Fuzz JSPI (#7148)

* Add a new "sleep" fuzzer import, that does a sleep for some ms. * Add JSPI support in fuzz_shell.js. This is in the form of commented-out async/await keywords - commented out so that normal fuzzing is not impacted. When we want to fuzz JSPI, we uncomment them. We also apply the JSPI operations of marking imports and exports as suspending/promising. JSPI fuzzing is added to both fuzz_opt.py and ClusterFuzz's run.py.
author: Alon Zakai <azakai@google.com> 2024-12-16 15:21:10 -0800
committer: GitHub <noreply@github.com> 2024-12-16 15:21:10 -0800
commit: aa0550e28002183dd7ea9c2a48ec3533ba70f862 (patch)
tree: 56566cbe1c03ef9477171651cb8514289c16a65e /src
parent: 353b759b230dff8fb82aeb157aeb6db360d74a49 (diff)
download: binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.tar.gz
binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.tar.bz2
binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.zip
3 files changed, 35 insertions, 0 deletions
diff --git a/src/tools/execution-results.h b/src/tools/execution-results.h
index b8823c3f0..ea822d547 100644
--- a/src/tools/execution-results.h
+++ b/src/tools/execution-results.h
@@ -128,6 +128,9 @@ public:
         } catch (const WasmException& e) {
           return {Literal(int32_t(1))};
         }
+      } else if (import->base == "sleep") {
+        // Do not actually sleep, just return the id.
+        return {arguments[1]};
       } else {
         WASM_UNREACHABLE("unknown fuzzer import");
       }
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index 78219045c..f76ed62a5 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -117,6 +117,7 @@ private:
   Name callExportCatchImportName;
   Name callRefImportName;
   Name callRefCatchImportName;
+  Name sleepImportName;
 
   std::unordered_map<Type, std::vector<Name>> globalsByType;
   std::unordered_map<Type, std::vector<Name>> mutableGlobalsByType;
@@ -238,6 +239,7 @@ private:
   void addImportCallingSupport();
   void addImportThrowingSupport();
   void addImportTableSupport();
+  void addImportSleepSupport();
   void addHashMemorySupport();
 
   // Special expression makers
@@ -249,6 +251,7 @@ private:
   // Call either an export or a ref. We do this from a single function to better
   // control the frequency of each.
   Expression* makeImportCallCode(Type type);
+  Expression* makeImportSleep(Type type);
   Expression* makeMemoryHashLogging();
 
   // Function creation
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index a7f5e0d01..2b9286180 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -317,6 +317,7 @@ void TranslateToFuzzReader::build() {
   }
   addImportLoggingSupport();
   addImportCallingSupport();
+  addImportSleepSupport();
   modifyInitialFunctions();
   // keep adding functions until we run out of input
   while (!random.finished()) {
@@ -909,6 +910,24 @@ void TranslateToFuzzReader::addImportTableSupport() {
   }
 }
 
+void TranslateToFuzzReader::addImportSleepSupport() {
+  if (!oneIn(4)) {
+    // Fuzz this somewhat rarely, as it may be slow.
+    return;
+  }
+
+  // An import that sleeps for a given number of milliseconds, and also receives
+  // an integer id. It returns that integer id (useful for tracking separate
+  // sleeps).
+  sleepImportName = Names::getValidFunctionName(wasm, "sleep");
+  auto func = std::make_unique<Function>();
+  func->name = sleepImportName;
+  func->module = "fuzzing-support";
+  func->base = "sleep";
+  func->type = Signature({Type::i32, Type::i32}, Type::i32);
+  wasm.addFunction(std::move(func));
+}
+
 void TranslateToFuzzReader::addHashMemorySupport() {
   // Add memory hasher helper (for the hash, see hash.h). The function looks
   // like:
@@ -1090,6 +1109,13 @@ Expression* TranslateToFuzzReader::makeImportCallCode(Type type) {
   return builder.makeCall(exportTarget, {index}, type);
 }
 
+Expression* TranslateToFuzzReader::makeImportSleep(Type type) {
+  // Sleep for some ms, and return a given id.
+  auto* ms = make(Type::i32);
+  auto id = make(Type::i32);
+  return builder.makeCall(sleepImportName, {ms, id}, Type::i32);
+}
+
 Expression* TranslateToFuzzReader::makeMemoryHashLogging() {
   auto* hash = builder.makeCall(std::string("hashMemory"), {}, Type::i32);
   return builder.makeCall(logImportNames[Type::i32], {hash}, Type::none);
@@ -1768,6 +1794,9 @@ Expression* TranslateToFuzzReader::_makeConcrete(Type type) {
     if (callExportCatchImportName || callRefCatchImportName) {
       options.add(FeatureSet::MVP, &Self::makeImportCallCode);
     }
+    if (sleepImportName) {
+      options.add(FeatureSet::MVP, &Self::makeImportSleep);
+    }
     options.add(FeatureSet::ReferenceTypes, &Self::makeRefIsNull);
     options.add(FeatureSet::ReferenceTypes | FeatureSet::GC,
                 &Self::makeRefEq,
author	Alon Zakai <azakai@google.com>	2024-12-16 15:21:10 -0800
committer	GitHub <noreply@github.com>	2024-12-16 15:21:10 -0800
commit	aa0550e28002183dd7ea9c2a48ec3533ba70f862 (patch)
tree	56566cbe1c03ef9477171651cb8514289c16a65e /src
parent	353b759b230dff8fb82aeb157aeb6db360d74a49 (diff)
download	binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.tar.gz binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.tar.bz2 binaryen-aa0550e28002183dd7ea9c2a48ec3533ba70f862.zip