fix: add wasmfuzz_malloc/wasmfuzz_free exports and daily cron job

- Add wasmfuzz_malloc and wasmfuzz_free exports that wasmfuzz requires
  for passing fuzz input data to the WASM binary
- Configure daily cron job at 2 AM UTC that runs for 4 hours
- Add workflow_dispatch input to configure fuzz duration
- Upload corpus and crash artifacts for investigation
- Only run full fuzzing on schedule/dispatch, build-only on PRs

Signed-off-by: Joe Isaacs <[email protected]>

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: joseph-isaacs

.github/workflows/wasm-fuzz.yml

@@ -1,11 +1,20 @@
-name: WASM Fuzz Build
+name: WASM Fuzz
 
 on:
   pull_request:
     paths:
       - "fuzz/**"
       - ".github/workflows/wasm-fuzz.yml"
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      fuzz_duration:
+        description: "Fuzzing duration in hours"
+        required: false
+        default: "4"
+        type: string
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: "0 2 * * *"
 
 permissions:
   contents: read
@@ -46,10 +55,11 @@ jobs:
       - name: Install wabt tools
         run: sudo apt-get update && sudo apt-get install -y wabt
 
-      - name: Verify LLVMFuzzerTestOneInput export
+      - name: Verify WASM exports
         run: |
-          wasm-objdump -x target/wasm32-wasip1/release/array_ops_wasm.wasm | grep -E "LLVMFuzzer"
-          echo "LLVMFuzzerTestOneInput is properly exported"
+          echo "Checking for required wasmfuzz exports..."
+          wasm-objdump -x target/wasm32-wasip1/release/array_ops_wasm.wasm | grep -E "(LLVMFuzzerTestOneInput|wasmfuzz_malloc|wasmfuzz_free)"
+          echo "All required exports present: LLVMFuzzerTestOneInput, wasmfuzz_malloc, wasmfuzz_free"
 
       - name: Setup Wasmtime
         uses: bytecodealliance/actions/wasmtime/setup@v1
@@ -69,11 +79,13 @@ jobs:
           retention-days: 7
 
   test-wasmfuzz:
-    name: "Test with wasmfuzz"
+    name: "Fuzz with wasmfuzz"
     runs-on: ubuntu-latest
-    timeout-minutes: 60
+    # 4.5 hours to allow 4 hours of fuzzing + setup time
+    timeout-minutes: 270
     needs: build-wasm-fuzz
-    continue-on-error: true
+    # Only run full fuzzing on schedule or manual dispatch, skip on PRs
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
     steps:
       - uses: actions/checkout@v6
 
@@ -95,12 +107,57 @@ jobs:
           cargo install --git https://github.com/CISPA-SysSec/wasmfuzz --locked
           echo "installed=true" >> $GITHUB_OUTPUT
 
-      - name: Run wasmfuzz (brief test)
+      - name: Determine fuzz duration
+        id: duration
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            HOURS="${{ github.event.inputs.fuzz_duration }}"
+          else
+            # Default to 4 hours for scheduled runs
+            HOURS="4"
+          fi
+          echo "hours=$HOURS" >> $GITHUB_OUTPUT
+          echo "Fuzzing will run for $HOURS hour(s)"
+
+      - name: Run wasmfuzz
+        if: steps.install-wasmfuzz.outputs.installed == 'true'
+        run: |
+          mkdir -p corpus crashes
+          DURATION="${{ steps.duration.outputs.hours }}h"
+          echo "Running wasmfuzz for $DURATION"
+          wasmfuzz fuzz \
+            --timeout="$DURATION" \
+            --cores 2 \
+            --dir corpus/ \
+            ./wasm-fuzzer/array_ops_wasm.wasm || true
+          echo "wasmfuzz completed"
+
+      - name: Check for crashes
         if: steps.install-wasmfuzz.outputs.installed == 'true'
         run: |
-          mkdir -p corpus
-          timeout 60s wasmfuzz fuzz --cores 1 --dir corpus/ ./wasm-fuzzer/array_ops_wasm.wasm || true
-          echo "wasmfuzz test completed"
+          if [ -d "crashes" ] && [ "$(ls -A crashes 2>/dev/null)" ]; then
+            echo "::error::Crashes found during fuzzing!"
+            ls -la crashes/
+            exit 1
+          else
+            echo "No crashes found"
+          fi
+
+      - name: Upload corpus
+        if: steps.install-wasmfuzz.outputs.installed == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: fuzz-corpus
+          path: corpus/
+          retention-days: 30
+
+      - name: Upload crashes (if any)
+        if: failure() && steps.install-wasmfuzz.outputs.installed == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: fuzz-crashes
+          path: crashes/
+          retention-days: 90
 
       - name: Report wasmfuzz status
         if: steps.install-wasmfuzz.outputs.installed != 'true'

fuzz/fuzz_targets/array_ops_wasm.rs

@@ -3,11 +3,19 @@
 
 //! WASM-compatible fuzz target for array operations.
 //!
-//! This target is designed to work with wasmfuzz and exports the
-//! `LLVMFuzzerTestOneInput` function that wasmfuzz expects.
+//! This target is designed to work with wasmfuzz and exports:
+//! - `LLVMFuzzerTestOneInput` - the fuzzing entry point
+//! - `wasmfuzz_malloc` / `wasmfuzz_free` - memory allocation for wasmfuzz to pass input data
+//!
+//! wasmfuzz looks for `wasmfuzz_malloc`/`wasmfuzz_free` or `malloc`/`free` exports.
+//! We provide `wasmfuzz_malloc`/`wasmfuzz_free` using Rust's global allocator.
 
 #![allow(clippy::unwrap_used, clippy::result_large_err)]
 
+use std::alloc::Layout;
+use std::alloc::alloc;
+use std::alloc::dealloc;
+
 use arbitrary::Arbitrary;
 use arbitrary::Unstructured;
 use vortex_array::Array;
@@ -38,6 +46,40 @@ use vortex_fuzz::error::VortexFuzzResult;
 use vortex_fuzz::sort_canonical_array;
 use vortex_scalar::Scalar;
 
+/// Allocate memory for wasmfuzz to pass input data.
+///
+/// wasmfuzz requires a `wasmfuzz_malloc` or `malloc` export to allocate space for fuzz inputs.
+///
+/// # Safety
+///
+/// Returns a pointer to allocated memory of at least `size` bytes, or null on failure.
+#[unsafe(no_mangle)]
+pub unsafe extern "C" fn wasmfuzz_malloc(size: usize) -> *mut u8 {
+    if size == 0 {
+        return std::ptr::null_mut();
+    }
+    let layout = match Layout::from_size_align(size, 8) {
+        Ok(layout) => layout,
+        Err(_) => return std::ptr::null_mut(),
+    };
+    unsafe { alloc(layout) }
+}
+
+/// Free memory allocated by wasmfuzz_malloc.
+///
+/// # Safety
+///
+/// The pointer must have been allocated by wasmfuzz_malloc with the given size.
+#[unsafe(no_mangle)]
+pub unsafe extern "C" fn wasmfuzz_free(ptr: *mut u8, size: usize) {
+    if ptr.is_null() || size == 0 {
+        return;
+    }
+    if let Ok(layout) = Layout::from_size_align(size, 8) {
+        unsafe { dealloc(ptr, layout) };
+    }
+}
+
 /// The entry point for wasmfuzz.
 ///
 /// This function is called by wasmfuzz with fuzzer-generated input data.