Enable the GC proposal during general fuzzing

fitzgen · fitzgen · commit d332b9710684 · 2025-03-12T10:48:15.000-07:00
This allows us to fuzz Wasm GC in our fuzz targets that use the common config-generation infrastructure, such as the differential fuzz target. Fixes bytecodealliance#10328
diff --git a/crates/fuzzing/src/generators/config.rs b/crates/fuzzing/src/generators/config.rs
@@ -527,7 +527,7 @@ impl<'a> Arbitrary<'a> for Config {
 
         config
             .wasmtime
-            .update_module_config(&mut config.module_config.config, u)?;
+            .update_module_config(&mut config.module_config, u)?;
 
         Ok(config)
     }
@@ -604,7 +604,7 @@ impl WasmtimeConfig {
     /// too.
     pub fn update_module_config(
         &mut self,
-        config: &mut wasm_smith::Config,
+        config: &mut ModuleConfig,
         u: &mut Unstructured<'_>,
     ) -> arbitrary::Result<()> {
         match self.compiler_strategy {
@@ -627,10 +627,11 @@ impl WasmtimeConfig {
                 // at this time, so if winch is selected be sure to disable wasm
                 // proposals in `Config` to ensure that Winch can compile the
                 // module that wasm-smith generates.
-                config.relaxed_simd_enabled = false;
-                config.gc_enabled = false;
-                config.tail_call_enabled = false;
-                config.reference_types_enabled = false;
+                config.config.relaxed_simd_enabled = false;
+                config.config.gc_enabled = false;
+                config.config.tail_call_enabled = false;
+                config.config.reference_types_enabled = false;
+                config.function_references_enabled = false;
 
                 // Winch's SIMD implementations require AVX and AVX2.
                 if self
@@ -640,7 +641,7 @@ impl WasmtimeConfig {
                         .codegen_flag("has_avx2")
                         .is_some_and(|value| value == "false")
                 {
-                    config.simd_enabled = false;
+                    config.config.simd_enabled = false;
                 }
 
                 // Tuning  the following engine options is currently not supported
@@ -651,7 +652,7 @@ impl WasmtimeConfig {
             }
 
             CompilerStrategy::CraneliftPulley => {
-                config.threads_enabled = false;
+                config.config.threads_enabled = false;
             }
         }
 
@@ -661,7 +662,8 @@ impl WasmtimeConfig {
         // and for wasm threads that will require some refactoring of the
         // `LinearMemory` trait to bubble up the request that the linear memory
         // not move. Otherwise that just generates a panic right now.
-        if config.threads_enabled || matches!(self.strategy, InstanceAllocationStrategy::Pooling(_))
+        if config.config.threads_enabled
+            || matches!(self.strategy, InstanceAllocationStrategy::Pooling(_))
         {
             self.avoid_custom_unaligned_memory(u)?;
         }
@@ -672,31 +674,38 @@ impl WasmtimeConfig {
             // If the pooling allocator is used, do not allow shared memory to
             // be created. FIXME: see
             // https://github.com/bytecodealliance/wasmtime/issues/4244.
-            config.threads_enabled = false;
+            config.config.threads_enabled = false;
 
             // Ensure the pooling allocator can support the maximal size of
             // memory, picking the smaller of the two to win.
             let min_bytes = config
+                .config
                 .max_memory32_bytes
                 // memory64_bytes is a u128, but since we are taking the min
                 // we can truncate it down to a u64.
-                .min(config.max_memory64_bytes.try_into().unwrap_or(u64::MAX));
+                .min(
+                    config
+                        .config
+                        .max_memory64_bytes
+                        .try_into()
+                        .unwrap_or(u64::MAX),
+                );
             let mut min = min_bytes.min(pooling.max_memory_size as u64);
             if let MemoryConfig::Normal(cfg) = &self.memory_config {
                 min = min.min(cfg.memory_reservation.unwrap_or(0));
             }
             pooling.max_memory_size = min as usize;
-            config.max_memory32_bytes = min;
-            config.max_memory64_bytes = min as u128;
+            config.config.max_memory32_bytes = min;
+            config.config.max_memory64_bytes = min as u128;
 
             // If traps are disallowed then memories must have at least one page
             // of memory so if we still are only allowing 0 pages of memory then
             // increase that to one here.
-            if config.disallow_traps {
+            if config.config.disallow_traps {
                 if pooling.max_memory_size < (1 << 16) {
                     pooling.max_memory_size = 1 << 16;
-                    config.max_memory32_bytes = 1 << 16;
-                    config.max_memory64_bytes = 1 << 16;
+                    config.config.max_memory32_bytes = 1 << 16;
+                    config.config.max_memory64_bytes = 1 << 16;
                     if let MemoryConfig::Normal(cfg) = &mut self.memory_config {
                         match &mut cfg.memory_reservation {
                             Some(size) => *size = (*size).max(pooling.max_memory_size as u64),
@@ -712,13 +721,13 @@ impl WasmtimeConfig {
 
             // Don't allow too many linear memories per instance since massive
             // virtual mappings can fail to get allocated.
-            config.min_memories = config.min_memories.min(10);
-            config.max_memories = config.max_memories.min(10);
+            config.config.min_memories = config.config.min_memories.min(10);
+            config.config.max_memories = config.config.max_memories.min(10);
 
             // Force this pooling allocator to always be able to accommodate the
             // module that may be generated.
-            pooling.total_memories = config.max_memories as u32;
-            pooling.total_tables = config.max_tables as u32;
+            pooling.total_memories = config.config.max_memories as u32;
+            pooling.total_tables = config.config.max_tables as u32;
         }
 
         if !self.signals_based_traps {
@@ -728,7 +737,7 @@ impl WasmtimeConfig {
             // fixable with some more work on the bounds-checks side of things
             // to do a full bounds check even on static memories, but that's
             // left for a future PR.
-            config.threads_enabled = false;
+            config.config.threads_enabled = false;
 
             // Spectre-based heap mitigations require signal handlers so this
             // must always be disabled if signals-based traps are disabled.
diff --git a/crates/fuzzing/src/generators/module.rs b/crates/fuzzing/src/generators/module.rs
@@ -41,8 +41,8 @@ impl<'a> Arbitrary<'a> for ModuleConfig {
         let _ = config.relaxed_simd_enabled;
         let _ = config.tail_call_enabled;
         let _ = config.extended_const_enabled;
+        let _ = config.gc_enabled;
         config.exceptions_enabled = false;
-        config.gc_enabled = false;
         config.custom_page_sizes_enabled = u.arbitrary()?;
         config.wide_arithmetic_enabled = u.arbitrary()?;
         config.memory64_enabled = u.ratio(1, 20)?;
diff --git a/crates/fuzzing/src/generators/value.rs b/crates/fuzzing/src/generators/value.rs
@@ -267,6 +267,7 @@ impl PartialEq for DiffValue {
             }
             (Self::FuncRef { null: a }, Self::FuncRef { null: b }) => a == b,
             (Self::ExternRef { null: a }, Self::ExternRef { null: b }) => a == b,
+            (Self::AnyRef { null: a }, Self::AnyRef { null: b }) => a == b,
             _ => false,
         }
     }
@@ -302,7 +303,7 @@ impl TryFrom<wasmtime::ValType> for DiffValueType {
                 (true, HeapType::Any) => Ok(Self::AnyRef),
                 (true, HeapType::I31) => Ok(Self::AnyRef),
                 (true, HeapType::None) => Ok(Self::AnyRef),
-                _ => Err("non-funcref and non-externref reference types are not supported yet"),
+                _ => Err("non-null reference types are not supported yet"),
             },
         }
     }
diff --git a/crates/fuzzing/src/oracles.rs b/crates/fuzzing/src/oracles.rs
@@ -369,8 +369,11 @@ pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -
     // Creation of imports can fail due to resource limit constraints, and then
     // instantiation can naturally fail for a number of reasons as well. Bundle
     // the two steps together to match on the error below.
-    let instance =
-        dummy::dummy_linker(store, module).and_then(|l| l.instantiate(&mut *store, module));
+    let linker = dummy::dummy_linker(store, module);
+    if let Err(e) = &linker {
+        log::warn!("failed to create dummy linker: {e:?}");
+    }
+    let instance = linker.and_then(|l| l.instantiate(&mut *store, module));
     unwrap_instance(store, instance)
 }
 
@@ -507,6 +510,18 @@ pub enum DiffEqResult<T, U> {
     Failed,
 }
 
+fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool {
+    match trap {
+        // Allocations being too large for the GC are
+        // implementation-defined.
+        Trap::AllocationTooLarge |
+        // Stack size, and therefore when overflow happens, is
+        // implementation-defined.
+        Trap::StackOverflow => true,
+        _ => false,
+    }
+}
+
 impl<T, U> DiffEqResult<T, U> {
     /// Computes the differential result from executing in two different
     /// engines.
@@ -518,6 +533,8 @@ impl<T, U> DiffEqResult<T, U> {
         match (lhs_result, rhs_result) {
             (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result),
 
+            (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => DiffEqResult::Poisoned,
+
             // Both sides failed. Check that the trap and state at the time of
             // failure is the same, when possible.
             (Err(lhs), Err(rhs)) => {
@@ -528,31 +545,24 @@ impl<T, U> DiffEqResult<T, U> {
                     // a deterministic Wasm failure that both engines handled
                     // identically, leaving Wasm in identical states. We could
                     // just as easily be hitting engine-specific failures, like
-                    // different implementation-defined limits. So simply report
-                    // failure and move on to the next test.
+                    // different implementation-defined limits. So simply poison
+                    // this execution and move on to the next test.
                     Err(err) => {
                         log::debug!("rhs failed: {err:?}");
-                        return DiffEqResult::Failed;
+                        return DiffEqResult::Poisoned;
                     }
                 };
 
                 // Even some traps are nondeterministic, and we can't rely on
                 // the errors matching or leaving Wasm in the same state.
-                let poisoned =
-                    // Allocations being too large for the GC are
-                    // implementation-defined.
-                    rhs == Trap::AllocationTooLarge
-                    // Stack size, and therefore when overflow happens, is
-                    // implementation-defined.
-                    || rhs == Trap::StackOverflow
-                    || lhs_engine.is_stack_overflow(&lhs);
-                if poisoned {
+                if wasmtime_trap_is_non_deterministic(&rhs) {
                     return DiffEqResult::Poisoned;
                 }
 
                 lhs_engine.assert_error_match(&lhs, &rhs);
                 DiffEqResult::Failed
             }
+
             // A real bug is found if only one side fails.
             (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"),
             (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"),
@@ -1337,6 +1347,8 @@ mod tests {
             | WasmFeatures::TAIL_CALL
             | WasmFeatures::WIDE_ARITHMETIC
             | WasmFeatures::MEMORY64
+            | WasmFeatures::FUNCTION_REFERENCES
+            | WasmFeatures::GC
             | WasmFeatures::GC_TYPES
             | WasmFeatures::CUSTOM_PAGE_SIZES
             | WasmFeatures::EXTENDED_CONST;
diff --git a/crates/fuzzing/src/oracles/diff_spec.rs b/crates/fuzzing/src/oracles/diff_spec.rs
@@ -49,7 +49,7 @@ impl DiffEngine for SpecInterpreter {
         let _ = (trap, err);
     }
 
-    fn is_stack_overflow(&self, err: &Error) -> bool {
+    fn is_non_deterministic_error(&self, err: &Error) -> bool {
         err.to_string().contains("(Isabelle) call stack exhausted")
     }
 }
diff --git a/crates/fuzzing/src/oracles/diff_v8.rs b/crates/fuzzing/src/oracles/diff_v8.rs
@@ -145,7 +145,7 @@ impl DiffEngine for V8Engine {
         verify_wasmtime("not possibly present in an error, just panic please");
     }
 
-    fn is_stack_overflow(&self, err: &Error) -> bool {
+    fn is_non_deterministic_error(&self, err: &Error) -> bool {
         err.to_string().contains("Maximum call stack size exceeded")
     }
 }
diff --git a/crates/fuzzing/src/oracles/diff_wasmi.rs b/crates/fuzzing/src/oracles/diff_wasmi.rs
@@ -85,7 +85,7 @@ impl DiffEngine for WasmiEngine {
         }
     }
 
-    fn is_stack_overflow(&self, err: &Error) -> bool {
+    fn is_non_deterministic_error(&self, err: &Error) -> bool {
         matches!(
             self.trap_code(err),
             Some(wasmi::core::TrapCode::StackOverflow)
diff --git a/crates/fuzzing/src/oracles/diff_wasmtime.rs b/crates/fuzzing/src/oracles/diff_wasmtime.rs
@@ -26,13 +26,15 @@ impl WasmtimeEngine {
     ) -> arbitrary::Result<Self> {
         let mut new_config = u.arbitrary::<WasmtimeConfig>()?;
         new_config.compiler_strategy = compiler_strategy;
-        new_config.update_module_config(&mut config.module_config.config, u)?;
+        new_config.update_module_config(&mut config.module_config, u)?;
         new_config.make_compatible_with(&config.wasmtime);
 
         let config = generators::Config {
             wasmtime: new_config,
             module_config: config.module_config.clone(),
         };
+        log::debug!("Created new Wasmtime differential engine with config: {config:?}");
+
         Ok(Self { config })
     }
 }
@@ -57,12 +59,13 @@ impl DiffEngine for WasmtimeEngine {
         let lhs = lhs
             .downcast_ref::<Trap>()
             .expect(&format!("not a trap: {lhs:?}"));
+
         assert_eq!(lhs, rhs, "{lhs}\nis not equal to\n{rhs}");
     }
 
-    fn is_stack_overflow(&self, err: &Error) -> bool {
+    fn is_non_deterministic_error(&self, err: &Error) -> bool {
         match err.downcast_ref::<Trap>() {
-            Some(trap) => *trap == Trap::StackOverflow,
+            Some(trap) => super::wasmtime_trap_is_non_deterministic(trap),
             None => false,
         }
     }
@@ -118,11 +121,10 @@ impl WasmtimeInstance {
 
         globals
             .into_iter()
-            .map(|(name, global)| {
-                (
-                    name,
-                    global.ty(&self.store).content().clone().try_into().unwrap(),
-                )
+            .filter_map(|(name, global)| {
+                DiffValueType::try_from(global.ty(&self.store).content().clone())
+                    .map(|ty| (name, ty))
+                    .ok()
             })
             .collect()
     }
diff --git a/crates/fuzzing/src/oracles/engine.rs b/crates/fuzzing/src/oracles/engine.rs
@@ -61,9 +61,12 @@ pub trait DiffEngine {
     /// generated.
     fn assert_error_match(&self, err: &Error, trap: &Trap);
 
-    /// Returns whether the error specified from this engine might be stack
-    /// overflow.
-    fn is_stack_overflow(&self, err: &Error) -> bool;
+    /// Returns whether the error specified from this engine is
+    /// non-deterministic, like a stack overflow or an attempt to allocate an
+    /// object that is too large (which is non-deterministic because it may
+    /// depend on which collector it was configured with or memory available on
+    /// the system).
+    fn is_non_deterministic_error(&self, err: &Error) -> bool;
 }
 
 /// Provide a way to evaluate Wasm functions--a Wasm instance implemented by a
diff --git a/crates/wasmtime/src/runtime/linker.rs b/crates/wasmtime/src/runtime/linker.rs
@@ -8,7 +8,7 @@ use crate::{
     Instance, Module, StoreContextMut, Val, ValRaw, ValType,
 };
 use alloc::sync::Arc;
-use core::fmt;
+use core::fmt::{self, Debug};
 use core::marker;
 #[cfg(feature = "async")]
 use core::{future::Future, pin::Pin};
@@ -90,6 +90,12 @@ pub struct Linker<T> {
     _marker: marker::PhantomData<fn() -> T>,
 }
 
+impl<T> Debug for Linker<T> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Linker").finish_non_exhaustive()
+    }
+}
+
 impl<T> Clone for Linker<T> {
     fn clone(&self) -> Linker<T> {
         Linker {
diff --git a/crates/wasmtime/src/runtime/vm/gc/enabled/free_list.rs b/crates/wasmtime/src/runtime/vm/gc/enabled/free_list.rs
@@ -310,14 +310,6 @@ fn blocks_are_contiguous(prev_index: u32, prev_len: u32, next_index: u32) -> boo
     // the size of the `Layout` given to us upon deallocation (aka `prev_len`)
     // is smaller than the actual size of the block we allocated.
     let end_of_prev = prev_index + prev_len;
-    log::trace!(
-        "checking for overlapping blocks: \n\
-         \t prev_index = {prev_index:#x}\n\
-         \t   prev_len = {prev_len:#x}\n\
-         \tend_of_prev = {end_of_prev:#x}\n\
-         \t next_index = {next_index:#x}\n\
-         `next_index` should be >= `end_of_prev`"
-    );
     debug_assert!(
         next_index >= end_of_prev,
         "overlapping blocks: \n\
diff --git a/crates/wasmtime/src/runtime/vm/traphandlers.rs b/crates/wasmtime/src/runtime/vm/traphandlers.rs
diff --git a/fuzz/fuzz_targets/differential.rs b/fuzz/fuzz_targets/differential.rs

Original file line number	Diff line number	Diff line change
`@@ -267,6 +267,7 @@ impl PartialEq for DiffValue {`
`267`	`267`	`}`
`268`	`268`	`(Self::FuncRef { null: a }, Self::FuncRef { null: b }) => a == b,`
`269`	`269`	`(Self::ExternRef { null: a }, Self::ExternRef { null: b }) => a == b,`
	`270`	`+ (Self::AnyRef { null: a }, Self::AnyRef { null: b }) => a == b,`
`270`	`271`	`_ => false,`
`271`	`272`	`}`
`272`	`273`	`}`
`@@ -302,7 +303,7 @@ impl TryFrom<wasmtime::ValType> for DiffValueType {`
`302`	`303`	`(true, HeapType::Any) => Ok(Self::AnyRef),`
`303`	`304`	`(true, HeapType::I31) => Ok(Self::AnyRef),`
`304`	`305`	`(true, HeapType::None) => Ok(Self::AnyRef),`
`305`		`- _ => Err("non-funcref and non-externref reference types are not supported yet"),`
	`306`	`+ _ => Err("non-null reference types are not supported yet"),`
`306`	`307`	`},`
`307`	`308`	`}`
`308`	`309`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ impl DiffEngine for SpecInterpreter {`
`49`	`49`	`let _ = (trap, err);`
`50`	`50`	`}`
`51`	`51`
`52`		`- fn is_stack_overflow(&self, err: &Error) -> bool {`
	`52`	`+ fn is_non_deterministic_error(&self, err: &Error) -> bool {`
`53`	`53`	`err.to_string().contains("(Isabelle) call stack exhausted")`
`54`	`54`	`}`
`55`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ impl DiffEngine for V8Engine {`
`145`	`145`	`verify_wasmtime("not possibly present in an error, just panic please");`
`146`	`146`	`}`
`147`	`147`
`148`		`- fn is_stack_overflow(&self, err: &Error) -> bool {`
	`148`	`+ fn is_non_deterministic_error(&self, err: &Error) -> bool {`
`149`	`149`	`err.to_string().contains("Maximum call stack size exceeded")`
`150`	`150`	`}`
`151`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ impl DiffEngine for WasmiEngine {`
`85`	`85`	`}`
`86`	`86`	`}`
`87`	`87`
`88`		`- fn is_stack_overflow(&self, err: &Error) -> bool {`
	`88`	`+ fn is_non_deterministic_error(&self, err: &Error) -> bool {`
`89`	`89`	`matches!(`
`90`	`90`	`self.trap_code(err),`
`91`	`91`	`Some(wasmi::core::TrapCode::StackOverflow)`