1
//! Oracles.
2
//!
3
//! Oracles take a test case and determine whether we have a bug. For example,
4
//! one of the simplest oracles is to take a Wasm binary as our input test case,
5
//! validate and instantiate it, and (implicitly) check that no assertions
6
//! failed or segfaults happened. A more complicated oracle might compare the
7
//! result of executing a Wasm file with and without optimizations enabled, and
8
//! make sure that the two executions are observably identical.
9
//!
10
//! When an oracle finds a bug, it should report it to the fuzzing engine by
11
//! panicking.
12

13
pub mod component_api;
14
pub mod component_async;
15
#[cfg(feature = "fuzz-spec-interpreter")]
16
pub mod diff_spec;
17
pub mod diff_wasmi;
18
pub mod diff_wasmtime;
19
pub mod dummy;
20
pub mod engine;
21
pub mod memory;
22
mod stacks;
23

24
use self::diff_wasmtime::WasmtimeInstance;
25
use self::engine::{DiffEngine, DiffInstance};
26
use crate::generators::GcOps;
27
use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType};
28
use crate::single_module_fuzzer::KnownValid;
29
use crate::{YieldN, block_on};
30
use arbitrary::Arbitrary;
31
pub use stacks::check_stacks;
32
use std::future::Future;
33
use std::pin::Pin;
34
use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering::SeqCst};
35
use std::sync::{Arc, Condvar, Mutex};
36
use std::task::{Context, Poll};
37
use std::time::{Duration, Instant};
38
use wasmtime::*;
39
use wasmtime_wast::WastContext;
40

41
#[cfg(not(any(windows, target_arch = "s390x", target_arch = "riscv64")))]
42
mod diff_v8;
43

44
static CNT: AtomicUsize = AtomicUsize::new(0);
45

46
/// Logs a wasm file to the filesystem to make it easy to figure out what wasm
47
/// was used when debugging.
48
pub fn log_wasm(wasm: &[u8]) {
49
    super::init_fuzzing();
50

51
    if !log::log_enabled!(log::Level::Debug) {
52
        return;
53
    }
54

55
    let i = CNT.fetch_add(1, SeqCst);
56
    let name = format!("testcase{i}.wasm");
57
    std::fs::write(&name, wasm).expect("failed to write wasm file");
58
    log::debug!("wrote wasm file to `{name}`");
59
    let wat = format!("testcase{i}.wat");
60
    match wasmprinter::print_bytes(wasm) {
61
        Ok(s) => {
62
            std::fs::write(&wat, s).expect("failed to write wat file");
63
            log::debug!("wrote wat file to `{wat}`");
64
        }
65
        // If wasmprinter failed remove a `*.wat` file, if any, to avoid
66
        // confusing a preexisting one with this wasm which failed to get
67
        // printed.
68
        Err(e) => {
69
            log::debug!("failed to print to wat: {e}");
70
            drop(std::fs::remove_file(&wat));
71
        }
72
    }
73
}
74

75
/// The `T` in `Store<T>` for fuzzing stores, used to limit resource
76
/// consumption during fuzzing.
77
#[derive(Clone)]
78
pub struct StoreLimits(Arc<LimitsState>);
79

80
struct LimitsState {
81
    /// Remaining memory, in bytes, left to allocate
82
    remaining_memory: AtomicUsize,
83
    /// Remaining amount of memory that's allowed to be copied via a growth.
84
    remaining_copy_allowance: AtomicUsize,
85
    /// Whether or not an allocation request has been denied
86
    oom: AtomicBool,
87
}
88

89
/// Allow up to 1G which is well below the 2G limit on OSS-Fuzz and should allow
90
/// most interesting behavior.
91
const MAX_MEMORY: usize = 1 << 30;
92

93
/// Allow up to 4G of bytes to be copied (conservatively) which should enable
94
/// growth up to `MAX_MEMORY` or at least up to a relatively large amount.
95
const MAX_MEMORY_MOVED: usize = 4 << 30;
96

97
impl StoreLimits {
98
    /// Creates the default set of limits for all fuzzing stores.
99
    pub fn new() -> StoreLimits {
100
        StoreLimits(Arc::new(LimitsState {
101
            remaining_memory: AtomicUsize::new(MAX_MEMORY),
102
            remaining_copy_allowance: AtomicUsize::new(MAX_MEMORY_MOVED),
103
            oom: AtomicBool::new(false),
104
        }))
105
    }
106

107
    fn alloc(&mut self, amt: usize) -> bool {
108
        log::trace!("alloc {amt:#x} bytes");
109

110
        // Assume that on each allocation of memory that all previous
111
        // allocations of memory are moved. This is pretty coarse but is used to
112
        // help prevent against fuzz test cases that just move tons of bytes
113
        // around continuously. This assumes that all previous memory was
114
        // allocated in a single linear memory and growing by `amt` will require
115
        // moving all the bytes to a new location. This isn't actually required
116
        // all the time nor does it accurately reflect what happens all the
117
        // time, but it's a coarse approximation that should be "good enough"
118
        // for allowing interesting fuzz behaviors to happen while not timing
119
        // out just copying bytes around.
120
        let prev_size = MAX_MEMORY - self.0.remaining_memory.load(SeqCst);
121
        if self
122
            .0
123
            .remaining_copy_allowance
124
            .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(prev_size))
125
            .is_err()
126
        {
127
            self.0.oom.store(true, SeqCst);
128
            log::debug!("-> too many bytes moved, rejecting allocation");
129
            return false;
130
        }
131

132
        // If we're allowed to move the bytes, then also check if we're allowed
133
        // to actually have this much residence at once.
134
        match self
135
            .0
136
            .remaining_memory
137
            .fetch_update(SeqCst, SeqCst, |remaining| remaining.checked_sub(amt))
138
        {
139
            Ok(_) => true,
140
            Err(_) => {
141
                self.0.oom.store(true, SeqCst);
142
                log::debug!("-> OOM hit");
143
                false
144
            }
145
        }
146
    }
147

148
    fn is_oom(&self) -> bool {
149
        self.0.oom.load(SeqCst)
150
    }
151
}
152

153
impl ResourceLimiter for StoreLimits {
154
    fn memory_growing(
155
        &mut self,
156
        current: usize,
157
        desired: usize,
158
        _maximum: Option<usize>,
159
    ) -> Result<bool> {
160
        Ok(self.alloc(desired - current))
161
    }
162

163
    fn table_growing(
164
        &mut self,
165
        current: usize,
166
        desired: usize,
167
        _maximum: Option<usize>,
168
    ) -> Result<bool> {
169
        let delta = (desired - current).saturating_mul(std::mem::size_of::<usize>());
170
        Ok(self.alloc(delta))
171
    }
172
}
173

174
/// Methods of timing out execution of a WebAssembly module
175
#[derive(Clone, Debug)]
176
pub enum Timeout {
177
    /// No timeout is used, it should be guaranteed via some other means that
178
    /// the input does not infinite loop.
179
    None,
180
    /// Fuel-based timeouts are used where the specified fuel is all that the
181
    /// provided wasm module is allowed to consume.
182
    Fuel(u64),
183
    /// An epoch-interruption-based timeout is used with a sleeping
184
    /// thread bumping the epoch counter after the specified duration.
185
    Epoch(Duration),
186
}
187

188
/// Instantiate the Wasm buffer, and implicitly fail if we have an unexpected
189
/// panic or segfault or anything else that can be detected "passively".
190
///
191
/// The engine will be configured using provided config.
192
pub fn instantiate(
193
    wasm: &[u8],
194
    known_valid: KnownValid,
195
    config: &generators::Config,
196
    timeout: Timeout,
197
) {
198
    let mut store = config.to_store();
199

200
    let module = match compile_module(store.engine(), wasm, known_valid, config) {
201
        Some(module) => module,
202
        None => return,
203
    };
204

205
    let mut timeout_state = HelperThread::default();
206
    match timeout {
207
        Timeout::Fuel(fuel) => store.set_fuel(fuel).unwrap(),
208

209
        // If a timeout is requested then we spawn a helper thread to wait for
210
        // the requested time and then send us a signal to get interrupted. We
211
        // also arrange for the thread's sleep to get interrupted if we return
212
        // early (or the wasm returns within the time limit), which allows the
213
        // thread to get torn down.
214
        //
215
        // This prevents us from creating a huge number of sleeping threads if
216
        // this function is executed in a loop, like it does on nightly fuzzing
217
        // infrastructure.
218
        Timeout::Epoch(timeout) => {
219
            let engine = store.engine().clone();
220
            timeout_state.run_periodically(timeout, move || engine.increment_epoch());
221
        }
222
        Timeout::None => {}
223
    }
224

225
    instantiate_with_dummy(&mut store, &module);
226
}
227

228
/// Represents supported commands to the `instantiate_many` function.
229
#[derive(Arbitrary, Debug)]
230
pub enum Command {
231
    /// Instantiates a module.
232
    ///
233
    /// The value is the index of the module to instantiate.
234
    ///
235
    /// The module instantiated will be this value modulo the number of modules provided to `instantiate_many`.
236
    Instantiate(usize),
237
    /// Terminates a "running" instance.
238
    ///
239
    /// The value is the index of the instance to terminate.
240
    ///
241
    /// The instance terminated will be this value modulo the number of currently running
242
    /// instances.
243
    ///
244
    /// If no instances are running, the command will be ignored.
245
    Terminate(usize),
246
}
247

248
/// Instantiates many instances from the given modules.
249
///
250
/// The engine will be configured using the provided config.
251
///
252
/// The modules are expected to *not* have start functions as no timeouts are configured.
253
pub fn instantiate_many(
254
    modules: &[Vec<u8>],
255
    known_valid: KnownValid,
256
    config: &generators::Config,
257
    commands: &[Command],
258
) {
259
    log::debug!("instantiate_many: {commands:#?}");
260

261
    assert!(!config.module_config.config.allow_start_export);
262

263
    let engine = Engine::new(&config.to_wasmtime()).unwrap();
264

265
    let modules = modules
266
        .iter()
267
        .enumerate()
268
        .filter_map(
269
            |(i, bytes)| match compile_module(&engine, bytes, known_valid, config) {
270
                Some(m) => {
271
                    log::debug!("successfully compiled module {i}");
272
                    Some(m)
273
                }
274
                None => {
275
                    log::debug!("failed to compile module {i}");
276
                    None
277
                }
278
            },
279
        )
280
        .collect::<Vec<_>>();
281

282
    // If no modules were valid, we're done
283
    if modules.is_empty() {
284
        return;
285
    }
286

287
    // This stores every `Store` where a successful instantiation takes place
288
    let mut stores = Vec::new();
289
    let limits = StoreLimits::new();
290

291
    for command in commands {
292
        match command {
293
            Command::Instantiate(index) => {
294
                let index = *index % modules.len();
295
                log::info!("instantiating {index}");
296
                let module = &modules[index];
297
                let mut store = Store::new(&engine, limits.clone());
298
                config.configure_store(&mut store);
299

300
                if instantiate_with_dummy(&mut store, module).is_some() {
301
                    stores.push(Some(store));
302
                } else {
303
                    log::warn!("instantiation failed");
304
                }
305
            }
306
            Command::Terminate(index) => {
307
                if stores.is_empty() {
308
                    continue;
309
                }
310
                let index = *index % stores.len();
311

312
                log::info!("dropping {index}");
313
                stores.swap_remove(index);
314
            }
315
        }
316
    }
317
}
318

319
fn compile_module(
320
    engine: &Engine,
321
    bytes: &[u8],
322
    known_valid: KnownValid,
323
    config: &generators::Config,
324
) -> Option<Module> {
325
    log_wasm(bytes);
326

327
    fn is_pcc_error(e: &wasmtime::Error) -> bool {
328
        // NOTE: please keep this predicate in sync with the display format of CodegenError,
329
        // defined in `wasmtime/cranelift/codegen/src/result.rs`
330
        e.to_string().to_lowercase().contains("proof-carrying-code")
331
    }
332

333
    match config.compile(engine, bytes) {
334
        Ok(module) => Some(module),
335
        Err(e) if is_pcc_error(&e) => {
336
            panic!("pcc error in input: {e:#?}");
337
        }
338
        Err(_) if known_valid == KnownValid::No => None,
339
        Err(e) => {
340
            if let generators::InstanceAllocationStrategy::Pooling(c) = &config.wasmtime.strategy {
341
                // When using the pooling allocator, accept failures to compile
342
                // when arbitrary table element limits have been exceeded as
343
                // there is currently no way to constrain the generated module
344
                // table types.
345
                let string = format!("{e:?}");
346
                if string.contains("minimum element size") {
347
                    return None;
348
                }
349

350
                // Allow modules-failing-to-compile which exceed the requested
351
                // size for each instance. This is something that is difficult
352
                // to control and ensure it always succeeds, so we simply have a
353
                // "random" instance size limit and if a module doesn't fit we
354
                // move on to the next fuzz input.
355
                if string.contains("instance allocation for this module requires") {
356
                    return None;
357
                }
358

359
                // If the pooling allocator is more restrictive on the number of
360
                // tables and memories than we allowed wasm-smith to generate
361
                // then allow compilation errors along those lines.
362
                if c.max_tables_per_module < (config.module_config.config.max_tables as u32)
363
                    && string.contains("defined tables count")
364
                    && string.contains("exceeds the per-instance limit")
365
                {
366
                    return None;
367
                }
368

369
                if c.max_memories_per_module < (config.module_config.config.max_memories as u32)
370
                    && string.contains("defined memories count")
371
                    && string.contains("exceeds the per-instance limit")
372
                {
373
                    return None;
374
                }
375
            }
376

377
            panic!("failed to compile module: {e:?}");
378
        }
379
    }
380
}
381

382
/// Create a Wasmtime [`Instance`] from a [`Module`] and fill in all imports
383
/// with dummy values (e.g., zeroed values, immediately-trapping functions).
384
/// Also, this function catches certain fuzz-related instantiation failures and
385
/// returns `None` instead of panicking.
386
///
387
/// TODO: we should implement tracing versions of these dummy imports that
388
/// record a trace of the order that imported functions were called in and with
389
/// what values. Like the results of exported functions, calls to imports should
390
/// also yield the same values for each configuration, and we should assert
391
/// that.
392
pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -> Option<Instance> {
393
    // Creation of imports can fail due to resource limit constraints, and then
394
    // instantiation can naturally fail for a number of reasons as well. Bundle
395
    // the two steps together to match on the error below.
396
    let linker = dummy::dummy_linker(store, module);
397
    if let Err(e) = &linker {
398
        log::warn!("failed to create dummy linker: {e:?}");
399
    }
400
    let instance = linker.and_then(|l| l.instantiate(&mut *store, module));
401
    unwrap_instance(store, instance)
402
}
403

404
fn unwrap_instance(
405
    store: &Store<StoreLimits>,
406
    instance: wasmtime::Result<Instance>,
407
) -> Option<Instance> {
408
    let e = match instance {
409
        Ok(i) => return Some(i),
410
        Err(e) => e,
411
    };
412

413
    log::debug!("failed to instantiate: {e:?}");
414

415
    // If the instantiation hit OOM for some reason then that's ok, it's
416
    // expected that fuzz-generated programs try to allocate lots of
417
    // stuff.
418
    if store.data().is_oom() {
419
        return None;
420
    }
421

422
    // Allow traps which can happen normally with `unreachable` or a timeout or
423
    // such.
424
    if e.is::<Trap>()
425
        // Also allow failures to instantiate as a result of hitting pooling
426
        // limits.
427
        || e.is::<wasmtime::PoolConcurrencyLimitError>()
428
        // And GC heap OOMs.
429
        || e.is::<wasmtime::GcHeapOutOfMemory<()>>()
430
        // And thrown exceptions.
431
        || e.is::<wasmtime::ThrownException>()
432
    {
433
        return None;
434
    }
435

436
    let string = e.to_string();
437

438
    // Currently we instantiate with a `Linker` which can't instantiate
439
    // every single module under the sun due to using name-based resolution
440
    // rather than positional-based resolution
441
    if string.contains("incompatible import type") {
442
        return None;
443
    }
444

445
    // Everything else should be a bug in the fuzzer or a bug in wasmtime
446
    panic!("failed to instantiate: {e:?}");
447
}
448

449
/// Evaluate the function identified by `name` in two different engine
450
/// instances--`lhs` and `rhs`.
451
///
452
/// Returns `Ok(true)` if more evaluations can happen or `Ok(false)` if the
453
/// instances may have drifted apart and no more evaluations can happen.
454
///
455
/// # Panics
456
///
457
/// This will panic if the evaluation is different between engines (e.g.,
458
/// results are different, hashed instance is different, one side traps, etc.).
459
pub fn differential(
460
    lhs: &mut dyn DiffInstance,
461
    lhs_engine: &dyn DiffEngine,
462
    rhs: &mut WasmtimeInstance,
463
    name: &str,
464
    args: &[DiffValue],
465
    result_tys: &[DiffValueType],
466
) -> wasmtime::Result<bool> {
467
    log::debug!("Evaluating: `{name}` with {args:?}");
468
    let lhs_results = match lhs.evaluate(name, args, result_tys) {
469
        Ok(Some(results)) => Ok(results),
470
        Err(e) => Err(e),
471
        // this engine couldn't execute this type signature, so discard this
472
        // execution by returning success.
473
        Ok(None) => return Ok(true),
474
    };
475
    log::debug!(" -> lhs results on {}: {:?}", lhs.name(), &lhs_results);
476

477
    let rhs_results = rhs
478
        .evaluate(name, args, result_tys)
479
        // wasmtime should be able to invoke any signature, so unwrap this result
480
        .map(|results| results.unwrap());
481
    log::debug!(" -> rhs results on {}: {:?}", rhs.name(), &rhs_results);
482

483
    // If Wasmtime hit its OOM condition, which is possible since it's set
484
    // somewhat low while fuzzing, then don't return an error but return
485
    // `false` indicating that differential fuzzing must stop. There's no
486
    // guarantee the other engine has the same OOM limits as Wasmtime, and
487
    // it's assumed that Wasmtime is configured to have a more conservative
488
    // limit than the other engine.
489
    if rhs.is_oom() {
490
        return Ok(false);
491
    }
492

493
    match DiffEqResult::new(lhs_engine, lhs_results, rhs_results) {
494
        DiffEqResult::Success(lhs, rhs) => assert_eq!(lhs, rhs),
495
        DiffEqResult::Poisoned => return Ok(false),
496
        DiffEqResult::Failed => {}
497
    }
498

499
    for (global, ty) in rhs.exported_globals() {
500
        log::debug!("Comparing global `{global}`");
501
        let lhs = match lhs.get_global(&global, ty) {
502
            Some(val) => val,
503
            None => continue,
504
        };
505
        let rhs = rhs.get_global(&global, ty).unwrap();
506
        assert_eq!(lhs, rhs);
507
    }
508
    for (memory, shared) in rhs.exported_memories() {
509
        log::debug!("Comparing memory `{memory}`");
510
        let lhs = match lhs.get_memory(&memory, shared) {
511
            Some(val) => val,
512
            None => continue,
513
        };
514
        let rhs = rhs.get_memory(&memory, shared).unwrap();
515
        if lhs == rhs {
516
            continue;
517
        }
518
        eprintln!("differential memory is {} bytes long", lhs.len());
519
        eprintln!("wasmtime memory is     {} bytes long", rhs.len());
520
        panic!("memories have differing values");
521
    }
522

523
    Ok(true)
524
}
525

526
/// Result of comparing the result of two operations during differential
527
/// execution.
528
pub enum DiffEqResult<T, U> {
529
    /// Both engines succeeded.
530
    Success(T, U),
531
    /// The result has reached the state where engines may have diverged and
532
    /// results can no longer be compared.
533
    Poisoned,
534
    /// Both engines failed with the same error message, and internal state
535
    /// should still match between the two engines.
536
    Failed,
537
}
538

539
fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool {
540
    match trap {
541
        // Allocations being too large for the GC are
542
        // implementation-defined.
543
        Trap::AllocationTooLarge |
544
        // Stack size, and therefore when overflow happens, is
545
        // implementation-defined.
546
        Trap::StackOverflow => true,
547
        _ => false,
548
    }
549
}
550

551
fn wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool {
552
    match error.downcast_ref::<Trap>() {
553
        Some(trap) => wasmtime_trap_is_non_deterministic(trap),
554

555
        // For general, unknown errors, we can't rely on this being
556
        // a deterministic Wasm failure that both engines handled
557
        // identically, leaving Wasm in identical states. We could
558
        // just as easily be hitting engine-specific failures, like
559
        // different implementation-defined limits. So simply poison
560
        // this execution and move on to the next test.
561
        None => true,
562
    }
563
}
564

565
impl<T, U> DiffEqResult<T, U> {
566
    /// Computes the differential result from executing in two different
567
    /// engines.
568
    pub fn new(
569
        lhs_engine: &dyn DiffEngine,
570
        lhs_result: Result<T>,
571
        rhs_result: Result<U>,
572
    ) -> DiffEqResult<T, U> {
573
        match (lhs_result, rhs_result) {
574
            (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result),
575

576
            // Handle all non-deterministic errors by poisoning this execution's
577
            // state, so that we simply move on to the next test.
578
            (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => {
579
                log::debug!("lhs failed non-deterministically: {lhs:?}");
580
                DiffEqResult::Poisoned
581
            }
582
            (_, Err(rhs)) if wasmtime_error_is_non_deterministic(&rhs) => {
583
                log::debug!("rhs failed non-deterministically: {rhs:?}");
584
                DiffEqResult::Poisoned
585
            }
586

587
            // Both sides failed deterministically. Check that the trap and
588
            // state at the time of failure is the same.
589
            (Err(lhs), Err(rhs)) => {
590
                let rhs = rhs
591
                    .downcast::<Trap>()
592
                    .expect("non-traps handled in earlier match arm");
593

594
                debug_assert!(
595
                    !lhs_engine.is_non_deterministic_error(&lhs),
596
                    "non-deterministic traps handled in earlier match arm",
597
                );
598
                debug_assert!(
599
                    !wasmtime_trap_is_non_deterministic(&rhs),
600
                    "non-deterministic traps handled in earlier match arm",
601
                );
602

603
                lhs_engine.assert_error_match(&lhs, &rhs);
604
                DiffEqResult::Failed
605
            }
606

607
            // A real bug is found if only one side fails.
608
            (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"),
609
            (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"),
610
        }
611
    }
612
}
613

614
/// Invoke the given API calls.
615
pub fn make_api_calls(api: generators::api::ApiCalls) {
616
    use crate::generators::api::ApiCall;
617
    use std::collections::HashMap;
618

619
    let mut store: Option<Store<StoreLimits>> = None;
620
    let mut modules: HashMap<usize, Module> = Default::default();
621
    let mut instances: HashMap<usize, Instance> = Default::default();
622

623
    for call in api.calls {
624
        match call {
625
            ApiCall::StoreNew(config) => {
626
                log::trace!("creating store");
627
                assert!(store.is_none());
628
                store = Some(config.to_store());
629
            }
630

631
            ApiCall::ModuleNew { id, wasm } => {
632
                log::debug!("creating module: {id}");
633
                log_wasm(&wasm);
634
                let module = match Module::new(store.as_ref().unwrap().engine(), &wasm) {
635
                    Ok(m) => m,
636
                    Err(_) => continue,
637
                };
638
                let old = modules.insert(id, module);
639
                assert!(old.is_none());
640
            }
641

642
            ApiCall::ModuleDrop { id } => {
643
                log::trace!("dropping module: {id}");
644
                drop(modules.remove(&id));
645
            }
646

647
            ApiCall::InstanceNew { id, module } => {
648
                log::trace!("instantiating module {module} as {id}");
649
                let module = match modules.get(&module) {
650
                    Some(m) => m,
651
                    None => continue,
652
                };
653

654
                let store = store.as_mut().unwrap();
655
                if let Some(instance) = instantiate_with_dummy(store, module) {
656
                    instances.insert(id, instance);
657
                }
658
            }
659

660
            ApiCall::InstanceDrop { id } => {
661
                log::trace!("dropping instance {id}");
662
                instances.remove(&id);
663
            }
664

665
            ApiCall::CallExportedFunc { instance, nth } => {
666
                log::trace!("calling instance export {instance} / {nth}");
667
                let instance = match instances.get(&instance) {
668
                    Some(i) => i,
669
                    None => {
670
                        // Note that we aren't guaranteed to instantiate valid
671
                        // modules, see comments in `InstanceNew` for details on
672
                        // that. But the API call generator can't know if
673
                        // instantiation failed, so we might not actually have
674
                        // this instance. When that's the case, just skip the
675
                        // API call and keep going.
676
                        continue;
677
                    }
678
                };
679
                let store = store.as_mut().unwrap();
680

681
                let funcs = instance
682
                    .exports(&mut *store)
683
                    .filter_map(|e| match e.into_extern() {
684
                        Extern::Func(f) => Some(f),
685
                        _ => None,
686
                    })
687
                    .collect::<Vec<_>>();
688

689
                if funcs.is_empty() {
690
                    continue;
691
                }
692

693
                let nth = nth % funcs.len();
694
                let f = &funcs[nth];
695
                let ty = f.ty(&store);
696
                if let Some(params) = ty
697
                    .params()
698
                    .map(|p| p.default_value())
699
                    .collect::<Option<Vec<_>>>()
700
                {
701
                    let mut results = vec![Val::I32(0); ty.results().len()];
702
                    let _ = f.call(store, &params, &mut results);
703
                }
704
            }
705
        }
706
    }
707
}
708

709
/// Executes the wast `test` with the `config` specified.
710
///
711
/// Ensures that wast tests pass regardless of the `Config`.
712
pub fn wast_test(u: &mut arbitrary::Unstructured<'_>) -> arbitrary::Result<()> {
713
    crate::init_fuzzing();
714

715
    let mut fuzz_config: generators::Config = u.arbitrary()?;
716
    fuzz_config.module_config.shared_memory = true;
717
    let test: generators::WastTest = u.arbitrary()?;
718

719
    let test = &test.test;
720

721
    if test.config.component_model_async() || u.arbitrary()? {
722
        fuzz_config.enable_async(u)?;
723
    }
724

725
    // Discard tests that allocate a lot of memory as we don't want to OOM the
726
    // fuzzer and we also limit memory growth which would cause the test to
727
    // fail.
728
    if test.config.hogs_memory.unwrap_or(false) {
729
        return Err(arbitrary::Error::IncorrectFormat);
730
    }
731

732
    // Transform `fuzz_config` to be valid for `test` and make sure that this
733
    // test is supposed to pass.
734
    let wast_config = fuzz_config.make_wast_test_compliant(test);
735
    if test.should_fail(&wast_config) {
736
        return Err(arbitrary::Error::IncorrectFormat);
737
    }
738

739
    // Winch requires AVX and AVX2 for SIMD tests to pass so don't run the test
740
    // if either isn't enabled.
741
    if fuzz_config.wasmtime.compiler_strategy == CompilerStrategy::Winch
742
        && test.config.simd()
743
        && (fuzz_config
744
            .wasmtime
745
            .codegen_flag("has_avx")
746
            .is_some_and(|value| value == "false")
747
            || fuzz_config
748
                .wasmtime
749
                .codegen_flag("has_avx2")
750
                .is_some_and(|value| value == "false"))
751
    {
752
        log::warn!(
753
            "Skipping Wast test because Winch doesn't support SIMD tests with AVX or AVX2 disabled"
754
        );
755
        return Err(arbitrary::Error::IncorrectFormat);
756
    }
757

758
    // Fuel and epochs don't play well with threads right now, so exclude any
759
    // thread-spawning test if it looks like threads are spawned in that case.
760
    if fuzz_config.wasmtime.consume_fuel || fuzz_config.wasmtime.epoch_interruption {
761
        if test.contents.contains("(thread") {
762
            return Err(arbitrary::Error::IncorrectFormat);
763
        }
764
    }
765

766
    log::debug!("running {:?}", test.path);
767
    let async_ = if fuzz_config.wasmtime.async_config == generators::AsyncConfig::Disabled {
768
        wasmtime_wast::Async::No
769
    } else {
770
        wasmtime_wast::Async::Yes
771
    };
772
    log::debug!("async: {async_:?}");
773
    let engine = Engine::new(&fuzz_config.to_wasmtime()).unwrap();
774
    let mut wast_context = WastContext::new(&engine, async_, move |store| {
775
        fuzz_config.configure_store_epoch_and_fuel(store);
776
    });
777
    wast_context
778
        .register_spectest(&wasmtime_wast::SpectestConfig {
779
            use_shared_memory: true,
780
            suppress_prints: true,
781
        })
782
        .unwrap();
783
    wast_context
784
        .run_wast(test.path.to_str().unwrap(), test.contents.as_bytes())
785
        .unwrap();
786
    Ok(())
787
}
788

789
/// Execute a series of `gc` operations.
790
///
791
/// Returns the number of `gc` operations which occurred throughout the test
792
/// case -- used to test below that gc happens reasonably soon and eventually.
793
pub fn gc_ops(mut fuzz_config: generators::Config, mut ops: GcOps) -> Result<usize> {
794
    let expected_drops = Arc::new(AtomicUsize::new(0));
795
    let num_dropped = Arc::new(AtomicUsize::new(0));
796

797
    let num_gcs = Arc::new(AtomicUsize::new(0));
798
    {
799
        fuzz_config.wasmtime.consume_fuel = true;
800
        let mut store = fuzz_config.to_store();
801
        store.set_fuel(1_000).unwrap();
802

803
        let wasm = ops.to_wasm_binary();
804
        log_wasm(&wasm);
805
        let module = match compile_module(store.engine(), &wasm, KnownValid::No, &fuzz_config) {
806
            Some(m) => m,
807
            None => return Ok(0),
808
        };
809

810
        let mut linker = Linker::new(store.engine());
811

812
        // To avoid timeouts, limit the number of explicit GCs we perform per
813
        // test case.
814
        const MAX_GCS: usize = 5;
815

816
        let func_ty = FuncType::new(
817
            store.engine(),
818
            vec![],
819
            vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF],
820
        );
821
        let func = Func::new(&mut store, func_ty, {
822
            let num_dropped = num_dropped.clone();
823
            let expected_drops = expected_drops.clone();
824
            let num_gcs = num_gcs.clone();
825
            move |mut caller: Caller<'_, StoreLimits>, _params, results| {
826
                log::info!("gc_ops: GC");
827
                if num_gcs.fetch_add(1, SeqCst) < MAX_GCS {
828
                    caller.gc(None)?;
829
                }
830

831
                let a = ExternRef::new(
832
                    &mut caller,
833
                    CountDrops::new(&expected_drops, num_dropped.clone()),
834
                )?;
835
                let b = ExternRef::new(
836
                    &mut caller,
837
                    CountDrops::new(&expected_drops, num_dropped.clone()),
838
                )?;
839
                let c = ExternRef::new(
840
                    &mut caller,
841
                    CountDrops::new(&expected_drops, num_dropped.clone()),
842
                )?;
843

844
                log::info!("gc_ops: gc() -> ({a:?}, {b:?}, {c:?})");
845
                results[0] = Some(a).into();
846
                results[1] = Some(b).into();
847
                results[2] = Some(c).into();
848
                Ok(())
849
            }
850
        });
851
        linker.define(&store, "", "gc", func).unwrap();
852

853
        linker
854
            .func_wrap("", "take_refs", {
855
                let expected_drops = expected_drops.clone();
856
                move |caller: Caller<'_, StoreLimits>,
857
                      a: Option<Rooted<ExternRef>>,
858
                      b: Option<Rooted<ExternRef>>,
859
                      c: Option<Rooted<ExternRef>>|
860
                      -> Result<()> {
861
                    log::info!("gc_ops: take_refs({a:?}, {b:?}, {c:?})",);
862

863
                    // Do the assertion on each ref's inner data, even though it
864
                    // all points to the same atomic, so that if we happen to
865
                    // run into a use-after-free bug with one of these refs we
866
                    // are more likely to trigger a segfault.
867
                    if let Some(a) = a {
868
                        let a = a
869
                            .data(&caller)?
870
                            .unwrap()
871
                            .downcast_ref::<CountDrops>()
872
                            .unwrap();
873
                        assert!(a.0.load(SeqCst) <= expected_drops.load(SeqCst));
874
                    }
875
                    if let Some(b) = b {
876
                        let b = b
877
                            .data(&caller)?
878
                            .unwrap()
879
                            .downcast_ref::<CountDrops>()
880
                            .unwrap();
881
                        assert!(b.0.load(SeqCst) <= expected_drops.load(SeqCst));
882
                    }
883
                    if let Some(c) = c {
884
                        let c = c
885
                            .data(&caller)?
886
                            .unwrap()
887
                            .downcast_ref::<CountDrops>()
888
                            .unwrap();
889
                        assert!(c.0.load(SeqCst) <= expected_drops.load(SeqCst));
890
                    }
891
                    Ok(())
892
                }
893
            })
894
            .unwrap();
895

896
        let func_ty = FuncType::new(
897
            store.engine(),
898
            vec![],
899
            vec![ValType::EXTERNREF, ValType::EXTERNREF, ValType::EXTERNREF],
900
        );
901
        let func = Func::new(&mut store, func_ty, {
902
            let num_dropped = num_dropped.clone();
903
            let expected_drops = expected_drops.clone();
904
            move |mut caller, _params, results| {
905
                log::info!("gc_ops: make_refs");
906

907
                let a = ExternRef::new(
908
                    &mut caller,
909
                    CountDrops::new(&expected_drops, num_dropped.clone()),
910
                )?;
911
                let b = ExternRef::new(
912
                    &mut caller,
913
                    CountDrops::new(&expected_drops, num_dropped.clone()),
914
                )?;
915
                let c = ExternRef::new(
916
                    &mut caller,
917
                    CountDrops::new(&expected_drops, num_dropped.clone()),
918
                )?;
919

920
                log::info!("gc_ops: make_refs() -> ({a:?}, {b:?}, {c:?})");
921

922
                results[0] = Some(a).into();
923
                results[1] = Some(b).into();
924
                results[2] = Some(c).into();
925

926
                Ok(())
927
            }
928
        });
929
        linker.define(&store, "", "make_refs", func).unwrap();
930

931
        let func_ty = FuncType::new(
932
            store.engine(),
933
            vec![ValType::Ref(RefType::new(true, HeapType::Struct))],
934
            vec![],
935
        );
936

937
        let func = Func::new(&mut store, func_ty, {
938
            move |_caller: Caller<'_, StoreLimits>, _params, _results| {
939
                log::info!("gc_ops: take_struct(<ref null struct>)");
940
                Ok(())
941
            }
942
        });
943

944
        linker.define(&store, "", "take_struct", func).unwrap();
945

946
        for imp in module.imports() {
947
            if imp.module() == "" {
948
                let name = imp.name();
949
                if name.starts_with("take_struct_") {
950
                    if let wasmtime::ExternType::Func(ft) = imp.ty() {
951
                        let imp_name = name.to_string();
952
                        let func =
953
                            Func::new(&mut store, ft.clone(), move |_caller, _params, _results| {
954
                                log::info!("gc_ops: {imp_name}(<typed structref>)");
955
                                Ok(())
956
                            });
957
                        linker.define(&store, "", name, func).unwrap();
958
                    }
959
                }
960
            }
961
        }
962

963
        let instance = linker.instantiate(&mut store, &module).unwrap();
964
        let run = instance.get_func(&mut store, "run").unwrap();
965

966
        {
967
            let mut scope = RootScope::new(&mut store);
968

969
            log::info!(
970
                "gc_ops: begin allocating {} externref arguments",
971
                ops.limits.num_globals
972
            );
973
            let args: Vec<_> = (0..ops.limits.num_params)
974
                .map(|_| {
975
                    Ok(Val::ExternRef(Some(ExternRef::new(
976
                        &mut scope,
977
                        CountDrops::new(&expected_drops, num_dropped.clone()),
978
                    )?)))
979
                })
980
                .collect::<Result<_>>()?;
981
            log::info!(
982
                "gc_ops: end allocating {} externref arguments",
983
                ops.limits.num_globals
984
            );
985

986
            // The generated function should always return a trap. The only two
987
            // valid traps are table-out-of-bounds which happens through `table.get`
988
            // and `table.set` generated or an out-of-fuel trap. Otherwise any other
989
            // error is unexpected and should fail fuzzing.
990
            log::info!("gc_ops: calling into Wasm `run` function");
991
            let err = run.call(&mut scope, &args, &mut []).unwrap_err();
992
            if err.is::<GcHeapOutOfMemory<CountDrops>>() || err.is::<GcHeapOutOfMemory<()>>() {
993
                // Accept GC OOM as an allowed outcome for this fuzzer.
994
            } else {
995
                let trap = err
996
                    .downcast::<Trap>()
997
                    .expect("if not GC oom, error should be a Wasm trap");
998
                match trap {
999
                    Trap::TableOutOfBounds | Trap::OutOfFuel | Trap::AllocationTooLarge => {}
1000
                    _ => panic!("unexpected trap: {trap}"),
1001
                }
1002
            }
1003
        }
1004

1005
        // Do a final GC after running the Wasm.
1006
        store.gc(None)?;
1007
    }
1008

1009
    assert_eq!(num_dropped.load(SeqCst), expected_drops.load(SeqCst));
1010
    return Ok(num_gcs.load(SeqCst));
1011

1012
    struct CountDrops(Arc<AtomicUsize>);
1013

1014
    impl CountDrops {
1015
        fn new(expected_drops: &AtomicUsize, num_dropped: Arc<AtomicUsize>) -> Self {
1016
            let expected = expected_drops.fetch_add(1, SeqCst);
1017
            log::info!(
1018
                "CountDrops::new: expected drops: {expected} -> {}",
1019
                expected + 1
1020
            );
1021
            Self(num_dropped)
1022
        }
1023
    }
1024

1025
    impl Drop for CountDrops {
1026
        fn drop(&mut self) {
1027
            let drops = self.0.fetch_add(1, SeqCst);
1028
            log::info!("CountDrops::drop: actual drops: {drops} -> {}", drops + 1);
1029
        }
1030
    }
1031
}
1032

1033
#[derive(Default)]
1034
struct HelperThread {
1035
    state: Arc<HelperThreadState>,
1036
    thread: Option<std::thread::JoinHandle<()>>,
1037
}
1038

1039
#[derive(Default)]
1040
struct HelperThreadState {
1041
    should_exit: Mutex<bool>,
1042
    should_exit_cvar: Condvar,
1043
}
1044

1045
impl HelperThread {
1046
    fn run_periodically(&mut self, dur: Duration, mut closure: impl FnMut() + Send + 'static) {
1047
        let state = self.state.clone();
1048
        self.thread = Some(std::thread::spawn(move || {
1049
            // Using our mutex/condvar we wait here for the first of `dur` to
1050
            // pass or the `HelperThread` instance to get dropped.
1051
            let mut should_exit = state.should_exit.lock().unwrap();
1052
            while !*should_exit {
1053
                let (lock, result) = state
1054
                    .should_exit_cvar
1055
                    .wait_timeout(should_exit, dur)
1056
                    .unwrap();
1057
                should_exit = lock;
1058
                // If we timed out for sure then there's no need to continue
1059
                // since we'll just abort on the next `checked_sub` anyway.
1060
                if result.timed_out() {
1061
                    closure();
1062
                }
1063
            }
1064
        }));
1065
    }
1066
}
1067

1068
impl Drop for HelperThread {
1069
    fn drop(&mut self) {
1070
        let thread = match self.thread.take() {
1071
            Some(thread) => thread,
1072
            None => return,
1073
        };
1074
        // Signal our thread that it should exit and wake it up in case it's
1075
        // sleeping.
1076
        *self.state.should_exit.lock().unwrap() = true;
1077
        self.state.should_exit_cvar.notify_one();
1078

1079
        // ... and then wait for the thread to exit to ensure we clean up
1080
        // after ourselves.
1081
        thread.join().unwrap();
1082
    }
1083
}
1084

1085
/// Instantiates a wasm module and runs its exports with dummy values, all in
1086
/// an async fashion.
1087
///
1088
/// Attempts to stress yields in host functions to ensure that exiting and
1089
/// resuming a wasm function call works.
1090
pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32]) {
1091
    let mut store = config.to_store();
1092
    let module = match compile_module(store.engine(), wasm, KnownValid::Yes, config) {
1093
        Some(module) => module,
1094
        None => return,
1095
    };
1096

1097
    // Configure a helper thread to periodically increment the epoch to
1098
    // forcibly enable yields-via-epochs if epochs are in use. Note that this
1099
    // is required because the wasm isn't otherwise guaranteed to necessarily
1100
    // call any imports which will also increment the epoch.
1101
    let mut helper_thread = HelperThread::default();
1102
    if let generators::AsyncConfig::YieldWithEpochs { dur, .. } = &config.wasmtime.async_config {
1103
        let engine = store.engine().clone();
1104
        helper_thread.run_periodically(*dur, move || engine.increment_epoch());
1105
    }
1106

1107
    // Generate a `Linker` where all function imports are custom-built to yield
1108
    // periodically and additionally increment the epoch.
1109
    let mut imports = Vec::new();
1110
    for import in module.imports() {
1111
        let item = match import.ty() {
1112
            ExternType::Func(ty) => {
1113
                let poll_amt = take_poll_amt(&mut poll_amts);
1114
                Func::new_async(&mut store, ty.clone(), move |caller, _, results| {
1115
                    let ty = ty.clone();
1116
                    Box::new(async move {
1117
                        caller.engine().increment_epoch();
1118
                        log::info!("yielding {poll_amt} times in import");
1119
                        YieldN(poll_amt).await;
1120
                        for (ret_ty, result) in ty.results().zip(results) {
1121
                            *result = ret_ty.default_value().unwrap();
1122
                        }
1123
                        Ok(())
1124
                    })
1125
                })
1126
                .into()
1127
            }
1128
            other_ty => match other_ty.default_value(&mut store) {
1129
                Ok(item) => item,
1130
                Err(e) => {
1131
                    log::warn!("couldn't create import for {import:?}: {e:?}");
1132
                    return;
1133
                }
1134
            },
1135
        };
1136
        imports.push(item);
1137
    }
1138

1139
    // Run the instantiation process, asynchronously, and if everything
1140
    // succeeds then pull out the instance.
1141
    // log::info!("starting instantiation");
1142
    let instance = block_on(Timeout {
1143
        future: Instance::new_async(&mut store, &module, &imports),
1144
        polls: take_poll_amt(&mut poll_amts),
1145
        end: Instant::now() + Duration::from_millis(2_000),
1146
    });
1147
    let instance = match instance {
1148
        Ok(instantiation_result) => match unwrap_instance(&store, instantiation_result) {
1149
            Some(instance) => instance,
1150
            None => {
1151
                log::info!("instantiation hit a nominal error");
1152
                return; // resource exhaustion or limits met
1153
            }
1154
        },
1155
        Err(_) => {
1156
            log::info!("instantiation failed to complete");
1157
            return; // Timed out or ran out of polls
1158
        }
1159
    };
1160

1161
    // Run each export of the instance in the same manner as instantiation
1162
    // above. Dummy values are passed in for argument values here:
1163
    //
1164
    // TODO: this should probably be more clever about passing in arguments for
1165
    // example they might be used as pointers or something and always using 0
1166
    // isn't too interesting.
1167
    let funcs = instance
1168
        .exports(&mut store)
1169
        .filter_map(|e| {
1170
            let name = e.name().to_string();
1171
            let func = e.into_extern().into_func()?;
1172
            Some((name, func))
1173
        })
1174
        .collect::<Vec<_>>();
1175
    for (name, func) in funcs {
1176
        let ty = func.ty(&store);
1177
        let params = ty
1178
            .params()
1179
            .map(|ty| ty.default_value().unwrap())
1180
            .collect::<Vec<_>>();
1181
        let mut results = ty
1182
            .results()
1183
            .map(|ty| ty.default_value().unwrap())
1184
            .collect::<Vec<_>>();
1185

1186
        log::info!("invoking export {name:?}");
1187
        let future = func.call_async(&mut store, &params, &mut results);
1188
        match block_on(Timeout {
1189
            future,
1190
            polls: take_poll_amt(&mut poll_amts),
1191
            end: Instant::now() + Duration::from_millis(2_000),
1192
        }) {
1193
            // On success or too many polls, try the next export.
1194
            Ok(_) | Err(Exhausted::Polls) => {}
1195

1196
            // If time ran out then stop the current test case as we might have
1197
            // already sucked up a lot of time for this fuzz test case so don't
1198
            // keep it going.
1199
            Err(Exhausted::Time) => return,
1200
        }
1201
    }
1202

1203
    fn take_poll_amt(polls: &mut &[u32]) -> u32 {
1204
        match polls.split_first() {
1205
            Some((a, rest)) => {
1206
                *polls = rest;
1207
                *a
1208
            }
1209
            None => 0,
1210
        }
1211
    }
1212

1213
    /// Helper future for applying a timeout to `future` up to either when `end`
1214
    /// is the current time or `polls` polls happen.
1215
    ///
1216
    /// Note that this helps to time out infinite loops in wasm, for example.
1217
    struct Timeout<F> {
1218
        future: F,
1219
        /// If the future isn't ready by this time then the `Timeout<F>` future
1220
        /// will return `None`.
1221
        end: Instant,
1222
        /// If the future doesn't resolve itself in this many calls to `poll`
1223
        /// then the `Timeout<F>` future will return `None`.
1224
        polls: u32,
1225
    }
1226

1227
    enum Exhausted {
1228
        Time,
1229
        Polls,
1230
    }
1231

1232
    impl<F: Future> Future for Timeout<F> {
1233
        type Output = Result<F::Output, Exhausted>;
1234

1235
        fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
1236
            let (end, polls, future) = unsafe {
1237
                let me = self.get_unchecked_mut();
1238
                (me.end, &mut me.polls, Pin::new_unchecked(&mut me.future))
1239
            };
1240
            match future.poll(cx) {
1241
                Poll::Ready(val) => Poll::Ready(Ok(val)),
1242
                Poll::Pending => {
1243
                    if Instant::now() >= end {
1244
                        log::warn!("future operation timed out");
1245
                        return Poll::Ready(Err(Exhausted::Time));
1246
                    }
1247
                    if *polls == 0 {
1248
                        log::warn!("future operation ran out of polls");
1249
                        return Poll::Ready(Err(Exhausted::Polls));
1250
                    }
1251
                    *polls -= 1;
1252
                    Poll::Pending
1253
                }
1254
            }
1255
        }
1256
    }
1257
}
1258

1259
#[cfg(test)]
1260
mod tests {
1261
    use super::*;
1262
    use crate::test::{gen_until_pass, test_n_times};
1263
    use wasmparser::{Validator, WasmFeatures};
1264

1265
    // Test that the `gc_ops` fuzzer eventually runs the gc function in the host.
1266
    // We've historically had issues where this fuzzer accidentally wasn't fuzzing
1267
    // anything for a long time so this is an attempt to prevent that from happening
1268
    // again.
1269
    #[test]
1270
    fn gc_ops_eventually_gcs() {
1271
        // Skip if we're under emulation because some fuzz configurations will do
1272
        // large address space reservations that QEMU doesn't handle well.
1273
        if std::env::var("WASMTIME_TEST_NO_HOG_MEMORY").is_ok() {
1274
            return;
1275
        }
1276

1277
        let ok = gen_until_pass(|(config, test), _| {
1278
            let result = gc_ops(config, test)?;
1279
            Ok(result > 0)
1280
        });
1281

1282
        if !ok {
1283
            panic!("gc was never found");
1284
        }
1285
    }
1286

1287
    #[test]
1288
    fn module_generation_uses_expected_proposals() {
1289
        // Proposals that Wasmtime supports. Eventually a module should be
1290
        // generated that needs these proposals.
1291
        let mut expected = WasmFeatures::MUTABLE_GLOBAL
1292
            | WasmFeatures::FLOATS
1293
            | WasmFeatures::SIGN_EXTENSION
1294
            | WasmFeatures::SATURATING_FLOAT_TO_INT
1295
            | WasmFeatures::MULTI_VALUE
1296
            | WasmFeatures::BULK_MEMORY
1297
            | WasmFeatures::REFERENCE_TYPES
1298
            | WasmFeatures::SIMD
1299
            | WasmFeatures::MULTI_MEMORY
1300
            | WasmFeatures::RELAXED_SIMD
1301
            | WasmFeatures::TAIL_CALL
1302
            | WasmFeatures::WIDE_ARITHMETIC
1303
            | WasmFeatures::MEMORY64
1304
            | WasmFeatures::FUNCTION_REFERENCES
1305
            | WasmFeatures::GC
1306
            | WasmFeatures::GC_TYPES
1307
            | WasmFeatures::CUSTOM_PAGE_SIZES
1308
            | WasmFeatures::EXTENDED_CONST
1309
            | WasmFeatures::EXCEPTIONS;
1310

1311
        // All other features that wasmparser supports, which is presumably a
1312
        // superset of the features that wasm-smith supports, are listed here as
1313
        // unexpected. This means, for example, that if wasm-smith updates to
1314
        // include a new proposal by default that wasmtime implements then it
1315
        // will be required to be listed above.
1316
        let unexpected = WasmFeatures::all() ^ expected;
1317

1318
        let ok = gen_until_pass(|config: generators::Config, u| {
1319
            let wasm = config.generate(u, None)?.to_bytes();
1320

1321
            // Double-check the module is valid
1322
            Validator::new_with_features(WasmFeatures::all()).validate_all(&wasm)?;
1323

1324
            // If any of the unexpected features are removed then this module
1325
            // should always be valid, otherwise something went wrong.
1326
            for feature in unexpected.iter() {
1327
                let ok =
1328
                    Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm);
1329
                if ok.is_err() {
1330
                    wasmtime::bail!("generated a module with {feature:?} but that wasn't expected");
1331
                }
1332
            }
1333

1334
            // If any of `expected` is removed and the module fails to validate,
1335
            // then that means the module requires that feature. Remove that
1336
            // from the set of features we're then expecting.
1337
            for feature in expected.iter() {
1338
                let ok =
1339
                    Validator::new_with_features(WasmFeatures::all() ^ feature).validate_all(&wasm);
1340
                if ok.is_err() {
1341
                    expected ^= feature;
1342
                }
1343
            }
1344

1345
            Ok(expected.is_empty())
1346
        });
1347

1348
        if !ok {
1349
            panic!("never generated wasm module using {expected:?}");
1350
        }
1351
    }
1352

1353
    #[test]
1354
    fn wast_smoke_test() {
1355
        test_n_times(50, |(), u| super::wast_test(u));
1356
    }
1357
}
1358

1359