diff options
| author | Alon Zakai <azakai@google.com> | 2024-11-08 10:16:52 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-11-08 10:16:52 -0800 |
| commit | 8c0429ac09d06d6056687e36fd4fb37f61681233 (patch) | |
| tree | c26a80f84cbee89a09f3c4c114180cb8d1cb30df | |
| parent | b30067658459ca167e58fe0dee9d85ea6100c223 (diff) | |
| download | binaryen-8c0429ac09d06d6056687e36fd4fb37f61681233.tar.gz binaryen-8c0429ac09d06d6056687e36fd4fb37f61681233.tar.bz2 binaryen-8c0429ac09d06d6056687e36fd4fb37f61681233.zip | |
[EH] Fuzz calls from JS by calling wasm exports, sometimes catching (#7067)
This adds two new imports to fuzzer modules:
* call-export, which gets an export index and calls it.
* call-export-catch, which does the call in a try-catch, swallowing
any error, and returning 1 if it saw an error.
The former gives us calls back into the wasm, possibly making various
trips between wasm and JS in interesting ways. The latter adds a
try-catch which helps fuzz wasm EH.
We do these calls using a wasm export index, i.e., the index in
the list of exports. This is simple, but it does have the downside that
it makes executing the wasm sensitive to changes in exports (e.g.
wasm-merge adds more), which requires some handling in the fuzzer.
| -rwxr-xr-x | scripts/fuzz_opt.py | 28 | ||||
| -rw-r--r-- | scripts/fuzz_shell.js | 75 | ||||
| -rw-r--r-- | src/tools/execution-results.h | 50 | ||||
| -rw-r--r-- | src/tools/fuzzing.h | 7 | ||||
| -rw-r--r-- | src/tools/fuzzing/fuzzing.cpp | 84 | ||||
| -rw-r--r-- | test/lit/exec/fuzzing-api.wast | 56 | ||||
| -rw-r--r-- | test/passes/fuzz_metrics_noprint.bin.txt | 56 | ||||
| -rw-r--r-- | test/passes/translate-to-fuzz_all-features_metrics_noprint.txt | 80 |
8 files changed, 351 insertions, 85 deletions
diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py index 7522dce8c..bf712c821 100755 --- a/scripts/fuzz_opt.py +++ b/scripts/fuzz_opt.py @@ -1230,6 +1230,16 @@ def filter_exports(wasm, output, keep, keep_defaults=True): run([in_bin('wasm-metadce'), wasm, '-o', output, '--graph-file', 'graph.json'] + FEATURE_OPTS) +# Check if a wasm file would notice changes to exports. Normally removing an +# export that is not called, for example, would not be observable, but if the +# "call-export*" functions are present then such changes can break us. +def wasm_notices_export_changes(wasm): + # we could be more precise here and disassemble the wasm to look for an + # actual import with name "call-export*", but looking for the string should + # have practically no false positives. + return b'call-export' in open(wasm, 'rb').read() + + # Fuzz the interpreter with --fuzz-exec -tnh. The tricky thing with traps-never- # happen mode is that if a trap *does* happen then that is undefined behavior, # and the optimizer was free to make changes to observable behavior there. The @@ -1323,6 +1333,12 @@ class TrapsNeverHappen(TestCaseHandler): compare_between_vms(before, after, 'TrapsNeverHappen') + def can_run_on_wasm(self, wasm): + # If the wasm is sensitive to changes in exports then we cannot alter + # them, but we must remove trapping exports (see above), so we cannot + # run in such a case. + return not wasm_notices_export_changes(wasm) + # Tests wasm-ctor-eval class CtorEval(TestCaseHandler): @@ -1354,6 +1370,12 @@ class CtorEval(TestCaseHandler): compare_between_vms(fix_output(wasm_exec), fix_output(evalled_wasm_exec), 'CtorEval') + def can_run_on_wasm(self, wasm): + # ctor-eval modifies exports, because it assumes they are ctors and so + # are only called once (so if it evals them away, they can be + # removed). If the wasm might notice that, we cannot run. + return not wasm_notices_export_changes(wasm) + # Tests wasm-merge class Merge(TestCaseHandler): @@ -1427,6 +1449,12 @@ class Merge(TestCaseHandler): compare_between_vms(output, merged_output, 'Merge') + def can_run_on_wasm(self, wasm): + # wasm-merge combines exports, which can alter their indexes and lead to + # noticeable differences if the wasm is sensitive to such things, which + # prevents us from running. + return not wasm_notices_export_changes(wasm) + FUNC_NAMES_REGEX = re.compile(r'\n [(]func [$](\S+)') diff --git a/scripts/fuzz_shell.js b/scripts/fuzz_shell.js index 72120cf7f..d9a994896 100644 --- a/scripts/fuzz_shell.js +++ b/scripts/fuzz_shell.js @@ -134,6 +134,29 @@ function logValue(x, y) { console.log('[LoggingExternalInterface logging ' + printed(x, y) + ']'); } +// Some imports need to access exports by index. +var exportsList; +function getExportByIndex(index) { + if (!exportsList) { + exportsList = []; + for (var e in exports) { + exportsList.push(e); + } + } + return exports[exportsList[index]]; +} + +// Given a wasm function, call it as best we can from JS, and return the result. +function callFunc(func) { + // Send the function a null for each parameter. Null can be converted without + // error to both a number and a reference. + var args = []; + for (var i = 0; i < func.length; i++) { + args.push(null); + } + return func.apply(null, args); +} + // Table get/set operations need a BigInt if the table has 64-bit indexes. This // adds a proper cast as needed. function toAddressType(table, index) { @@ -172,6 +195,50 @@ var imports = { 'table-set': (index, value) => { exports.table.set(toAddressType(exports.table, index), value); }, + + // Export operations. + 'call-export': (index) => { + callFunc(getExportByIndex(index)); + }, + 'call-export-catch': (index) => { + try { + callFunc(getExportByIndex(index)); + return 0; + } catch (e) { + // We only want to catch exceptions, not wasm traps: traps should still + // halt execution. Handling this requires different code in wasm2js, so + // check for that first (wasm2js does not define RuntimeError, so use + // that for the check - when wasm2js is run, we override the entire + // WebAssembly object with a polyfill, so we know exactly what it + // contains). + var wasm2js = !WebAssembly.RuntimeError; + if (!wasm2js) { + // When running native wasm, we can detect wasm traps. + if (e instanceof WebAssembly.RuntimeError) { + throw e; + } + } + var text = e + ''; + // We must not swallow host limitations here: a host limitation is a + // problem that means we must not compare the outcome here to any other + // VM. + var hostIssues = ['requested new array is too large', + 'out of memory', + 'Maximum call stack size exceeded']; + if (wasm2js) { + // When wasm2js does trap, it just throws an "abort" error. + hostIssues.push('abort'); + } + for (var hostIssue of hostIssues) { + if (text.includes(hostIssue)) { + throw e; + } + } + // Otherwise, this is a normal exception we want to catch (a wasm + // exception, or a conversion error on the wasm/JS boundary, etc.). + return 1; + } + }, }, // Emscripten support. 'env': { @@ -250,16 +317,10 @@ for (var e of exportsToCall) { if (typeof exports[e] !== 'function') { continue; } - // Send the function a null for each parameter. Null can be converted without - // error to both a number and a reference. var func = exports[e]; - var args = []; - for (var i = 0; i < func.length; i++) { - args.push(null); - } try { console.log('[fuzz-exec] calling ' + e); - var result = func.apply(null, args); + var result = callFunc(func); if (typeof result !== 'undefined') { console.log('[fuzz-exec] note result: ' + e + ' => ' + printed(result)); } diff --git a/src/tools/execution-results.h b/src/tools/execution-results.h index 78cc5af1f..25d0c0772 100644 --- a/src/tools/execution-results.h +++ b/src/tools/execution-results.h @@ -40,10 +40,15 @@ private: // The name of the table exported by the name 'table.' Imports access it. Name exportedTable; + Module& wasm; + + // The ModuleRunner and this ExternalInterface end up needing links both ways, + // so we cannot init this in the constructor. + ModuleRunner* instance = nullptr; public: LoggingExternalInterface(Loggings& loggings, Module& wasm) - : loggings(loggings) { + : loggings(loggings), wasm(wasm) { for (auto& exp : wasm.exports) { if (exp->kind == ExternalKind::Table && exp->name == "table") { exportedTable = exp->value; @@ -99,6 +104,18 @@ public: } tableStore(exportedTable, index, arguments[1]); return {}; + } else if (import->base == "call-export") { + callExport(arguments[0].geti32()); + // Return nothing. If we wanted to return a value we'd need to have + // multiple such functions, one for each signature. + return {}; + } else if (import->base == "call-export-catch") { + try { + callExport(arguments[0].geti32()); + return {Literal(int32_t(0))}; + } catch (const WasmException& e) { + return {Literal(int32_t(1))}; + } } else { WASM_UNREACHABLE("unknown fuzzer import"); } @@ -127,6 +144,35 @@ public: auto payload = std::make_shared<ExnData>("__private", Literals{}); throwException(WasmException{Literal(payload)}); } + + Literals callExport(Index index) { + if (index >= wasm.exports.size()) { + // No export. + throwEmptyException(); + } + auto& exp = wasm.exports[index]; + if (exp->kind != ExternalKind::Function) { + // No callable export. + throwEmptyException(); + } + auto* func = wasm.getFunction(exp->value); + + // TODO JS traps on some types on the boundary, which we should behave the + // same on. For now, this is not needed because the fuzzer will prune all + // non-JS-compatible exports anyhow. + + // Send default values as arguments, or trap if we need anything else. + Literals arguments; + for (const auto& param : func->getParams()) { + if (!param.isDefaultable()) { + throwEmptyException(); + } + arguments.push_back(Literal::makeZero(param)); + } + return instance->callFunction(func->name, arguments); + } + + void setModuleRunner(ModuleRunner* instance_) { instance = instance_; } }; // gets execution results from a wasm module. this is useful for fuzzing @@ -148,6 +194,7 @@ struct ExecutionResults { LoggingExternalInterface interface(loggings, wasm); try { ModuleRunner instance(wasm, &interface); + interface.setModuleRunner(&instance); // execute all exported methods (that are therefore preserved through // opts) for (auto& exp : wasm.exports) { @@ -298,6 +345,7 @@ struct ExecutionResults { LoggingExternalInterface interface(loggings, wasm); try { ModuleRunner instance(wasm, &interface); + interface.setModuleRunner(&instance); return run(func, wasm, instance); } catch (const TrapException&) { // May throw in instance creation (init of offsets). diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h index 6f73feca9..3e8ec5b97 100644 --- a/src/tools/fuzzing.h +++ b/src/tools/fuzzing.h @@ -104,10 +104,11 @@ private: Name funcrefTableName; std::unordered_map<Type, Name> logImportNames; - Name throwImportName; Name tableGetImportName; Name tableSetImportName; + Name callExportImportName; + Name callExportCatchImportName; std::unordered_map<Type, std::vector<Name>> globalsByType; std::unordered_map<Type, std::vector<Name>> mutableGlobalsByType; @@ -225,9 +226,8 @@ private: void finalizeTable(); void prepareHangLimitSupport(); void addHangLimitSupport(); - // Imports that we call to log out values. void addImportLoggingSupport(); - // An import that we call to throw an exception from outside. + void addImportCallingSupport(); void addImportThrowingSupport(); void addImportTableSupport(); void addHashMemorySupport(); @@ -238,6 +238,7 @@ private: Expression* makeImportThrowing(Type type); Expression* makeImportTableGet(); Expression* makeImportTableSet(Type type); + Expression* makeImportCallExport(Type type); Expression* makeMemoryHashLogging(); // Function creation diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp index 1329e886e..f4e21d870 100644 --- a/src/tools/fuzzing/fuzzing.cpp +++ b/src/tools/fuzzing/fuzzing.cpp @@ -182,6 +182,7 @@ void TranslateToFuzzReader::build() { addImportTableSupport(); } addImportLoggingSupport(); + addImportCallingSupport(); modifyInitialFunctions(); // keep adding functions until we run out of input while (!random.finished()) { @@ -635,6 +636,49 @@ void TranslateToFuzzReader::addImportLoggingSupport() { } } +void TranslateToFuzzReader::addImportCallingSupport() { + // Only add these some of the time, as they inhibit some fuzzing (things like + // wasm-ctor-eval and wasm-merge are sensitive to the wasm being able to call + // its own exports, and to care about the indexes of the exports): + // + // 0 - none + // 1 - call-export + // 2 - call-export-catch + // 3 - call-export & call-export-catch + // 4 - none + // 5 - none + // + auto choice = upTo(6); + if (choice >= 4) { + return; + } + + if (choice & 1) { + // Given an export index, call it from JS. + callExportImportName = Names::getValidFunctionName(wasm, "call-export"); + auto func = std::make_unique<Function>(); + func->name = callExportImportName; + func->module = "fuzzing-support"; + func->base = "call-export"; + func->type = Signature({Type::i32}, Type::none); + wasm.addFunction(std::move(func)); + } + + if (choice & 2) { + // Given an export index, call it from JS and catch all exceptions. Return + // whether we caught. Exceptions are common (if the index is invalid, in + // particular), so a variant that catches is useful to avoid halting. + callExportCatchImportName = + Names::getValidFunctionName(wasm, "call-export-catch"); + auto func = std::make_unique<Function>(); + func->name = callExportCatchImportName; + func->module = "fuzzing-support"; + func->base = "call-export-catch"; + func->type = Signature(Type::i32, Type::i32); + wasm.addFunction(std::move(func)); + } +} + void TranslateToFuzzReader::addImportThrowingSupport() { // Throw some kind of exception from JS. // TODO: Send an index, which is which exported wasm Tag we should throw, or @@ -820,6 +864,38 @@ Expression* TranslateToFuzzReader::makeImportTableSet(Type type) { Type::none); } +Expression* TranslateToFuzzReader::makeImportCallExport(Type type) { + // The none-returning variant just does the call. The i32-returning one + // catches any errors and returns 1 when it saw an error. Based on the + // variant, pick which to call, and the maximum index to call. + Name target; + Index maxIndex = wasm.exports.size(); + if (type == Type::none) { + target = callExportImportName; + } else if (type == Type::i32) { + target = callExportCatchImportName; + // This never traps, so we can be less careful, but we do still want to + // avoid trapping a lot as executing code is more interesting. (Note that + // even though we double here, the risk is not that great: we are still + // adding functions as we go, so the first half of functions/exports can + // double here and still end up in bounds by the time we've added them all.) + maxIndex = (maxIndex + 1) * 2; + } else { + WASM_UNREACHABLE("bad import.call"); + } + // We must have set up the target function. + assert(target); + + // Most of the time, call a valid export index in the range we picked, but + // sometimes allow anything at all. + auto* index = make(Type::i32); + if (!allowOOB || !oneIn(10)) { + index = builder.makeBinary( + RemUInt32, index, builder.makeConst(int32_t(maxIndex))); + } + return builder.makeCall(target, {index}, type); +} + Expression* TranslateToFuzzReader::makeMemoryHashLogging() { auto* hash = builder.makeCall(std::string("hashMemory"), {}, Type::i32); return builder.makeCall(logImportNames[Type::i32], {hash}, Type::none); @@ -1511,6 +1587,9 @@ Expression* TranslateToFuzzReader::_makeConcrete(Type type) { options.add(FeatureSet::Atomics, &Self::makeAtomic); } if (type == Type::i32) { + if (callExportCatchImportName) { + options.add(FeatureSet::MVP, &Self::makeImportCallExport); + } options.add(FeatureSet::ReferenceTypes, &Self::makeRefIsNull); options.add(FeatureSet::ReferenceTypes | FeatureSet::GC, &Self::makeRefEq, @@ -1590,6 +1669,9 @@ Expression* TranslateToFuzzReader::_makenone() { if (tableSetImportName) { options.add(FeatureSet::ReferenceTypes, &Self::makeImportTableSet); } + if (callExportImportName) { + options.add(FeatureSet::MVP, &Self::makeImportCallExport); + } return (this->*pick(options))(Type::none); } @@ -2023,7 +2105,7 @@ Expression* TranslateToFuzzReader::makeCallIndirect(Type type) { return makeTrivial(type); } } - // with high probability, make sure the type is valid otherwise, most are + // with high probability, make sure the type is valid - otherwise, most are // going to trap auto addressType = wasm.getTable(funcrefTableName)->addressType; Expression* target; diff --git a/test/lit/exec/fuzzing-api.wast b/test/lit/exec/fuzzing-api.wast index 0d0f25130..38a8ce41b 100644 --- a/test/lit/exec/fuzzing-api.wast +++ b/test/lit/exec/fuzzing-api.wast @@ -13,8 +13,13 @@ (import "fuzzing-support" "table-set" (func $table.set (param i32 funcref))) (import "fuzzing-support" "table-get" (func $table.get (param i32) (result funcref))) + (import "fuzzing-support" "call-export" (func $call.export (param i32))) + (import "fuzzing-support" "call-export-catch" (func $call.export.catch (param i32) (result i32))) + (table $table 10 20 funcref) + ;; Note that the exported table appears first here, but in the binary and in + ;; the IR it is actually last, as we always add function exports first. (export "table" (table $table)) ;; CHECK: [fuzz-exec] calling logging @@ -53,7 +58,6 @@ ;; CHECK-NEXT: [LoggingExternalInterface logging 0] ;; CHECK-NEXT: [LoggingExternalInterface logging 1] ;; CHECK-NEXT: [exception thrown: __private ()] - ;; CHECK-NEXT: warning: no passes specified, not doing any work (func $table.getting (export "table.getting") ;; There is a non-null value at 5, and a null at 6. (call $log-i32 @@ -77,6 +81,43 @@ ) ) ) + + ;; CHECK: [fuzz-exec] calling export.calling + ;; CHECK-NEXT: [LoggingExternalInterface logging 42] + ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159] + ;; CHECK-NEXT: [exception thrown: __private ()] + (func $export.calling (export "export.calling") + ;; At index 0 in the exports we have $logging, so we will do those loggings. + (call $call.export + (i32.const 0) + ) + ;; At index 999 we have nothing, so we'll error. + (call $call.export + (i32.const 999) + ) + ) + + ;; CHECK: [fuzz-exec] calling export.calling.catching + ;; CHECK-NEXT: [LoggingExternalInterface logging 42] + ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159] + ;; CHECK-NEXT: [LoggingExternalInterface logging 0] + ;; CHECK-NEXT: [LoggingExternalInterface logging 1] + ;; CHECK-NEXT: warning: no passes specified, not doing any work + (func $export.calling.catching (export "export.calling.catching") + ;; At index 0 in the exports we have $logging, so we will do those loggings, + ;; then log a 0 as no exception happens. + (call $log-i32 + (call $call.export.catch + (i32.const 0) + ) + ) + ;; At index 999 we have nothing, so we'll error, catch it, and log 1. + (call $log-i32 + (call $call.export.catch + (i32.const 999) + ) + ) + ) ) ;; CHECK: [fuzz-exec] calling logging ;; CHECK-NEXT: [LoggingExternalInterface logging 42] @@ -92,6 +133,19 @@ ;; CHECK-NEXT: [LoggingExternalInterface logging 0] ;; CHECK-NEXT: [LoggingExternalInterface logging 1] ;; CHECK-NEXT: [exception thrown: __private ()] + +;; CHECK: [fuzz-exec] calling export.calling +;; CHECK-NEXT: [LoggingExternalInterface logging 42] +;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159] +;; CHECK-NEXT: [exception thrown: __private ()] + +;; CHECK: [fuzz-exec] calling export.calling.catching +;; CHECK-NEXT: [LoggingExternalInterface logging 42] +;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159] +;; CHECK-NEXT: [LoggingExternalInterface logging 0] +;; CHECK-NEXT: [LoggingExternalInterface logging 1] +;; CHECK-NEXT: [fuzz-exec] comparing export.calling +;; CHECK-NEXT: [fuzz-exec] comparing export.calling.catching ;; CHECK-NEXT: [fuzz-exec] comparing logging ;; CHECK-NEXT: [fuzz-exec] comparing table.getting ;; CHECK-NEXT: [fuzz-exec] comparing table.setting diff --git a/test/passes/fuzz_metrics_noprint.bin.txt b/test/passes/fuzz_metrics_noprint.bin.txt index ba0ccaa10..0fa206e0a 100644 --- a/test/passes/fuzz_metrics_noprint.bin.txt +++ b/test/passes/fuzz_metrics_noprint.bin.txt @@ -1,35 +1,35 @@ Metrics total - [exports] : 25 - [funcs] : 40 + [exports] : 45 + [funcs] : 60 [globals] : 18 - [imports] : 4 + [imports] : 5 [memories] : 1 [memory-data] : 24 - [table-data] : 19 + [table-data] : 15 [tables] : 1 [tags] : 0 - [total] : 5335 - [vars] : 170 - Binary : 403 - Block : 900 - Break : 163 - Call : 197 - CallIndirect : 11 - Const : 824 - Drop : 56 - GlobalGet : 464 - GlobalSet : 342 - If : 298 - Load : 87 - LocalGet : 402 - LocalSet : 304 - Loop : 126 - Nop : 74 - RefFunc : 19 - Return : 60 - Select : 34 - Store : 46 - Switch : 1 - Unary : 356 - Unreachable : 168 + [total] : 5475 + [vars] : 222 + Binary : 410 + Block : 870 + Break : 148 + Call : 271 + CallIndirect : 30 + Const : 915 + Drop : 51 + GlobalGet : 458 + GlobalSet : 323 + If : 293 + Load : 96 + LocalGet : 442 + LocalSet : 284 + Loop : 99 + Nop : 76 + RefFunc : 15 + Return : 78 + Select : 47 + Store : 44 + Switch : 2 + Unary : 365 + Unreachable : 158 diff --git a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt index fd37193f5..a77708b2e 100644 --- a/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt +++ b/test/passes/translate-to-fuzz_all-features_metrics_noprint.txt @@ -1,56 +1,48 @@ Metrics total - [exports] : 7 - [funcs] : 8 + [exports] : 6 + [funcs] : 12 [globals] : 4 [imports] : 8 [memories] : 1 [memory-data] : 112 - [table-data] : 0 + [table-data] : 3 [tables] : 1 - [tags] : 1 - [total] : 645 - [vars] : 33 - ArrayGet : 2 - ArrayLen : 1 - ArrayNew : 3 + [tags] : 0 + [total] : 608 + [vars] : 48 + ArrayNew : 5 ArrayNewFixed : 5 - AtomicCmpxchg : 1 - AtomicFence : 1 - AtomicRMW : 1 - Binary : 76 - Block : 64 + Binary : 75 + Block : 80 + BrOn : 5 Break : 4 - Call : 15 - Const : 149 - DataDrop : 1 - Drop : 1 - GlobalGet : 25 - GlobalSet : 22 - If : 22 - Load : 25 - LocalGet : 55 - LocalSet : 35 - Loop : 4 - MemoryFill : 1 + Call : 21 + CallRef : 1 + Const : 113 + Drop : 15 + GlobalGet : 39 + GlobalSet : 36 + If : 21 + Load : 17 + LocalGet : 45 + LocalSet : 20 + Loop : 7 Nop : 7 - Pop : 6 - RefAs : 5 - RefCast : 1 - RefEq : 2 - RefFunc : 13 + RefAs : 2 + RefEq : 1 + RefFunc : 9 + RefI31 : 1 RefIsNull : 1 - RefNull : 10 + RefNull : 8 Return : 5 - SIMDExtract : 1 - Select : 6 - StringConst : 1 - StringEncode : 1 - StructNew : 24 - StructSet : 1 - Try : 7 - TryTable : 2 - TupleExtract : 2 - TupleMake : 3 - Unary : 23 - Unreachable : 11 + Select : 2 + Store : 1 + StringConst : 4 + StringEq : 1 + StringMeasure : 2 + StructNew : 13 + TupleExtract : 1 + TupleMake : 4 + Unary : 19 + Unreachable : 18 |