feat[fuzz]: add WASM fuzzer support for wasmfuzz (#5575)

## Summary
- Add support for building the array_ops fuzzer as a WASM binary for
wasmfuzz
- Native fuzzer targets (array_ops, file_io) continue to work unchanged
- Add CI workflow to test WASM fuzzer for array_ops

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: Joe Isaacs <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: joseph-isaacs

.github/workflows/wasm-fuzz.yml

@@ -0,0 +1,88 @@
+name: WASM Fuzz
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: "0 2 * * *"
+
+permissions:
+  contents: read
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  wasm-fuzz:
+    name: "Build & Fuzz WASM"
+    runs-on: ubuntu-latest
+    timeout-minutes: 270
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: ./.github/actions/setup-rust
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          toolchain: nightly
+          targets: "wasm32-wasip1"
+          components: "rust-src"
+
+      - name: Build WASM fuzz target
+        run: |
+          cargo +nightly build \
+            --manifest-path fuzz/Cargo.toml \
+            --target wasm32-wasip1 \
+            --no-default-features \
+            --features wasmfuzz \
+            --release \
+            --bin array_ops_wasm
+
+      - name: Install wabt tools
+        run: sudo apt-get update && sudo apt-get install -y wabt
+
+      - name: Verify WASM exports
+        run: |
+          echo "Checking for required wasmfuzz exports..."
+          wasm-objdump -x target/wasm32-wasip1/release/array_ops_wasm.wasm | grep -E "(LLVMFuzzerTestOneInput|wasmfuzz_malloc|wasmfuzz_free)"
+
+      - name: Install wasmfuzz
+        run: cargo install --git https://github.com/CISPA-SysSec/wasmfuzz --locked
+
+      - name: Run wasmfuzz
+        id: fuzz
+        run: |
+          mkdir -p corpus-wasm
+          # Capture exit code - wasmfuzz exits with error on crash
+          set +e
+          wasmfuzz fuzz \
+            --timeout=4h \
+            --cores 2 \
+            --dir corpus-wasm/ \
+            target/wasm32-wasip1/release/array_ops_wasm.wasm
+          FUZZ_EXIT=$?
+          set -e
+          echo "exit_code=$FUZZ_EXIT" >> $GITHUB_OUTPUT
+          if [ $FUZZ_EXIT -ne 0 ]; then
+            echo "crash_found=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Replay crash inputs
+        if: steps.fuzz.outputs.crash_found == 'true'
+        run: |
+          echo "::error::Crash found during fuzzing! Replaying inputs for debug output..."
+          for input in corpus-wasm/*; do
+            echo "=== Replaying: $input ==="
+            wasmfuzz run --trace target/wasm32-wasip1/release/array_ops_wasm.wasm "$input" || true
+          done
+
+      - name: Upload corpus
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: corpus-wasm
+          path: corpus-wasm/
+          retention-days: 30
+
+      - name: Fail if crash found
+        if: steps.fuzz.outputs.crash_found == 'true'
+        run: exit 1

Cargo.lock

@@ -0,0 +1,20 @@
+# Configuration for wasmfuzz builds
+# These flags are based on wasmfuzz's build-rust-harness.py
+
+[target.wasm32-wasip1]
+rustflags = [
+    # Embed source for coverage reports
+    "-Zembed-source=yes",
+    "-Zdwarf-version=5",
+    "-g",
+    # Static linking
+    "-Ctarget-feature=+crt-static",
+    # lime1 CPU for wasmfuzz compatibility
+    "-Ctarget-cpu=lime1",
+    # Reactor mode for persistent fuzzing
+    "-Zwasi-exec-model=reactor",
+]
+
+[unstable]
+# Required for building std to wasm32-wasip1
+build-std = ["std", "panic_abort"]

fuzz/.cargo/config.toml

@@ -17,24 +17,36 @@ version = { workspace = true }
 [package.metadata]
 cargo-fuzz = true
 
+[features]
+default = ["native"]
+native = ["libfuzzer-sys", "zstd", "vortex-file"]
+wasmfuzz = []
+zstd = ["vortex-layout/zstd"]
+
 [dependencies]
+# Always needed - arbitrary is used for input generation
+arbitrary = { workspace = true }
 itertools = { workspace = true }
-libfuzzer-sys = { workspace = true }
 strum = { workspace = true, features = ["derive"] }
-vortex = { workspace = true }
+
+# Vortex core - no default features for WASM compatibility (files feature pulls in tokio)
+vortex = { path = "../vortex", default-features = false }
 vortex-array = { workspace = true, features = ["arbitrary", "test-harness"] }
 vortex-btrblocks = { workspace = true }
 vortex-buffer = { workspace = true }
 vortex-dtype = { workspace = true, features = ["arbitrary"] }
 vortex-error = { workspace = true }
-vortex-file = { workspace = true, features = ["tokio", "zstd"] }
 vortex-io = { workspace = true }
-vortex-layout = { workspace = true, features = ["zstd"] }
+vortex-layout = { workspace = true }
 vortex-mask = { workspace = true }
 vortex-scalar = { workspace = true, features = ["arbitrary"] }
 vortex-session = { workspace = true }
 vortex-utils = { workspace = true }
 
+# Native-only: libfuzzer harness and file IO (won't compile to WASM)
+libfuzzer-sys = { workspace = true, optional = true }
+vortex-file = { workspace = true, optional = true }
+
 [lints]
 workspace = true
 
@@ -44,10 +56,20 @@ doc = false
 name = "array_ops"
 path = "fuzz_targets/array_ops.rs"
 test = false
+required-features = ["native"]
 
 [[bin]]
 bench = false
 doc = false
 name = "file_io"
 path = "fuzz_targets/file_io.rs"
 test = false
+required-features = ["native"]
+
+[[bin]]
+bench = false
+doc = false
+name = "array_ops_wasm"
+path = "fuzz_targets/array_ops_wasm.rs"
+test = false
+required-features = ["wasmfuzz"]

fuzz/Cargo.toml

@@ -0,0 +1,53 @@
+# SPDX-License-Identifier: Apache-2.0
+# SPDX-FileCopyrightText: Copyright the Vortex contributors
+
+#!/bin/bash
+# Build the vortex-fuzz crate for wasmfuzz
+#
+# This script builds the fuzzer binary for the wasm32-wasip1 target,
+# which can then be used with wasmfuzz for coverage-guided fuzzing.
+#
+# Prerequisites:
+#   - Nightly Rust toolchain (for -Z flags)
+#   - wasm32-wasip1 target: rustup +nightly target add wasm32-wasip1
+#   - wasmfuzz: cargo install --git https://github.com/CISPA-SysSec/wasmfuzz
+#
+# Usage:
+#   ./build-wasmfuzz.sh
+#
+# After building, run with wasmfuzz:
+#   wasmfuzz fuzz --timeout=1h --cores 8 --dir corpus/ \
+#       target/wasm32-wasip1/release/array_ops_wasm.wasm
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR/.."
+
+echo "Building vortex-fuzz for wasm32-wasip1..."
+
+# Build the WASM binary with nightly for -Z flags (build-std, embed-source, etc.)
+rustup run nightly cargo build \
+    --manifest-path fuzz/Cargo.toml \
+    --target wasm32-wasip1 \
+    --no-default-features \
+    --features wasmfuzz \
+    --release \
+    --bin array_ops_wasm
+
+WASM_OUTPUT="target/wasm32-wasip1/release/array_ops_wasm.wasm"
+
+if [ -f "$WASM_OUTPUT" ]; then
+    echo ""
+    echo "Build successful!"
+    echo "Output: $WASM_OUTPUT"
+    echo ""
+    echo "To run with wasmfuzz:"
+    echo "  wasmfuzz fuzz --timeout=1h --cores 8 --dir corpus/ $WASM_OUTPUT"
+    echo ""
+    echo "See: https://github.com/CISPA-SysSec/wasmfuzz"
+else
+    echo "Build completed but .wasm output not found at expected location."
+    echo "Check target/wasm32-wasip1/release/ for outputs:"
+    ls -la target/wasm32-wasip1/release/ 2>/dev/null || echo "Directory not found"
+fi