feat(fuzz): add a new fuzzing target about aot compiler (#4121)

support llvm-jit running mode as another fuzzing target

Author: lum1n0us

build-scripts/version.cmake

@@ -3,7 +3,7 @@
 
 if(NOT WAMR_ROOT_DIR)
   # if from wamr-compiler
-  set(WAMR_ROOT_DIR ${CMAKE_CURRENT_SOURCE_DIR}/..)
+  set(WAMR_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/..)
 endif()
 
 set(WAMR_VERSION_MAJOR 2)

core/iwasm/compilation/aot_llvm.c

@@ -2520,7 +2520,8 @@ aot_compiler_init(void)
     LLVMInitializeCore(LLVMGetGlobalPassRegistry());
 #endif
 
-#if WASM_ENABLE_WAMR_COMPILER != 0
+/* fuzzing only use host targets for simple */
+#if WASM_ENABLE_WAMR_COMPILER != 0 && WASM_ENABLE_FUZZ_TEST == 0
     /* Init environment of all targets for AOT compiler */
     LLVMInitializeAllTargetInfos();
     LLVMInitializeAllTargets();

tests/fuzz/wasm-mutator-fuzz/CMakeLists.txt

@@ -1,170 +1,101 @@
 # Copyright (C) 2019 Intel Corporation. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 
-cmake_minimum_required (VERSION 3.14)
+cmake_minimum_required(VERSION 3.14)
 
-if (NOT DEFINED CMAKE_C_COMPILER)
-set (CMAKE_C_COMPILER "clang")
-endif ()
-if (NOT DEFINED CMAKE_CXX_COMPILER)
-set (CMAKE_CXX_COMPILER "clang++")
-endif ()
+project(wamr_fuzzing LANGUAGES ASM C CXX)
 
-project(wasm_mutator)
+include(CMakePrintHelpers)
 
-set (CMAKE_BUILD_TYPE Debug)
+# Ensure Clang is used as the compiler
+if(NOT CMAKE_C_COMPILER_ID STREQUAL "Clang"
+    OR NOT CMAKE_ASM_COMPILER_ID STREQUAL "Clang")
+  message(FATAL_ERROR "Please use Clang as the C compiler for libFuzzer compatibility.")
+endif()
+
+#
+# Global settings
+#
+set(CMAKE_BUILD_TYPE Debug)
+set(CMAKE_C_STANDARD 11)
+set(CMAKE_CXX_STANDARD 17)
 
-string (TOLOWER ${CMAKE_HOST_SYSTEM_NAME} WAMR_BUILD_PLATFORM)
+string(TOLOWER ${CMAKE_HOST_SYSTEM_NAME} WAMR_BUILD_PLATFORM)
 
 # Reset default linker flags
-set (CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
-set (CMAKE_SHARED_LIBRARY_LINK_CXX_FLAGS "")
-
-set (CMAKE_C_STANDARD 11)
-set (CMAKE_CXX_STANDARD 17)
-
-# Set WAMR_BUILD_TARGET, currently values supported:
-# "X86_64", "AMD_64", "X86_32", "AARCH64[sub]", "ARM[sub]", "THUMB[sub]",
-# "MIPS", "XTENSA", "RISCV64[sub]", "RISCV32[sub]"
-if (NOT DEFINED WAMR_BUILD_TARGET)
-  if (CMAKE_SYSTEM_PROCESSOR MATCHES "^(arm64|aarch64)")
-    set (WAMR_BUILD_TARGET "AARCH64")
-  elseif (CMAKE_SYSTEM_PROCESSOR STREQUAL "riscv64")
-    set (WAMR_BUILD_TARGET "RISCV64")
-  elseif (CMAKE_SIZEOF_VOID_P EQUAL 8)
-    # Build as X86_64 by default in 64-bit platform
-    set (WAMR_BUILD_TARGET "X86_64")
-  elseif (CMAKE_SIZEOF_VOID_P EQUAL 4)
-    # Build as X86_32 by default in 32-bit platform
-    set (WAMR_BUILD_TARGET "X86_32")
-  else ()
+set(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
+set(CMAKE_SHARED_LIBRARY_LINK_CXX_FLAGS "")
+
+# Check if the compiler supports the sanitizer flags
+include(CheckCXXCompilerFlag)
+check_cxx_compiler_flag("-fsanitize=address"   HAS_ADDRESS_SANITIZER)
+check_cxx_compiler_flag("-fsanitize=memory"    HAS_MEMORY_SANITIZER)
+check_cxx_compiler_flag("-fsanitize=undefined" HAS_UNDEFINED_SANITIZER)
+
+# Determine WAMR_BUILD_TARGET based on system properties
+if(NOT DEFINED WAMR_BUILD_TARGET)
+  if(CMAKE_SYSTEM_PROCESSOR MATCHES "^(arm64|aarch64)")
+    set(WAMR_BUILD_TARGET "AARCH64")
+  elseif(CMAKE_SYSTEM_PROCESSOR STREQUAL "riscv64")
+    set(WAMR_BUILD_TARGET "RISCV64")
+  elseif(CMAKE_SIZEOF_VOID_P EQUAL 8)
+    set(WAMR_BUILD_TARGET "X86_64")
+  elseif(CMAKE_SIZEOF_VOID_P EQUAL 4)
+    set(WAMR_BUILD_TARGET "X86_32")
+  else()
     message(SEND_ERROR "Unsupported build target platform!")
-  endif ()
-endif ()
+  endif()
+endif()
 
-if (APPLE)
+if(APPLE)
   add_definitions(-DBH_PLATFORM_DARWIN)
-endif ()
+endif()
+
+# Disable hardware bound check and enable AOT validator
+set(WAMR_DISABLE_HW_BOUND_CHECK 1)
+set(WAMR_BUILD_AOT_VALIDATOR 1)
+
+set(REPO_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../../..)
+message(STATUS "REPO_ROOT_DIR: ${REPO_ROOT_DIR}")
+
+# Use LLVM_DIR from command line if defined
+# LLVM_DIR should be something like /path/to/llvm/build/lib/cmake/llvm
+if(DEFINED LLVM_DIR)
+  set(LLVM_DIR $ENV{LLVM_DIR})
+else()
+  set(LLVM_SRC_ROOT ${REPO_ROOT_DIR}/core/deps/llvm)
+  set(LLVM_BUILD_ROOT ${LLVM_SRC_ROOT}/build)
+  set(LLVM_DIR ${LLVM_BUILD_ROOT}/lib/cmake/llvm)
+endif()
 
-if(CUSTOM_MUTATOR EQUAL 1)
-  add_compile_definitions(CUSTOM_MUTATOR)
+# if LLVM_DIR is an existing directory, use it
+if(NOT EXISTS ${LLVM_DIR})
+  message(FATAL_ERROR "LLVM_DIR not found: ${LLVM_DIR}")
 endif()
 
-if (NOT DEFINED WAMR_BUILD_INTERP)
-  # Enable Interpreter by default
-  set (WAMR_BUILD_INTERP 1)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_AOT)
-  # Enable AOT by default.
-  set (WAMR_BUILD_AOT 1)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_JIT)
-  # Disable JIT by default.
-  set (WAMR_BUILD_JIT 0)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_LIBC_BUILTIN)
-  # Disable libc builtin support by default
-  set (WAMR_BUILD_LIBC_BUILTIN 0)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_LIBC_WASI)
-  # Enable libc wasi support by default
-  set (WAMR_BUILD_LIBC_WASI 0)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_FAST_INTERP)
-  # Enable fast interpreter
-  set (WAMR_BUILD_FAST_INTERP 1)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_MULTI_MODULE)
-  # Disable multiple modules
-  set (WAMR_BUILD_MULTI_MODULE 0)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_LIB_PTHREAD)
-  # Disable pthread library by default
-  set (WAMR_BUILD_LIB_PTHREAD 0)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_MINI_LOADER)
-  # Disable wasm mini loader by default
-  set (WAMR_BUILD_MINI_LOADER 0)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_SIMD)
-  # Enable SIMD by default
-  set (WAMR_BUILD_SIMD 1)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_REF_TYPES)
-  # Enable reference type by default
-  set (WAMR_BUILD_REF_TYPES 1)
-endif ()
-
-if (NOT DEFINED WAMR_BUILD_DEBUG_INTERP)
-  # Disable Debug feature by default
-  set (WAMR_BUILD_DEBUG_INTERP 0)
-endif ()
-
-if (WAMR_BUILD_DEBUG_INTERP EQUAL 1)
-  set (WAMR_BUILD_FAST_INTERP 0)
-  set (WAMR_BUILD_MINI_LOADER 0)
-  set (WAMR_BUILD_SIMD 0)
-endif ()
-
-# sanitizer may use kHandleSignalExclusive to handle SIGSEGV
-# like `UBSAN_OPTIONS=handle_segv=2:...`
-set (WAMR_DISABLE_HW_BOUND_CHECK 1)
-# Enable aot validator
-set (WAMR_BUILD_AOT_VALIDATOR 1)
-
-set (REPO_ROOT_DIR ${CMAKE_CURRENT_LIST_DIR}/../../..)
-message([ceith]:REPO_ROOT_DIR, ${REPO_ROOT_DIR})
-
-set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS}")
-set (CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
-
-add_definitions(-DWAMR_USE_MEM_POOL=0 -DWASM_ENABLE_FUZZ_TEST=1)
+find_package(LLVM REQUIRED CONFIG)
+
+message(STATUS "Found LLVM ${LLVM_PACKAGE_VERSION}")
+message(STATUS "Using LLVMConfig.cmake in: ${LLVM_DIR}")
+
+include_directories(${LLVM_INCLUDE_DIRS})
+separate_arguments(LLVM_DEFINITIONS_LIST NATIVE_COMMAND ${LLVM_DEFINITIONS})
+add_definitions(${LLVM_DEFINITIONS_LIST})
+
+set(SHARED_DIR ${REPO_ROOT_DIR}/core/shared)
+set(IWASM_DIR ${REPO_ROOT_DIR}/core/iwasm)
+
+# Global setting
+add_compile_options(-Wno-unused-command-line-argument)
 
 # Enable fuzzer
+add_definitions(-DWASM_ENABLE_FUZZ_TEST=1)
 add_compile_options(-fsanitize=fuzzer)
 add_link_options(-fsanitize=fuzzer)
 
-# if not calling from oss-fuzz helper, enable all support sanitizers
-# oss-fuzz will define FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION in CFLAGS and CXXFLAGS
+# Enable sanitizers if not in oss-fuzz environment
 set(CFLAGS_ENV $ENV{CFLAGS})
 string(FIND "${CFLAGS_ENV}" "-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" IN_OSS_FUZZ)
-if (IN_OSS_FUZZ EQUAL -1)
-  message("[ceith]:Enable ASan and UBSan in non-oss-fuzz environment")
-  add_compile_options(
-    -fprofile-instr-generate -fcoverage-mapping
-    -fno-sanitize-recover=all
-    -fsanitize=address,undefined
-    # reference: https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
-    # -fsanitize=undefined: All of the checks listed above other than float-divide-by-zero,
-    #     unsigned-integer-overflow, implicit-conversion, local-bounds and
-    #     the nullability-* group of checks.
-    #
-    # for now, we disable below from UBSan
-    # -alignment
-    # -implicit-conversion
-    #
-    -fsanitize=float-divide-by-zero,unsigned-integer-overflow,local-bounds,nullability
-    -fno-sanitize=alignment
-  )
-  add_link_options(-fsanitize=address -fprofile-instr-generate)
-endif ()
-
-include(${REPO_ROOT_DIR}/core/shared/utils/uncommon/shared_uncommon.cmake)
-include(${REPO_ROOT_DIR}/build-scripts/runtime_lib.cmake)
-
-add_library(vmlib
-    ${WAMR_RUNTIME_LIB_SOURCE}
-)
-
-add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc)
-target_link_libraries(wasm_mutator_fuzz vmlib -lm)
+
+add_subdirectory(aot-compiler)
+add_subdirectory(wasm-mutator)

tests/fuzz/wasm-mutator-fuzz/README.md

@@ -1,44 +1,53 @@
 # WAMR fuzz test framework
 
-## install wasm-tools
+## Install wasm-tools
+
+Download the release suitable for your specific platform from https://github.com/bytecodealliance/wasm-tools/releases/latest, unpack it, and add the executable wasm-tools to the `PATH`. Then, you should be able to verify that the installation was successful by using the following command:
 
 ```bash
-1.git clone https://github.com/bytecodealliance/wasm-tools
-$ cd wasm-tools
-2.This project can be installed and compiled from source with this Cargo command:
-$ cargo install wasm-tools
-3.Installation can be confirmed with:
 $ wasm-tools --version
-4.Subcommands can be explored with:
+# Or learn subcommands with
 $ wasm-tools help
 ```
 
+## Install clang Toolchain
+
+Refer to: https://apt.llvm.org/ and ensure that you have clang installed.
+
+```bash
+$ clang --version
+
+$ clang++ --version
+```
+
 ## Build
 
 ```bash
-mkdir build && cd build
 # Without custom mutator (libfuzzer modify the buffer randomly)
-cmake ..
-# TODO: TBC. `wasm-tools mutate` is not supported yet
-# With custom mutator (wasm-tools mutate)
-cmake .. -DCUSTOM_MUTATOR=1
-make -j$(nproc)
+$ cmake -S . -B build -DCMAKE_TOOLCHAIN_FILE=./clang_toolchain.cmake -DLLVM_DIR=<llvm_install_dir>/lib/cmake/llvm
+
+# TBC: if `wasm-tools mutate` is supported or not
+# Or With custom mutator (wasm-tools mutate)
+$ cmake -S . -B build -DCMAKE_TOOLCHAIN_FILE=./clang_toolchain.cmake -DLLVM_DIR=<llvm_install_dir>/lib/cmake/llvm -DCUSTOM_MUTATOR=1
+
+# Then
+$ cmake --build build
 ```
 
 ## Manually generate wasm file in build
 
-```bash
+````bash
 # wasm-tools smith generate some valid wasm file
 # The generated wasm file is in corpus_dir under build
 # N - Number of files to be generated
-./smith_wasm.sh N 
+$ ./smith_wasm.sh N
 
 # running
 ``` bash
-cd build
-./wasm-mutate-fuzz CORPUS_DIR
- 
-```
+$ ./build/wasm-mutator/wasm_mutator_fuzz ./build/CORPUS_DIR
+
+$ ./build/aot-compiler/aot_compiler_fuzz ./build/CORPUS_DIR
+````
 
 ## Fuzzing Server
 
@@ -49,20 +58,20 @@ $ pip install -r requirements.txt
 
 2. Database Migration
 $ python3 app/manager.py db init
-$ python3 app/manager.py db migrate  
-$ python3 app/manager.py db upgrade  
+$ python3 app/manager.py db migrate
+$ python3 app/manager.py db upgrade
 
 3. Change localhost to your machine's IP address
-$ cd ../portal 
+$ cd ../portal
 $ vim .env   # Change localhost to your machine's IP address  # http://<ip>:16667
 
 4. Run Server and Portal
 $ cd ..   # Switch to the original directory
 If you want to customize the front-end deployment port:  # defaut 9999
-    $ vim .env # Please change the portal_port to the port you want to use 
+    $ vim .env # Please change the portal_port to the port you want to use
 
 The server is deployed on port 16667 by default, If you want to change the server deployment port:
-    $ vim .env # Please change the server_port to the port you want to use 
+    $ vim .env # Please change the server_port to the port you want to use
     $ vim portal/.env # Please change the VITE_SERVER_URL to the port you want to use  # http://ip:<port>