diff options
| author | Alon Zakai <azakai@google.com> | 2024-12-16 15:21:10 -0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-12-16 15:21:10 -0800 |
| commit | aa0550e28002183dd7ea9c2a48ec3533ba70f862 (patch) | |
| tree | 56566cbe1c03ef9477171651cb8514289c16a65e /scripts | |
| parent | 353b759b230dff8fb82aeb157aeb6db360d74a49 (diff) | |
| download | binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.tar.gz binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.tar.bz2 binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.zip | |
Fuzz JSPI (#7148)
* Add a new "sleep" fuzzer import, that does a sleep for some ms.
* Add JSPI support in fuzz_shell.js. This is in the form of commented-out async/await
keywords - commented out so that normal fuzzing is not impacted. When we want
to fuzz JSPI, we uncomment them. We also apply the JSPI operations of marking
imports and exports as suspending/promising.
JSPI fuzzing is added to both fuzz_opt.py and ClusterFuzz's run.py.
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/clusterfuzz/run.py | 9 | ||||
| -rwxr-xr-x | scripts/fuzz_opt.py | 46 | ||||
| -rw-r--r-- | scripts/fuzz_shell.js | 79 |
3 files changed, 113 insertions, 21 deletions
diff --git a/scripts/clusterfuzz/run.py b/scripts/clusterfuzz/run.py index 8ac880e0d..2fedb6510 100755 --- a/scripts/clusterfuzz/run.py +++ b/scripts/clusterfuzz/run.py @@ -200,6 +200,15 @@ def get_js_file_contents(i, output_dir): print(f'Created {bytes} wasm bytes') + # Some of the time, fuzz JSPI (similar to fuzz_opt.py, see details there). + if system_random.random() < 0.25: + # Prepend the flag to enable JSPI. + js = 'var JSPI = 1;\n\n' + js + + # Un-comment the async and await keywords. + js = js.replace('/* async */', 'async') + js = js.replace('/* await */', 'await') + return js diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py index 87f059058..ca7c9e355 100755 --- a/scripts/fuzz_opt.py +++ b/scripts/fuzz_opt.py @@ -232,7 +232,11 @@ def randomize_fuzz_settings(): if random.random() < 0.5: GEN_ARGS += ['--enclose-world'] - print('randomized settings (NaNs, OOB, legalize):', NANS, OOB, LEGALIZE) + # Test JSPI somewhat rarely, as it may be slower. + global JSPI + JSPI = random.random() < 0.25 + + print('randomized settings (NaNs, OOB, legalize, JSPI):', NANS, OOB, LEGALIZE, JSPI) def init_important_initial_contents(): @@ -758,11 +762,39 @@ def run_d8_js(js, args=[], liftoff=True): return run_vm(cmd) -FUZZ_SHELL_JS = in_binaryen('scripts', 'fuzz_shell.js') +# For JSPI, we must customize fuzz_shell.js. We do so the first time we need +# it, and save the filename here. +JSPI_JS_FILE = None + + +def get_fuzz_shell_js(): + js = in_binaryen('scripts', 'fuzz_shell.js') + + if not JSPI: + # Just use the normal fuzz shell script. + return js + + global JSPI_JS_FILE + if JSPI_JS_FILE: + # Use the customized file we've already created. + return JSPI_JS_FILE + + JSPI_JS_FILE = os.path.abspath('jspi_fuzz_shell.js') + with open(JSPI_JS_FILE, 'w') as f: + # Enable JSPI. + f.write('var JSPI = 1;\n\n') + + # Un-comment the async and await keywords. + with open(js) as g: + code = g.read() + code = code.replace('/* async */', 'async') + code = code.replace('/* await */', 'await') + f.write(code) + return JSPI_JS_FILE def run_d8_wasm(wasm, liftoff=True, args=[]): - return run_d8_js(FUZZ_SHELL_JS, [wasm] + args, liftoff=liftoff) + return run_d8_js(get_fuzz_shell_js(), [wasm] + args, liftoff=liftoff) def all_disallowed(features): @@ -850,7 +882,7 @@ class CompareVMs(TestCaseHandler): name = 'd8' def run(self, wasm, extra_d8_flags=[]): - return run_vm([shared.V8, FUZZ_SHELL_JS] + shared.V8_OPTS + get_v8_extra_flags() + extra_d8_flags + ['--', wasm]) + return run_vm([shared.V8, get_fuzz_shell_js()] + shared.V8_OPTS + get_v8_extra_flags() + extra_d8_flags + ['--', wasm]) def can_run(self, wasm): # V8 does not support shared memories when running with @@ -1160,7 +1192,7 @@ class Wasm2JS(TestCaseHandler): compare_between_vms(before, interpreter, 'Wasm2JS (vs interpreter)') def run(self, wasm): - with open(FUZZ_SHELL_JS) as f: + with open(get_fuzz_shell_js()) as f: wrapper = f.read() cmd = [in_bin('wasm2js'), wasm, '--emscripten'] # avoid optimizations if we have nans, as we don't handle them with @@ -1193,6 +1225,10 @@ class Wasm2JS(TestCaseHandler): # specifically for growth here if INITIAL_CONTENTS: return False + # We run in node, which lacks JSPI support, and also we need wasm2js to + # implement wasm suspending using JS async/await. + if JSPI: + return False return all_disallowed(['exception-handling', 'simd', 'threads', 'bulk-memory', 'nontrapping-float-to-int', 'tail-call', 'sign-ext', 'reference-types', 'multivalue', 'gc', 'multimemory', 'memory64']) diff --git a/scripts/fuzz_shell.js b/scripts/fuzz_shell.js index 95176bbe6..653146517 100644 --- a/scripts/fuzz_shell.js +++ b/scripts/fuzz_shell.js @@ -1,3 +1,17 @@ +// This script can be customized by setting the following variables in code that +// runs before this script. +// +// The binary to be run. (If not set, we get the filename from argv and read +// from it.) +var binary; +// A second binary to be linked in and run as well. (Can also be read from +// argv.) +var secondBinary; +// Whether we are fuzzing JSPI. In addition to this being set, the "async" and +// "await" keywords must be taken out of the /* KEYWORD */ comments (which they +// are normally in, so as not to affect normal fuzzing). +var JSPI; + // Shell integration: find argv and set up readBinary(). var argv; var readBinary; @@ -25,9 +39,6 @@ if (typeof process === 'object' && typeof require === 'function') { }; } -// The binary to be run. This may be set already (by code that runs before this -// script), and if not, we get the filename from argv. -var binary; if (!binary) { binary = readBinary(argv[0]); } @@ -43,7 +54,6 @@ if (argv.length > 0 && argv[argv.length - 1].startsWith('exports:')) { // If a second parameter is given, it is a second binary that we will link in // with it. -var secondBinary; if (argv[1]) { secondBinary = readBinary(argv[1]); } @@ -163,9 +173,9 @@ function callFunc(func) { // Calls a given function in a try-catch, swallowing JS exceptions, and return 1 // if we did in fact swallow an exception. Wasm traps are not swallowed (see // details below). -function tryCall(func) { +/* async */ function tryCall(func) { try { - func(); + /* await */ func(); return 0; } catch (e) { // We only want to catch exceptions, not wasm traps: traps should still @@ -243,19 +253,39 @@ var imports = { }, // Export operations. - 'call-export': (index) => { - callFunc(exportList[index].value); + 'call-export': /* async */ (index) => { + /* await */ callFunc(exportList[index].value); }, - 'call-export-catch': (index) => { - return tryCall(() => callFunc(exportList[index].value)); + 'call-export-catch': /* async */ (index) => { + return tryCall(/* async */ () => /* await */ callFunc(exportList[index].value)); }, // Funcref operations. - 'call-ref': (ref) => { - callFunc(ref); + 'call-ref': /* async */ (ref) => { + // This is a direct function reference, and just like an export, it must + // be wrapped for JSPI. + ref = wrapExportForJSPI(ref); + /* await */ callFunc(ref); + }, + 'call-ref-catch': /* async */ (ref) => { + ref = wrapExportForJSPI(ref); + return tryCall(/* async */ () => /* await */ callFunc(ref)); }, - 'call-ref-catch': (ref) => { - return tryCall(() => callFunc(ref)); + + // Sleep a given amount of ms (when JSPI) and return a given id after that. + 'sleep': (ms, id) => { + if (!JSPI) { + return id; + } + return new Promise((resolve, reject) => { + setTimeout(() => { + resolve(id); + }, 0); // TODO: Use the ms in some reasonable, deterministic manner. + // Rather than actually setTimeout on them we could manage + // a queue of pending sleeps manually, and order them based + // on the "ms" (which would not be literal ms, but just + // how many time units to wait). + }); }, }, // Emscripten support. @@ -274,6 +304,22 @@ if (typeof WebAssembly.Tag !== 'undefined') { }; } +// If JSPI is available, wrap the imports and exports. +if (JSPI) { + for (var name of ['sleep', 'call-export', 'call-export-catch', 'call-ref', + 'call-ref-catch']) { + imports['fuzzing-support'][name] = + new WebAssembly.Suspending(imports['fuzzing-support'][name]); + } +} + +function wrapExportForJSPI(value) { + if (JSPI && typeof value === 'function') { + value = WebAssembly.promising(value); + } + return value; +} + // If a second binary will be linked in then set up the imports for // placeholders. Any import like (import "placeholder" "0" (func .. will be // provided by the secondary module, and must be called using an indirection. @@ -312,13 +358,14 @@ function build(binary) { // keep the ability to call anything that was ever exported.) for (var key in instance.exports) { var value = instance.exports[key]; + value = wrapExportForJSPI(value); exports[key] = value; exportList.push({ name: key, value: value }); } } // Run the code by calling exports. -function callExports() { +/* async */ function callExports() { // Call the exports we were told, or if we were not given an explicit list, // call them all. var relevantExports = exportsToCall || exportList; @@ -342,7 +389,7 @@ function callExports() { try { console.log('[fuzz-exec] calling ' + name); - var result = callFunc(value); + var result = /* await */ callFunc(value); if (typeof result !== 'undefined') { console.log('[fuzz-exec] note result: ' + name + ' => ' + printed(result)); } |