use crate::config::Config;1use crate::function_generator::FunctionGenerator;2use crate::settings::{Flags, OptLevel};3use anyhow::Result;4use arbitrary::{Arbitrary, Unstructured};5use cranelift::codegen::Context;6use cranelift::codegen::data_value::DataValue;7use cranelift::codegen::ir::{Function, LibCall};8use cranelift::codegen::ir::{UserExternalName, UserFuncName};9use cranelift::codegen::isa::Builder;10use cranelift::prelude::isa::{OwnedTargetIsa, TargetIsa};11use cranelift::prelude::settings::SettingKind;12use cranelift::prelude::*;13use cranelift_arbitrary::CraneliftArbitrary;14use cranelift_native::builder_with_options;15use rand::{Rng, SeedableRng, rngs::SmallRng};16use target_isa_extras::TargetIsaExtras;17use target_lexicon::Architecture;1819mod config;20mod cranelift_arbitrary;21mod function_generator;22mod passes;23mod print;24mod target_isa_extras;2526pub use print::PrintableTestCase;2728pub type TestCaseInput = Vec<DataValue>;2930pub enum IsaFlagGen {31/// When generating ISA flags, ensure that they are all supported by32/// the current host.33Host,34/// All flags available in cranelift are allowed to be generated.35/// We also allow generating all possible values for each enum flag.36All,37}3839pub struct FuzzGen<'r, 'data>40where41'data: 'r,42{43pub u: &'r mut Unstructured<'data>,44pub config: Config,45}4647impl<'r, 'data> FuzzGen<'r, 'data>48where49'data: 'r,50{51pub fn new(u: &'r mut Unstructured<'data>) -> Self {52Self {53u,54config: Config::default(),55}56}5758pub fn generate_signature(&mut self, isa: &dyn TargetIsa) -> Result<Signature> {59let max_params = self.u.int_in_range(self.config.signature_params.clone())?;60let max_rets = self.u.int_in_range(self.config.signature_rets.clone())?;61Ok(self.u.signature(62isa.supports_simd(),63isa.triple().architecture,64max_params,65max_rets,66)?)67}6869pub fn generate_test_inputs(mut self, signature: &Signature) -> Result<Vec<TestCaseInput>> {70let mut inputs = Vec::new();7172// Generate up to "max_test_case_inputs" inputs, we need an upper bound here since73// the fuzzer at some point starts trying to feed us way too many inputs. (I found one74// test case with 130k inputs!)75for _ in 0..self.config.max_test_case_inputs {76let last_len = self.u.len();7778let test_args = signature79.params80.iter()81.map(|p| self.u.datavalue(p.value_type))82.collect::<Result<TestCaseInput>>()?;8384inputs.push(test_args);8586// Continue generating input as long as we just consumed some of self.u. Otherwise87// we'll generate the same test input again and again, forever. Note that once self.u88// becomes empty we obviously can't consume any more of it, so this check is more89// general. Also note that we need to generate at least one input or the fuzz target90// won't actually test anything, so checking at the end of the loop is good, even if91// self.u is empty from the start and we end up with all zeros in test_args.92assert!(self.u.len() <= last_len);93if self.u.len() == last_len {94break;95}96}9798Ok(inputs)99}100101fn run_func_passes(&mut self, func: Function, isa: &dyn TargetIsa) -> Result<Function> {102// Do a NaN Canonicalization pass on the generated function.103//104// Both IEEE754 and the Wasm spec are somewhat loose about what is allowed105// to be returned from NaN producing operations. And in practice this changes106// from X86 to Aarch64 and others. Even in the same host machine, the107// interpreter may produce a code sequence different from cranelift that108// generates different NaN's but produces legal results according to the spec.109//110// These differences cause spurious failures in the fuzzer. To fix this111// we enable the NaN Canonicalization pass that replaces any NaN's produced112// with a single fixed canonical NaN value.113//114// This is something that we can enable via flags for the compiled version, however115// the interpreter won't get that version, so call that pass manually here.116117let mut ctx = Context::for_function(func);118119// We disable the verifier here, since if it fails it prevents a test case from120// being generated and formatted by `cargo fuzz fmt`.121// We run the verifier before compiling the code, so it always gets verified.122let flags = settings::Flags::new({123let mut builder = settings::builder();124builder.set("enable_verifier", "false").unwrap();125builder126});127128// Create a new TargetISA from the given ISA, this ensures that we copy all ISA129// flags, which may have an effect on the code generated by the passes below.130let isa = Builder::from_target_isa(isa)131.finish(flags)132.expect("Failed to build TargetISA");133134// Finally run the NaN canonicalization pass135ctx.canonicalize_nans(isa.as_ref())136.expect("Failed NaN canonicalization pass");137138// Run the int_divz pass139//140// This pass replaces divs and rems with sequences that do not trap141passes::do_int_divz_pass(self, &mut ctx.func)?;142143// This pass replaces fcvt* instructions with sequences that do not trap144passes::do_fcvt_trap_pass(self, &mut ctx.func)?;145146Ok(ctx.func)147}148149pub fn generate_func(150&mut self,151name: UserFuncName,152isa: OwnedTargetIsa,153usercalls: Vec<(UserExternalName, Signature)>,154libcalls: Vec<LibCall>,155) -> Result<Function> {156let sig = self.generate_signature(&*isa)?;157158let func = FunctionGenerator::new(159&mut self.u,160&self.config,161isa.clone(),162name,163sig,164usercalls,165libcalls,166)167.generate()?;168169self.run_func_passes(func, &*isa)170}171172/// Generate a random set of cranelift flags.173/// Only semantics preserving flags are considered174pub fn generate_flags(&mut self, target_arch: Architecture) -> arbitrary::Result<Flags> {175let mut builder = settings::builder();176177let opt = self.u.choose(OptLevel::all())?;178builder.set("opt_level", &format!("{opt}")[..]).unwrap();179180// Boolean flags181// TODO: enable_pinned_reg does not work with our current trampolines. See: #4376182// TODO: is_pic has issues:183// x86: https://github.com/bytecodealliance/wasmtime/issues/5005184// aarch64: https://github.com/bytecodealliance/wasmtime/issues/2735185let bool_settings = [186"enable_alias_analysis",187"unwind_info",188"preserve_frame_pointers",189"enable_heap_access_spectre_mitigation",190"enable_table_access_spectre_mitigation",191"enable_incremental_compilation_cache_checks",192"regalloc_checker",193"enable_llvm_abi_extensions",194];195for flag_name in bool_settings {196let enabled = self197.config198.compile_flag_ratio199.get(&flag_name)200.map(|&(num, denum)| self.u.ratio(num, denum))201.unwrap_or_else(|| bool::arbitrary(self.u))?;202203let value = format!("{enabled}");204builder.set(flag_name, value.as_str()).unwrap();205}206207let supports_inline_probestack = match target_arch {208Architecture::X86_64 => true,209Architecture::Aarch64(_) => true,210Architecture::Riscv64(_) => true,211_ => false,212};213214// Optionally test inline stackprobes on supported platforms215// TODO: Test outlined stack probes.216if supports_inline_probestack && bool::arbitrary(self.u)? {217builder.enable("enable_probestack").unwrap();218builder.set("probestack_strategy", "inline").unwrap();219220let size = self221.u222.int_in_range(self.config.stack_probe_size_log2.clone())?;223builder224.set("probestack_size_log2", &format!("{size}"))225.unwrap();226}227228// Generate random basic block padding229let bb_padding = self230.u231.int_in_range(self.config.bb_padding_log2_size.clone())232.unwrap();233builder234.set("bb_padding_log2_minus_one", &format!("{bb_padding}"))235.unwrap();236237// Fixed settings238239// We need llvm ABI extensions for i128 values on x86, so enable it regardless of240// what we picked above.241if target_arch == Architecture::X86_64 {242builder.enable("enable_llvm_abi_extensions").unwrap();243}244245// FIXME(#9510) remove once this option is permanently disabled246builder.enable("enable_multi_ret_implicit_sret").unwrap();247248// This is the default, but we should ensure that it wasn't accidentally turned off anywhere.249builder.enable("enable_verifier").unwrap();250251// `machine_code_cfg_info` generates additional metadata for the embedder but this doesn't feed back252// into compilation anywhere, we leave it on unconditionally to make sure the generation doesn't panic.253builder.enable("machine_code_cfg_info").unwrap();254255// Differential fuzzing between the interpreter and the host will only256// really work if NaN payloads are canonicalized, so enable this.257builder.enable("enable_nan_canonicalization").unwrap();258259Ok(Flags::new(builder))260}261262/// Generate a random set of ISA flags and apply them to a Builder.263///264/// Based on `mode` we can either allow all flags, or just the subset that is265/// supported by the current host.266///267/// In all cases only a subset of the allowed flags is applied to the builder.268pub fn set_isa_flags(&mut self, builder: &mut Builder, mode: IsaFlagGen) -> Result<()> {269// `max_isa` is the maximal set of flags that we can use.270let max_builder = match mode {271IsaFlagGen::All => {272let mut max_builder = isa::lookup(builder.triple().clone())?;273274for flag in max_builder.iter() {275match flag.kind {276SettingKind::Bool => {277max_builder.enable(flag.name)?;278}279SettingKind::Enum => {280// Since these are enums there isn't a "max" value per se, pick one at random.281let value = self.u.choose(flag.values.unwrap())?;282max_builder.set(flag.name, value)?;283}284SettingKind::Preset => {285// Presets are just special flags that combine other flags, we don't286// want to enable them directly, just the underlying flags.287}288_ => todo!(),289};290}291max_builder292}293// Use `cranelift-native` to do feature detection for us.294IsaFlagGen::Host => builder_with_options(true)295.expect("Unable to build a TargetIsa for the current host"),296};297// Cranelift has a somewhat weird API for this, but we need to build the final `TargetIsa` to be able298// to extract the values for the ISA flags. We need that to use the `string_value()` that formats299// the values so that we can pass it into the builder again.300let max_isa = max_builder.finish(Flags::new(settings::builder()))?;301302// We give each of the flags a chance of being copied over. Otherwise we303// keep the default. Note that a constant amount of data is taken from304// `self.u` as a seed for a `SmallRng` which is then transitively used305// to make decisions about what flags to include. This is done to ensure306// that the same test case generates similarly across different machines307// with different CPUs when `Host` is used above.308let mut rng = SmallRng::from_seed(self.u.arbitrary()?);309for value in max_isa.isa_flags().iter() {310if rng.random() {311continue;312}313builder.set(value.name, &value.value_string())?;314}315316Ok(())317}318}319320321