WIP enable GC fuzzing

Author: fitzgen

crates/fuzzing/src/generators/config.rs

@@ -522,7 +522,7 @@ impl<'a> Arbitrary<'a> for Config {
 
         config
             .wasmtime
-            .update_module_config(&mut config.module_config.config, u)?;
+            .update_module_config(&mut config.module_config, u)?;
 
         Ok(config)
     }
@@ -599,7 +599,7 @@ impl WasmtimeConfig {
     /// too.
     pub fn update_module_config(
         &mut self,
-        config: &mut wasm_smith::Config,
+        config: &mut ModuleConfig,
         u: &mut Unstructured<'_>,
     ) -> arbitrary::Result<()> {
         match self.compiler_strategy {
@@ -622,10 +622,11 @@ impl WasmtimeConfig {
                 // at this time, so if winch is selected be sure to disable wasm
                 // proposals in `Config` to ensure that Winch can compile the
                 // module that wasm-smith generates.
-                config.relaxed_simd_enabled = false;
-                config.gc_enabled = false;
-                config.tail_call_enabled = false;
-                config.reference_types_enabled = false;
+                config.config.relaxed_simd_enabled = false;
+                config.config.gc_enabled = false;
+                config.config.tail_call_enabled = false;
+                config.config.reference_types_enabled = false;
+                config.function_references_enabled = false;
 
                 // Winch's SIMD implementations require AVX and AVX2.
                 if self
@@ -635,7 +636,7 @@ impl WasmtimeConfig {
                         .codegen_flag("has_avx2")
                         .is_some_and(|value| value == "false")
                 {
-                    config.simd_enabled = false;
+                    config.config.simd_enabled = false;
                 }
 
                 // Tuning  the following engine options is currently not supported
@@ -646,7 +647,7 @@ impl WasmtimeConfig {
             }
 
             CompilerStrategy::CraneliftPulley => {
-                config.threads_enabled = false;
+                config.config.threads_enabled = false;
             }
         }
 
@@ -656,7 +657,8 @@ impl WasmtimeConfig {
         // and for wasm threads that will require some refactoring of the
         // `LinearMemory` trait to bubble up the request that the linear memory
         // not move. Otherwise that just generates a panic right now.
-        if config.threads_enabled || matches!(self.strategy, InstanceAllocationStrategy::Pooling(_))
+        if config.config.threads_enabled
+            || matches!(self.strategy, InstanceAllocationStrategy::Pooling(_))
         {
             self.avoid_custom_unaligned_memory(u)?;
         }
@@ -667,31 +669,38 @@ impl WasmtimeConfig {
             // If the pooling allocator is used, do not allow shared memory to
             // be created. FIXME: see
             // https://github.com/bytecodealliance/wasmtime/issues/4244.
-            config.threads_enabled = false;
+            config.config.threads_enabled = false;
 
             // Ensure the pooling allocator can support the maximal size of
             // memory, picking the smaller of the two to win.
             let min_bytes = config
+                .config
                 .max_memory32_bytes
                 // memory64_bytes is a u128, but since we are taking the min
                 // we can truncate it down to a u64.
-                .min(config.max_memory64_bytes.try_into().unwrap_or(u64::MAX));
+                .min(
+                    config
+                        .config
+                        .max_memory64_bytes
+                        .try_into()
+                        .unwrap_or(u64::MAX),
+                );
             let mut min = min_bytes.min(pooling.max_memory_size as u64);
             if let MemoryConfig::Normal(cfg) = &self.memory_config {
                 min = min.min(cfg.memory_reservation.unwrap_or(0));
             }
             pooling.max_memory_size = min as usize;
-            config.max_memory32_bytes = min;
-            config.max_memory64_bytes = min as u128;
+            config.config.max_memory32_bytes = min;
+            config.config.max_memory64_bytes = min as u128;
 
             // If traps are disallowed then memories must have at least one page
             // of memory so if we still are only allowing 0 pages of memory then
             // increase that to one here.
-            if config.disallow_traps {
+            if config.config.disallow_traps {
                 if pooling.max_memory_size < (1 << 16) {
                     pooling.max_memory_size = 1 << 16;
-                    config.max_memory32_bytes = 1 << 16;
-                    config.max_memory64_bytes = 1 << 16;
+                    config.config.max_memory32_bytes = 1 << 16;
+                    config.config.max_memory64_bytes = 1 << 16;
                     if let MemoryConfig::Normal(cfg) = &mut self.memory_config {
                         match &mut cfg.memory_reservation {
                             Some(size) => *size = (*size).max(pooling.max_memory_size as u64),
@@ -707,13 +716,13 @@ impl WasmtimeConfig {
 
             // Don't allow too many linear memories per instance since massive
             // virtual mappings can fail to get allocated.
-            config.min_memories = config.min_memories.min(10);
-            config.max_memories = config.max_memories.min(10);
+            config.config.min_memories = config.config.min_memories.min(10);
+            config.config.max_memories = config.config.max_memories.min(10);
 
             // Force this pooling allocator to always be able to accommodate the
             // module that may be generated.
-            pooling.total_memories = config.max_memories as u32;
-            pooling.total_tables = config.max_tables as u32;
+            pooling.total_memories = config.config.max_memories as u32;
+            pooling.total_tables = config.config.max_tables as u32;
         }
 
         if !self.signals_based_traps {
@@ -723,7 +732,7 @@ impl WasmtimeConfig {
             // fixable with some more work on the bounds-checks side of things
             // to do a full bounds check even on static memories, but that's
             // left for a future PR.
-            config.threads_enabled = false;
+            config.config.threads_enabled = false;
 
             // Spectre-based heap mitigations require signal handlers so this
             // must always be disabled if signals-based traps are disabled.

crates/fuzzing/src/generators/module.rs

@@ -41,8 +41,8 @@ impl<'a> Arbitrary<'a> for ModuleConfig {
         let _ = config.relaxed_simd_enabled;
         let _ = config.tail_call_enabled;
         let _ = config.extended_const_enabled;
+        let _ = config.gc_enabled;
         config.exceptions_enabled = false;
-        config.gc_enabled = false;
         config.custom_page_sizes_enabled = u.arbitrary()?;
         config.wide_arithmetic_enabled = u.arbitrary()?;
         config.memory64_enabled = u.ratio(1, 20)?;

crates/fuzzing/src/generators/value.rs

@@ -267,6 +267,7 @@ impl PartialEq for DiffValue {
             }
             (Self::FuncRef { null: a }, Self::FuncRef { null: b }) => a == b,
             (Self::ExternRef { null: a }, Self::ExternRef { null: b }) => a == b,
+            (Self::AnyRef { null: a }, Self::AnyRef { null: b }) => a == b,
             _ => false,
         }
     }
@@ -302,7 +303,7 @@ impl TryFrom<wasmtime::ValType> for DiffValueType {
                 (true, HeapType::Any) => Ok(Self::AnyRef),
                 (true, HeapType::I31) => Ok(Self::AnyRef),
                 (true, HeapType::None) => Ok(Self::AnyRef),
-                _ => Err("non-funcref and non-externref reference types are not supported yet"),
+                _ => Err("non-null reference types are not supported yet"),
             },
         }
     }

crates/fuzzing/src/oracles.rs

@@ -369,8 +369,11 @@ pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -
     // Creation of imports can fail due to resource limit constraints, and then
     // instantiation can naturally fail for a number of reasons as well. Bundle
     // the two steps together to match on the error below.
-    let instance =
-        dummy::dummy_linker(store, module).and_then(|l| l.instantiate(&mut *store, module));
+    let linker = dummy::dummy_linker(store, module);
+    if let Err(e) = &linker {
+        log::warn!("failed to create dummy linker: {e:?}");
+    }
+    let instance = linker.and_then(|l| l.instantiate(&mut *store, module));
     unwrap_instance(store, instance)
 }
 

crates/fuzzing/src/oracles/diff_wasmtime.rs

@@ -26,13 +26,15 @@ impl WasmtimeEngine {
     ) -> arbitrary::Result<Self> {
         let mut new_config = u.arbitrary::<WasmtimeConfig>()?;
         new_config.compiler_strategy = compiler_strategy;
-        new_config.update_module_config(&mut config.module_config.config, u)?;
+        new_config.update_module_config(&mut config.module_config, u)?;
         new_config.make_compatible_with(&config.wasmtime);
 
         let config = generators::Config {
             wasmtime: new_config,
             module_config: config.module_config.clone(),
         };
+        log::debug!("Created new Wasmtime differential engine with config: {config:?}");
+
         Ok(Self { config })
     }
 }
@@ -118,11 +120,10 @@ impl WasmtimeInstance {
 
         globals
             .into_iter()
-            .map(|(name, global)| {
-                (
-                    name,
-                    global.ty(&self.store).content().clone().try_into().unwrap(),
-                )
+            .filter_map(|(name, global)| {
+                DiffValueType::try_from(global.ty(&self.store).content().clone())
+                    .map(|ty| (name, ty))
+                    .ok()
             })
             .collect()
     }

crates/wasmtime/src/runtime/linker.rs

@@ -8,7 +8,7 @@ use crate::{
     Instance, Module, StoreContextMut, Val, ValRaw, ValType,
 };
 use alloc::sync::Arc;
-use core::fmt;
+use core::fmt::{self, Debug};
 use core::marker;
 #[cfg(feature = "async")]
 use core::{future::Future, pin::Pin};
@@ -90,6 +90,12 @@ pub struct Linker<T> {
     _marker: marker::PhantomData<fn() -> T>,
 }
 
+impl<T> Debug for Linker<T> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Linker").finish_non_exhaustive()
+    }
+}
+
 impl<T> Clone for Linker<T> {
     fn clone(&self) -> Linker<T> {
         Linker {

fuzz/fuzz_targets/differential.rs

@@ -1,6 +1,6 @@
 #![no_main]
 
-use libfuzzer_sys::arbitrary::{Result, Unstructured};
+use libfuzzer_sys::arbitrary::{self, Result, Unstructured};
 use libfuzzer_sys::fuzz_target;
 use std::sync::atomic::AtomicUsize;
 use std::sync::atomic::Ordering::SeqCst;
@@ -80,12 +80,15 @@ fn execute_one(data: &[u8]) -> Result<()> {
             return Ok(());
         }
     };
+
+    log::trace!("Building LHS engine");
     let mut lhs = match engine::build(&mut u, lhs, &mut config)? {
         Some(engine) => engine,
         // The chosen engine does not have support compiled into the fuzzer,
         // discard this test case.
         None => return Ok(()),
     };
+    log::debug!("lhs engine: {}", lhs.name());
 
     // Using the now-legalized module configuration generate the Wasm module;
     // this is specified by either the ALLOWED_MODULES environment variable or a
@@ -118,11 +121,11 @@ fn execute_one(data: &[u8]) -> Result<()> {
     log_wasm(&wasm);
 
     // Instantiate the generated wasm file in the chosen differential engine.
-    log::debug!("lhs engine: {}", lhs.name());
     let lhs_instance = lhs.instantiate(&wasm);
     STATS.bump_engine(lhs.name());
 
     // Always use Wasmtime as the second engine to instantiate within.
+    log::debug!("Building RHS Wasmtime");
     let rhs_store = config.to_store();
     let rhs_module = wasmtime::Module::new(rhs_store.engine(), &wasm).unwrap();
     let rhs_instance = WasmtimeInstance::new(rhs_store, rhs_module);
@@ -143,12 +146,22 @@ fn execute_one(data: &[u8]) -> Result<()> {
         loop {
             let arguments = signature
                 .params()
-                .map(|t| DiffValue::arbitrary_of_type(&mut u, t.try_into().unwrap()))
+                .map(|ty| {
+                    let ty = ty
+                        .try_into()
+                        .map_err(|_| arbitrary::Error::IncorrectFormat)?;
+                    DiffValue::arbitrary_of_type(&mut u, ty)
+                })
                 .collect::<Result<Vec<_>>>()?;
             let result_tys = signature
                 .results()
-                .map(|t| DiffValueType::try_from(t).unwrap())
-                .collect::<Vec<_>>();
+                .map(|ty| {
+                    let ty: wasmtime::ValType = ty
+                        .try_into()
+                        .map_err(|_| arbitrary::Error::IncorrectFormat)?;
+                    DiffValueType::try_from(ty).map_err(|_| arbitrary::Error::IncorrectFormat)
+                })
+                .collect::<Result<Vec<_>>>()?;
             let ok = differential(
                 lhs_instance.as_mut(),
                 lhs.as_ref(),