author: Alon Zakai <azakai@google.com> 2024-11-08 10:16:52 -0800
committer: GitHub <noreply@github.com> 2024-11-08 10:16:52 -0800
commit: 8c0429ac09d06d6056687e36fd4fb37f61681233
tree: c26a80f84cbee89a09f3c4c114180cb8d1cb30df /test/lit/exec/fuzzing-api.wast
parent: b30067658459ca167e58fe0dee9d85ea6100c223
[EH] Fuzz calls from JS by calling wasm exports, sometimes catching (#7067)

This adds two new imports to fuzzer modules:

* call-export, which gets an export index and calls it.
* call-export-catch, which does the call in a try-catch, swallowing any error, and returning 1 if it saw an error.

The former gives us calls back into the wasm, possibly making various trips between wasm and JS in interesting ways. The latter adds a try-catch which helps fuzz wasm EH.

We do these calls using a wasm export index, i.e., the index in the list of exports. This is simple, but it does have the downside that it makes executing the wasm sensitive to changes in exports (e.g. wasm-merge adds more), which requires some handling in the fuzzer.
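
The two imports described in the commit message, sketched as an added example (not Binaryen's own fuzzer harness). `makeFuzzingSupport` and the `{ name, kind, value }` export list are assumptions standing in for a real instance's exports in module order; the last step shows the index sensitivity the message mentions when another export is placed first.

```javascript
// Added illustration. makeFuzzingSupport and the export-list shape are
// assumptions; exportList is an ordered array of { name, kind, value }.
function makeFuzzingSupport(exportList) {
  function callByIndex(index) {
    const entry = exportList[index];
    if (entry === undefined) {
      throw new RangeError(`no export at index ${index}`);
    }
    if (entry.kind !== 'function') {
      throw new TypeError(`export "${entry.name}" is a ${entry.kind}`);
    }
    entry.value();
  }
  return {
    // Errors propagate to the caller.
    'call-export': (index) => callByIndex(index),
    // Errors are swallowed; 1 reports that one was seen, 0 that none was.
    'call-export-catch': (index) => {
      try {
        callByIndex(index);
        return 0;
      } catch (e) {
        return 1;
      }
    },
  };
}

function demo() {
  const logged = [];
  // Constructed sample exports: function exports first, the table last.
  const exportsA = [
    { name: 'logging', kind: 'function', value: () => logged.push('logging') },
    { name: 'table', kind: 'table', value: {} },
  ];
  const a = makeFuzzingSupport(exportsA);
  const caught = [0, 999, 1].map((i) => a['call-export-catch'](i));
  let uncaught = null;
  try {
    a['call-export'](999);
  } catch (e) {
    uncaught = e.name;
  }
  // A tool that places another export first shifts every index: 0 is no
  // longer "logging", so the same module input now executes differently.
  const merged = { name: 'merged', kind: 'function', value: () => logged.push('merged') };
  makeFuzzingSupport([merged, ...exportsA])['call-export'](0);
  return { caught, uncaught, logged };
}
```
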
Diffstat (limited to 'test/lit/exec/fuzzing-api.wast')
-rw-r--r-- test/lit/exec/fuzzing-api.wast 56
1 files changed, 55 insertions, 1 deletions
diff --git a/test/lit/exec/fuzzing-api.wast b/test/lit/exec/fuzzing-api.wast
index 0d0f25130..38a8ce41b 100644
--- a/test/lit/exec/fuzzing-api.wast
+++ b/test/lit/exec/fuzzing-api.wast
@@ -13,8 +13,13 @@
(import "fuzzing-support" "table-set" (func $table.set (param i32 funcref)))
(import "fuzzing-support" "table-get" (func $table.get (param i32) (result funcref)))
+ (import "fuzzing-support" "call-export" (func $call.export (param i32)))
+ (import "fuzzing-support" "call-export-catch" (func $call.export.catch (param i32) (result i32)))
+
(table $table 10 20 funcref)
+ ;; Note that the exported table appears first here, but in the binary and in
+ ;; the IR it is actually last, as we always add function exports first.
(export "table" (table $table))
;; CHECK: [fuzz-exec] calling logging
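Review bot: The new comment above `(export "table" (table $table))` states that the table export is actually last in the binary and the IR, but not why a reader of this test should care. The `call-export` cases added further down depend on index 0 being `$logging`, so say that here, for example that export indexes used below count function exports first. It would also help to document on the `call-export` import that it has no result, so a failed call is observable only as a thrown exception.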
@@ -53,7 +58,6 @@
;; CHECK-NEXT: [LoggingExternalInterface logging 0]
;; CHECK-NEXT: [LoggingExternalInterface logging 1]
;; CHECK-NEXT: [exception thrown: __private ()]
- ;; CHECK-NEXT: warning: no passes specified, not doing any work
(func $table.getting (export "table.getting")
;; There is a non-null value at 5, and a null at 6.
(call $log-i32
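Review bot: Dropping `warning: no passes specified, not doing any work` from the expectations before `$table.getting` (it reappears before `$export.calling.catching` later in the patch) ties that CHECK-NEXT line to whichever function is last in the module. Every test appended after this one will have to move it again; a short comment next to the line saying it is tool output emitted after the last export, not part of that function's output, would make that obvious.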
@@ -77,6 +81,43 @@
)
)
)
+
+ ;; CHECK: [fuzz-exec] calling export.calling
+ ;; CHECK-NEXT: [LoggingExternalInterface logging 42]
+ ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
+ ;; CHECK-NEXT: [exception thrown: __private ()]
+ (func $export.calling (export "export.calling")
+ ;; At index 0 in the exports we have $logging, so we will do those loggings.
+ (call $call.export
+ (i32.const 0)
+ )
+ ;; At index 999 we have nothing, so we'll error.
+ (call $call.export
+ (i32.const 999)
+ )
+ )
+
+ ;; CHECK: [fuzz-exec] calling export.calling.catching
+ ;; CHECK-NEXT: [LoggingExternalInterface logging 42]
+ ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
+ ;; CHECK-NEXT: [LoggingExternalInterface logging 0]
+ ;; CHECK-NEXT: [LoggingExternalInterface logging 1]
+ ;; CHECK-NEXT: warning: no passes specified, not doing any work
+ (func $export.calling.catching (export "export.calling.catching")
+ ;; At index 0 in the exports we have $logging, so we will do those loggings,
+ ;; then log a 0 as no exception happens.
+ (call $log-i32
+ (call $call.export.catch
+ (i32.const 0)
+ )
+ )
+ ;; At index 999 we have nothing, so we'll error, catch it, and log 1.
+ (call $log-i32
+ (call $call.export.catch
+ (i32.const 999)
+ )
+ )
+ )
)
;; CHECK: [fuzz-exec] calling logging
;; CHECK-NEXT: [LoggingExternalInterface logging 42]
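Review bot: Both `$export.calling` and `$export.calling.catching` exercise only index 0 and the out-of-range index 999, so the only error `call-export-catch` swallows in this test is the missing-export one. The commit message says the catching variant is there to help fuzz wasm EH, so add a case where the called export itself throws, and a case using the index of the `table` export to pin down the behavior when the index names a non-function export. The 999 cases also only mean "nothing there" while the file has fewer exports than that, which deserves a word in the comment.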
@@ -92,6 +133,19 @@
;; CHECK-NEXT: [LoggingExternalInterface logging 0]
;; CHECK-NEXT: [LoggingExternalInterface logging 1]
;; CHECK-NEXT: [exception thrown: __private ()]
+
+;; CHECK: [fuzz-exec] calling export.calling
+;; CHECK-NEXT: [LoggingExternalInterface logging 42]
+;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
+;; CHECK-NEXT: [exception thrown: __private ()]
+
+;; CHECK: [fuzz-exec] calling export.calling.catching
+;; CHECK-NEXT: [LoggingExternalInterface logging 42]
+;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
+;; CHECK-NEXT: [LoggingExternalInterface logging 0]
+;; CHECK-NEXT: [LoggingExternalInterface logging 1]
+;; CHECK-NEXT: [fuzz-exec] comparing export.calling
+;; CHECK-NEXT: [fuzz-exec] comparing export.calling.catching
;; CHECK-NEXT: [fuzz-exec] comparing logging
;; CHECK-NEXT: [fuzz-exec] comparing table.getting
;; CHECK-NEXT: [fuzz-exec] comparing table.setting