1c3b 100644 --- a/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/wasm_mutator_fuzz.cc +++ b/tests/fuzz/wasm-mutator-fuzz/wasm-mutator/wasm_mutator_fuzz.cc @@ -10,166 +10,21 @@ #include #include #include +#include "../common/fuzzer_common.h" using namespace std; -static bool -is_supported_val_kind(wasm_valkind_t kind) -{ - return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32 - || kind == WASM_F64 || kind == WASM_EXTERNREF - || kind == WASM_FUNCREF; -} - -static wasm_val_t -pre_defined_val(wasm_valkind_t kind) -{ - if (kind == WASM_I32) { - return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } }; - } - else if (kind == WASM_I64) { - return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } }; - } - else if (kind == WASM_F32) { - return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } }; - } - else if (kind == WASM_F64) { - return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } }; - } - else if (kind == WASM_EXTERNREF) { - return wasm_val_t{ .kind = WASM_EXTERNREF, - .of = { .foreign = 0xabcddead } }; - } - // because aft is_supported_val_kind() check, so we can safely return as - // WASM_FUNCREF - else { - return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } }; - } -} -void -print_execution_args(const wasm_export_t &export_type, - const std::vector &args, unsigned param_count) -{ - std::cout << "[EXECUTION] " << export_type.name << "("; - for (unsigned p_i = 0; p_i < param_count; p_i++) { - if (p_i != 0) { - std::cout << ", "; - } - - switch (args[p_i].kind) { - case WASM_I32: - std::cout << "i32:" << args[p_i].of.i32; - break; - case WASM_I64: - std::cout << "i64:" << args[p_i].of.i64; - break; - case WASM_F32: - std::cout << "f32:" << args[p_i].of.f32; - break; - case WASM_F64: - std::cout << "f64:" << args[p_i].of.f64; - break; - case WASM_EXTERNREF: - std::cout << "externref:" << args[p_i].of.foreign; - break; - default: - // because aft is_supported_val_kind() check, so we can safely - // return as WASM_FUNCREF - std::cout << "funcref:" << args[p_i].of.ref; - break; - } - } - std::cout << ")" << std::endl; -} - -static bool -execute_export_functions(wasm_module_t module, wasm_module_inst_t inst) -{ - int32_t export_count = wasm_runtime_get_export_count(module); - - for (int e_i = 0; e_i < export_count; e_i++) { - wasm_export_t export_type = { 0 }; - wasm_runtime_get_export_type(module, e_i, &export_type); - - if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) { - continue; - } - - wasm_function_inst_t func = - wasm_runtime_lookup_function(inst, export_type.name); - if (!func) { - std::cout << "Failed to lookup function: " << export_type.name - << std::endl; - continue; - } - - wasm_func_type_t func_type = export_type.u.func_type; - uint32_t param_count = wasm_func_type_get_param_count(func_type); - - /* build arguments */ - std::vector args; - for (unsigned p_i = 0; p_i < param_count; p_i++) { - wasm_valkind_t param_type = - wasm_func_type_get_param_valkind(func_type, p_i); - - if (!is_supported_val_kind(param_type)) { - std::cout - << "Bypass execution because of unsupported value kind: " - << param_type << std::endl; - return true; - } - - wasm_val_t arg = pre_defined_val(param_type); - args.push_back(arg); - } - - /* build results storage */ - uint32_t result_count = wasm_func_type_get_result_count(func_type); - std::vector results = std::vector(result_count); - - print_execution_args(export_type, args, param_count); - - /* execute the function */ - wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst); - if (!exec_env) { - std::cout << "Failed to get exec env" << std::endl; - return false; - } - - bool ret = - wasm_runtime_call_wasm_a(exec_env, func, result_count, - results.data(), param_count, args.data()); - if (!ret) { - const char *exception = wasm_runtime_get_exception(inst); - if (!exception) { - std::cout << "[EXECUTION] " << export_type.name - << "() failed. No exception info." << std::endl; - } - else { - std::cout << "[EXECUTION] " << export_type.name << "() failed. " - << exception << std::endl; - } - } - - wasm_runtime_clear_exception(inst); - } - - return true; -} - extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - /* libfuzzer don't allow us to modify the given Data, so we copy the data - * here */ - std::vector myData(Data, Data + Size); - + /* libfuzzer don't allow us to modify the given Data, but wasm_runtime_load + * only reads the data, so we can safely use const_cast */ /* init runtime environment */ wasm_runtime_init(); - char error_buf[128] = { 0 }; - wasm_module_t module = - wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120); + char error_buf[ERROR_BUF_SIZE] = { 0 }; + wasm_module_t module = wasm_runtime_load(const_cast(Data), Size, + error_buf, MAX_ERROR_BUF_SIZE); if (!module) { std::cout << "[LOADING] " << error_buf << std::endl; wasm_runtime_destroy(); @@ -177,8 +32,9 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) return 0; } - wasm_module_inst_t inst = wasm_runtime_instantiate( - module, 8 * 1024 * 1024, 16 * 1024 * 1024, error_buf, 120); + wasm_module_inst_t inst = + wasm_runtime_instantiate(module, 8 * 1024 * 1024, 16 * 1024 * 1024, + error_buf, MAX_ERROR_BUF_SIZE); if (!inst) { std::cout << "[INSTANTIATE] " << error_buf << std::endl; wasm_runtime_unload(module); @@ -237,42 +93,29 @@ LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, return LLVMFuzzerMutate(Data, Size, MaxSize); } - /* 3.read modified file */ - int read_len = 0; - int file_len = 0; - int res = 0; - uint8_t *buf = NULL; + /* 3.read modified file using RAII container */ FILE *fread_fp = fopen("./modified.wasm", "rb"); if (NULL == fread_fp) { printf("Faild to open modified.wasm file!\n"); exit(0); } - fseek(fread_fp, 0, SEEK_END); /* location to file end */ - file_len = ftell(fread_fp); /* get file size */ - buf = (uint8_t *)malloc(file_len); + fseek(fread_fp, 0, SEEK_END); /* location to file end */ + long file_len = ftell(fread_fp); /* get file size */ + fseek(fread_fp, 0, SEEK_SET); /* location to file start */ - if (NULL != buf) { - fseek(fread_fp, 0, SEEK_SET); /* location to file start */ - read_len = fread(buf, 1, file_len, fread_fp); - if ((read_len == file_len) && (read_len < MaxSize)) { - /* 4.fill Data buffer */ - memcpy(Data, buf, read_len); - res = read_len; - } - else { - res = 0; - } - } - else { - res = 0; - } - - memset(buf, 0, file_len); - free(buf); + std::vector buf(file_len); + size_t read_len = fread(buf.data(), 1, file_len, fread_fp); fclose(fread_fp); fread_fp = NULL; + int res = 0; + if (read_len == static_cast(file_len) && read_len < MaxSize) { + /* 4.fill Data buffer */ + memcpy(Data, buf.data(), read_len); + res = static_cast(read_len); + } + return res; } else {