wasmtime / issue #5816 fuzzgen: Generate ISA flags · git-wasmtime

Stream: git-wasmtime

Topic: wasmtime / issue #5816 fuzzgen: Generate ISA flags

Wasmtime GitHub notifications bot (Feb 17 2023 at 14:27):

afonso360 opened issue #5816:

:wave: Hey,

Feature

Our cranelift-fuzzgen library should allow generating random ISA flags for each target.

Benefit

This allows us to test multiple implementations of the same cranelift instruction, if some ISA extension is available. For example fuzzgen currently never covers the new instructions added in #5795 since we never turn on AVX. We always stick to the defaults.

Implementation

We currently have two fuzz targets using the cranelift-fuzzgen library. (icache and fuzzgen).

icache cross compiles a function into a given target architecture but never executes it. For this target we should allow all existing extensions to be enabled.

fuzzgen compiles and executes the code, thus we need to use cranelift-native to query which extensions are available in the current fuzzing host, and only allow those to be enabled.

Additionally we can't start from an empty set of ISA flags, we must start from the default ISA flags for that architecture. This is due to
the x64 backend requiring sse3/sse4.1 and sse4.2 to lower some instructions and we don't have fallback lowerings so those would panic if we start from the empty set and not turn those on.

We should largely be able to query existing extensions from the ISA and turn on random ISA flags. However there are some flags that we must specially handle such as aarch64's sign_return_address_with_bkey, this is platform specific, and we can't just randomly enable that on fuzzgen. That is the only flag that I'm aware that could cause issues.

Alternatives

Wasmtime's fuzzers already covers some of this, but can't reach all of the instructions that fuzzgen generates so there would still be value there.

Wasmtime GitHub notifications bot (Feb 17 2023 at 14:27):

afonso360 labeled issue #5816:

:wave: Hey,

Feature

Our cranelift-fuzzgen library should allow generating random ISA flags for each target.

Benefit

This allows us to test multiple implementations of the same cranelift instruction, if some ISA extension is available. For example fuzzgen currently never covers the new instructions added in #5795 since we never turn on AVX. We always stick to the defaults.

Implementation

We currently have two fuzz targets using the cranelift-fuzzgen library. (icache and fuzzgen).

icache cross compiles a function into a given target architecture but never executes it. For this target we should allow all existing extensions to be enabled.

fuzzgen compiles and executes the code, thus we need to use cranelift-native to query which extensions are available in the current fuzzing host, and only allow those to be enabled.

Additionally we can't start from an empty set of ISA flags, we must start from the default ISA flags for that architecture. This is due to
the x64 backend requiring sse3/sse4.1 and sse4.2 to lower some instructions and we don't have fallback lowerings so those would panic if we start from the empty set and not turn those on.

We should largely be able to query existing extensions from the ISA and turn on random ISA flags. However there are some flags that we must specially handle such as aarch64's sign_return_address_with_bkey, this is platform specific, and we can't just randomly enable that on fuzzgen. That is the only flag that I'm aware that could cause issues.

Alternatives

Wasmtime's fuzzers already covers some of this, but can't reach all of the instructions that fuzzgen generates so there would still be value there.

Wasmtime GitHub notifications bot (Feb 17 2023 at 14:28):

afonso360 edited issue #5816:

:wave: Hey,

Feature

Our cranelift-fuzzgen library should allow generating random ISA flags for each target.

Benefit

This allows us to test multiple implementations of the same cranelift instruction, if some ISA extension is available. For example fuzzgen currently never covers the new instructions added in #5795 since we never turn on AVX. We always stick to the defaults.

Implementation

We currently have two fuzz targets using the cranelift-fuzzgen library. (icache and fuzzgen).

icache cross compiles a function into a given target architecture but never executes it. For this target we should allow all existing extensions to be enabled.

fuzzgen compiles and executes the code, thus we need to use cranelift-native to query which extensions are available in the current fuzzing host, and only allow those to be enabled.

Additionally we can't start from an empty set of ISA flags, we must start from the default ISA flags for that architecture. This is due to the x64 backend requiring sse3/sse4.1 and sse4.2 to lower some instructions and we don't have fallback lowerings so those would panic if we start from the empty set and not turn those on.

We should largely be able to query existing extensions from the ISA and turn on random ISA flags. However there are some flags that we must specially handle such as aarch64's sign_return_address_with_bkey, this is platform specific, and we can't just randomly enable that on fuzzgen. That is the only flag that I'm aware that could cause issues.

Alternatives

Wasmtime's fuzzers already covers some of this, but can't reach all of the instructions that fuzzgen generates so there would still be value there.

Wasmtime GitHub notifications bot (Feb 17 2023 at 15:06):

alexcrichton commented on issue #5816:

While not exactly applicable to cranelift-fuzzgen this is Wasmtime's implementation of selection here. Wasmtime's goal is to run the code so it ends up duplicating the logic in cranelift-native for mapping between Rust-standard-library feature names and Cranelift feature names.

Wasmtime GitHub notifications bot (Mar 22 2023 at 11:42):

afonso360 closed issue #5816:

:wave: Hey,

Feature

Our cranelift-fuzzgen library should allow generating random ISA flags for each target.

Benefit

This allows us to test multiple implementations of the same cranelift instruction, if some ISA extension is available. For example fuzzgen currently never covers the new instructions added in #5795 since we never turn on AVX. We always stick to the defaults.

Implementation

We currently have two fuzz targets using the cranelift-fuzzgen library. (icache and fuzzgen).

icache cross compiles a function into a given target architecture but never executes it. For this target we should allow all existing extensions to be enabled.

fuzzgen compiles and executes the code, thus we need to use cranelift-native to query which extensions are available in the current fuzzing host, and only allow those to be enabled.

Additionally we can't start from an empty set of ISA flags, we must start from the default ISA flags for that architecture. This is due to the x64 backend requiring sse3/sse4.1 and sse4.2 to lower some instructions and we don't have fallback lowerings so those would panic if we start from the empty set and not turn those on.

We should largely be able to query existing extensions from the ISA and turn on random ISA flags. However there are some flags that we must specially handle such as aarch64's sign_return_address_with_bkey, this is platform specific, and we can't just randomly enable that on fuzzgen. That is the only flag that I'm aware that could cause issues.

Alternatives

Wasmtime's fuzzers already covers some of this, but can't reach all of the instructions that fuzzgen generates so there would still be value there.

Last updated: Nov 22 2024 at 16:03 UTC