cfallin requested fitzgen and iximeow for a review on PR #2453.
cfallin opened PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
cfallin requested fitzgen and iximeow for a review on PR #2453.
cfallin updated PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
cfallin updated PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
cfallin updated PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
cfallin updated PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
alexcrichton submitted PR Review.
alexcrichton submitted PR Review.
alexcrichton created PR Review Comment:
This can be tightened up a bit with
let payload = payload.ok()?
and in a few other places too
alexcrichton created PR Review Comment:
Does wasmi not support larger memories? Or is this to just limit how much memory we're comparing?
alexcrichton created PR Review Comment:
This function may actually be best done elsewhere perhaps? It might make more sense to create a
wasmtime::Config
and use wasmtime to compile the module first, and that can do a lot of the gating here. We can disable wasm features that wasmi hasn't implemented to prevent them getting past validation.Additionally once we've got
wasmtime::Module
we can inspect the exports for what to locate.
alexcrichton created PR Review Comment:
Another alternative is to configure
wasm_smith::Config
to generate only appropriate modules for running in wasmi. We could presumably add configuration options for things like "disable this proposal", "memories can be at most this big", or "there must be amain
function which takes no arguments"
fitzgen submitted PR Review.
fitzgen created PR Review Comment:
if wasmi_mem.current_size().0 != wasmtime_mem.size() {
We have a method to get the size in pages, so no need for the manual conversion here.
fitzgen created PR Review Comment:
Out of curiosity, why can't we handle start functions?
fitzgen submitted PR Review.
fitzgen created PR Review Comment:
Yeah, I think
wasm_smith::Config
is the way to go here.
fitzgen created PR Review Comment:
I assume this is to limit the size of memory, since we are comparing wasmtime and wasmi memories.
Again, rather than filtering generated wasm modules, we can get better throughput by only generating Wasm modules that have the shape we're looking for (via
wasm_smith::Config
).Aside: it would be good to do this memory comparison with our other differential fuzz targets as well. I had assumed it would be too slow, but now that we have
wasm-smith
and can control memory sizes, that assumption doesn't necessarily hold anymore.
cfallin updated PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
cfallin updated PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
cfallin submitted PR Review.
cfallin created PR Review Comment:
Done!
cfallin submitted PR Review.
cfallin created PR Review Comment:
This is mostly just for simplicity -- instantiate module first on both sides, then execute and compare. Also
start()
can't return a value, and it seemed better to (i) only execute one function, to economize on fuzzing input bytes (more efficient search) and (ii) allow a return-value comparison. Since we haveallow_start_export()
in theConfig
now I think this is probably fine, as we aren't rejecting any modules because of it?
cfallin submitted PR Review.
cfallin created PR Review Comment:
Done!
cfallin submitted PR Review.
cfallin created PR Review Comment:
Indeed, this is both to limit the comparison time and to reduce memory usage; I was getting OOMs otherwise during fuzzing.
cfallin submitted PR Review.
cfallin created PR Review Comment:
Oh, neat, I didn't know that
Option
was question-mark-operator-friendly too; thanks!
cfallin updated PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
alexcrichton submitted PR Review.
alexcrichton submitted PR Review.
alexcrichton created PR Review Comment:
It's ok to omit
default
here since it doesn't do anything.
alexcrichton created PR Review Comment:
In this crate you might be able to do this with
#[derive(Arbitrary)]
I think too
alexcrichton created PR Review Comment:
For
.ok()?
here, is that ignoring traps? Or are there other failure conditions? Ideally we'd also test that if wasmi trapped that wasmtime also traps (and the memories still look the same)
alexcrichton created PR Review Comment:
FWIW this can also be
let mut wasmi_buf = vec![0; wasmtime_mem.data_size()];
alexcrichton created PR Review Comment:
It should be ok to remove
default
here too
cfallin updated PR #2453 from differential-fuzz-interp
to main
:
This PR adds a new fuzz target,
differential_wasmi
, that runs a
Cranelift-based Wasm backend alongside a simple third-party Wasm
interpeter crate (wasmi
). The fuzzing runs the first function in a
given module to completion on each side, and then diffs the return value
and linear memory contents.This strategy should provide end-to-end coverage including both the Wasm
translation to CLIF (which has seen some subtle and scary bugs at
times), the lowering from CLIF to VCode, the register allocation, and
the final code emission.<!--
Please ensure that the following steps are all taken care of before submitting
the PR.
[ ] This has been discussed in issue #..., or if not, please tell us why
here.[ ] A short description of what this does, why it is needed; if the
description becomes long, the matter should probably be discussed in an issue
first.[ ] This PR contains test cases, if meaningful.
- [ ] A reviewer from the core maintainer team has been assigned for this PR.
If you don't know who could review this, please indicate so. The list of
suggested reviewers on the right can help you.Please ensure all communication adheres to the code of conduct.
-->
cfallin submitted PR Review.
cfallin created PR Review Comment:
Yes, originally I had figured it would be the most useful to just compare successful runs on both sides, but I agree that allowing traps allows for more interesting coverage -- fixed (here and in value-matching below), thanks!
cfallin submitted PR Review.
cfallin created PR Review Comment:
Nice, thanks.
cfallin submitted PR Review.
cfallin created PR Review Comment:
Done.
cfallin submitted PR Review.
cfallin created PR Review Comment:
Done.
cfallin submitted PR Review.
cfallin created PR Review Comment:
Done.
cfallin merged PR #2453.
Last updated: Dec 23 2024 at 13:07 UTC