From a6f741c1daafbb0cda309f3240240c6b21d71928 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Wed, 29 Jul 2020 09:34:55 +0200 Subject: [PATCH 01/15] fuzzer: Collect wasm stats --- test/fuzzer/parser_fuzzer.cpp | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index 614bc5957..9a50ffc1c 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -3,18 +3,44 @@ // SPDX-License-Identifier: Apache-2.0 #include "parser.hpp" +#include +#include + +struct Stats +{ + int64_t malformed = 0; + int64_t invalid = 0; + int64_t valid = 0; + + ~Stats() + { + const auto all = malformed + invalid + valid; + if (all == 0) + return; + std::clog << "WASM STATS" << std::setprecision(3) << "\n all: " << all + << "\n malformed: " << malformed << " " << ((malformed * 100) / all) << "%" + << "\n invalid: " << invalid << " " << ((invalid * 100) / all) << "%" + << "\n valid: " << valid << " " << ((valid * 100) / all) << "%" + << "\n"; + } +}; + +Stats stats; extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noexcept { try { fizzy::parse({data, data_size}); + ++stats.valid; } catch (const fizzy::parser_error&) { + ++stats.malformed; } catch (const fizzy::validation_error&) { + ++stats.invalid; } return 0; } From e49be327a75d133b551f940cf858dab0b971aaeb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Wed, 29 Jul 2020 11:35:41 +0200 Subject: [PATCH 02/15] build: Build wabt with fuzzing flags if enabled --- cmake/ProjectWabt.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmake/ProjectWabt.cmake b/cmake/ProjectWabt.cmake index bd16b6ef2..efdd9530a 100644 --- a/cmake/ProjectWabt.cmake +++ b/cmake/ProjectWabt.cmake @@ -11,7 +11,7 @@ set(binary_dir ${prefix}/src/wabt-build) set(include_dir ${source_dir}) set(wabt_library ${binary_dir}/${CMAKE_STATIC_LIBRARY_PREFIX}wabt${CMAKE_STATIC_LIBRARY_SUFFIX}) -set(flags -fvisibility=hidden) +set(flags "${fuzzing_flags} -fvisibility=hidden") if(SANITIZE MATCHES address) # Instrument WABT with ASan - required for container-overflow checks. set(flags "-fsanitize=address ${flags}") From fad37a1b8edef2149028d2189926a645bb039daa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Wed, 29 Jul 2020 11:36:25 +0200 Subject: [PATCH 03/15] build: Expose wabt and wasm3 to all testing utils --- test/CMakeLists.txt | 3 +++ test/utils/CMakeLists.txt | 3 --- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 3025f313c..68d3bca1b 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -22,6 +22,9 @@ if(HUNTER_ENABLED) endif() find_package(GTest REQUIRED) +include(ProjectWabt) +include(ProjectWasm3) + add_subdirectory(utils) add_subdirectory(bench) add_subdirectory(bench_internal) diff --git a/test/utils/CMakeLists.txt b/test/utils/CMakeLists.txt index 16a3afc40..6b6c13a70 100644 --- a/test/utils/CMakeLists.txt +++ b/test/utils/CMakeLists.txt @@ -2,9 +2,6 @@ # Copyright 2019-2020 The Fizzy Authors. # SPDX-License-Identifier: Apache-2.0 -include(ProjectWabt) -include(ProjectWasm3) - add_library(test-utils STATIC) add_library(fizzy::test-utils ALIAS test-utils) From 7b2756f6349d7da45f528374c482c188acba19d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Wed, 29 Jul 2020 14:07:25 +0200 Subject: [PATCH 04/15] fuzz: Check Fizzy validation against wabt --- test/fuzzer/CMakeLists.txt | 2 +- test/fuzzer/parser_fuzzer.cpp | 64 +++++++++++++++++++++++++++++++++-- 2 files changed, 63 insertions(+), 3 deletions(-) diff --git a/test/fuzzer/CMakeLists.txt b/test/fuzzer/CMakeLists.txt index a5570b54b..feda1539c 100644 --- a/test/fuzzer/CMakeLists.txt +++ b/test/fuzzer/CMakeLists.txt @@ -4,4 +4,4 @@ add_executable(fizzy-fuzz-parser parser_fuzzer.cpp) target_link_options(fizzy-fuzz-parser PRIVATE -fsanitize=fuzzer) -target_link_libraries(fizzy-fuzz-parser PRIVATE fizzy::fizzy-internal) +target_link_libraries(fizzy-fuzz-parser PRIVATE fizzy::fizzy-internal wabt::wabt) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index 9a50ffc1c..fc2de360d 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -6,6 +6,13 @@ #include #include +#include +#include +#include +#include + +namespace +{ struct Stats { int64_t malformed = 0; @@ -27,20 +34,73 @@ struct Stats Stats stats; +wabt::Errors wabt_errors; + +bool wabt_parse(const uint8_t* data, size_t data_size) noexcept +{ + using namespace wabt; + + ReadBinaryOptions read_options; + read_options.features.enable_mutable_globals(); + Module module; + + wabt_errors.clear(); + + { + const auto result = + ReadBinaryIr("fuzzing", data, data_size, read_options, &wabt_errors, &module); + + if (Failed(result)) + return false; + } + + { + const auto result = + ValidateModule(&module, &wabt_errors, ValidateOptions{read_options.features}); + if (Failed(result)) + return false; + } + + return wabt_errors.empty(); +} + +} // namespace + extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noexcept { + const auto expected = wabt_parse(data, data_size); + try { fizzy::parse({data, data_size}); ++stats.valid; + if (!expected) + { + for (const auto& err : wabt_errors) + { + std::cerr << "MISSED ERROR: " << err.message << "\n"; + } + __builtin_trap(); + } } - catch (const fizzy::parser_error&) + catch (const fizzy::parser_error& err) { ++stats.malformed; + if (expected) + { + std::cerr << "\nMALFORMED: " << err.what() << "\n\n"; + __builtin_trap(); + } } - catch (const fizzy::validation_error&) + catch (const fizzy::validation_error& err) { ++stats.invalid; + if (expected) + { + std::cerr << "\nINVALID: " << err.what() << "\n\n"; + __builtin_trap(); + } } + return 0; } From 980744eff3041a3f33be2cfce52a05cb6bd43634 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Wed, 29 Jul 2020 22:51:07 +0200 Subject: [PATCH 05/15] fuzz: Ignore some wabt errors --- test/fuzzer/parser_fuzzer.cpp | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index fc2de360d..b4c40b39a 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -34,6 +34,11 @@ struct Stats Stats stats; +constexpr auto wabt_ignored_errors = { + "unable to read u32 leb128: version", + "invalid linking metadata version:", +}; + wabt::Errors wabt_errors; bool wabt_parse(const uint8_t* data, size_t data_size) noexcept @@ -76,11 +81,25 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noe ++stats.valid; if (!expected) { + bool has_errors = false; for (const auto& err : wabt_errors) { + bool ignored = false; + + for (const auto& m : wabt_ignored_errors) + { + if (err.message.find(m) != std::string::npos) + ignored = true; + } + if (ignored) + continue; + std::cerr << "MISSED ERROR: " << err.message << "\n"; + has_errors = true; } - __builtin_trap(); + + if (has_errors) + __builtin_trap(); } } catch (const fizzy::parser_error& err) From 1302915839184c46edadfafab1e871c62c56296d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Wed, 29 Jul 2020 23:17:27 +0200 Subject: [PATCH 06/15] fuzz: Support coverage --- CMakeLists.txt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 29e5097e6..9dfef91c0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -83,7 +83,9 @@ if(ENABLE_ASSERTIONS) endif() if(FIZZY_FUZZING) - set(fuzzing_flags -fsanitize=fuzzer-no-link,address,undefined,nullability,implicit-unsigned-integer-truncation,implicit-signed-integer-truncation) + if(NOT CMAKE_BUILD_TYPE STREQUAL Coverage) + set(fuzzing_flags -fsanitize=fuzzer-no-link,address,undefined,nullability,implicit-unsigned-integer-truncation,implicit-signed-integer-truncation) + endif() add_compile_options(${fuzzing_flags}) add_link_options(${fuzzing_flags}) endif() From 5a682c6df6482c0ec5e452c8638eb484e1520abb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Mon, 3 Aug 2020 08:20:56 +0200 Subject: [PATCH 07/15] fuzz: Refactor handling unexpected errors --- test/fuzzer/parser_fuzzer.cpp | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index b4c40b39a..59814252a 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -34,6 +34,11 @@ struct Stats Stats stats; +void handle_unexpected_errors() noexcept +{ + __builtin_trap(); +} + constexpr auto wabt_ignored_errors = { "unable to read u32 leb128: version", "invalid linking metadata version:", @@ -99,7 +104,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noe } if (has_errors) - __builtin_trap(); + handle_unexpected_errors(); } } catch (const fizzy::parser_error& err) @@ -108,7 +113,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noe if (expected) { std::cerr << "\nMALFORMED: " << err.what() << "\n\n"; - __builtin_trap(); + handle_unexpected_errors(); } } catch (const fizzy::validation_error& err) @@ -117,7 +122,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noe if (expected) { std::cerr << "\nINVALID: " << err.what() << "\n\n"; - __builtin_trap(); + handle_unexpected_errors(); } } From b813c8751a1ab5d62bd49f768a0bcb3bbfb91ca6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Mon, 3 Aug 2020 08:33:09 +0200 Subject: [PATCH 08/15] fuzz: Add option to ignore errors --- test/fuzzer/parser_fuzzer.cpp | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index 59814252a..55870adad 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -3,6 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 #include "parser.hpp" +#include #include #include @@ -36,7 +37,14 @@ Stats stats; void handle_unexpected_errors() noexcept { - __builtin_trap(); + static const bool ignore_errors = [] { + const auto options = std::getenv("OPTIONS"); + if (!options) + return false; + return std::string{options}.find("ignore_errors") != std::string::npos; + }(); + if (!ignore_errors) + __builtin_trap(); } constexpr auto wabt_ignored_errors = { @@ -99,7 +107,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noe if (ignored) continue; - std::cerr << "MISSED ERROR: " << err.message << "\n"; + std::cerr << " MISSED ERROR: " << err.message << "\n"; has_errors = true; } @@ -112,7 +120,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noe ++stats.malformed; if (expected) { - std::cerr << "\nMALFORMED: " << err.what() << "\n\n"; + std::cerr << " MALFORMED: " << err.what() << "\n"; handle_unexpected_errors(); } } @@ -121,7 +129,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noe ++stats.invalid; if (expected) { - std::cerr << "\nINVALID: " << err.what() << "\n\n"; + std::cerr << " INVALID: " << err.what() << "\n"; handle_unexpected_errors(); } } From 4b9552083a2dd8a5246d308746ae77529e511be2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Tue, 15 Sep 2020 20:52:40 +0200 Subject: [PATCH 09/15] fizzy: Use unreachable - better error message --- test/fuzzer/parser_fuzzer.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index 55870adad..def2b6867 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -44,7 +44,7 @@ void handle_unexpected_errors() noexcept return std::string{options}.find("ignore_errors") != std::string::npos; }(); if (!ignore_errors) - __builtin_trap(); + __builtin_unreachable(); } constexpr auto wabt_ignored_errors = { From 08d57b65a687f4713b1aa03936803f664ad91299 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Fri, 18 Sep 2020 10:18:20 +0200 Subject: [PATCH 10/15] fuzz: Explicitly disable all WABT extensions --- test/fuzzer/parser_fuzzer.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index def2b6867..c5c5dad6a 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -60,6 +60,18 @@ bool wabt_parse(const uint8_t* data, size_t data_size) noexcept ReadBinaryOptions read_options; read_options.features.enable_mutable_globals(); + read_options.features.disable_exceptions(); + read_options.features.disable_annotations(); + read_options.features.disable_bulk_memory(); + read_options.features.disable_gc(); + read_options.features.disable_memory64(); + read_options.features.disable_multi_value(); + read_options.features.disable_reference_types(); + read_options.features.disable_sat_float_to_int(); + read_options.features.disable_sign_extension(); + read_options.features.disable_simd(); + read_options.features.disable_tail_call(); + read_options.features.disable_threads(); Module module; wabt_errors.clear(); From eef6599297f5f0a68bce37f10767b6b507d4d7ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Fri, 18 Sep 2020 11:45:50 +0200 Subject: [PATCH 11/15] Document WAST test contributing --- cmake/spectests_contributing.md | 145 ++++++++++++++++++++++++++++++++ 1 file changed, 145 insertions(+) create mode 100644 cmake/spectests_contributing.md diff --git a/cmake/spectests_contributing.md b/cmake/spectests_contributing.md new file mode 100644 index 000000000..29bee7b48 --- /dev/null +++ b/cmake/spectests_contributing.md @@ -0,0 +1,145 @@ + + +## Run fuzzer + +Run Fizzy vs WABT verification fuzzer, currently in `fuzzing` branch. +Start with small inputs. + +```shell script +bin/fizzy-fuzz-parser corpus -max_len=13 +``` + +In case it finds a failure you will see output like +```text +INFO: Seed: 770491456 +INFO: Loaded 1 modules (64068 inline 8-bit counters): 64068 [0xb8dc90, 0xb9d6d4), +INFO: Loaded 1 PC tables (64068 PCs): 64068 [0xb9d6d8,0xc97b18), +INFO: 10986 files found in corpus +INFO: seed corpus: files: 10986 min: 1b max: 27419b total: 740862b rss: 40Mb +#11160 INITED cov: 7782 ft: 9644 corp: 227/2677b exec/s: 0 rss: 186Mb +#65536 pulse cov: 7782 ft: 9644 corp: 227/2677b lim: 13 exec/s: 32768 rss: 215Mb +#131072 pulse cov: 7782 ft: 9644 corp: 227/2677b lim: 13 exec/s: 32768 rss: 248Mb +#262144 pulse cov: 7782 ft: 9644 corp: 227/2677b lim: 13 exec/s: 32768 rss: 314Mb + MALFORMED: invalid limits 4 +/home/chfast/Projects/wasmx/fizzy/test/fuzzer/parser_fuzzer.cpp:47:9: runtime error: execution reached an unreachable program point +SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/chfast/Projects/wasmx/fizzy/test/fuzzer/parser_fuzzer.cpp:47:9 in +MS: 1 ChangeBit-; base unit: 846f4928f92649789961543e93544b4c2ed6fc44 +0x0,0x61,0x73,0x6d,0x1,0x0,0x0,0x0,0x5,0x3,0x1,0x4,0x2b, +\x00asm\x01\x00\x00\x00\x05\x03\x01\x04+ +artifact_prefix='./'; Test unit written to ./crash-016934f781c41276bfacda9a90385cef85a88d5f +Base64: AGFzbQEAAAAFAwEEKw== +``` + +In this example Fizzy reported the error `MALFORMED: invalid limits 4` +while WABT considers the Wasm binary valid. +The test unit (Wasm binary) is also printed in various forms and saved as +`crash-016934f781c41276bfacda9a90385cef85a88d5f`. + + +## Check WebAssembly spec interpreter + +In case of false negative validation result in WABT it is likely that +such case is missing in the WAST spec test. + +Build the `wasm reference interpreter` following official instructions. + +Rename `crash-016934f781c41276bfacda9a90385cef85a88d5f` to `crash.wasm` +as the interpreter need proper files extension to recognize file type. + +```shell script +./wasm crash.wasm +``` + +Output: +```text +crash.wasm:0xb: decoding error: integer too large +``` + +Good news. This is effectively the same error reported as in Fizzy. In Wasm 1.0 `limits` kind +can be 0 or 1. The the value 4 in the `crash.wasm` is larger than the max 1. + + +## Inspect with WABT tools + +You can use `wasm2wat` or `wasm-validate` tools to confirm the bug in WABT. +Make sure you use the same version as used for fuzzing. +Disable all extensions except "mutable globals". + +In our example, `wasm2wat crash.wasm`: +```webassembly +(module + (memory (;0;) 43 i64)) +``` +This indicates that the issue is in the memory section. + +Unfortunately, we get different error as the data section also has invalid length. +Let's fix that. + + +## Prepare WAST test + +Dump the test unit (`xxd -p -c1000 crash.wasm`): + +```hexdump +0061736d01000000050301042b +``` + +Here are created WAST tests, placed in `new.wast` file. In the original `crash.wasm` the invalid 4 +is followed by `2b` byte. We added 2 more variants of the test with byte `00` and without any +following byte (remember to change the section length if you actually modify the length). + +```wast +(assert_malformed + (module binary + "\00asm" "\01\00\00\00" + "\05\03\01" ;; memory section + "\04\2b" ;; malformed memory limit 4 + ) + "integer too large" +) + +(assert_malformed + (module binary + "\00asm" "\01\00\00\00" + "\05\03\01" ;; memory section + "\04\00" ;; malformed memory limit 4 + ) + "integer too large" +) + +(assert_malformed + (module binary + "\00asm" "\01\00\00\00" + "\05\02\01" ;; memory section + "\04" ;; malformed memory limit 4 + ) + "integer too large" +) +``` + +These tests can be rechecked with WABT. + +```shell script +wast2json new.wast +wasm-validate new.0.wasm +wasm-validate new.1.wasm +wasm-validate new.2.wasm +``` + +The last test case is actually failing in WABT for some other reason, but it can stay as a valid +spectests addition. + +```text +000000c: error: unable to read u32 leb128: memory initial page count +``` + + +## Debug & fix WABT + +Debug `wasm-validate new.0.wasm` to find out why it passes validation. +Binary loading code is in `binary-reader.cc`. + +The example bug is fixed by https://github.com/WebAssembly/wabt/pull/1547. + + +## Send WAST tests upstream \ No newline at end of file From bd3a511d67d2c0e1c7bbed8d1bda0d0734f6d5b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Fri, 18 Sep 2020 22:24:05 +0200 Subject: [PATCH 12/15] Custom mutator --- test/fuzzer/parser_fuzzer.cpp | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index c5c5dad6a..75ed5e030 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -96,7 +96,28 @@ bool wabt_parse(const uint8_t* data, size_t data_size) noexcept } // namespace -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noexcept +extern "C" { + +size_t LLVMFuzzerMutate(uint8_t* data, size_t size, size_t max_size) noexcept; + +size_t LLVMFuzzerCustomMutator( + uint8_t* data, size_t size, size_t max_size, [[maybe_unused]] unsigned int seed) noexcept +{ + static constexpr uint8_t wasm_prefix[]{0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00}; + static constexpr auto wasm_prefix_size = sizeof(wasm_prefix); + + // For inputs shorter than wasm prefix just mutate it. + if (size <= wasm_prefix_size) + return LLVMFuzzerMutate(data, size, max_size); + + // For other, leave prefix unchanged. It is likely to be valid and we don't want to waste time + // on mutating the prefix. + const auto new_size_without_prefix = LLVMFuzzerMutate( + data + wasm_prefix_size, size - wasm_prefix_size, max_size - wasm_prefix_size); + return new_size_without_prefix + wasm_prefix_size; +} + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noexcept { const auto expected = wabt_parse(data, data_size); @@ -148,3 +169,4 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noe return 0; } +} From 3e4798df2857c44f201210011988aa7ffcf53aa2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Fri, 2 Oct 2020 13:08:56 +0200 Subject: [PATCH 13/15] Use fixed WABT --- cmake/ProjectWabt.cmake | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmake/ProjectWabt.cmake b/cmake/ProjectWabt.cmake index efdd9530a..d522d4e8a 100644 --- a/cmake/ProjectWabt.cmake +++ b/cmake/ProjectWabt.cmake @@ -24,12 +24,12 @@ endif() ExternalProject_Add(wabt EXCLUDE_FROM_ALL 1 PREFIX ${prefix} - DOWNLOAD_NAME wabt-1.0.19.tar.gz + DOWNLOAD_NAME wabt-fixes.tar.gz DOWNLOAD_DIR ${prefix}/downloads SOURCE_DIR ${source_dir} BINARY_DIR ${binary_dir} - URL https://github.com/WebAssembly/wabt/archive/1.0.19.tar.gz - URL_HASH SHA256=134f2afc8205d0a3ab89c5f0d424ff3823e9d2769c39d2235aa37eba7abc15ba + URL https://github.com/ewasm/wabt/archive/fixes.tar.gz + URL_HASH SHA256=2df5d7aef95197e7c207935ff9318524b69f41458c1473a857f4771e8ec75e4c CMAKE_ARGS -DCMAKE_INSTALL_PREFIX= -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER} From e93e0240e9304bf2aa021fe67a14c5c297afa723 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Fri, 2 Oct 2020 17:59:39 +0200 Subject: [PATCH 14/15] Ignore errors in custom sections --- test/fuzzer/parser_fuzzer.cpp | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index 75ed5e030..d19c4a4f7 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -72,6 +72,9 @@ bool wabt_parse(const uint8_t* data, size_t data_size) noexcept read_options.features.disable_simd(); read_options.features.disable_tail_call(); read_options.features.disable_threads(); + read_options.fail_on_custom_section_error = false; + read_options.stop_on_first_error = true; + read_options.read_debug_names = false; Module module; wabt_errors.clear(); @@ -82,6 +85,8 @@ bool wabt_parse(const uint8_t* data, size_t data_size) noexcept if (Failed(result)) return false; + + wabt_errors.clear(); // Clear errors (probably) from custom sections. } { From 8c39c2ab9c4f35e7dc4a0dc3639d14a5ec2942aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Bylica?= Date: Fri, 2 Oct 2020 18:01:13 +0200 Subject: [PATCH 15/15] Do not ignore WABT errors --- test/fuzzer/parser_fuzzer.cpp | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/test/fuzzer/parser_fuzzer.cpp b/test/fuzzer/parser_fuzzer.cpp index d19c4a4f7..6fe32f71d 100644 --- a/test/fuzzer/parser_fuzzer.cpp +++ b/test/fuzzer/parser_fuzzer.cpp @@ -47,10 +47,10 @@ void handle_unexpected_errors() noexcept __builtin_unreachable(); } -constexpr auto wabt_ignored_errors = { - "unable to read u32 leb128: version", - "invalid linking metadata version:", -}; +//constexpr auto wabt_ignored_errors = { +// "unable to read u32 leb128: version", +// "invalid linking metadata version:", +//}; wabt::Errors wabt_errors; @@ -135,15 +135,15 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, size_t data_size) noexcept bool has_errors = false; for (const auto& err : wabt_errors) { - bool ignored = false; - - for (const auto& m : wabt_ignored_errors) - { - if (err.message.find(m) != std::string::npos) - ignored = true; - } - if (ignored) - continue; +// bool ignored = false; +// +// for (const auto& m : wabt_ignored_errors) +// { +// if (err.message.find(m) != std::string::npos) +// ignored = true; +// } +// if (ignored) +// continue; std::cerr << " MISSED ERROR: " << err.message << "\n"; has_errors = true;