Path: blob/main/crates/fuzzing/src/generators/config.rs
3068 views
//! Generate a configuration for both Wasmtime and the Wasm module to execute.12use super::{AsyncConfig, CodegenSettings, InstanceAllocationStrategy, MemoryConfig, ModuleConfig};3use crate::oracles::{StoreLimits, Timeout};4use arbitrary::{Arbitrary, Unstructured};5use std::time::Duration;6use wasmtime::Result;7use wasmtime::{Enabled, Engine, Module, Store};8use wasmtime_test_util::wast::{WastConfig, WastTest, limits};910/// Configuration for `wasmtime::Config` and generated modules for a session of11/// fuzzing.12///13/// This configuration guides what modules are generated, how wasmtime14/// configuration is generated, and is typically itself generated through a call15/// to `Arbitrary` which allows for a form of "swarm testing".16#[derive(Debug, Clone)]17pub struct Config {18/// Configuration related to the `wasmtime::Config`.19pub wasmtime: WasmtimeConfig,20/// Configuration related to generated modules.21pub module_config: ModuleConfig,22}2324impl Config {25/// Indicates that this configuration is being used for differential26/// execution.27///28/// The purpose of this function is to update the configuration which was29/// generated to be compatible with execution in multiple engines. The goal30/// is to produce the exact same result in all engines so we need to paper31/// over things like nan differences and memory/table behavior differences.32pub fn set_differential_config(&mut self) {33let config = &mut self.module_config.config;3435// Make it more likely that there are types available to generate a36// function with.37config.min_types = config.min_types.max(1);38config.max_types = config.max_types.max(1);3940// Generate at least one function41config.min_funcs = config.min_funcs.max(1);42config.max_funcs = config.max_funcs.max(1);4344// Allow a memory to be generated, but don't let it get too large.45// Additionally require the maximum size to guarantee that the growth46// behavior is consistent across engines.47config.max_memory32_bytes = 10 << 16;48config.max_memory64_bytes = 10 << 16;49config.memory_max_size_required = true;5051// If tables are generated make sure they don't get too large to avoid52// hitting any engine-specific limit. Additionally ensure that the53// maximum size is required to guarantee consistent growth across54// engines.55//56// Note that while reference types are disabled below, only allow one57// table.58config.max_table_elements = 1_000;59config.table_max_size_required = true;6061// Don't allow any imports62config.max_imports = 0;6364// Try to get the function and the memory exported65config.export_everything = true;6667// NaN is canonicalized at the wasm level for differential fuzzing so we68// can paper over NaN differences between engines.69config.canonicalize_nans = true;7071// If using the pooling allocator, update the instance limits too72if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.wasmtime.strategy {73// One single-page memory74pooling.total_memories = config.max_memories as u32;75pooling.max_memory_size = 10 << 16;76pooling.max_memories_per_module = config.max_memories as u32;77if pooling.memory_protection_keys == Enabled::Auto78&& pooling.max_memory_protection_keys > 179{80pooling.total_memories =81pooling.total_memories * (pooling.max_memory_protection_keys as u32);82}8384pooling.total_tables = config.max_tables as u32;85pooling.table_elements = 1_000;86pooling.max_tables_per_module = config.max_tables as u32;8788pooling.core_instance_size = 1_000_000;8990let cfg = &mut self.wasmtime.memory_config;91match &mut cfg.memory_reservation {92Some(size) => *size = (*size).max(pooling.max_memory_size as u64),93other @ None => *other = Some(pooling.max_memory_size as u64),94}95}9697// These instructions are explicitly not expected to be exactly the same98// across engines. Don't fuzz them.99config.relaxed_simd_enabled = false;100}101102/// Uses this configuration and the supplied source of data to generate103/// a wasm module.104///105/// If a `default_fuel` is provided, the resulting module will be configured106/// to ensure termination; as doing so will add an additional global to the module,107/// the pooling allocator, if configured, will also have its globals limit updated.108pub fn generate(109&self,110input: &mut Unstructured<'_>,111default_fuel: Option<u32>,112) -> arbitrary::Result<wasm_smith::Module> {113self.module_config.generate(input, default_fuel)114}115116/// Updates this configuration to be able to run the `test` specified.117///118/// This primarily updates `self.module_config` to ensure that it enables119/// all features and proposals necessary to execute the `test` specified.120/// This will additionally update limits in the pooling allocator to be able121/// to execute all tests.122pub fn make_wast_test_compliant(&mut self, test: &WastTest) -> WastConfig {123let wasmtime_test_util::wast::TestConfig {124memory64,125custom_page_sizes,126multi_memory,127threads,128shared_everything_threads,129gc,130function_references,131relaxed_simd,132reference_types,133tail_call,134extended_const,135wide_arithmetic,136component_model_async,137component_model_async_builtins,138component_model_async_stackful,139component_model_threading,140component_model_error_context,141component_model_gc,142component_model_fixed_length_lists,143simd,144exceptions,145legacy_exceptions: _,146custom_descriptors: _,147148hogs_memory: _,149nan_canonicalization: _,150gc_types: _,151stack_switching: _,152spec_test: _,153} = test.config;154155// Enable/disable some proposals that aren't configurable in wasm-smith156// but are configurable in Wasmtime.157self.module_config.function_references_enabled =158function_references.or(gc).unwrap_or(false);159self.module_config.component_model_async = component_model_async.unwrap_or(false);160self.module_config.component_model_async_builtins =161component_model_async_builtins.unwrap_or(false);162self.module_config.component_model_async_stackful =163component_model_async_stackful.unwrap_or(false);164self.module_config.component_model_threading = component_model_threading.unwrap_or(false);165self.module_config.component_model_error_context =166component_model_error_context.unwrap_or(false);167self.module_config.component_model_gc = component_model_gc.unwrap_or(false);168self.module_config.component_model_fixed_length_lists =169component_model_fixed_length_lists.unwrap_or(false);170171// Enable/disable proposals that wasm-smith has knobs for which will be172// read when creating `wasmtime::Config`.173let config = &mut self.module_config.config;174config.bulk_memory_enabled = true;175config.multi_value_enabled = true;176config.wide_arithmetic_enabled = wide_arithmetic.unwrap_or(false);177config.memory64_enabled = memory64.unwrap_or(false);178config.relaxed_simd_enabled = relaxed_simd.unwrap_or(false);179config.simd_enabled = config.relaxed_simd_enabled || simd.unwrap_or(false);180config.tail_call_enabled = tail_call.unwrap_or(false);181config.custom_page_sizes_enabled = custom_page_sizes.unwrap_or(false);182config.threads_enabled = threads.unwrap_or(false);183config.shared_everything_threads_enabled = shared_everything_threads.unwrap_or(false);184config.gc_enabled = gc.unwrap_or(false);185config.reference_types_enabled = config.gc_enabled186|| self.module_config.function_references_enabled187|| reference_types.unwrap_or(false);188config.extended_const_enabled = extended_const.unwrap_or(false);189config.exceptions_enabled = exceptions.unwrap_or(false);190if multi_memory.unwrap_or(false) {191config.max_memories = limits::MEMORIES_PER_MODULE as usize;192} else {193config.max_memories = 1;194}195196if let Some(n) = &mut self.wasmtime.memory_config.memory_reservation {197*n = (*n).max(limits::MEMORY_SIZE as u64);198}199200// FIXME: it might be more ideal to avoid the need for this entirely201// and to just let the test fail. If a test fails due to a pooling202// allocator resource limit being met we could ideally detect that and203// let the fuzz test case pass. That would avoid the need to hardcode204// so much here and in theory wouldn't reduce the usefulness of fuzzers205// all that much. At this time though we can't easily test this configuration.206if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.wasmtime.strategy {207// Clamp protection keys between 1 & 2 to reduce the number of208// slots and then multiply the total memories by the number of keys209// we have since a single store has access to only one key.210pooling.max_memory_protection_keys = pooling.max_memory_protection_keys.max(1).min(2);211pooling.total_memories = pooling212.total_memories213.max(limits::MEMORIES * (pooling.max_memory_protection_keys as u32));214215// For other limits make sure they meet the minimum threshold216// required for our wast tests.217pooling.total_component_instances = pooling218.total_component_instances219.max(limits::COMPONENT_INSTANCES);220pooling.total_tables = pooling.total_tables.max(limits::TABLES);221pooling.max_tables_per_module =222pooling.max_tables_per_module.max(limits::TABLES_PER_MODULE);223pooling.max_memories_per_module = pooling224.max_memories_per_module225.max(limits::MEMORIES_PER_MODULE);226pooling.max_memories_per_component = pooling227.max_memories_per_component228.max(limits::MEMORIES_PER_MODULE);229pooling.total_core_instances = pooling.total_core_instances.max(limits::CORE_INSTANCES);230pooling.max_memory_size = pooling.max_memory_size.max(limits::MEMORY_SIZE);231pooling.table_elements = pooling.table_elements.max(limits::TABLE_ELEMENTS);232pooling.core_instance_size = pooling.core_instance_size.max(limits::CORE_INSTANCE_SIZE);233pooling.component_instance_size = pooling234.component_instance_size235.max(limits::CORE_INSTANCE_SIZE);236pooling.total_stacks = pooling.total_stacks.max(limits::TOTAL_STACKS);237}238239// Return the test configuration that this fuzz configuration represents240// which is used afterwards to test if the `test` here is expected to241// fail or not.242WastConfig {243collector: match self.wasmtime.collector {244Collector::Null => wasmtime_test_util::wast::Collector::Null,245Collector::DeferredReferenceCounting => {246wasmtime_test_util::wast::Collector::DeferredReferenceCounting247}248},249pooling: matches!(250self.wasmtime.strategy,251InstanceAllocationStrategy::Pooling(_)252),253compiler: match self.wasmtime.compiler_strategy {254CompilerStrategy::CraneliftNative => {255wasmtime_test_util::wast::Compiler::CraneliftNative256}257CompilerStrategy::CraneliftPulley => {258wasmtime_test_util::wast::Compiler::CraneliftPulley259}260CompilerStrategy::Winch => wasmtime_test_util::wast::Compiler::Winch,261},262}263}264265/// Converts this to a `wasmtime::Config` object266pub fn to_wasmtime(&self) -> wasmtime::Config {267crate::init_fuzzing();268269let mut cfg = wasmtime_cli_flags::CommonOptions::default();270cfg.codegen.native_unwind_info =271Some(cfg!(target_os = "windows") || self.wasmtime.native_unwind_info);272cfg.codegen.parallel_compilation = Some(false);273274cfg.debug.address_map = Some(self.wasmtime.generate_address_map);275cfg.opts.opt_level = Some(self.wasmtime.opt_level.to_wasmtime());276cfg.opts.regalloc_algorithm = Some(self.wasmtime.regalloc_algorithm.to_wasmtime());277cfg.opts.signals_based_traps = Some(self.wasmtime.signals_based_traps);278cfg.opts.memory_guaranteed_dense_image_size = Some(std::cmp::min(279// Clamp this at 16MiB so we don't get huge in-memory280// images during fuzzing.28116 << 20,282self.wasmtime.memory_guaranteed_dense_image_size,283));284cfg.wasm.async_stack_zeroing = Some(self.wasmtime.async_stack_zeroing);285cfg.wasm.bulk_memory = Some(true);286cfg.wasm.component_model_async = Some(self.module_config.component_model_async);287cfg.wasm.component_model_async_builtins =288Some(self.module_config.component_model_async_builtins);289cfg.wasm.component_model_async_stackful =290Some(self.module_config.component_model_async_stackful);291cfg.wasm.component_model_threading = Some(self.module_config.component_model_threading);292cfg.wasm.component_model_error_context =293Some(self.module_config.component_model_error_context);294cfg.wasm.component_model_gc = Some(self.module_config.component_model_gc);295cfg.wasm.component_model_fixed_length_lists =296Some(self.module_config.component_model_fixed_length_lists);297cfg.wasm.custom_page_sizes = Some(self.module_config.config.custom_page_sizes_enabled);298cfg.wasm.epoch_interruption = Some(self.wasmtime.epoch_interruption);299cfg.wasm.extended_const = Some(self.module_config.config.extended_const_enabled);300cfg.wasm.fuel = self.wasmtime.consume_fuel.then(|| u64::MAX);301cfg.wasm.function_references = Some(self.module_config.function_references_enabled);302cfg.wasm.gc = Some(self.module_config.config.gc_enabled);303cfg.wasm.memory64 = Some(self.module_config.config.memory64_enabled);304cfg.wasm.multi_memory = Some(self.module_config.config.max_memories > 1);305cfg.wasm.multi_value = Some(self.module_config.config.multi_value_enabled);306cfg.wasm.nan_canonicalization = Some(self.wasmtime.canonicalize_nans);307cfg.wasm.reference_types = Some(self.module_config.config.reference_types_enabled);308cfg.wasm.simd = Some(self.module_config.config.simd_enabled);309cfg.wasm.tail_call = Some(self.module_config.config.tail_call_enabled);310cfg.wasm.threads = Some(self.module_config.config.threads_enabled);311cfg.wasm.shared_everything_threads =312Some(self.module_config.config.shared_everything_threads_enabled);313cfg.wasm.wide_arithmetic = Some(self.module_config.config.wide_arithmetic_enabled);314cfg.wasm.exceptions = Some(self.module_config.config.exceptions_enabled);315cfg.wasm.shared_memory = Some(self.module_config.shared_memory);316if !self.module_config.config.simd_enabled {317cfg.wasm.relaxed_simd = Some(false);318}319cfg.codegen.collector = Some(self.wasmtime.collector.to_wasmtime());320321let compiler_strategy = &self.wasmtime.compiler_strategy;322let cranelift_strategy = match compiler_strategy {323CompilerStrategy::CraneliftNative | CompilerStrategy::CraneliftPulley => true,324CompilerStrategy::Winch => false,325};326self.wasmtime.compiler_strategy.configure(&mut cfg);327328self.wasmtime.codegen.configure(&mut cfg);329330// Determine whether we will actually enable PCC -- this is331// disabled if the module requires memory64, which is not yet332// compatible (due to the need for dynamic checks).333let pcc = cfg!(feature = "fuzz-pcc")334&& self.wasmtime.pcc335&& !self.module_config.config.memory64_enabled;336337cfg.codegen.inlining = self.wasmtime.inlining;338339// Only set cranelift specific flags when the Cranelift strategy is340// chosen.341if cranelift_strategy {342if let Some(option) = self.wasmtime.inlining_intra_module {343cfg.codegen.cranelift.push((344"wasmtime_inlining_intra_module".to_string(),345Some(option.to_string()),346));347}348if let Some(size) = self.wasmtime.inlining_small_callee_size {349cfg.codegen.cranelift.push((350"wasmtime_inlining_small_callee_size".to_string(),351// Clamp to avoid extreme code size blow up.352Some(std::cmp::min(1000, size).to_string()),353));354}355if let Some(size) = self.wasmtime.inlining_sum_size_threshold {356cfg.codegen.cranelift.push((357"wasmtime_inlining_sum_size_threshold".to_string(),358// Clamp to avoid extreme code size blow up.359Some(std::cmp::min(1000, size).to_string()),360));361}362363// If the wasm-smith-generated module use nan canonicalization then we364// don't need to enable it, but if it doesn't enable it already then we365// enable this codegen option.366cfg.wasm.nan_canonicalization = Some(!self.module_config.config.canonicalize_nans);367368// Enabling the verifier will at-least-double compilation time, which369// with a 20-30x slowdown in fuzzing can cause issues related to370// timeouts. If generated modules can have more than a small handful of371// functions then disable the verifier when fuzzing to try to lessen the372// impact of timeouts.373if self.module_config.config.max_funcs > 10 {374cfg.codegen.cranelift_debug_verifier = Some(false);375}376377if self.wasmtime.force_jump_veneers {378cfg.codegen.cranelift.push((379"wasmtime_linkopt_force_jump_veneer".to_string(),380Some("true".to_string()),381));382}383384if let Some(pad) = self.wasmtime.padding_between_functions {385cfg.codegen.cranelift.push((386"wasmtime_linkopt_padding_between_functions".to_string(),387Some(pad.to_string()),388));389}390391cfg.codegen.pcc = Some(pcc);392393// Eager init is currently only supported on Cranelift, not Winch.394cfg.opts.table_lazy_init = Some(self.wasmtime.table_lazy_init);395}396397self.wasmtime.strategy.configure(&mut cfg);398399// Vary the memory configuration, but only if threads are not enabled.400// When the threads proposal is enabled we might generate shared memory,401// which is less amenable to different memory configurations:402// - shared memories are required to be "static" so fuzzing the various403// memory configurations will mostly result in uninteresting errors.404// The interesting part about shared memories is the runtime so we405// don't fuzz non-default settings.406// - shared memories are required to be aligned which means that the407// `CustomUnaligned` variant isn't actually safe to use with a shared408// memory.409if !self.module_config.config.threads_enabled {410// If PCC is enabled, force other options to be compatible: PCC is currently only411// supported when bounds checks are elided.412let memory_config = if pcc {413MemoryConfig {414memory_reservation: Some(4 << 30), // 4 GiB415memory_guard_size: Some(2 << 30), // 2 GiB416memory_reservation_for_growth: Some(0),417guard_before_linear_memory: false,418memory_init_cow: true,419// Doesn't matter, only using virtual memory.420cranelift_enable_heap_access_spectre_mitigations: None,421}422} else {423self.wasmtime.memory_config.clone()424};425426memory_config.configure(&mut cfg);427};428429// If malloc-based memory is going to be used, which requires these four430// options set to specific values (and Pulley auto-sets two of them)431// then be sure to cap `memory_reservation_for_growth` at a smaller432// value than the default. For malloc-based memory reservation beyond433// the end of memory isn't captured by `StoreLimiter` so we need to be434// sure it's small enough to not blow OOM limits while fuzzing.435if ((cfg.opts.signals_based_traps == Some(true) && cfg.opts.memory_guard_size == Some(0))436|| self.wasmtime.compiler_strategy == CompilerStrategy::CraneliftPulley)437&& cfg.opts.memory_reservation == Some(0)438&& cfg.opts.memory_init_cow == Some(false)439{440let growth = &mut cfg.opts.memory_reservation_for_growth;441let max = 1 << 20;442*growth = match *growth {443Some(n) => Some(n.min(max)),444None => Some(max),445};446}447448log::debug!("creating wasmtime config with CLI options:\n{cfg}");449let mut cfg = cfg.config(None).expect("failed to create wasmtime::Config");450451if self.wasmtime.async_config != AsyncConfig::Disabled {452log::debug!("async config in use {:?}", self.wasmtime.async_config);453self.wasmtime.async_config.configure(&mut cfg);454}455456// Fuzzing on macOS with mach ports seems to sometimes bypass the mach457// port handling thread entirely and go straight to asan's or fuzzing's458// signal handler. No idea why and for me at least it's just easier to459// disable mach ports when fuzzing because there's no need to use that460// over signal handlers.461if cfg!(target_vendor = "apple") {462cfg.macos_use_mach_ports(false);463}464465return cfg;466}467468/// Convenience function for generating a `Store<T>` using this469/// configuration.470pub fn to_store(&self) -> Store<StoreLimits> {471let engine = Engine::new(&self.to_wasmtime()).unwrap();472let mut store = Store::new(&engine, StoreLimits::new());473self.configure_store(&mut store);474store475}476477/// Configures a store based on this configuration.478pub fn configure_store(&self, store: &mut Store<StoreLimits>) {479store.limiter(|s| s as &mut dyn wasmtime::ResourceLimiter);480self.configure_store_epoch_and_fuel(store);481}482483/// Configures everything unrelated to `T` in a store, such as epochs and484/// fuel.485pub fn configure_store_epoch_and_fuel<T>(&self, store: &mut Store<T>) {486// Configure the store to never abort by default, that is it'll have487// max fuel or otherwise trap on an epoch change but the epoch won't488// ever change.489//490// Afterwards though see what `AsyncConfig` is being used an further491// refine the store's configuration based on that.492if self.wasmtime.consume_fuel {493store.set_fuel(u64::MAX).unwrap();494}495if self.wasmtime.epoch_interruption {496store.epoch_deadline_trap();497store.set_epoch_deadline(1);498}499match self.wasmtime.async_config {500AsyncConfig::Disabled => {}501AsyncConfig::YieldWithFuel(amt) => {502assert!(self.wasmtime.consume_fuel);503store.fuel_async_yield_interval(Some(amt)).unwrap();504}505AsyncConfig::YieldWithEpochs { ticks, .. } => {506assert!(self.wasmtime.epoch_interruption);507store.set_epoch_deadline(ticks);508store.epoch_deadline_async_yield_and_update(ticks);509}510}511}512513/// Generates an arbitrary method of timing out an instance, ensuring that514/// this configuration supports the returned timeout.515pub fn generate_timeout(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<Timeout> {516let time_duration = Duration::from_millis(100);517let timeout = u518.choose(&[Timeout::Fuel(100_000), Timeout::Epoch(time_duration)])?519.clone();520match &timeout {521Timeout::Fuel(..) => {522self.wasmtime.consume_fuel = true;523}524Timeout::Epoch(..) => {525self.wasmtime.epoch_interruption = true;526}527Timeout::None => unreachable!("Not an option given to choose()"),528}529Ok(timeout)530}531532/// Compiles the `wasm` within the `engine` provided.533///534/// This notably will use `Module::{serialize,deserialize_file}` to535/// round-trip if configured in the fuzzer.536pub fn compile(&self, engine: &Engine, wasm: &[u8]) -> Result<Module> {537// Propagate this error in case the caller wants to handle538// valid-vs-invalid wasm.539let module = Module::new(engine, wasm)?;540if !self.wasmtime.use_precompiled_cwasm {541return Ok(module);542}543544// Don't propagate these errors to prevent them from accidentally being545// interpreted as invalid wasm, these should never fail on a546// well-behaved host system.547let dir = tempfile::TempDir::new().unwrap();548let file = dir.path().join("module.wasm");549std::fs::write(&file, module.serialize().unwrap()).unwrap();550unsafe { Ok(Module::deserialize_file(engine, &file).unwrap()) }551}552553/// Updates this configuration to forcibly enable async support. Only useful554/// in fuzzers which do async calls.555pub fn enable_async(&mut self, u: &mut Unstructured<'_>) -> arbitrary::Result<()> {556if self.wasmtime.consume_fuel || u.arbitrary()? {557self.wasmtime.async_config =558AsyncConfig::YieldWithFuel(u.int_in_range(1000..=100_000)?);559self.wasmtime.consume_fuel = true;560} else {561self.wasmtime.async_config = AsyncConfig::YieldWithEpochs {562dur: Duration::from_millis(u.int_in_range(1..=10)?),563ticks: u.int_in_range(1..=10)?,564};565self.wasmtime.epoch_interruption = true;566}567Ok(())568}569}570571impl<'a> Arbitrary<'a> for Config {572fn arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self> {573let mut config = Self {574wasmtime: u.arbitrary()?,575module_config: u.arbitrary()?,576};577578config579.wasmtime580.update_module_config(&mut config.module_config, u)?;581582Ok(config)583}584}585586/// Configuration related to `wasmtime::Config` and the various settings which587/// can be tweaked from within.588#[derive(Arbitrary, Clone, Debug, Eq, Hash, PartialEq)]589pub struct WasmtimeConfig {590opt_level: OptLevel,591regalloc_algorithm: RegallocAlgorithm,592debug_info: bool,593canonicalize_nans: bool,594interruptible: bool,595pub(crate) consume_fuel: bool,596pub(crate) epoch_interruption: bool,597/// The Wasmtime memory configuration to use.598pub memory_config: MemoryConfig,599force_jump_veneers: bool,600memory_init_cow: bool,601memory_guaranteed_dense_image_size: u64,602inlining: Option<bool>,603inlining_intra_module: Option<IntraModuleInlining>,604inlining_small_callee_size: Option<u32>,605inlining_sum_size_threshold: Option<u32>,606use_precompiled_cwasm: bool,607async_stack_zeroing: bool,608/// Configuration for the instance allocation strategy to use.609pub strategy: InstanceAllocationStrategy,610codegen: CodegenSettings,611padding_between_functions: Option<u16>,612generate_address_map: bool,613native_unwind_info: bool,614/// Configuration for the compiler to use.615pub compiler_strategy: CompilerStrategy,616collector: Collector,617table_lazy_init: bool,618619/// Whether or not fuzzing should enable PCC.620pcc: bool,621622/// Configuration for whether wasm is invoked in an async fashion and how623/// it's cooperatively time-sliced.624pub async_config: AsyncConfig,625626/// Whether or not host signal handlers are enabled for this configuration,627/// aka whether signal handlers are supported.628signals_based_traps: bool,629}630631impl WasmtimeConfig {632/// Force `self` to be a configuration compatible with `other`. This is633/// useful for differential execution to avoid unhelpful fuzz crashes when634/// one engine has a feature enabled and the other does not.635pub fn make_compatible_with(&mut self, other: &Self) {636// Use the same allocation strategy between the two configs.637//638// Ideally this wouldn't be necessary, but, during differential639// evaluation, if the `lhs` is using ondemand and the `rhs` is using the640// pooling allocator (or vice versa), then the module may have been641// generated in such a way that is incompatible with the other642// allocation strategy.643//644// We can remove this in the future when it's possible to access the645// fields of `wasm_smith::Module` to constrain the pooling allocator646// based on what was actually generated.647self.strategy = other.strategy.clone();648if let InstanceAllocationStrategy::Pooling { .. } = &other.strategy {649// Also use the same memory configuration when using the pooling650// allocator.651self.memory_config = other.memory_config.clone();652}653654self.make_internally_consistent();655}656657/// Updates `config` to be compatible with `self` and the other way around658/// too.659pub fn update_module_config(660&mut self,661config: &mut ModuleConfig,662_u: &mut Unstructured<'_>,663) -> arbitrary::Result<()> {664match self.compiler_strategy {665CompilerStrategy::CraneliftNative => {}666667CompilerStrategy::Winch => {668// Winch is not complete on non-x64 targets, so just abandon this test669// case. We don't want to force Cranelift because we change what module670// config features are enabled based on the compiler strategy, and we671// don't want to make the same fuzz input DNA generate different test672// cases on different targets.673if cfg!(not(target_arch = "x86_64")) {674log::warn!(675"want to compile with Winch but host architecture does not support it"676);677return Err(arbitrary::Error::IncorrectFormat);678}679680// Winch doesn't support the same set of wasm proposal as Cranelift681// at this time, so if winch is selected be sure to disable wasm682// proposals in `Config` to ensure that Winch can compile the683// module that wasm-smith generates.684config.config.relaxed_simd_enabled = false;685config.config.gc_enabled = false;686config.config.tail_call_enabled = false;687config.config.reference_types_enabled = false;688config.config.exceptions_enabled = false;689config.function_references_enabled = false;690691// Winch's SIMD implementations require AVX and AVX2.692if self693.codegen_flag("has_avx")694.is_some_and(|value| value == "false")695|| self696.codegen_flag("has_avx2")697.is_some_and(|value| value == "false")698{699config.config.simd_enabled = false;700}701702// Tuning the following engine options is currently not supported703// by Winch.704self.signals_based_traps = true;705self.table_lazy_init = true;706self.debug_info = false;707}708709CompilerStrategy::CraneliftPulley => {710config.config.threads_enabled = false;711}712}713714// If using the pooling allocator, constrain the memory and module configurations715// to the module limits.716if let InstanceAllocationStrategy::Pooling(pooling) = &mut self.strategy {717// If the pooling allocator is used, do not allow shared memory to718// be created. FIXME: see719// https://github.com/bytecodealliance/wasmtime/issues/4244.720config.config.threads_enabled = false;721722// Ensure the pooling allocator can support the maximal size of723// memory, picking the smaller of the two to win.724let min_bytes = config725.config726.max_memory32_bytes727// memory64_bytes is a u128, but since we are taking the min728// we can truncate it down to a u64.729.min(730config731.config732.max_memory64_bytes733.try_into()734.unwrap_or(u64::MAX),735);736let min = min_bytes737.min(pooling.max_memory_size as u64)738.min(self.memory_config.memory_reservation.unwrap_or(0));739pooling.max_memory_size = min as usize;740config.config.max_memory32_bytes = min;741config.config.max_memory64_bytes = min as u128;742743// If traps are disallowed then memories must have at least one page744// of memory so if we still are only allowing 0 pages of memory then745// increase that to one here.746if config.config.disallow_traps {747if pooling.max_memory_size < (1 << 16) {748pooling.max_memory_size = 1 << 16;749config.config.max_memory32_bytes = 1 << 16;750config.config.max_memory64_bytes = 1 << 16;751let cfg = &mut self.memory_config;752match &mut cfg.memory_reservation {753Some(size) => *size = (*size).max(pooling.max_memory_size as u64),754size @ None => *size = Some(pooling.max_memory_size as u64),755}756}757// .. additionally update tables758if pooling.table_elements == 0 {759pooling.table_elements = 1;760}761}762763// Don't allow too many linear memories per instance since massive764// virtual mappings can fail to get allocated.765config.config.min_memories = config.config.min_memories.min(10);766config.config.max_memories = config.config.max_memories.min(10);767768// Force this pooling allocator to always be able to accommodate the769// module that may be generated.770pooling.total_memories = config.config.max_memories as u32;771pooling.total_tables = config.config.max_tables as u32;772}773774if !self.signals_based_traps {775// At this time shared memories require a "static" memory776// configuration but when signals-based traps are disabled all777// memories are forced to the "dynamic" configuration. This is778// fixable with some more work on the bounds-checks side of things779// to do a full bounds check even on static memories, but that's780// left for a future PR.781config.config.threads_enabled = false;782783// Spectre-based heap mitigations require signal handlers so this784// must always be disabled if signals-based traps are disabled.785self.memory_config786.cranelift_enable_heap_access_spectre_mitigations = None;787}788789self.make_internally_consistent();790791Ok(())792}793794/// Returns the codegen flag value, if any, for `name`.795pub(crate) fn codegen_flag(&self, name: &str) -> Option<&str> {796self.codegen.flags().iter().find_map(|(n, value)| {797if n == name {798Some(value.as_str())799} else {800None801}802})803}804805/// Helper method to handle some dependencies between various configuration806/// options. This is intended to be called whenever a `Config` is created or807/// modified to ensure that the final result is an instantiable `Config`.808///809/// Note that in general this probably shouldn't exist and anything here can810/// be considered a "TODO" to go implement more stuff in Wasmtime to accept811/// these sorts of configurations. For now though it's intended to reflect812/// the current state of the engine's development.813fn make_internally_consistent(&mut self) {814if !self.signals_based_traps {815let cfg = &mut self.memory_config;816// Spectre-based heap mitigations require signal handlers so817// this must always be disabled if signals-based traps are818// disabled.819cfg.cranelift_enable_heap_access_spectre_mitigations = None;820821// With configuration settings that match the use of malloc for822// linear memories cap the `memory_reservation_for_growth` value823// to something reasonable to avoid OOM in fuzzing.824if !cfg.memory_init_cow825&& cfg.memory_guard_size == Some(0)826&& cfg.memory_reservation == Some(0)827{828let min = 10 << 20; // 10 MiB829if let Some(val) = &mut cfg.memory_reservation_for_growth {830*val = (*val).min(min);831} else {832cfg.memory_reservation_for_growth = Some(min);833}834}835}836}837}838839#[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)]840enum OptLevel {841None,842Speed,843SpeedAndSize,844}845846impl OptLevel {847fn to_wasmtime(&self) -> wasmtime::OptLevel {848match self {849OptLevel::None => wasmtime::OptLevel::None,850OptLevel::Speed => wasmtime::OptLevel::Speed,851OptLevel::SpeedAndSize => wasmtime::OptLevel::SpeedAndSize,852}853}854}855856#[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)]857enum RegallocAlgorithm {858Backtracking,859SinglePass,860}861862impl RegallocAlgorithm {863fn to_wasmtime(&self) -> wasmtime::RegallocAlgorithm {864match self {865RegallocAlgorithm::Backtracking => wasmtime::RegallocAlgorithm::Backtracking,866RegallocAlgorithm::SinglePass => {867// FIXME(#11850)868const SINGLE_PASS_KNOWN_BUGGY_AT_THIS_TIME: bool = true;869if SINGLE_PASS_KNOWN_BUGGY_AT_THIS_TIME {870wasmtime::RegallocAlgorithm::Backtracking871} else {872wasmtime::RegallocAlgorithm::SinglePass873}874}875}876}877}878879#[derive(Arbitrary, Clone, Copy, Debug, PartialEq, Eq, Hash)]880enum IntraModuleInlining {881Yes,882No,883WhenUsingGc,884}885886impl std::fmt::Display for IntraModuleInlining {887fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {888match self {889IntraModuleInlining::Yes => write!(f, "yes"),890IntraModuleInlining::No => write!(f, "no"),891IntraModuleInlining::WhenUsingGc => write!(f, "gc"),892}893}894}895896#[derive(Clone, Debug, PartialEq, Eq, Hash)]897/// Compiler to use.898pub enum CompilerStrategy {899/// Cranelift compiler for the native architecture.900CraneliftNative,901/// Winch compiler.902Winch,903/// Cranelift compiler for the native architecture.904CraneliftPulley,905}906907impl CompilerStrategy {908/// Configures `config` to use this compilation strategy909pub fn configure(&self, config: &mut wasmtime_cli_flags::CommonOptions) {910match self {911CompilerStrategy::CraneliftNative => {912config.codegen.compiler = Some(wasmtime::Strategy::Cranelift);913}914CompilerStrategy::Winch => {915config.codegen.compiler = Some(wasmtime::Strategy::Winch);916}917CompilerStrategy::CraneliftPulley => {918config.codegen.compiler = Some(wasmtime::Strategy::Cranelift);919config.target = Some("pulley64".to_string());920}921}922}923}924925impl Arbitrary<'_> for CompilerStrategy {926fn arbitrary(u: &mut Unstructured<'_>) -> arbitrary::Result<Self> {927// Favor fuzzing native cranelift, but if allowed also enable928// winch/pulley.929match u.int_in_range(0..=19)? {9301 => Ok(Self::CraneliftPulley),9312 => Ok(Self::Winch),932_ => Ok(Self::CraneliftNative),933}934}935}936937#[derive(Arbitrary, Clone, Debug, PartialEq, Eq, Hash)]938pub enum Collector {939DeferredReferenceCounting,940Null,941}942943impl Collector {944fn to_wasmtime(&self) -> wasmtime::Collector {945match self {946Collector::DeferredReferenceCounting => wasmtime::Collector::DeferredReferenceCounting,947Collector::Null => wasmtime::Collector::Null,948}949}950}951952953