Use Honggfuzz for fuzzing targets (#1234)

* Convert fuzzing targets to honggfuzz

* Update workflows for honggfuzz targets

* Format

* Clean up wasm_smith config generation

* Allow ty_to_val to generate random values

* Use fuel-metering and lazy compilation in execute harness

* Disable tail calls for differential fuzzing

* Remove dead code

* Use sudo for apt-get

* Fix clippy

* Allow multiple memories where supported

* Add comment for swarm module

* Use CompilationMode::Eager for executor harness

* Use existing Arbitrary instances for primitive types in ty_to_arbitrary_val

---------

Co-authored-by: Scott Guest <[email protected]>

Author: gtrepta

.github/workflows/rust.yml

@@ -198,64 +198,12 @@ jobs:
       - name: Check uDeps
         run: cargo udeps --all-targets
 
-  fuzz-translate:
-    name: Fuzz (Translation)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
-        with:
-          submodules: true
-      - uses: dtolnay/rust-toolchain@master
-        with:
-          # Pin nightly so that it does not invalidate GitHub Actions cache too frequently.
-          toolchain: nightly-2024-09-24
-      - name: Set up Rust cache
-        uses: Swatinem/rust-cache@v2
-        with:
-          cache-directories: |
-            ~/fuzz/corpus/translate/
-            ~/fuzz/corpus/translate_metered/
-      - name: Install cargo-fuzz
-        run: |
-          # Note: We use `|| true` because cargo install returns an error
-          #       if cargo-udeps was already installed on the CI runner.
-          cargo install cargo-fuzz || true
-      - name: Build Fuzzing
-        run: cargo fuzz build translate
-      - name: Fuzz (Translation)
-        run: cargo fuzz run translate -j 2 --verbose -- -max_total_time=60 # 1 minute of fuzzing
-      - name: Fuzz (Translation) + fuel
-        run: cargo fuzz run translate_metered -j 2 --verbose -- -max_total_time=60 # 1 minute of fuzzing
-
-  fuzz-execute:
-    name: Fuzz (Execution)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
-        with:
-          submodules: true
-      - uses: dtolnay/rust-toolchain@master
-        with:
-          # Pin nightly so that it does not invalidate GitHub Actions cache too frequently.
-          toolchain: nightly-2024-09-24
-      - name: Set up Rust cache
-        uses: Swatinem/rust-cache@v2
-        with:
-          cache-directories: |
-            ~/fuzz/corpus/execute/
-      - name: Install cargo-fuzz
-        run: |
-          # Note: We use `|| true` because cargo install returns an error
-          #       if cargo-udeps was already installed on the CI runner.
-          cargo install cargo-fuzz || true
-      - name: Build Fuzzing
-        run: cargo fuzz build execute
-      - name: Fuzz (Execution)
-        run: cargo fuzz run execute -j 2 --verbose -- -max_total_time=120 # 2 minutes of fuzzing
-
-  fuzz-differential:
-    name: Fuzz (Differential)
+  fuzz:
+    name: Fuzz
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        fuzz_target: ['translate', 'translate_metered', 'execute', 'differential']
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
         with:
@@ -268,16 +216,16 @@ jobs:
         uses: Swatinem/rust-cache@v2
         with:
           cache-directories: |
-            ~/fuzz/corpus/differential/
-      - name: Install cargo-fuzz
+            ${{ github.workspace }}/hfuzz_target
+            ${{ github.workspace }}/hfuzz_workspace
+      - name: Install cargo-honggfuzz and dependencies
         run: |
-          # Note: We use `|| true` because cargo install returns an error
-          #       if cargo-udeps was already installed on the CI runner.
-          cargo install cargo-fuzz || true
-      - name: Build Fuzzing
-        run: cargo fuzz build differential
-      - name: Fuzz (Differential)
-        run: cargo fuzz run differential -j 2 --verbose -- -max_total_time=120 # 2 minutes of fuzzing
+          cargo install honggfuzz || true
+          sudo apt-get update && sudo apt-get install --yes binutils-dev libunwind-dev
+      - name: Run HFuzz
+        env:
+          HFUZZ_RUN_ARGS: "--run_time 120 --verbose --quiet" # 2 minutes of fuzzing
+        run: cargo hfuzz run ${{ matrix.fuzz_target }}
 
   miri:
     name: Miri

Cargo.lock

@@ -11,7 +11,7 @@ edition.workspace = true
 cargo-fuzz = true
 
 [dependencies]
-libfuzzer-sys = "0.4.7"
+honggfuzz = "0.5"
 wasmi-stack = { package = "wasmi", version = "0.31.2" }
 wasmtime = "21.0.1"
 wasmi = { workspace = true, features = ["std"] }

fuzz/Cargo.toml

@@ -1,10 +1,9 @@
-#![no_main]
-
 mod utils;
 
-use libfuzzer_sys::fuzz_target;
+use arbitrary::Unstructured;
+use honggfuzz::fuzz;
 use std::{collections::hash_map::RandomState, mem};
-use utils::{arbitrary_exec_module, ty_to_val};
+use utils::arbitrary_config;
 use wasmi as wasmi_reg;
 use wasmi_reg::core::{F32, F64};
 
@@ -68,7 +67,15 @@ impl WasmiRegister {
     }
 
     fn type_to_value(ty: &wasmi_reg::core::ValType) -> wasmi_reg::Val {
-        ty_to_val(ty)
+        match ty {
+            wasmi_reg::core::ValType::I32 => wasmi_reg::Val::I32(1),
+            wasmi_reg::core::ValType::I64 => wasmi_reg::Val::I64(1),
+            wasmi_reg::core::ValType::F32 => wasmi_reg::Val::F32(1.0.into()),
+            wasmi_reg::core::ValType::F64 => wasmi_reg::Val::F64(1.0.into()),
+            unsupported => panic!(
+                "differential fuzzing does not support reference types, yet but found: {unsupported:?}"
+            ),
+        }
     }
 }
 
@@ -169,7 +176,7 @@ impl WasmiStack {
             ValueType::F32 => wasmi_stack::Value::F32(1.0.into()),
             ValueType::F64 => wasmi_stack::Value::F64(1.0.into()),
             unsupported => panic!(
-                "execution fuzzing does not support reference types, yet but found: {unsupported:?}"
+                "differential fuzzing does not support reference types, yet but found: {unsupported:?}"
             ),
         }
     }
@@ -254,7 +261,7 @@ impl Wasmtime {
             wasmtime::ValType::F32 => wasmtime::Val::F32(1.0_f32.to_bits()),
             wasmtime::ValType::F64 => wasmtime::Val::F64(1.0_f64.to_bits()),
             unsupported => panic!(
-                "execution fuzzing does not support reference types, yet but found: {unsupported:?}"
+                "differential fuzzing does not support reference types, yet but found: {unsupported:?}"
             ),
         }
     }
@@ -613,31 +620,44 @@ impl FuzzContext {
     }
 }
 
-fuzz_target!(|data: &[u8]| {
-    let Ok(mut smith_module) = arbitrary_exec_module(data) else {
-        return;
-    };
-    // Note: We cannot use built-in fuel metering of the different engines since that
-    //       would introduce unwanted non-determinism with respect to fuzz testing.
-    let Ok(_) = smith_module.ensure_termination(1_000 /* fuel */) else {
-        return;
-    };
-    let wasm = smith_module.to_bytes();
-    let Some(wasmi_register) = <WasmiRegister as DifferentialTarget>::setup(&wasm[..]) else {
-        return;
-    };
-    let Some(wasmi_stack) = <WasmiStack as DifferentialTarget>::setup(&wasm[..]) else {
-        panic!("wasmi (register) succeeded to create Context while wasmi (stack) failed");
-    };
-    let exports = wasmi_register.exports();
-    let mut context = FuzzContext {
-        wasm,
-        wasmi_register,
-        wasmi_stack,
-        exports,
-    };
-    context.run();
-});
+fn main() {
+    loop {
+        fuzz!(|seed: &[u8]| {
+            let mut unstructured = Unstructured::new(seed);
+            let Ok(mut smith_module) =
+                arbitrary_config(&mut unstructured).and_then(|mut config| {
+                    config.reference_types_enabled = false;
+                    config.tail_call_enabled = false;
+                    config.max_memories = 1;
+                    wasm_smith::Module::new(config, &mut unstructured)
+                })
+            else {
+                return;
+            };
+            // Note: We cannot use built-in fuel metering of the different engines since that
+            //       would introduce unwanted non-determinism with respect to fuzz testing.
+            let Ok(_) = smith_module.ensure_termination(1_000 /* fuel */) else {
+                return;
+            };
+            let wasm = smith_module.to_bytes();
+            let Some(wasmi_register) = <WasmiRegister as DifferentialTarget>::setup(&wasm[..])
+            else {
+                return;
+            };
+            let Some(wasmi_stack) = <WasmiStack as DifferentialTarget>::setup(&wasm[..]) else {
+                panic!("wasmi (register) succeeded to create Context while wasmi (stack) failed");
+            };
+            let exports = wasmi_register.exports();
+            let mut context = FuzzContext {
+                wasm,
+                wasmi_register,
+                wasmi_stack,
+                exports,
+            };
+            context.run();
+        });
+    }
+}
 
 #[derive(Debug, Copy, Clone)]
 pub enum FuzzValue {