Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[fuzzing] execute every exported function #3959

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

[fuzzing] execute every exported function #3959

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4e0bef5
Enhance wasm mutator fuzz tests by adding export function execution a…
lum1n0us Dec 15, 2024
5ced3ae
Enhance wasm mutator fuzz tests with improved argument logging
lum1n0us Dec 23, 2024
7d51962
Refactor wasm mutator fuzz tests to use simpler random number generat…
lum1n0us Dec 24, 2024
5f0f852
Remove unnecessary inclusion of <bits/stdc++.h>
lum1n0us Dec 24, 2024
bb52418
use --fuel to limit loop size
lum1n0us Dec 24, 2024
59b1581
Refactor wasm interpreter to use predefined values and enhance argume…
lum1n0us Jan 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions core/iwasm/interpreter/wasm_interp_fast.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1670,7 +1670,8 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
{
uint32 ret_idx;
WASMFuncType *func_type;
uint32 off, ret_offset;
int32 off;
uint32 ret_offset;
uint8 *ret_types;
if (cur_func->is_import_func)
func_type = cur_func->u.func_import->func_type;
Expand All @@ -1682,9 +1683,9 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
ret_offset = prev_frame->ret_offset;

for (ret_idx = 0,
off = sizeof(int16) * (func_type->result_count - 1);
off = (int32)sizeof(int16) * (func_type->result_count - 1);
ret_idx < func_type->result_count;
ret_idx++, off -= sizeof(int16)) {
ret_idx++, off -= (int32)sizeof(int16)) {
if (ret_types[ret_idx] == VALUE_TYPE_I64
|| ret_types[ret_idx] == VALUE_TYPE_F64) {
PUT_I64_TO_ADDR(prev_frame->lp + ret_offset,
Expand Down
4 changes: 3 additions & 1 deletion tests/fuzz/wasm-mutator-fuzz/smith_wasm.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,9 @@ function try_generate_wasm()
printf -- "-- output ${GENERATED_WASM_NAME} in %d retries\n" $try_i
}

WASM_SHAPE=" --allow-invalid-funcs true \
WASM_SHAPE=" --ensure-termination \
--export-everything true \
--fuel 7 \
--generate-custom-sections true \
--min-funcs 5 \
--max-instructions 1024 \
Expand Down
145 changes: 144 additions & 1 deletion tests/fuzz/wasm-mutator-fuzz/wasm_mutator_fuzz.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,149 @@

using namespace std;

static bool
is_supported_val_kind(wasm_valkind_t kind)
{
return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32
|| kind == WASM_F64 || kind == WASM_EXTERNREF
|| kind == WASM_FUNCREF;
}

static wasm_val_t
pre_defined_val(wasm_valkind_t kind)
{
if (kind == WASM_I32) {
return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } };
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be better to generate random value to cover more value range?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😄 It makes it easier to replicate the issue that led to the failure. In a fuzzing issue report, you typically only get the error information generated by XSAN, with no accompanying logs. Using random values as function parameters can make it challenging to identify the exact combination that triggered the problem.

🤔 Additionally, I'm looking for a way to run opcodes with random operands. It appears to be a variant of the LLVMFuzzerTestOneInput() function. Perhaps I should create a new test LLVMFuzzerTestOneInput() to execute each opcode individually, allowing the fuzzer to supply random operands.

}
else if (kind == WASM_I64) {
return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } };
}
else if (kind == WASM_F32) {
return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } };
}
else if (kind == WASM_F64) {
return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } };
}
else if (kind == WASM_EXTERNREF) {
return wasm_val_t{ .kind = WASM_EXTERNREF,
.of = { .foreign = 0xabcddead } };
}
// because aft is_supported_val_kind() check, so we can safely return as
// WASM_FUNCREF
else {
return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } };
}
}
void
print_execution_args(const wasm_export_t &export_type,
const std::vector<wasm_val_t> &args, unsigned param_count)
{
std::cout << "[EXECUTION] " << export_type.name << "(";
for (unsigned p_i = 0; p_i < param_count; p_i++) {
if (p_i != 0) {
std::cout << ", ";
}

switch (args[p_i].kind) {
case WASM_I32:
std::cout << "i32:" << args[p_i].of.i32;
break;
case WASM_I64:
std::cout << "i64:" << args[p_i].of.i64;
break;
case WASM_F32:
std::cout << "f32:" << args[p_i].of.f32;
break;
case WASM_F64:
std::cout << "f64:" << args[p_i].of.f64;
break;
case WASM_EXTERNREF:
std::cout << "externref:" << args[p_i].of.foreign;
break;
default:
// because aft is_supported_val_kind() check, so we can safely
// return as WASM_FUNCREF
std::cout << "funcref:" << args[p_i].of.ref;
break;
}
}
std::cout << ")" << std::endl;
}

static bool
execute_export_functions(wasm_module_t module, wasm_module_inst_t inst)
{
int32_t export_count = wasm_runtime_get_export_count(module);

for (int e_i = 0; e_i < export_count; e_i++) {
wasm_export_t export_type = { 0 };
wasm_runtime_get_export_type(module, e_i, &export_type);

if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) {
continue;
}

wasm_function_inst_t func =
wasm_runtime_lookup_function(inst, export_type.name);
if (!func) {
std::cout << "Failed to lookup function: " << export_type.name
<< std::endl;
continue;
}

wasm_func_type_t func_type = export_type.u.func_type;
uint32_t param_count = wasm_func_type_get_param_count(func_type);

/* build arguments */
std::vector<wasm_val_t> args;
for (unsigned p_i = 0; p_i < param_count; p_i++) {
wasm_valkind_t param_type =
wasm_func_type_get_param_valkind(func_type, p_i);

if (!is_supported_val_kind(param_type)) {
std::cout
<< "Bypass execution because of unsupported value kind: "
<< param_type << std::endl;
return true;
}

wasm_val_t arg = pre_defined_val(param_type);
args.push_back(arg);
}

/* build results storage */
uint32_t result_count = wasm_func_type_get_result_count(func_type);
std::vector<wasm_val_t> results = std::vector<wasm_val_t>(result_count);

print_execution_args(export_type, args, param_count);

/* execute the function */
wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst);
if (!exec_env) {
std::cout << "Failed to get exec env" << std::endl;
return false;
}

bool ret = wasm_runtime_call_wasm_a(exec_env, func, result_count,
results.data(), param_count, args.data());
if (!ret) {
const char *exception = wasm_runtime_get_exception(inst);
if (!exception) {
std::cout << "[EXECUTION] " << export_type.name
<< "() failed. No exception info." << std::endl;
}
else {
std::cout << "[EXECUTION] " << export_type.name << "() failed. "
<< exception << std::endl;
}
}

wasm_runtime_clear_exception(inst);
}

return true;
}

extern "C" int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
Expand Down Expand Up @@ -43,7 +186,7 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
return 0;
}

std::cout << "PASS" << std::endl;
execute_export_functions(module, inst);

wasm_runtime_deinstantiate(inst);
wasm_runtime_unload(module);
Expand Down
Loading