Update wasmi used during fuzzing (#9458)

* Fix differential fuzzing with multi-memory and pooling Fix an issue found during fuzzing where when multi-memory and the pooling allocator are enabled then if MPK is detected and found the total number of memories needs to be increased because stores belong in a single stripe. * Update wasmi used in fuzzing Pulls in differential fuzzing support for multi-memory
bytecodealliance · Oct 11, 2024 · 460a4c0 · 460a4c0
1 parent 9b2e972
commit 460a4c0
Show file tree

Hide file tree

Showing 7 changed files with 112 additions and 69 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/fuzzing/Cargo.toml b/crates/fuzzing/Cargo.toml
@@ -29,7 +29,7 @@ wasm-encoder = { workspace = true }
 wasm-smith = { workspace = true }
 wasm-mutate = { workspace = true }
 wasm-spec-interpreter = { path = "./wasm-spec-interpreter", optional = true }
-wasmi = "0.31.1"
+wasmi = "0.38.0"
 futures = { workspace = true }
 
 # We rely on precompiled v8 binaries, but rusty-v8 doesn't have a precompiled

diff --git a/crates/fuzzing/src/generators/config.rs b/crates/fuzzing/src/generators/config.rs
@@ -9,7 +9,7 @@ use anyhow::Result;
 use arbitrary::{Arbitrary, Unstructured};
 use std::sync::Arc;
 use std::time::Duration;
-use wasmtime::{Engine, Module, Store};
+use wasmtime::{Engine, Module, MpkEnabled, Store};
 
 /// Configuration for `wasmtime::Config` and generated modules for a session of
 /// fuzzing.
@@ -78,6 +78,12 @@ impl Config {
             pooling.total_memories = config.max_memories as u32;
             pooling.max_memory_size = 10 << 16;
             pooling.max_memories_per_module = config.max_memories as u32;
+            if pooling.memory_protection_keys == MpkEnabled::Auto
+                && pooling.max_memory_protection_keys > 1
+            {
+                pooling.total_memories =
+                    pooling.total_memories * (pooling.max_memory_protection_keys as u32);
+            }
 
             pooling.total_tables = config.max_tables as u32;
             pooling.table_elements = 1_000;

diff --git a/crates/fuzzing/src/generators/pooling_config.rs b/crates/fuzzing/src/generators/pooling_config.rs
@@ -69,6 +69,7 @@ impl PoolingAllocationConfig {
         cfg.async_stack_keep_resident(self.async_stack_keep_resident);
 
         cfg.memory_protection_keys(self.memory_protection_keys);
+        cfg.max_memory_protection_keys(self.max_memory_protection_keys);
 
         cfg
     }
@@ -115,7 +116,7 @@ impl<'a> Arbitrary<'a> for PoolingAllocationConfig {
             async_stack_keep_resident: u.int_in_range(0..=1 << 20)?,
 
             memory_protection_keys: *u.choose(&[MpkEnabled::Auto, MpkEnabled::Disable])?,
-            max_memory_protection_keys: u.int_in_range(0..=20)?,
+            max_memory_protection_keys: u.int_in_range(1..=20)?,
         })
     }
 }
diff --git a/crates/fuzzing/src/oracles/diff_wasmi.rs b/crates/fuzzing/src/oracles/diff_wasmi.rs
@@ -21,8 +21,6 @@ impl WasmiEngine {
         config.exceptions_enabled = false;
         config.gc_enabled = false;
         config.wide_arithmetic_enabled = false;
-        config.max_memories = config.max_memories.min(1);
-        config.min_memories = config.min_memories.min(1);
 
         let mut wasmi_config = wasmi::Config::default();
         wasmi_config
@@ -35,11 +33,32 @@ impl WasmiEngine {
             .wasm_bulk_memory(config.bulk_memory_enabled)
             .wasm_reference_types(config.reference_types_enabled)
             .wasm_tail_call(config.tail_call_enabled)
+            .wasm_multi_memory(config.max_memories > 1)
             .wasm_extended_const(true);
         Self {
             engine: wasmi::Engine::new(&wasmi_config),
         }
     }
+
+    fn trap_code(&self, err: &Error) -> Option<wasmi::core::TrapCode> {
+        let err = err.downcast_ref::<wasmi::Error>()?;
+        if let Some(code) = err.as_trap_code() {
+            return Some(code);
+        }
+
+        match err.kind() {
+            wasmi::errors::ErrorKind::Instantiation(
+                wasmi::errors::InstantiationError::ElementSegmentDoesNotFit { .. },
+            ) => Some(wasmi::core::TrapCode::TableOutOfBounds),
+            wasmi::errors::ErrorKind::Memory(wasmi::errors::MemoryError::OutOfBoundsAccess) => {
+                Some(wasmi::core::TrapCode::MemoryOutOfBounds)
+            }
+            _ => {
+                log::trace!("unknown wasmi error: {:?}", err.kind());
+                None
+            }
+        }
+    }
 }
 
 impl DiffEngine for WasmiEngine {
@@ -59,53 +78,17 @@ impl DiffEngine for WasmiEngine {
     }
 
     fn assert_error_match(&self, trap: &Trap, err: &Error) {
-        // Acquire a `wasmi::Trap` from the wasmi error which we'll use to
-        // assert that it has the same kind of trap as the wasmtime-based trap.
-        let wasmi = match err.downcast_ref::<wasmi::Error>() {
-            Some(wasmi::Error::Trap(trap)) => trap,
-
-            // Out-of-bounds data segments turn into this category which
-            // Wasmtime reports as a `MemoryOutOfBounds`.
-            Some(wasmi::Error::Memory(msg)) => {
-                assert_eq!(
-                    *trap,
-                    Trap::MemoryOutOfBounds,
-                    "wasmtime error did not match wasmi: {msg}"
-                );
-                return;
-            }
-
-            // Ignore this for now, looks like "elements segment does not fit"
-            // falls into this category and to avoid doing string matching this
-            // is just ignored.
-            Some(wasmi::Error::Instantiation(msg)) => {
-                log::debug!("ignoring wasmi instantiation error: {msg}");
-                return;
-            }
-
-            Some(other) => panic!("unexpected wasmi error: {other}"),
-
-            None => err
-                .downcast_ref::<wasmi::core::Trap>()
-                .expect(&format!("not a trap: {err:?}")),
-        };
-        assert!(wasmi.trap_code().is_some());
-        assert_eq!(
-            wasmi_to_wasmtime_trap_code(wasmi.trap_code().unwrap()),
-            *trap
-        );
+        match self.trap_code(err) {
+            Some(code) => assert_eq!(wasmi_to_wasmtime_trap_code(code), *trap),
+            None => panic!("unexpected wasmi error {err:?}"),
+        }
     }
 
     fn is_stack_overflow(&self, err: &Error) -> bool {
-        let trap = match err.downcast_ref::<wasmi::Error>() {
-            Some(wasmi::Error::Trap(trap)) => trap,
-            Some(_) => return false,
-            None => match err.downcast_ref::<wasmi::core::Trap>() {
-                Some(trap) => trap,
-                None => return false,
-            },
-        };
-        matches!(trap.trap_code(), Some(wasmi::core::TrapCode::StackOverflow))
+        matches!(
+            self.trap_code(err),
+            Some(wasmi::core::TrapCode::StackOverflow)
+        )
     }
 }
 
@@ -150,7 +133,7 @@ impl DiffInstance for WasmiInstance {
             .and_then(wasmi::Extern::into_func)
             .unwrap();
         let arguments: Vec<_> = arguments.iter().map(|x| x.into()).collect();
-        let mut results = vec![wasmi::Value::I32(0); result_tys.len()];
+        let mut results = vec![wasmi::Val::I32(0); result_tys.len()];
         function
             .call(&mut self.store, &arguments, &mut results)
             .context("wasmi function trap")?;
@@ -183,9 +166,9 @@ impl DiffInstance for WasmiInstance {
     }
 }
 
-impl From<&DiffValue> for wasmi::Value {
+impl From<&DiffValue> for wasmi::Val {
     fn from(v: &DiffValue) -> Self {
-        use wasmi::Value as WasmiValue;
+        use wasmi::Val as WasmiValue;
         match *v {
             DiffValue::I32(n) => WasmiValue::I32(n),
             DiffValue::I64(n) => WasmiValue::I64(n),
@@ -205,9 +188,9 @@ impl From<&DiffValue> for wasmi::Value {
     }
 }
 
-impl From<wasmi::Value> for DiffValue {
-    fn from(value: wasmi::Value) -> Self {
-        use wasmi::Value as WasmiValue;
+impl From<wasmi::Val> for DiffValue {
+    fn from(value: wasmi::Val) -> Self {
+        use wasmi::Val as WasmiValue;
         match value {
             WasmiValue::I32(n) => DiffValue::I32(n),
             WasmiValue::I64(n) => DiffValue::I64(n),

diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
@@ -2650,6 +2650,12 @@ Most of the rest of the changes are adding some new unstable features which
 aren't enabled by default.
 """
 
+[[audits.smallvec]]
+who = "Alex Crichton <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "1.11.0 -> 1.13.2"
+notes = "Mostly minor updates, the one semi-substantial update looks good."
+
 [[audits.socket2]]
 who = "Alex Crichton <[email protected]>"
 criteria = "safe-to-deploy"

diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
@@ -1513,6 +1513,13 @@ user-id = 2915
 user-login = "Amanieu"
 user-name = "Amanieu d'Antras"
 
+[[publisher.libm]]
+version = "0.2.8"
+when = "2023-10-06"
+user-id = 2915
+user-login = "Amanieu"
+user-name = "Amanieu d'Antras"
+
 [[publisher.linux-raw-sys]]
 version = "0.3.8"
 when = "2023-05-19"