bytecodealliance · lum1n0us · Jan 14, 2026 · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026
@@ -2,3 +2,4 @@ black
 nose
 pycparser
 pylint
+requests
@@ -304,7 +304,7 @@ def main():
         "default": {
             "repo": "https://github.com/llvm/llvm-project.git",
             "repo_ssh": "git@github.com:llvm/llvm-project.git",
-            "branch": "release/18.x",
+            "branch": "llvmorg-18.1.8",
         },
     }
 

@@ -196,7 +196,11 @@ if (NOT WAMR_BUILD_SANITIZER STREQUAL "")
     message(FATAL_ERROR "Unsupported sanitizers: ${INVALID_SANITIZERS}")
   endif()
   # common flags for all sanitizers
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 -fno-omit-frame-pointer -fno-sanitize-recover=all")
+  # clang: warning: the object size sanitizer has no effect at -O0, but is explicitly enabled ... [-Winvalid-command-line-argument]
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O1 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment")
+  if(CMAKE_C_COMPILER_ID MATCHES ".*Clang")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-sanitize=unsigned-integer-overflow")
+  endif()
   if(SANITIZER_FLAGS)
     string(REPLACE ";" "," SANITIZER_FLAGS_STR "${SANITIZER_FLAGS}")
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=${SANITIZER_FLAGS_STR}")

@@ -61,7 +61,6 @@ endfunction()
 # Below are the unsupported combinations checks
 # Please keep this list in sync with tests/unit/unsupported-features/CMakeLists.txt
 # and tests/wamr-test-suites/test_wamr.sh
-cmake_print_variables(WAMR_BUILD_INTERP WAMR_BUILD_FAST_INTERP WAMR_BUILD_JIT WAMR_BUILD_EXCE_HANDLING)
 
 if(WAMR_BUILD_EXCE_HANDLING EQUAL 1)
   check_aot_mode_error("Unsupported build configuration: EXCE_HANDLING + AOT")

@@ -172,21 +172,19 @@ set(IWASM_DIR ${REPO_ROOT_DIR}/core/iwasm)
 # Global setting
 add_compile_options(-Wno-unused-command-line-argument)
 
-# Enable fuzzer
-add_definitions(-DWASM_ENABLE_FUZZ_TEST=1)
-# '-fsanitize=vptr' not allowed with '-fno-rtti
-# But, LLVM by default, disables the use of `rtti` in the compiler
-add_compile_options(-fsanitize=fuzzer -fno-sanitize=vptr)
-add_link_options(-fsanitize=fuzzer -fno-sanitize=vptr)
-
 # Enable sanitizers if not in oss-fuzz environment
 set(CFLAGS_ENV $ENV{CFLAGS})
-string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" FUZZ_POS)
+  string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" FUZZ_POS)
 if (FUZZ_POS GREATER -1)
   set(IN_OSS_FUZZ 1)
 else()
   set(IN_OSS_FUZZ 0)
 endif()
 
+# Enable fuzzer
+add_definitions(-DWASM_ENABLE_FUZZ_TEST=1)
+
+include(${CMAKE_CURRENT_LIST_DIR}/sanitizer_flags.cmake)
+
 add_subdirectory(aot-compiler)
 add_subdirectory(wasm-mutator)
@@ -1,12 +1,6 @@
 # Copyright (C) 2025 Intel Corporation. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 
-# Set default build options with the ability to override from the command line
-if(NOT WAMR_BUILD_INTERP)
-  set(WAMR_BUILD_INTERP 1)
-endif()
-
-set(WAMR_BUILD_WAMR_COMPILER 1)
 set(WAMR_BUILD_AOT 0)
 set(WAMR_BUILD_INTERP 1)
 set(WAMR_BUILD_JIT 0)
@@ -67,17 +61,6 @@ target_link_directories(aotclib PUBLIC ${LLVM_LIBRARY_DIR})
 
 target_link_libraries(aotclib PUBLIC ${REQUIRED_LLVM_LIBS})
 
-if(NOT IN_OSS_FUZZ)
-  message(STATUS "Enable ASan and UBSan in non-oss-fuzz environment for aotclib")
-  target_compile_options(aotclib PUBLIC
-    -fprofile-instr-generate -fcoverage-mapping
-    -fno-sanitize-recover=all
-    -fsanitize=address,undefined
-    -fsanitize=float-divide-by-zero,unsigned-integer-overflow,local-bounds,nullability
-    -fno-sanitize=alignment
-  )
-  target_link_options(aotclib PUBLIC -fsanitize=address,undefined -fprofile-instr-generate)
-endif()
-
-add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc)
+add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc ../common/fuzzer_common.cc)
+target_include_directories(aot_compiler_fuzz PRIVATE ../common)
 target_link_libraries(aot_compiler_fuzz PRIVATE stdc++ aotclib)
@@ -11,6 +11,7 @@
 #include "aot_export.h"
 #include "wasm_export.h"
 #include "bh_read_file.h"
+#include "../common/fuzzer_common.h"
 
 static void
 handle_aot_recent_error(const char *tag)
@@ -27,23 +28,28 @@ extern "C" int
 LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {
     wasm_module_t module = NULL;
-    char error_buf[128] = { 0 };
+    char error_buf[ERROR_BUF_SIZE] = { 0 };
     AOTCompOption option = { 0 };
     aot_comp_data_t comp_data = NULL;
     aot_comp_context_t comp_ctx = NULL;
+    uint8 *aot_file_buf = NULL;
+    uint32 aot_file_size = 0;
+    wasm_module_t aot_module = NULL;
+    wasm_module_inst_t inst = NULL;
 
-    /* libfuzzer don't allow to modify the given Data, so make a copy here */
-    std::vector<uint8_t> myData(Data, Data + Size);
-
+    /* libfuzzer don't allow to modify the given Data, but get_package_type and
+     * wasm_runtime_load only read the data, so we can safely use const_cast */
     if (Size >= 4
-        && get_package_type(myData.data(), Size) != Wasm_Module_Bytecode) {
+        && get_package_type(const_cast<uint8_t *>(Data), Size)
+               != Wasm_Module_Bytecode) {
         printf("Invalid wasm file: magic header not detected\n");
         return 0;
     }
 
     wasm_runtime_init();
 
-    module = wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120);
+    module = wasm_runtime_load(const_cast<uint8_t *>(Data), Size, error_buf,
+                               MAX_ERROR_BUF_SIZE);
     if (!module) {
         std::cout << "[LOADING] " << error_buf << std::endl;
         goto DESTROY_RUNTIME;
@@ -78,6 +84,34 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
         goto DESTROY_COMP_CTX;
     }
 
+    aot_file_buf = aot_emit_aot_file_buf(comp_ctx, comp_data, &aot_file_size);
+    if (!aot_file_buf) {
+        handle_aot_recent_error("[EMITTING AOT FILE]");
+        goto DESTROY_COMP_CTX;
+    }
+
+    aot_module = wasm_runtime_load(aot_file_buf, aot_file_size, error_buf,
+                                   ERROR_BUF_SIZE);
+    if (!aot_module) {
+        std::cout << "[LOADING AOT MODULE] " << error_buf << std::endl;
+        goto RELEASE_AOT_FILE_BUF;
+    }
+
+    inst = wasm_runtime_instantiate(aot_module, 1024 * 8, 0, error_buf,
+                                    ERROR_BUF_SIZE);
+    if (!inst) {
+        std::cout << "[INSTANTIATING AOT MODULE] " << error_buf << std::endl;
+        goto UNLOAD_AOT_MODULE;
+    }
+
+    execute_export_functions(module, inst);
+
+DEINSTANTIZE_AOT_MODULE:
+    wasm_runtime_deinstantiate(inst);
+UNLOAD_AOT_MODULE:
+    wasm_runtime_unload(aot_module);
+RELEASE_AOT_FILE_BUF:
+    wasm_runtime_free(aot_file_buf);
 DESTROY_COMP_CTX:
     aot_destroy_comp_context(comp_ctx);
 DESTROY_COMP_DATA:

@@ -0,0 +1,142 @@
+// Copyright (C) 2025 Intel Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#include "fuzzer_common.h"
+#include <iostream>
+
+void
+print_execution_args(const wasm_export_t &export_type,
+                     const std::vector<wasm_val_t> &args, unsigned param_count)
+{
+    std::cout << "[EXECUTION] " << export_type.name << "(";
+    for (unsigned p_i = 0; p_i < param_count; p_i++) {
+        if (p_i != 0) {
+            std::cout << ", ";
+        }
+
+        switch (args[p_i].kind) {
+            case WASM_I32:
+                std::cout << "i32:" << args[p_i].of.i32;
+                break;
+            case WASM_I64:
+                std::cout << "i64:" << args[p_i].of.i64;
+                break;
+            case WASM_F32:
+                std::cout << "f32:" << args[p_i].of.f32;
+                break;
+            case WASM_F64:
+                std::cout << "f64:" << args[p_i].of.f64;
+                break;
+            case WASM_EXTERNREF:
+                std::cout << "externref:" << args[p_i].of.foreign;
+                break;
+            default:
+                // because aft is_supported_val_kind() check, so we can safely
+                // return as WASM_FUNCREF
+                std::cout << "funcref:" << args[p_i].of.ref;
+                break;
+        }
+    }
+    std::cout << ")" << std::endl;
+}
+
+bool
+execute_export_functions(wasm_module_t module, wasm_module_inst_t inst)
+{
+    int32_t export_count = wasm_runtime_get_export_count(module);
+
+    for (int e_i = 0; e_i < export_count; e_i++) {
+        wasm_export_t export_type = { 0 };
+        wasm_runtime_get_export_type(module, e_i, &export_type);
+
+        if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) {
+            continue;
+        }
+
+        wasm_function_inst_t func =
+            wasm_runtime_lookup_function(inst, export_type.name);
+        if (!func) {
+            std::cout << "Failed to lookup function: " << export_type.name
+                      << std::endl;
+            continue;
+        }
+
+        wasm_func_type_t func_type = export_type.u.func_type;
+        uint32_t param_count = wasm_func_type_get_param_count(func_type);
+
+        /* build arguments with capacity reservation */
+        std::vector<wasm_val_t> args;
+        args.reserve(param_count); // Optimization: prevent reallocations
+        for (unsigned p_i = 0; p_i < param_count; p_i++) {
+            wasm_valkind_t param_type =
+                wasm_func_type_get_param_valkind(func_type, p_i);
+
+            if (!is_supported_val_kind(param_type)) {
+                std::cout
+                    << "Bypass execution because of unsupported value kind: "
+                    << param_type << std::endl;
+                return true;
+            }
+
+            wasm_val_t arg = pre_defined_val(param_type);
+            args.push_back(arg);
+        }
+
+        /* build results storage */
+        uint32_t result_count = wasm_func_type_get_result_count(func_type);
+        std::vector<wasm_val_t> results(
+            result_count); // Optimization: direct initialization
+
+        print_execution_args(export_type, args, param_count);
+
+        /* execute the function */
+        wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst);
+        if (!exec_env) {
+            std::cout << "Failed to get exec env" << std::endl;
+            return false;
+        }
+
+        bool ret =
+            wasm_runtime_call_wasm_a(exec_env, func, result_count,
+                                     results.data(), param_count, args.data());
+        if (!ret) {
+            const char *exception = wasm_runtime_get_exception(inst);
+            if (!exception) {
+                std::cout << "[EXECUTION] " << export_type.name
+                          << "() failed. No exception info." << std::endl;
+            }
+            else {
+                std::cout << "[EXECUTION] " << export_type.name << "() failed. "
+                          << exception << std::endl;
+            }
+        }
+
+        wasm_runtime_clear_exception(inst);
+    }
+
+    return true;
+}
+
+void
+report_fuzzer_error(FuzzerErrorPhase phase, const char *message)
+{
+    const char *phase_name = "";
+    switch (phase) {
+        case FuzzerErrorPhase::LOADING:
+            phase_name = "LOADING";
+            break;
+        case FuzzerErrorPhase::INSTANTIATING:
+            phase_name = "INSTANTIATING";
+            break;
+        case FuzzerErrorPhase::COMPILING:
+            phase_name = "COMPILING";
+            break;
+        case FuzzerErrorPhase::EXECUTION:
+            phase_name = "EXECUTION";
+            break;
+        case FuzzerErrorPhase::CLEANUP:
+            phase_name = "CLEANUP";
+            break;
+    }
+    std::cout << "[" << phase_name << "] " << message << std::endl;
+}
@@ -0,0 +1,77 @@
+// Copyright (C) 2025 Intel Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#ifndef FUZZER_COMMON_H
+#define FUZZER_COMMON_H
+
+#include "wasm_export.h"
+#include <iostream>
+#include <vector>
+
+// Constants for consistent buffer sizes
+constexpr size_t ERROR_BUF_SIZE = 128;
+constexpr size_t MAX_ERROR_BUF_SIZE = 120; // Used in wasm_runtime_load
+
+// Error phases for consistent reporting
+enum class FuzzerErrorPhase {
+    LOADING,
+    INSTANTIATING,
+    COMPILING,
+    EXECUTION,
+    CLEANUP
+};
+
+// Small inline helper functions
+
+// Check if a value kind is supported by the fuzzer
+static inline bool
+is_supported_val_kind(wasm_valkind_t kind)
+{
+    return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32
+           || kind == WASM_F64 || kind == WASM_EXTERNREF
+           || kind == WASM_FUNCREF;
+}
+
+// Generate a predefined value for a given value kind
+static inline wasm_val_t
+pre_defined_val(wasm_valkind_t kind)
+{
+    if (kind == WASM_I32) {
+        return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } };
+    }
+    else if (kind == WASM_I64) {
+        return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } };
+    }
+    else if (kind == WASM_F32) {
+        return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } };
+    }
+    else if (kind == WASM_F64) {
+        return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } };
+    }
+    else if (kind == WASM_EXTERNREF) {
+        return wasm_val_t{ .kind = WASM_EXTERNREF,
+                           .of = { .foreign = 0xabcddead } };
+    }
+    // because aft is_supported_val_kind() check, so we can safely return as
+    // WASM_FUNCREF
+    else {
+        return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } };
+    }
+}
+
+// Function declarations (implemented in fuzzer_common.cc)
+
+// Print execution arguments for debugging
+void
+print_execution_args(const wasm_export_t &export_type,
+                     const std::vector<wasm_val_t> &args, unsigned param_count);
+
+// Execute all export functions in a module
+bool
+execute_export_functions(wasm_module_t module, wasm_module_inst_t inst);
+
+// Helper for consistent error reporting
+void
+report_fuzzer_error(FuzzerErrorPhase phase, const char *message);
+
+#endif // FUZZER_COMMON_H
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,3 +2,4 @@ black @@
     nose
     pycparser
     pylint
+    requests