Fuzzer: Add a flag to import another module in --translate-to-fuzz (#7949)

-ttf --fuzz-import=foo.wasm will generate a fuzz new file, and that file
will import parts of the given foo.wasm. So far, this imports a subset
of the functions of that other module.

Use this in the Two fuzzer as well as in ClusterFuzz.

Add fuzz_shell.js support for importing a second module as "primary".
We had that for --fuzz-split mode, and this just expands that to any
time we have a second module.

Author: kripken

scripts/clusterfuzz/run.py

@@ -123,16 +123,21 @@ def get_random_initial_content():
 # allows us to debug any such failures that we run into.
 retry = True
 
+# Temporary files to clean up
+temp_files = []
+
 
 # Generate a random wasm file, and return a string that creates a typed array of
 # those bytes, suitable for use in a JS file, in the form
 #
 #   new Uint8Array([..wasm_contents..])
 #
 # Receives the testcase index and the output dir.
-def get_wasm_contents(i, output_dir):
-    input_data_file_path = os.path.join(output_dir, f'{i}.input')
-    wasm_file_path = os.path.join(output_dir, f'{i}.wasm')
+#
+# Also returns the name of the wasm file.
+def get_wasm_contents(name, output_dir, extra_args=[]):
+    input_data_file_path = os.path.join(output_dir, f'{name}.input')
+    wasm_file_path = os.path.join(output_dir, f'{name}.wasm')
 
     # wasm-opt may fail to run in rare cases (when the fuzzer emits code it
     # detects as invalid). Just try again in such a case.
@@ -144,7 +149,7 @@ def get_wasm_contents(i, output_dir):
 
         # Generate a command to use wasm-opt with the proper args to generate
         # wasm content from the input data.
-        cmd = [FUZZER_BINARY_PATH] + FUZZER_ARGS
+        cmd = [FUZZER_BINARY_PATH] + FUZZER_ARGS + extra_args
         cmd += ['-o', wasm_file_path, input_data_file_path]
 
         # Sometimes use a file from the initial content testcases.
@@ -177,16 +182,19 @@ def get_wasm_contents(i, output_dir):
     with open(wasm_file_path, 'rb') as file:
         wasm_contents = file.read()
 
-    # Clean up temp files.
-    os.remove(wasm_file_path)
-    os.remove(input_data_file_path)
+    # Note temp files.
+    global temp_files
+    temp_files += [
+        wasm_file_path,
+        input_data_file_path
+    ]
 
     # Convert to a string, and wrap into a typed array.
     wasm_contents = ','.join([str(c) for c in wasm_contents])
     js = f'new Uint8Array([{wasm_contents}])'
     if initial_content:
         js = f'{js} /* using initial content {os.path.basename(initial_content)} */'
-    return js
+    return js, wasm_file_path
 
 
 # Returns the contents of a .js fuzz file, given the index of the testcase and
@@ -198,17 +206,22 @@ def get_js_file_contents(i, output_dir):
 
     # Prepend the wasm contents, so they are used (rather than the normal
     # mechanism where the wasm file's name is provided in argv).
-    wasm_contents = get_wasm_contents(i, output_dir)
+    wasm_contents, wasm_file = get_wasm_contents(i, output_dir)
     pre = f'var binary = {wasm_contents};\n'
     bytes = wasm_contents.count(',')
 
     # Sometimes add a second wasm file as well.
     has_second = False
     if system_random.random() < 0.333:
         has_second = True
-        wasm_contents = get_wasm_contents(i, output_dir)
-        pre += f'var secondBinary = {wasm_contents};\n'
-        bytes += wasm_contents.count(',')
+        # Most of the time, import the first file.
+        args = []
+        if system_random.random() < 0.8:
+            args = [f'--fuzz-import={wasm_file}']
+        second_wasm_contents, second_wasm_file = \
+            get_wasm_contents(f'{i}_second', output_dir, args)
+        pre += f'var secondBinary = {second_wasm_contents};\n'
+        bytes += second_wasm_contents.count(',')
 
     js = pre + '\n' + js
 
@@ -243,7 +256,9 @@ def get_js_file_contents(i, output_dir):
     ]
     if has_second:
         extra_js_operations += [
-            'build(secondBinary)',
+            # Build the second binary, marking it as second so it imports the
+            # first.
+            'build(secondBinary, true)',
         ]
 
     for i in range(num):
@@ -307,6 +322,11 @@ def main(argv):
 
     print(f'Created {num} testcases.')
 
+    for temp in temp_files:
+        os.remove(temp)
+
+    print('Cleaned up.')
+
 
 if __name__ == '__main__':
     main(sys.argv)

scripts/fuzz_opt.py

@@ -602,6 +602,7 @@ def note_ignored_vm_run(reason, extra_text='', amount=1):
     ignored_vm_run_reasons[reason] += amount
 
 
+# Run a VM command, and filter out known issues.
 def run_vm(cmd):
     def filter_known_issues(output):
         known_issues = [
@@ -753,6 +754,8 @@ def __init__(self):
     # care about their relationship.
     def handle_pair(self, input, before_wasm, after_wasm, opts):
         self.handle(before_wasm)
+        # Add some visual space between the independent parts.
+        print('\n')
         self.handle(after_wasm)
 
     def can_run_on_wasm(self, wasm):
@@ -1791,6 +1794,9 @@ def handle(self, wasm):
             second_input = abspath('second_input.dat')
             make_random_input(random_size(), second_input)
             args = [second_input, '-ttf', '-o', second_wasm]
+            # Most of the time, use the first wasm as an import to the second.
+            if random.random() < 0.8:
+                args += ['--fuzz-import=' + wasm]
             run([in_bin('wasm-opt')] + args + GEN_ARGS + FEATURE_OPTS)
 
         # The binaryen interpreter only supports a single file, so we run them
@@ -1812,6 +1818,20 @@ def handle(self, wasm):
             # We may fail to instantiate the modules for valid reasons, such as
             # an active segment being out of bounds. There is no point to
             # continue in such cases, as no exports are called.
+
+            # But, check 'primary' is not in the V8 error. That might indicate a
+            # problem in the imports of --fuzz-import. To do this, run the d8
+            # command directly, without the usual filtering of run_d8_wasm.
+            cmd = [shared.V8] + shared.V8_OPTS + get_v8_extra_flags() + [
+                get_fuzz_shell_js(),
+                '--',
+                wasm,
+                second_wasm
+            ]
+            out = run(cmd)
+            assert '"primary"' not in out, out
+
+            note_ignored_vm_run('Two instantiate error')
             return
 
         # Make sure that fuzz_shell.js actually executed all exports from both
@@ -1845,6 +1865,7 @@ def can_run_on_wasm(self, wasm):
         # mode. We also cannot run shared-everything code in d8 yet. We also
         # cannot compare if there are NaNs (as optimizations can lead to
         # different outputs).
+        # TODO: relax some of these
         if CLOSED_WORLD:
             return False
         if NANS:

scripts/fuzz_shell.js

@@ -435,7 +435,7 @@ if (secondBinary) {
 // Compile and instantiate a wasm file. Receives the binary to build, and
 // whether it is the second one.
 function build(binary, isSecond) {
-  if (fuzzSplit && isSecond) {
+  if (isSecond) {
     assert(secondBinary);
     // Provide the primary module's exports to the secondary.
     imports['primary'] = exports;

src/tools/fuzzing.h

@@ -132,6 +132,9 @@ class TranslateToFuzzReader {
   void setPreserveImportsAndExports(bool preserveImportsAndExports_) {
     preserveImportsAndExports = preserveImportsAndExports_;
   }
+  void setImportedModule(std::string importedModule_) {
+    importedModule = importedModule_;
+  }
 
   void build();
 
@@ -157,6 +160,9 @@ class TranslateToFuzzReader {
   // existing testcase (using initial-content).
   bool preserveImportsAndExports = false;
 
+  // An optional module to import from.
+  std::optional<std::string> importedModule;
+
   // Whether we allow the fuzzer to add unreachable code when generating changes
   // to existing code. This is randomized during startup, but could be an option
   // like the above options eventually if we find that useful.
@@ -365,6 +371,8 @@ class TranslateToFuzzReader {
 
   void addHangLimitChecks(Function* func);
 
+  void useImportedModule();
+
   // Recombination and mutation
 
   // Recombination and mutation can replace a node with another node of the same

src/tools/fuzzing/fuzzing.cpp

@@ -24,6 +24,7 @@
 #include "ir/type-updating.h"
 #include "support/string.h"
 #include "tools/fuzzing/heap-types.h"
+#include "wasm-io.h"
 
 namespace wasm {
 
@@ -361,7 +362,12 @@ void TranslateToFuzzReader::build() {
   addImportLoggingSupport();
   addImportCallingSupport();
   addImportSleepSupport();
+
+  // First, modify initial functions. That includes removing imports. Then,
+  // use the imported module, which are function imports that we allow.
   modifyInitialFunctions();
+  useImportedModule();
+
   processFunctions();
   if (fuzzParams->HANG_LIMIT > 0) {
     addHangLimitSupport();
@@ -1158,6 +1164,39 @@ void TranslateToFuzzReader::addHashMemorySupport() {
   }
 }
 
+void TranslateToFuzzReader::useImportedModule() {
+  if (!importedModule) {
+    return;
+  }
+
+  Module imported;
+  imported.features = FeatureSet::All;
+  ModuleReader().read(*importedModule, imported);
+
+  // Add some of the module's exported functions as imports, at a random rate.
+  auto rate = upTo(100);
+  for (auto& exp : imported.exports) {
+    if (exp->kind != ExternalKind::Function || upTo(100) > rate) {
+      continue;
+    }
+
+    auto* func = imported.getFunction(*exp->getInternalName());
+    auto name =
+      Names::getValidFunctionName(wasm, "primary_" + exp->name.toString());
+    // We can import it as its own type, or any (declared) supertype.
+    auto type = getSuperType(func->type);
+    auto import = builder.makeFunction(name, type, {});
+    import->module = "primary";
+    import->base = exp->name;
+    wasm.addFunction(std::move(import));
+  }
+
+  // TODO: All other imports: globals, memories, tables, etc. We must, as we do
+  //       with functions, take care to run this *after* the removal of those
+  //       imports (as normally we remove them all, as the fuzzer harness will
+  //       not provide them, but an imported module is the exception).
+}
+
 TranslateToFuzzReader::FunctionCreationContext::FunctionCreationContext(
   TranslateToFuzzReader& parent, Function* func)
   : parent(parent), func(func) {
@@ -1553,7 +1592,7 @@ Function* TranslateToFuzzReader::addFunction() {
     wasm.addExport(
       Builder::makeExport(func->name, func->name, ExternalKind::Function));
   }
-  // add some to an elem segment
+  // add some to an elem segment TODO we could do this for imported funcs too
   while (oneIn(3) && !random.finished()) {
     auto type = Type(func->type, NonNullable);
     std::vector<ElementSegment*> compatibleSegments;

src/tools/wasm-opt.cpp

@@ -87,6 +87,7 @@ int main(int argc, const char* argv[]) {
   bool fuzzMemory = true;
   bool fuzzOOB = true;
   bool fuzzPreserveImportsAndExports = false;
+  std::string fuzzImport;
   std::string emitSpecWrapper;
   std::string emitWasm2CWrapper;
   std::string inputSourceMapFilename;
@@ -211,6 +212,13 @@ For more on how to optimize effectively, see
          [&](Options* o, const std::string& arguments) {
            fuzzPreserveImportsAndExports = true;
          })
+    .add(
+      "--fuzz-import",
+      "",
+      "a module to use as an import in -ttf mode",
+      WasmOptOption,
+      Options::Arguments::One,
+      [&](Options* o, const std::string& arguments) { fuzzImport = arguments; })
     .add("--emit-spec-wrapper",
          "-esw",
          "Emit a wasm spec interpreter wrapper file that can run the wasm with "
@@ -344,6 +352,9 @@ For more on how to optimize effectively, see
     reader.setAllowMemory(fuzzMemory);
     reader.setAllowOOB(fuzzOOB);
     reader.setPreserveImportsAndExports(fuzzPreserveImportsAndExports);
+    if (!fuzzImport.empty()) {
+      reader.setImportedModule(fuzzImport);
+    }
     reader.build();
     if (options.passOptions.validate) {
       if (!WasmValidator().validate(wasm, options.passOptions)) {

test/lit/fuzz-import.wast

@@ -0,0 +1,22 @@
+;; Test the flag to import from a given module in fuzzer generation.
+
+;; Generate fuzz output using this wat as initial contents, and importing the
+;; side file.
+;; RUN: wasm-opt %s.ttf --initial-fuzz=%s -all -ttf --fuzz-import=%s.import \
+;; RUN:          -S -o - | filecheck %s
+
+(module
+  ;; This existing import will be made a non-import, but the ones from the
+  ;; imported module will be ok.
+  (import "existing" "foo" (func $import))
+)
+
+;; CHECK-NOT:      (import "existing"
+
+;; We must see an import from the primary module.
+;; XXX This does depend on random choices in the fuzzer. We do have many chances
+;;     to emit one such import (see the large file on the side), but if this
+;;     turns out to be too unlikely, we can remove this test in favor of a unit
+;;     test or the fuzzer.
+;; CHECK:      (import "primary"
+