alexcrichton opened PR #8440 from alexcrichton:fuzz-async to bytecodealliance:main:
This commit revives a very old branch of mine to add a fuzzer for Wasmtime in async mode. This work was originally blocked on llvm/llvm-project#53891 and while that's still an issue it now contains a workaround for that issue. Support for async fuzzing required a good deal of refactorings and changes, and the highlights are:
- The main part is that new intrinsics, `__sanitizer_{start,finish}_fiber_switch`, are now invoked around the stack-switching routines of fibers. This only works on Unix and is set to only compile when ASAN is enabled (otherwise everything is a noop). This required refactoring of things to get it all in just the right way for ASAN since it appears that these functions not only need to be called but more-or-less need to be adjacent to each other in the code. My guess is that while we're switching ASAN is in a "weird state" and it's not ready to run arbitrary code.
- Stacks are a problem. The above issue in LLVM outlines how stacks cannot be deallocated at this time because if the deallocated virtual memory is later used for the heap then ASAN will have a false positive about stack overflow. To handle this stacks are specially handled in asan mode by using a special allocation path that never deallocates stacks. This logic additionally applies to the pooling allocator which uses a different stack allocation strategy with ASAN.
With all of the above a new fuzzer is added. This fuzzer generates an arbitrary module, selects an arbitrary means of async (e.g. epochs/fuel), and then tries to execute the exports of the module with various values. In general the fuzzer is looking for crashes/panics as opposed to correct answers as there's no oracle here. This is also intended to stress the code used to switch on and off stacks.
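The fiber-switch pattern the description refers to, as an added example that is not Wasmtime's code: a minimal single-threaded C fiber built on `ucontext` that calls LLVM's hooks `__sanitizer_start_switch_fiber` / `__sanitizer_finish_switch_fiber` immediately around each stack switch, keeps a PROT_NONE guard page below the stack, and under ASAN leaks the stack instead of freeing it for the reason the description gives. The hook symbols are declared weak so the program links and runs without `-fsanitize=address`, in which case every hook call is skipped. All names here (`fiber_t`, `fiber_new`, `fiber_run`, `fiber_free`, `run_sum_on_fiber`) are my own, not Wasmtime's.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* ucontext, posix_memalign and mprotect on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* LLVM's fiber-switch hooks, declared weak: without -fsanitize=address the
 * symbols resolve to NULL and every call below is skipped (noop without ASAN). */
extern void __sanitizer_start_switch_fiber(void **fake_stack_save,
                                           const void *bottom, size_t size)
    __attribute__((weak));
extern void __sanitizer_finish_switch_fiber(void *fake_stack_save,
                                            const void **bottom_old,
                                            size_t *size_old)
    __attribute__((weak));

#if defined(__SANITIZE_ADDRESS__)
#  define FIBER_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define FIBER_ASAN 1
#  endif
#endif
#ifndef FIBER_ASAN
#  define FIBER_ASAN 0
#endif

typedef struct {
    ucontext_t caller, ctx;
    unsigned char *mapping;     /* guard page followed by the usable stack */
    size_t page, stack_size;
    int (*body)(int);
    int arg, result;
    void *fake_stack;           /* ASAN fake-stack handle saved across the switch */
    const void *caller_bottom;  /* caller's stack bounds, reported by ASAN on entry */
    size_t caller_size;
} fiber_t;

static fiber_t *entering;       /* handed to the trampoline (single-threaded example) */

static void fiber_trampoline(void) {
    fiber_t *f = entering;
    /* First thing on the new stack: confirm the switch and record the caller's stack. */
    if (__sanitizer_finish_switch_fiber)
        __sanitizer_finish_switch_fiber(NULL, &f->caller_bottom, &f->caller_size);
    f->result = f->body(f->arg);
    /* Last thing before leaving: NULL fake_stack_save means this fiber's fake
     * frames may be destroyed. Returning follows uc_link back to the caller. */
    if (__sanitizer_start_switch_fiber)
        __sanitizer_start_switch_fiber(NULL, f->caller_bottom, f->caller_size);
}

fiber_t *fiber_new(int (*body)(int), int arg, size_t stack_size) {
    fiber_t *f = calloc(1, sizeof *f);
    void *p = NULL;
    if (!f) return NULL;
    f->page = (size_t)sysconf(_SC_PAGESIZE);
    f->stack_size = stack_size;
    if (posix_memalign(&p, f->page, f->page + stack_size) != 0) { free(f); return NULL; }
    f->mapping = p;
    /* Lowest page is the guard page: an overflow faults instead of corrupting memory below. */
    if (mprotect(f->mapping, f->page, PROT_NONE) != 0) { free(p); free(f); return NULL; }
    f->body = body;
    f->arg = arg;
    getcontext(&f->ctx);
    f->ctx.uc_stack.ss_sp = f->mapping + f->page;
    f->ctx.uc_stack.ss_size = stack_size;
    f->ctx.uc_link = &f->caller;
    makecontext(&f->ctx, fiber_trampoline, 0);
    return f;
}

int fiber_run(fiber_t *f) {
    entering = f;
    /* The start/finish pair sits directly around the switch, nothing runs in between. */
    if (__sanitizer_start_switch_fiber)
        __sanitizer_start_switch_fiber(&f->fake_stack, f->mapping + f->page, f->stack_size);
    swapcontext(&f->caller, &f->ctx);   /* runs fiber_trampoline to completion */
    if (__sanitizer_finish_switch_fiber)
        __sanitizer_finish_switch_fiber(f->fake_stack, NULL, NULL);
    return f->result;
}

void fiber_free(fiber_t *f) {
    if (!f) return;
#if !FIBER_ASAN
    mprotect(f->mapping, f->page, PROT_READ | PROT_WRITE);
    free(f->mapping);
#endif /* under ASAN the stack is leaked on purpose: reuse as heap would false-positive */
    free(f);
}

/* Example body: sums 1..n through a small local array so it really uses the fiber stack. */
static int sum_to(int n) {
    int scratch[64] = {0}, total = 0;
    for (int i = 1; i <= n; i++) { scratch[i % 64] = i; total += scratch[i % 64]; }
    return total;
}

int run_sum_on_fiber(int n) {
    fiber_t *f = fiber_new(sum_to, n, 64 * 1024);
    if (!f) return -1;
    int r = fiber_run(f);
    fiber_free(f);
    return r;
}

int main(void) {
    printf("sum 1..100 on fiber = %d (asan=%d)\n", run_sum_on_fiber(100), FIBER_ASAN);
    return 0;
}
```

Build it once plainly and once with `-fsanitize=address`: the former exercises the weak-symbol noop path, the latter lets ASAN track the fake stack across the switch, and a deliberate deep recursion in `sum_to` would hit the guard page rather than corrupt the allocation below it.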
alexcrichton has marked PR #8440 as ready for review.
alexcrichton requested fitzgen for a review on PR #8440.
alexcrichton requested wasmtime-fuzz-reviewers for a review on PR #8440.
alexcrichton requested wasmtime-core-reviewers for a review on PR #8440.
alexcrichton requested wasmtime-default-reviewers for a review on PR #8440.
github-actions[bot] commented on PR #8440:
Subscribe to Label Action
cc @fitzgen
<details>
This issue or pull request has been labeled: "fuzzing", "wasmtime:api". Thus the following users have been cc'd because of the following labels:
- fitzgen: fuzzing
To subscribe or unsubscribe from this label, edit the <code>.github/subscribe-to-label.json</code> configuration file.
Learn more.
</details>
alexcrichton updated PR #8440.
fitzgen submitted PR review.
fitzgen submitted PR review.
fitzgen created PR review comment:
This is to leave room for a guard page? Can we have a comment to that effect?
alexcrichton updated PR #8440.
alexcrichton has enabled auto merge for PR #8440.
alexcrichton updated PR #8440.
alexcrichton has enabled auto merge for PR #8440.
alexcrichton updated PR #8440.
alexcrichton has enabled auto merge for PR #8440.
alexcrichton merged PR #8440.
Last updated: Dec 23 2024 at 13:07 UTC