Path: blob/main/crates/fuzzing/src/generators/config.rs
1693 views
//! Generate a configuration for both Wasmtime and the Wasm module to execute.12use super::{AsyncConfig, CodegenSettings, InstanceAllocationStrategy, MemoryConfig, ModuleConfig};3use crate::oracles::{StoreLimits, Timeout};4use anyhow::Result;5use arbitrary::{Arbitrary, Unstructured};6use std::time::Duration;7use wasmtime::{Enabled, Engine, Module, Store};8use wasmtime_test_util::wast::{WastConfig, WastTest, limits};910/// Configuration for `wasmtime::Config` and generated modules for a session of11/// fuzzing.12///13/// This configuration guides what modules are generated, how wasmtime14/// configuration is generated, and is typically itself generated through a call15/// to `Arbitrary` which allows for a form of "swarm testing".16#[derive(Debug, Clone)]17pub struct Config {18/// Configuration related to the `wasmtime::Config`.19pub wasmtime: WasmtimeConfig,20/// Configuration related to generated modules.21pub module_config: ModuleConfig,22}2324impl Config {25/// Indicates that this configuration is being used for differential26/// execution.27///28/// The purpose of this function is to update the configuration which was29/// generated to be compatible with execution in multiple engines. The goal30/// is to produce the exact same result in all engines so we need to paper31/// over things like nan differences and memory/table behavior differences.32pub fn set_differential_config(&mut self) {33let config = &mut self.module_config.config;3435// Make it more likely that there are types available to generate a36// function with.37config.min_types = config.min_types.max(1);38config.max_types = config.max_types.max(1);3940// Generate at least one function41config.min_funcs = config.min_funcs.max(1);42config.max_funcs = config.max_funcs.max(1);4344// Allow a memory to be generated, but don't let it get too large.45// Additionally require the maximum size to guarantee that the growth46// behavior is consistent across engines.47config.max_memory32_bytes = 10 << 16;48config.max_memory64_bytes = 10 << 16;49config.memory_max_size_required = true;5051// If tables are generated make sure they don't get too large to avoid52// hitting any engine-specific limit. Additionally ensure that the53// maximum size is required to guarantee consistent growth across54// engines.55//56// Note that while reference types are disabled below, only allow one57// table.58config.max_table_elements = 1_000;59config.table_max_size_required = true;6061// Don't allow any imports62config.max_imports = 0;6364// Try to get the function and the memory exported65config.export_everything = true;6667// NaN is canonicalized at the wasm level for differential fuzzing so we68// can paper over NaN differences between engines.69config.canonicalize_nans = true;7071// If using the pooling allocator, update the instance limits too72if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.wasmtime.strategy {73// One single-page memory74pooling.total_memories = config.max_memories as u32;75pooling.max_memory_size = 10 << 16;76pooling.max_memories_per_module = config.max_memories as u32;77if pooling.memory_protection_keys == Enabled::Auto78&& pooling.max_memory_protection_keys > 179{80pooling.total_memories =81pooling.total_memories * (pooling.max_memory_protection_keys as u32);82}8384pooling.total_tables = config.max_tables as u32;85pooling.table_elements = 1_000;86pooling.max_tables_per_module = config.max_tables as u32;8788pooling.core_instance_size = 1_000_000;8990let cfg = &mut self.wasmtime.memory_config;91match &mut cfg.memory_reservation {92Some(size) => *size = (*size).max(pooling.max_memory_size as u64),93other @ None => *other = Some(pooling.max_memory_size as u64),94}95}9697// These instructions are explicitly not expected to be exactly the same98// across engines. Don't fuzz them.99config.relaxed_simd_enabled = false;100}101102/// Uses this configuration and the supplied source of data to generate103/// a wasm module.104///105/// If a `default_fuel` is provided, the resulting module will be configured106/// to ensure termination; as doing so will add an additional global to the module,107/// the pooling allocator, if configured, will also have its globals limit updated.108pub fn generate(109&self,110input: &mut Unstructured<'_>,111default_fuel: Option<u32>,112) -> arbitrary::Result<wasm_smith::Module> {113self.module_config.generate(input, default_fuel)114}115116/// Updates this configuration to be able to run the `test` specified.117///118/// This primarily updates `self.module_config` to ensure that it enables119/// all features and proposals necessary to execute the `test` specified.120/// This will additionally update limits in the pooling allocator to be able121/// to execute all tests.122pub fn make_wast_test_compliant(&mut self, test: &WastTest) -> WastConfig {123let wasmtime_test_util::wast::TestConfig {124memory64,125custom_page_sizes,126multi_memory,127threads,128shared_everything_threads,129gc,130function_references,131relaxed_simd,132reference_types,133tail_call,134extended_const,135wide_arithmetic,136component_model_async,137component_model_async_builtins,138component_model_async_stackful,139component_model_error_context,140component_model_gc,141simd,142exceptions,143legacy_exceptions: _,144145hogs_memory: _,146nan_canonicalization: _,147gc_types: _,148stack_switching: _,149spec_test: _,150} = test.config;151152// Enable/disable some proposals that aren't configurable in wasm-smith153// but are configurable in Wasmtime.154self.module_config.function_references_enabled =155function_references.or(gc).unwrap_or(false);156self.module_config.component_model_async = component_model_async.unwrap_or(false);157self.module_config.component_model_async_builtins =158component_model_async_builtins.unwrap_or(false);159self.module_config.component_model_async_stackful =160component_model_async_stackful.unwrap_or(false);161self.module_config.component_model_error_context =162component_model_error_context.unwrap_or(false);163self.module_config.component_model_gc = component_model_gc.unwrap_or(false);164165// Enable/disable proposals that wasm-smith has knobs for which will be166// read when creating `wasmtime::Config`.167let config = &mut self.module_config.config;168config.bulk_memory_enabled = true;169config.multi_value_enabled = true;170config.wide_arithmetic_enabled = wide_arithmetic.unwrap_or(false);171config.memory64_enabled = memory64.unwrap_or(false);172config.relaxed_simd_enabled = relaxed_simd.unwrap_or(false);173config.simd_enabled = config.relaxed_simd_enabled || simd.unwrap_or(false);174config.tail_call_enabled = tail_call.unwrap_or(false);175config.custom_page_sizes_enabled = custom_page_sizes.unwrap_or(false);176config.threads_enabled = threads.unwrap_or(false);177config.shared_everything_threads_enabled = shared_everything_threads.unwrap_or(false);178config.gc_enabled = gc.unwrap_or(false);179config.reference_types_enabled = config.gc_enabled180|| self.module_config.function_references_enabled181|| reference_types.unwrap_or(false);182config.extended_const_enabled = extended_const.unwrap_or(false);183config.exceptions_enabled = exceptions.unwrap_or(false);184if multi_memory.unwrap_or(false) {185config.max_memories = limits::MEMORIES_PER_MODULE as usize;186} else {187config.max_memories = 1;188}189190if let Some(n) = &mut self.wasmtime.memory_config.memory_reservation {191*n = (*n).max(limits::MEMORY_SIZE as u64);192}193194// FIXME: it might be more ideal to avoid the need for this entirely195// and to just let the test fail. If a test fails due to a pooling196// allocator resource limit being met we could ideally detect that and197// let the fuzz test case pass. That would avoid the need to hardcode198// so much here and in theory wouldn't reduce the usefulness of fuzzers199// all that much. At this time though we can't easily test this configuration.200if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.wasmtime.strategy {201// Clamp protection keys between 1 & 2 to reduce the number of202// slots and then multiply the total memories by the number of keys203// we have since a single store has access to only one key.204pooling.max_memory_protection_keys = pooling.max_memory_protection_keys.max(1).min(2);205pooling.total_memories = pooling206.total_memories207.max(limits::MEMORIES * (pooling.max_memory_protection_keys as u32));208209// For other limits make sure they meet the minimum threshold210// required for our wast tests.211pooling.total_component_instances = pooling212.total_component_instances213.max(limits::COMPONENT_INSTANCES);214pooling.total_tables = pooling.total_tables.max(limits::TABLES);215pooling.max_tables_per_module =216pooling.max_tables_per_module.max(limits::TABLES_PER_MODULE);217pooling.max_memories_per_module = pooling218.max_memories_per_module219.max(limits::MEMORIES_PER_MODULE);220pooling.max_memories_per_component = pooling221.max_memories_per_component222.max(limits::MEMORIES_PER_MODULE);223pooling.total_core_instances = pooling.total_core_instances.max(limits::CORE_INSTANCES);224pooling.max_memory_size = pooling.max_memory_size.max(limits::MEMORY_SIZE);225pooling.table_elements = pooling.table_elements.max(limits::TABLE_ELEMENTS);226pooling.core_instance_size = pooling.core_instance_size.max(limits::CORE_INSTANCE_SIZE);227pooling.component_instance_size = pooling228.component_instance_size229.max(limits::CORE_INSTANCE_SIZE);230pooling.total_stacks = pooling.total_stacks.max(limits::TOTAL_STACKS);231}232233// Return the test configuration that this fuzz configuration represents234// which is used afterwards to test if the `test` here is expected to235// fail or not.236WastConfig {237collector: match self.wasmtime.collector {238Collector::Null => wasmtime_test_util::wast::Collector::Null,239Collector::DeferredReferenceCounting => {240wasmtime_test_util::wast::Collector::DeferredReferenceCounting241}242},243pooling: matches!(244self.wasmtime.strategy,245InstanceAllocationStrategy::Pooling(_)246),247compiler: match self.wasmtime.compiler_strategy {248CompilerStrategy::CraneliftNative => {249wasmtime_test_util::wast::Compiler::CraneliftNative250}251CompilerStrategy::CraneliftPulley => {252wasmtime_test_util::wast::Compiler::CraneliftPulley253}254CompilerStrategy::Winch => wasmtime_test_util::wast::Compiler::Winch,255},256}257}258259/// Converts this to a `wasmtime::Config` object260pub fn to_wasmtime(&self) -> wasmtime::Config {261crate::init_fuzzing();262263let mut cfg = wasmtime_cli_flags::CommonOptions::default();264cfg.codegen.native_unwind_info =265Some(cfg!(target_os = "windows") || self.wasmtime.native_unwind_info);266cfg.codegen.parallel_compilation = Some(false);267268cfg.debug.address_map = Some(self.wasmtime.generate_address_map);269cfg.opts.opt_level = Some(self.wasmtime.opt_level.to_wasmtime());270cfg.opts.regalloc_algorithm = Some(self.wasmtime.regalloc_algorithm.to_wasmtime());271cfg.opts.signals_based_traps = Some(self.wasmtime.signals_based_traps);272cfg.opts.memory_guaranteed_dense_image_size = Some(std::cmp::min(273// Clamp this at 16MiB so we don't get huge in-memory274// images during fuzzing.27516 << 20,276self.wasmtime.memory_guaranteed_dense_image_size,277));278cfg.wasm.async_stack_zeroing = Some(self.wasmtime.async_stack_zeroing);279cfg.wasm.bulk_memory = Some(true);280cfg.wasm.component_model_async = Some(self.module_config.component_model_async);281cfg.wasm.component_model_async_builtins =282Some(self.module_config.component_model_async_builtins);283cfg.wasm.component_model_async_stackful =284Some(self.module_config.component_model_async_stackful);285cfg.wasm.component_model_error_context =286Some(self.module_config.component_model_error_context);287cfg.wasm.component_model_gc = Some(self.module_config.component_model_gc);288cfg.wasm.custom_page_sizes = Some(self.module_config.config.custom_page_sizes_enabled);289cfg.wasm.epoch_interruption = Some(self.wasmtime.epoch_interruption);290cfg.wasm.extended_const = Some(self.module_config.config.extended_const_enabled);291cfg.wasm.fuel = self.wasmtime.consume_fuel.then(|| u64::MAX);292cfg.wasm.function_references = Some(self.module_config.function_references_enabled);293cfg.wasm.gc = Some(self.module_config.config.gc_enabled);294cfg.wasm.memory64 = Some(self.module_config.config.memory64_enabled);295cfg.wasm.multi_memory = Some(self.module_config.config.max_memories > 1);296cfg.wasm.multi_value = Some(self.module_config.config.multi_value_enabled);297cfg.wasm.nan_canonicalization = Some(self.wasmtime.canonicalize_nans);298cfg.wasm.reference_types = Some(self.module_config.config.reference_types_enabled);299cfg.wasm.simd = Some(self.module_config.config.simd_enabled);300cfg.wasm.tail_call = Some(self.module_config.config.tail_call_enabled);301cfg.wasm.threads = Some(self.module_config.config.threads_enabled);302cfg.wasm.shared_everything_threads =303Some(self.module_config.config.shared_everything_threads_enabled);304cfg.wasm.wide_arithmetic = Some(self.module_config.config.wide_arithmetic_enabled);305cfg.wasm.exceptions = Some(self.module_config.config.exceptions_enabled);306if !self.module_config.config.simd_enabled {307cfg.wasm.relaxed_simd = Some(false);308}309cfg.codegen.collector = Some(self.wasmtime.collector.to_wasmtime());310311let compiler_strategy = &self.wasmtime.compiler_strategy;312let cranelift_strategy = match compiler_strategy {313CompilerStrategy::CraneliftNative | CompilerStrategy::CraneliftPulley => true,314CompilerStrategy::Winch => false,315};316self.wasmtime.compiler_strategy.configure(&mut cfg);317318self.wasmtime.codegen.configure(&mut cfg);319320// Determine whether we will actually enable PCC -- this is321// disabled if the module requires memory64, which is not yet322// compatible (due to the need for dynamic checks).323let pcc = cfg!(feature = "fuzz-pcc")324&& self.wasmtime.pcc325&& !self.module_config.config.memory64_enabled;326327cfg.codegen.inlining = self.wasmtime.inlining;328329// Only set cranelift specific flags when the Cranelift strategy is330// chosen.331if cranelift_strategy {332if let Some(option) = self.wasmtime.inlining_intra_module {333cfg.codegen.cranelift.push((334"wasmtime_inlining_intra_module".to_string(),335Some(option.to_string()),336));337}338if let Some(size) = self.wasmtime.inlining_small_callee_size {339cfg.codegen.cranelift.push((340"wasmtime_inlining_small_callee_size".to_string(),341// Clamp to avoid extreme code size blow up.342Some(std::cmp::min(1000, size).to_string()),343));344}345if let Some(size) = self.wasmtime.inlining_sum_size_threshold {346cfg.codegen.cranelift.push((347"wasmtime_inlining_sum_size_threshold".to_string(),348// Clamp to avoid extreme code size blow up.349Some(std::cmp::min(1000, size).to_string()),350));351}352353// If the wasm-smith-generated module use nan canonicalization then we354// don't need to enable it, but if it doesn't enable it already then we355// enable this codegen option.356cfg.wasm.nan_canonicalization = Some(!self.module_config.config.canonicalize_nans);357358// Enabling the verifier will at-least-double compilation time, which359// with a 20-30x slowdown in fuzzing can cause issues related to360// timeouts. If generated modules can have more than a small handful of361// functions then disable the verifier when fuzzing to try to lessen the362// impact of timeouts.363if self.module_config.config.max_funcs > 10 {364cfg.codegen.cranelift_debug_verifier = Some(false);365}366367if self.wasmtime.force_jump_veneers {368cfg.codegen.cranelift.push((369"wasmtime_linkopt_force_jump_veneer".to_string(),370Some("true".to_string()),371));372}373374if let Some(pad) = self.wasmtime.padding_between_functions {375cfg.codegen.cranelift.push((376"wasmtime_linkopt_padding_between_functions".to_string(),377Some(pad.to_string()),378));379}380381cfg.codegen.pcc = Some(pcc);382383// Eager init is currently only supported on Cranelift, not Winch.384cfg.opts.table_lazy_init = Some(self.wasmtime.table_lazy_init);385}386387self.wasmtime.strategy.configure(&mut cfg);388389// Vary the memory configuration, but only if threads are not enabled.390// When the threads proposal is enabled we might generate shared memory,391// which is less amenable to different memory configurations:392// - shared memories are required to be "static" so fuzzing the various393// memory configurations will mostly result in uninteresting errors.394// The interesting part about shared memories is the runtime so we395// don't fuzz non-default settings.396// - shared memories are required to be aligned which means that the397// `CustomUnaligned` variant isn't actually safe to use with a shared398// memory.399if !self.module_config.config.threads_enabled {400// If PCC is enabled, force other options to be compatible: PCC is currently only401// supported when bounds checks are elided.402let memory_config = if pcc {403MemoryConfig {404memory_reservation: Some(4 << 30), // 4 GiB405memory_guard_size: Some(2 << 30), // 2 GiB406memory_reservation_for_growth: Some(0),407guard_before_linear_memory: false,408memory_init_cow: true,409// Doesn't matter, only using virtual memory.410cranelift_enable_heap_access_spectre_mitigations: None,411}412} else {413self.wasmtime.memory_config.clone()414};415416memory_config.configure(&mut cfg);417};418419// If malloc-based memory is going to be used, which requires these four420// options set to specific values (and Pulley auto-sets two of them)421// then be sure to cap `memory_reservation_for_growth` at a smaller422// value than the default. For malloc-based memory reservation beyond423// the end of memory isn't captured by `StoreLimiter` so we need to be424// sure it's small enough to not blow OOM limits while fuzzing.425if ((cfg.opts.signals_based_traps == Some(true) && cfg.opts.memory_guard_size == Some(0))426|| self.wasmtime.compiler_strategy == CompilerStrategy::CraneliftPulley)427&& cfg.opts.memory_reservation == Some(0)428&& cfg.opts.memory_init_cow == Some(false)429{430let growth = &mut cfg.opts.memory_reservation_for_growth;431let max = 1 << 20;432*growth = match *growth {433Some(n) => Some(n.min(max)),434None => Some(max),435};436}437438log::debug!("creating wasmtime config with CLI options:\n{cfg}");439let mut cfg = cfg.config(None).expect("failed to create wasmtime::Config");440441if self.wasmtime.async_config != AsyncConfig::Disabled {442log::debug!("async config in use {:?}", self.wasmtime.async_config);443self.wasmtime.async_config.configure(&mut cfg);444}445446return cfg;447}448449/// Convenience function for generating a `Store<T>` using this450/// configuration.451pub fn to_store(&self) -> Store<StoreLimits> {452let engine = Engine::new(&self.to_wasmtime()).unwrap();453let mut store = Store::new(&engine, StoreLimits::new());454self.configure_store(&mut store);455store456}457458/// Configures a store based on this configuration.459pub fn configure_store(&self, store: &mut Store<StoreLimits>) {460store.limiter(|s| s as &mut dyn wasmtime::ResourceLimiter);461462// Configure the store to never abort by default, that is it'll have463// max fuel or otherwise trap on an epoch change but the epoch won't464// ever change.465//466// Afterwards though see what `AsyncConfig` is being used an further467// refine the store's configuration based on that.468if self.wasmtime.consume_fuel {469store.set_fuel(u64::MAX).unwrap();470}471if self.wasmtime.epoch_interruption {472store.epoch_deadline_trap();473store.set_epoch_deadline(1);474}475match self.wasmtime.async_config {476AsyncConfig::Disabled => {}477AsyncConfig::YieldWithFuel(amt) => {478assert!(self.wasmtime.consume_fuel);479store.fuel_async_yield_interval(Some(amt)).unwrap();480}481AsyncConfig::YieldWithEpochs { ticks, .. } => {482assert!(self.wasmtime.epoch_interruption);483store.set_epoch_deadline(ticks);484store.epoch_deadline_async_yield_and_update(ticks);485}486}487}488489/// Generates an arbitrary method of timing out an instance, ensuring that490/// this configuration supports the returned timeout.491pub fn generate_timeout(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<Timeout> {492let time_duration = Duration::from_millis(100);493let timeout = u494.choose(&[Timeout::Fuel(100_000), Timeout::Epoch(time_duration)])?495.clone();496match &timeout {497Timeout::Fuel(..) => {498self.wasmtime.consume_fuel = true;499}500Timeout::Epoch(..) => {501self.wasmtime.epoch_interruption = true;502}503Timeout::None => unreachable!("Not an option given to choose()"),504}505Ok(timeout)506}507508/// Compiles the `wasm` within the `engine` provided.509///510/// This notably will use `Module::{serialize,deserialize_file}` to511/// round-trip if configured in the fuzzer.512pub fn compile(&self, engine: &Engine, wasm: &[u8]) -> Result<Module> {513// Propagate this error in case the caller wants to handle514// valid-vs-invalid wasm.515let module = Module::new(engine, wasm)?;516if !self.wasmtime.use_precompiled_cwasm {517return Ok(module);518}519520// Don't propagate these errors to prevent them from accidentally being521// interpreted as invalid wasm, these should never fail on a522// well-behaved host system.523let dir = tempfile::TempDir::new().unwrap();524let file = dir.path().join("module.wasm");525std::fs::write(&file, module.serialize().unwrap()).unwrap();526unsafe { Ok(Module::deserialize_file(engine, &file).unwrap()) }527}528529/// Updates this configuration to forcibly enable async support. Only useful530/// in fuzzers which do async calls.531pub fn enable_async(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<()> {532if self.wasmtime.consume_fuel || u.arbitrary()? {533self.wasmtime.async_config =534AsyncConfig::YieldWithFuel(u.int_in_range(1000..=100_000)?);535self.wasmtime.consume_fuel = true;536} else {537self.wasmtime.async_config = AsyncConfig::YieldWithEpochs {538dur: Duration::from_millis(u.int_in_range(1..=10)?),539ticks: u.int_in_range(1..=10)?,540};541self.wasmtime.epoch_interruption = true;542}543Ok(())544}545}546547impl<'a> Arbitrary<'a> for Config {548fn arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self> {549let mut config = Self {550wasmtime: u.arbitrary()?,551module_config: u.arbitrary()?,552};553554config555.wasmtime556.update_module_config(&mut config.module_config, u)?;557558Ok(config)559}560}561562/// Configuration related to `wasmtime::Config` and the various settings which563/// can be tweaked from within.564#[derive(Arbitrary, Clone, Debug, Eq, Hash, PartialEq)]565pub struct WasmtimeConfig {566opt_level: OptLevel,567regalloc_algorithm: RegallocAlgorithm,568debug_info: bool,569canonicalize_nans: bool,570interruptable: bool,571pub(crate) consume_fuel: bool,572pub(crate) epoch_interruption: bool,573/// The Wasmtime memory configuration to use.574pub memory_config: MemoryConfig,575force_jump_veneers: bool,576memory_init_cow: bool,577memory_guaranteed_dense_image_size: u64,578inlining: Option<bool>,579inlining_intra_module: Option<IntraModuleInlining>,580inlining_small_callee_size: Option<u32>,581inlining_sum_size_threshold: Option<u32>,582use_precompiled_cwasm: bool,583async_stack_zeroing: bool,584/// Configuration for the instance allocation strategy to use.585pub strategy: InstanceAllocationStrategy,586codegen: CodegenSettings,587padding_between_functions: Option<u16>,588generate_address_map: bool,589native_unwind_info: bool,590/// Configuration for the compiler to use.591pub compiler_strategy: CompilerStrategy,592collector: Collector,593table_lazy_init: bool,594595/// Whether or not fuzzing should enable PCC.596pcc: bool,597598/// Configuration for whether wasm is invoked in an async fashion and how599/// it's cooperatively time-sliced.600pub async_config: AsyncConfig,601602/// Whether or not host signal handlers are enabled for this configuration,603/// aka whether signal handlers are supported.604signals_based_traps: bool,605}606607impl WasmtimeConfig {608/// Force `self` to be a configuration compatible with `other`. This is609/// useful for differential execution to avoid unhelpful fuzz crashes when610/// one engine has a feature enabled and the other does not.611pub fn make_compatible_with(&mut self, other: &Self) {612// Use the same allocation strategy between the two configs.613//614// Ideally this wouldn't be necessary, but, during differential615// evaluation, if the `lhs` is using ondemand and the `rhs` is using the616// pooling allocator (or vice versa), then the module may have been617// generated in such a way that is incompatible with the other618// allocation strategy.619//620// We can remove this in the future when it's possible to access the621// fields of `wasm_smith::Module` to constrain the pooling allocator622// based on what was actually generated.623self.strategy = other.strategy.clone();624if let InstanceAllocationStrategy::Pooling { .. } = &other.strategy {625// Also use the same memory configuration when using the pooling626// allocator.627self.memory_config = other.memory_config.clone();628}629630self.make_internally_consistent();631}632633/// Updates `config` to be compatible with `self` and the other way around634/// too.635pub fn update_module_config(636&mut self,637config: &mut ModuleConfig,638_u: &mut Unstructured<'_>,639) -> arbitrary::Result<()> {640match self.compiler_strategy {641CompilerStrategy::CraneliftNative => {}642643CompilerStrategy::Winch => {644// Winch is not complete on non-x64 targets, so just abandon this test645// case. We don't want to force Cranelift because we change what module646// config features are enabled based on the compiler strategy, and we647// don't want to make the same fuzz input DNA generate different test648// cases on different targets.649if cfg!(not(target_arch = "x86_64")) {650log::warn!(651"want to compile with Winch but host architecture does not support it"652);653return Err(arbitrary::Error::IncorrectFormat);654}655656// Winch doesn't support the same set of wasm proposal as Cranelift657// at this time, so if winch is selected be sure to disable wasm658// proposals in `Config` to ensure that Winch can compile the659// module that wasm-smith generates.660config.config.relaxed_simd_enabled = false;661config.config.gc_enabled = false;662config.config.tail_call_enabled = false;663config.config.reference_types_enabled = false;664config.config.exceptions_enabled = false;665config.function_references_enabled = false;666667// Winch's SIMD implementations require AVX and AVX2.668if self669.codegen_flag("has_avx")670.is_some_and(|value| value == "false")671|| self672.codegen_flag("has_avx2")673.is_some_and(|value| value == "false")674{675config.config.simd_enabled = false;676}677678// Tuning the following engine options is currently not supported679// by Winch.680self.signals_based_traps = true;681self.table_lazy_init = true;682self.debug_info = false;683}684685CompilerStrategy::CraneliftPulley => {686config.config.threads_enabled = false;687}688}689690// If using the pooling allocator, constrain the memory and module configurations691// to the module limits.692if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.strategy {693// If the pooling allocator is used, do not allow shared memory to694// be created. FIXME: see695// https://github.com/bytecodealliance/wasmtime/issues/4244.696config.config.threads_enabled = false;697698// Ensure the pooling allocator can support the maximal size of699// memory, picking the smaller of the two to win.700let min_bytes = config701.config702.max_memory32_bytes703// memory64_bytes is a u128, but since we are taking the min704// we can truncate it down to a u64.705.min(706config707.config708.max_memory64_bytes709.try_into()710.unwrap_or(u64::MAX),711);712let min = min_bytes713.min(pooling.max_memory_size as u64)714.min(self.memory_config.memory_reservation.unwrap_or(0));715pooling.max_memory_size = min as usize;716config.config.max_memory32_bytes = min;717config.config.max_memory64_bytes = min as u128;718719// If traps are disallowed then memories must have at least one page720// of memory so if we still are only allowing 0 pages of memory then721// increase that to one here.722if config.config.disallow_traps {723if pooling.max_memory_size < (1 << 16) {724pooling.max_memory_size = 1 << 16;725config.config.max_memory32_bytes = 1 << 16;726config.config.max_memory64_bytes = 1 << 16;727let cfg = &mut self.memory_config;728match &mut cfg.memory_reservation {729Some(size) => *size = (*size).max(pooling.max_memory_size as u64),730size @ None => *size = Some(pooling.max_memory_size as u64),731}732}733// .. additionally update tables734if pooling.table_elements == 0 {735pooling.table_elements = 1;736}737}738739// Don't allow too many linear memories per instance since massive740// virtual mappings can fail to get allocated.741config.config.min_memories = config.config.min_memories.min(10);742config.config.max_memories = config.config.max_memories.min(10);743744// Force this pooling allocator to always be able to accommodate the745// module that may be generated.746pooling.total_memories = config.config.max_memories as u32;747pooling.total_tables = config.config.max_tables as u32;748}749750if !self.signals_based_traps {751// At this time shared memories require a "static" memory752// configuration but when signals-based traps are disabled all753// memories are forced to the "dynamic" configuration. This is754// fixable with some more work on the bounds-checks side of things755// to do a full bounds check even on static memories, but that's756// left for a future PR.757config.config.threads_enabled = false;758759// Spectre-based heap mitigations require signal handlers so this760// must always be disabled if signals-based traps are disabled.761self.memory_config762.cranelift_enable_heap_access_spectre_mitigations = None;763}764765self.make_internally_consistent();766767Ok(())768}769770/// Returns the codegen flag value, if any, for `name`.771pub(crate) fn codegen_flag(&self, name: &str) -> Option<&str> {772self.codegen.flags().iter().find_map(|(n, value)| {773if n == name {774Some(value.as_str())775} else {776None777}778})779}780781/// Helper method to handle some dependencies between various configuration782/// options. This is intended to be called whenever a `Config` is created or783/// modified to ensure that the final result is an instantiable `Config`.784///785/// Note that in general this probably shouldn't exist and anything here can786/// be considered a "TODO" to go implement more stuff in Wasmtime to accept787/// these sorts of configurations. For now though it's intended to reflect788/// the current state of the engine's development.789fn make_internally_consistent(&mut self) {790if !self.signals_based_traps {791let cfg = &mut self.memory_config;792// Spectre-based heap mitigations require signal handlers so793// this must always be disabled if signals-based traps are794// disabled.795cfg.cranelift_enable_heap_access_spectre_mitigations = None;796797// With configuration settings that match the use of malloc for798// linear memories cap the `memory_reservation_for_growth` value799// to something reasonable to avoid OOM in fuzzing.800if !cfg.memory_init_cow801&& cfg.memory_guard_size == Some(0)802&& cfg.memory_reservation == Some(0)803{804let min = 10 << 20; // 10 MiB805if let Some(val) = &mut cfg.memory_reservation_for_growth {806*val = (*val).min(min);807} else {808cfg.memory_reservation_for_growth = Some(min);809}810}811}812}813}814815#[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)]816enum OptLevel {817None,818Speed,819SpeedAndSize,820}821822impl OptLevel {823fn to_wasmtime(&self) -> wasmtime::OptLevel {824match self {825OptLevel::None => wasmtime::OptLevel::None,826OptLevel::Speed => wasmtime::OptLevel::Speed,827OptLevel::SpeedAndSize => wasmtime::OptLevel::SpeedAndSize,828}829}830}831832#[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)]833enum RegallocAlgorithm {834Backtracking,835// FIXME(#11544 and #11545): rename back to `SinglePass` and handle below836// when those issues are fixed837TemporarilyDisabledSinglePass,838}839840impl RegallocAlgorithm {841fn to_wasmtime(&self) -> wasmtime::RegallocAlgorithm {842match self {843RegallocAlgorithm::Backtracking => wasmtime::RegallocAlgorithm::Backtracking,844RegallocAlgorithm::TemporarilyDisabledSinglePass => {845wasmtime::RegallocAlgorithm::Backtracking846}847}848}849}850851#[derive(Arbitrary, Clone, Copy, Debug, PartialEq, Eq, Hash)]852enum IntraModuleInlining {853Yes,854No,855WhenUsingGc,856}857858impl std::fmt::Display for IntraModuleInlining {859fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {860match self {861IntraModuleInlining::Yes => write!(f, "yes"),862IntraModuleInlining::No => write!(f, "no"),863IntraModuleInlining::WhenUsingGc => write!(f, "gc"),864}865}866}867868#[derive(Clone, Debug, PartialEq, Eq, Hash)]869/// Compiler to use.870pub enum CompilerStrategy {871/// Cranelift compiler for the native architecture.872CraneliftNative,873/// Winch compiler.874Winch,875/// Cranelift compiler for the native architecture.876CraneliftPulley,877}878879impl CompilerStrategy {880/// Configures `config` to use this compilation strategy881pub fn configure(&self, config: &mut wasmtime_cli_flags::CommonOptions) {882match self {883CompilerStrategy::CraneliftNative => {884config.codegen.compiler = Some(wasmtime::Strategy::Cranelift);885}886CompilerStrategy::Winch => {887config.codegen.compiler = Some(wasmtime::Strategy::Winch);888}889CompilerStrategy::CraneliftPulley => {890config.codegen.compiler = Some(wasmtime::Strategy::Cranelift);891config.target = Some("pulley64".to_string());892}893}894}895}896897impl Arbitrary<'_> for CompilerStrategy {898fn arbitrary(u: &mut Unstructured<'_>) -> arbitrary::Result<Self> {899// Favor fuzzing native cranelift, but if allowed also enable900// winch/pulley.901match u.int_in_range(0..=19)? {9021 => Ok(Self::CraneliftPulley),9032 => Ok(Self::Winch),904_ => Ok(Self::CraneliftNative),905}906}907}908909#[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)]910pub enum Collector {911DeferredReferenceCounting,912Null,913}914915impl Collector {916fn to_wasmtime(&self) -> wasmtime::Collector {917match self {918Collector::DeferredReferenceCounting => wasmtime::Collector::DeferredReferenceCounting,919Collector::Null => wasmtime::Collector::Null,920}921}922}923924925