Fuzzer: Avoid constantly growing the wasm each time (#7511)

Imagine we start with a fuzz file, then mutate it (using it as initial
content and letting the fuzzer make changes, perhaps with
`--preserve-imports-and-exports`). We can mutate it again and
again, which is what harnesses like Fuzzilli do. It is somewhat bad
if we keep growing the file, because then when we explore the
space of wasm files, the further we travel, the more we focus on
big files for no good reason.

Running `--fuzz-passes` is one way to trim the wasm (it might end
up running `-O3`), but not reliable. This PR goes through places
that always add code and tries to at least give a chance to not do
so. As long as there is a chance to not grow, then a harness can
see two testcases of equal coverage and pick the smaller one.

Specific changes:

* If a data segment exists already, do not always add others.
* If an exnref table exists already, reuse it (like we do with funcref).
* Don't always add hashMemory support (which is large).
* Avoid errors in the fuzzer on wasm files without exports. That is
  now possible, since we no longer always add at least 1 export.

Author: kripken

scripts/fuzz_opt.py

@@ -1627,7 +1627,11 @@ def handle(self, wasm):
 class ClusterFuzz(TestCaseHandler):
     frequency = 0.1
 
-    def handle(self, wasm):
+    # Use handle_pair over handle because we don't use these wasm files anyhow,
+    # we generate our own using run.py. If we used handle, we'd be called twice
+    # for each iteration (once for each of the wasm files we ignore), which is
+    # confusing.
+    def handle_pair(self, input, before_wasm, after_wasm, opts):
         self.ensure()
 
         # run.py() should emit these two files. Delete them to make sure they
@@ -1651,6 +1655,9 @@ def handle(self, wasm):
         assert os.path.exists(fuzz_file)
         assert os.path.exists(flags_file)
 
+        # We'll use the fuzz file a few times below in commands.
+        fuzz_file = os.path.abspath(fuzz_file)
+
         # Run the testcase in V8, similarly to how ClusterFuzz does.
         cmd = [shared.V8]
         # The flags are given in the flags file - we do *not* use our normal
@@ -1664,20 +1671,27 @@ def handle(self, wasm):
         cmd += get_v8_extra_flags()
         # Run the fuzz file, which contains a modified fuzz_shell.js - we do
         # *not* run fuzz_shell.js normally.
-        cmd.append(os.path.abspath(fuzz_file))
+        cmd.append(fuzz_file)
         # No wasm file needs to be provided: it is hardcoded into the JS. Note
         # that we use run_vm(), which will ignore known issues in our output and
         # in V8. Those issues may cause V8 to e.g. reject a binary we emit that
         # is invalid, but that should not be a problem for ClusterFuzz (it isn't
         # a crash).
         output = run_vm(cmd)
 
-        # Verify that we called something. The fuzzer should always emit at
-        # least one exported function (unless we've decided to ignore the entire
+        # Verify that we called something, if the fuzzer emitted a func export
+        # (rarely, none might exist), unless we've decided to ignore the entire
         # run, or if the wasm errored during instantiation, which can happen due
-        # to a testcase with a segment out of bounds, say).
+        # to a testcase with a segment out of bounds, say.
         if output != IGNORE and not output.startswith(INSTANTIATE_ERROR):
-            assert FUZZ_EXEC_CALL_PREFIX in output
+            # Do the work to find if there were function exports: extract the
+            # wasm from the JS, and process it.
+            run([sys.executable,
+                 in_binaryen('scripts', 'clusterfuzz', 'extract_wasms.py'),
+                 fuzz_file,
+                 'extracted'])
+            if get_exports('extracted.0.wasm', ['func']):
+                assert FUZZ_EXEC_CALL_PREFIX in output
 
     def ensure(self):
         # The first time we actually run, set things up: make a bundle like the

src/tools/fuzzing.h

@@ -174,6 +174,7 @@ class TranslateToFuzzReader {
   Name exnrefTableName;
 
   std::unordered_map<Type, Name> logImportNames;
+  Name hashMemoryName;
   Name throwImportName;
   Name tableGetImportName;
   Name tableSetImportName;

src/tools/fuzzing/fuzzing.cpp

@@ -26,10 +26,6 @@
 
 namespace wasm {
 
-namespace {
-
-} // anonymous namespace
-
 TranslateToFuzzReader::TranslateToFuzzReader(Module& wasm,
                                              std::vector<char>&& input,
                                              bool closedWorld)
@@ -395,9 +391,12 @@ void TranslateToFuzzReader::setupMemory() {
 
   auto& memory = wasm.memories[0];
   if (wasm.features.hasBulkMemory()) {
-    size_t memCovered = 0;
+    size_t numSegments = upTo(8);
     // need at least one segment for memory.inits
-    size_t numSegments = upTo(8) + 1;
+    if (wasm.dataSegments.empty() && !numSegments) {
+      numSegments = 1;
+    }
+    size_t memCovered = 0;
     for (size_t i = 0; i < numSegments; i++) {
       auto segment = builder.makeDataSegment();
       segment->setName(Names::getValidDataSegmentName(wasm, Name::fromInt(i)),
@@ -417,19 +416,21 @@ void TranslateToFuzzReader::setupMemory() {
       wasm.addDataSegment(std::move(segment));
     }
   } else {
-    // init some data
-    auto segment = builder.makeDataSegment();
-    segment->memory = memory->name;
-    segment->offset =
-      builder.makeConst(Literal::makeFromInt32(0, memory->addressType));
-    segment->setName(Names::getValidDataSegmentName(wasm, Name::fromInt(0)),
-                     false);
-    auto num = upTo(fuzzParams->USABLE_MEMORY * 2);
-    for (size_t i = 0; i < num; i++) {
-      auto value = upTo(512);
-      segment->data.push_back(value >= 256 ? 0 : (value & 0xff));
+    // init some data, especially if none exists before
+    if (!oneIn(wasm.dataSegments.empty() ? 10 : 2)) {
+      auto segment = builder.makeDataSegment();
+      segment->memory = memory->name;
+      segment->offset =
+        builder.makeConst(Literal::makeFromInt32(0, memory->addressType));
+      segment->setName(Names::getValidDataSegmentName(wasm, Name::fromInt(0)),
+                       false);
+      auto num = upTo(fuzzParams->USABLE_MEMORY * 2);
+      for (size_t i = 0; i < num; i++) {
+        auto value = upTo(512);
+        segment->data.push_back(value >= 256 ? 0 : (value & 0xff));
+      }
+      wasm.addDataSegment(std::move(segment));
     }
-    wasm.addDataSegment(std::move(segment));
   }
 }
 
@@ -588,17 +589,27 @@ void TranslateToFuzzReader::setupTables() {
   // When EH is enabled, set up an exnref table.
   if (wasm.features.hasExceptionHandling()) {
     Type exnref = Type(HeapType::exn, Nullable);
-    Address initial = upTo(10);
-    Address max = oneIn(2) ? initial + upTo(4) : Memory::kUnlimitedSize;
-    auto tablePtr =
-      builder.makeTable(Names::getValidTableName(wasm, "exnref_table"),
-                        exnref,
-                        initial,
-                        max,
-                        Type::i32); // TODO: wasm64
-    tablePtr->hasExplicitName = true;
-    table = wasm.addTable(std::move(tablePtr));
-    exnrefTableName = table->name;
+    auto iter =
+      std::find_if(wasm.tables.begin(), wasm.tables.end(), [&](auto& table) {
+        return table->type == exnref;
+      });
+    if (iter != wasm.tables.end()) {
+      // Use the existing one.
+      exnrefTableName = iter->get()->name;
+    } else {
+      // Create a new exnref table.
+      Address initial = upTo(10);
+      Address max = oneIn(2) ? initial + upTo(4) : Memory::kUnlimitedSize;
+      auto tablePtr =
+        builder.makeTable(Names::getValidTableName(wasm, "exnref_table"),
+                          exnref,
+                          initial,
+                          max,
+                          Type::i32); // TODO: wasm64
+      tablePtr->hasExplicitName = true;
+      table = wasm.addTable(std::move(tablePtr));
+      exnrefTableName = table->name;
+    }
   }
 }
 
@@ -1073,6 +1084,11 @@ void TranslateToFuzzReader::addImportSleepSupport() {
 }
 
 void TranslateToFuzzReader::addHashMemorySupport() {
+  // Don't always add this.
+  if (oneIn(2)) {
+    return;
+  }
+
   // Add memory hasher helper (for the hash, see hash.h). The function looks
   // like:
   // function hashMemory() {
@@ -1107,13 +1123,13 @@ void TranslateToFuzzReader::addHashMemorySupport() {
   }
   contents.push_back(builder.makeLocalGet(0, Type::i32));
   auto* body = builder.makeBlock(contents);
-  auto name = Names::getValidFunctionName(wasm, "hashMemory");
+  hashMemoryName = Names::getValidFunctionName(wasm, "hashMemory");
   auto* hasher = wasm.addFunction(builder.makeFunction(
-    name, Signature(Type::none, Type::i32), {Type::i32}, body));
+    hashMemoryName, Signature(Type::none, Type::i32), {Type::i32}, body));
 
-  if (!preserveImportsAndExports) {
+  if (!preserveImportsAndExports && !wasm.getExportOrNull("hashMemory")) {
     wasm.addExport(
-      builder.makeExport(hasher->name, hasher->name, ExternalKind::Function));
+      builder.makeExport("hashMemory", hasher->name, ExternalKind::Function));
     // Export memory so JS fuzzing can use it
     if (!wasm.getExportOrNull("memory")) {
       wasm.addExport(builder.makeExport(
@@ -1321,7 +1337,7 @@ Expression* TranslateToFuzzReader::makeImportSleep(Type type) {
 }
 
 Expression* TranslateToFuzzReader::makeMemoryHashLogging() {
-  auto* hash = builder.makeCall(std::string("hashMemory"), {}, Type::i32);
+  auto* hash = builder.makeCall(hashMemoryName, {}, Type::i32);
   return builder.makeCall(logImportNames[Type::i32], {hash}, Type::none);
 }
 
@@ -2019,7 +2035,7 @@ void TranslateToFuzzReader::addInvocations(Function* func) {
     }
     invocations.push_back(invoke);
     // log out memory in some cases
-    if (oneIn(2)) {
+    if (hashMemoryName && oneIn(2)) {
       invocations.push_back(makeMemoryHashLogging());
     }
   }
@@ -2177,7 +2193,7 @@ Expression* TranslateToFuzzReader::_makeConcrete(Type type) {
 Expression* TranslateToFuzzReader::_makenone() {
   auto choice = upTo(100);
   if (choice < LOGGING_PERCENT) {
-    if (choice < LOGGING_PERCENT / 2) {
+    if (!hashMemoryName || choice < LOGGING_PERCENT / 2) {
       return makeImportLogging();
     } else {
       return makeMemoryHashLogging();

test/passes/fuzz_metrics_noprint.bin.txt

@@ -1,35 +1,35 @@
 Metrics
 total
- [exports]      : 77      
- [funcs]        : 111     
- [globals]      : 21      
- [imports]      : 5       
+ [exports]      : 65      
+ [funcs]        : 93      
+ [globals]      : 7       
+ [imports]      : 4       
  [memories]     : 1       
- [memory-data]  : 5       
- [table-data]   : 45      
+ [memory-data]  : 23      
+ [table-data]   : 25      
  [tables]       : 1       
  [tags]         : 0       
- [total]        : 9163    
- [vars]         : 296     
- Binary         : 620     
- Block          : 1503    
- Break          : 288     
- Call           : 580     
- CallIndirect   : 101     
- Const          : 1500    
- Drop           : 136     
- GlobalGet      : 772     
- GlobalSet      : 562     
- If             : 478     
- Load           : 126     
- LocalGet       : 630     
- LocalSet       : 487     
- Loop           : 166     
- Nop            : 78      
- RefFunc        : 45      
- Return         : 87      
- Select         : 75      
- Store          : 60      
- Switch         : 2       
- Unary          : 588     
- Unreachable    : 279     
+ [total]        : 6800    
+ [vars]         : 256     
+ Binary         : 454     
+ Block          : 1201    
+ Break          : 196     
+ Call           : 205     
+ CallIndirect   : 61      
+ Const          : 1131    
+ Drop           : 88      
+ GlobalGet      : 635     
+ GlobalSet      : 487     
+ If             : 378     
+ Load           : 88      
+ LocalGet       : 406     
+ LocalSet       : 341     
+ Loop           : 148     
+ Nop            : 107     
+ RefFunc        : 25      
+ Return         : 58      
+ Select         : 52      
+ Store          : 41      
+ Switch         : 1       
+ Unary          : 451     
+ Unreachable    : 246     

test/passes/fuzz_metrics_passes_noprint.bin.txt

@@ -1,35 +1,35 @@
 Metrics
 total
- [exports]      : 36      
- [funcs]        : 64      
- [globals]      : 7       
- [imports]      : 4       
+ [exports]      : 37      
+ [funcs]        : 59      
+ [globals]      : 4       
+ [imports]      : 6       
  [memories]     : 1       
- [memory-data]  : 29      
- [table-data]   : 19      
+ [memory-data]  : 20      
+ [table-data]   : 28      
  [tables]       : 1       
  [tags]         : 0       
- [total]        : 10813   
- [vars]         : 208     
- Binary         : 791     
- Block          : 1709    
- Break          : 412     
- Call           : 382     
- CallIndirect   : 73      
- Const          : 1793    
- Drop           : 77      
- GlobalGet      : 898     
- GlobalSet      : 637     
- If             : 561     
- Load           : 199     
- LocalGet       : 908     
- LocalSet       : 616     
- Loop           : 248     
- Nop            : 169     
- RefFunc        : 19      
- Return         : 89      
- Select         : 91      
- Store          : 80      
- Switch         : 2       
- Unary          : 747     
- Unreachable    : 312     
+ [total]        : 9402    
+ [vars]         : 189     
+ Binary         : 651     
+ Block          : 1534    
+ Break          : 332     
+ Call           : 296     
+ CallIndirect   : 91      
+ Const          : 1666    
+ Drop           : 64      
+ GlobalGet      : 650     
+ GlobalSet      : 582     
+ If             : 506     
+ Load           : 149     
+ LocalGet       : 827     
+ LocalSet       : 497     
+ Loop           : 232     
+ Nop            : 114     
+ RefFunc        : 28      
+ Return         : 81      
+ Select         : 75      
+ Store          : 71      
+ Switch         : 7       
+ Unary          : 657     
+ Unreachable    : 292