Enable the GC proposal during general fuzzing (#10332)

* Enable the GC proposal during general fuzzing

This allows us to fuzz Wasm GC in our fuzz targets that use the common
config-generation infrastructure, such as the differential fuzz target.

Fixes #10328

* Make handling of non-deterministic errors more robust in differential fuzzer

* remove logging from functions that can be called from signal handlers

Author: fitzgen

crates/fuzzing/src/generators/config.rs

@@ -527,7 +527,7 @@ impl<'a> Arbitrary<'a> for Config {
 
         config
             .wasmtime
-            .update_module_config(&mut config.module_config.config, u)?;
+            .update_module_config(&mut config.module_config, u)?;
 
         Ok(config)
     }
@@ -604,7 +604,7 @@ impl WasmtimeConfig {
     /// too.
     pub fn update_module_config(
         &mut self,
-        config: &mut wasm_smith::Config,
+        config: &mut ModuleConfig,
         u: &mut Unstructured<'_>,
     ) -> arbitrary::Result<()> {
         match self.compiler_strategy {
@@ -627,10 +627,11 @@ impl WasmtimeConfig {
                 // at this time, so if winch is selected be sure to disable wasm
                 // proposals in `Config` to ensure that Winch can compile the
                 // module that wasm-smith generates.
-                config.relaxed_simd_enabled = false;
-                config.gc_enabled = false;
-                config.tail_call_enabled = false;
-                config.reference_types_enabled = false;
+                config.config.relaxed_simd_enabled = false;
+                config.config.gc_enabled = false;
+                config.config.tail_call_enabled = false;
+                config.config.reference_types_enabled = false;
+                config.function_references_enabled = false;
 
                 // Winch's SIMD implementations require AVX and AVX2.
                 if self
@@ -640,7 +641,7 @@ impl WasmtimeConfig {
                         .codegen_flag("has_avx2")
                         .is_some_and(|value| value == "false")
                 {
-                    config.simd_enabled = false;
+                    config.config.simd_enabled = false;
                 }
 
                 // Tuning  the following engine options is currently not supported
@@ -651,7 +652,7 @@ impl WasmtimeConfig {
             }
 
             CompilerStrategy::CraneliftPulley => {
-                config.threads_enabled = false;
+                config.config.threads_enabled = false;
             }
         }
 
@@ -661,7 +662,8 @@ impl WasmtimeConfig {
         // and for wasm threads that will require some refactoring of the
         // `LinearMemory` trait to bubble up the request that the linear memory
         // not move. Otherwise that just generates a panic right now.
-        if config.threads_enabled || matches!(self.strategy, InstanceAllocationStrategy::Pooling(_))
+        if config.config.threads_enabled
+            || matches!(self.strategy, InstanceAllocationStrategy::Pooling(_))
         {
             self.avoid_custom_unaligned_memory(u)?;
         }
@@ -672,31 +674,38 @@ impl WasmtimeConfig {
             // If the pooling allocator is used, do not allow shared memory to
             // be created. FIXME: see
             // https://github.com/bytecodealliance/wasmtime/issues/4244.
-            config.threads_enabled = false;
+            config.config.threads_enabled = false;
 
             // Ensure the pooling allocator can support the maximal size of
             // memory, picking the smaller of the two to win.
             let min_bytes = config
+                .config
                 .max_memory32_bytes
                 // memory64_bytes is a u128, but since we are taking the min
                 // we can truncate it down to a u64.
-                .min(config.max_memory64_bytes.try_into().unwrap_or(u64::MAX));
+                .min(
+                    config
+                        .config
+                        .max_memory64_bytes
+                        .try_into()
+                        .unwrap_or(u64::MAX),
+                );
             let mut min = min_bytes.min(pooling.max_memory_size as u64);
             if let MemoryConfig::Normal(cfg) = &self.memory_config {
                 min = min.min(cfg.memory_reservation.unwrap_or(0));
             }
             pooling.max_memory_size = min as usize;
-            config.max_memory32_bytes = min;
-            config.max_memory64_bytes = min as u128;
+            config.config.max_memory32_bytes = min;
+            config.config.max_memory64_bytes = min as u128;
 
             // If traps are disallowed then memories must have at least one page
             // of memory so if we still are only allowing 0 pages of memory then
             // increase that to one here.
-            if config.disallow_traps {
+            if config.config.disallow_traps {
                 if pooling.max_memory_size < (1 << 16) {
                     pooling.max_memory_size = 1 << 16;
-                    config.max_memory32_bytes = 1 << 16;
-                    config.max_memory64_bytes = 1 << 16;
+                    config.config.max_memory32_bytes = 1 << 16;
+                    config.config.max_memory64_bytes = 1 << 16;
                     if let MemoryConfig::Normal(cfg) = &mut self.memory_config {
                         match &mut cfg.memory_reservation {
                             Some(size) => *size = (*size).max(pooling.max_memory_size as u64),
@@ -712,13 +721,13 @@ impl WasmtimeConfig {
 
             // Don't allow too many linear memories per instance since massive
             // virtual mappings can fail to get allocated.
-            config.min_memories = config.min_memories.min(10);
-            config.max_memories = config.max_memories.min(10);
+            config.config.min_memories = config.config.min_memories.min(10);
+            config.config.max_memories = config.config.max_memories.min(10);
 
             // Force this pooling allocator to always be able to accommodate the
             // module that may be generated.
-            pooling.total_memories = config.max_memories as u32;
-            pooling.total_tables = config.max_tables as u32;
+            pooling.total_memories = config.config.max_memories as u32;
+            pooling.total_tables = config.config.max_tables as u32;
         }
 
         if !self.signals_based_traps {
@@ -728,7 +737,7 @@ impl WasmtimeConfig {
             // fixable with some more work on the bounds-checks side of things
             // to do a full bounds check even on static memories, but that's
             // left for a future PR.
-            config.threads_enabled = false;
+            config.config.threads_enabled = false;
 
             // Spectre-based heap mitigations require signal handlers so this
             // must always be disabled if signals-based traps are disabled.

crates/fuzzing/src/generators/module.rs

@@ -41,8 +41,8 @@ impl<'a> Arbitrary<'a> for ModuleConfig {
         let _ = config.relaxed_simd_enabled;
         let _ = config.tail_call_enabled;
         let _ = config.extended_const_enabled;
+        let _ = config.gc_enabled;
         config.exceptions_enabled = false;
-        config.gc_enabled = false;
         config.custom_page_sizes_enabled = u.arbitrary()?;
         config.wide_arithmetic_enabled = u.arbitrary()?;
         config.memory64_enabled = u.ratio(1, 20)?;

crates/fuzzing/src/generators/value.rs

@@ -267,6 +267,7 @@ impl PartialEq for DiffValue {
             }
             (Self::FuncRef { null: a }, Self::FuncRef { null: b }) => a == b,
             (Self::ExternRef { null: a }, Self::ExternRef { null: b }) => a == b,
+            (Self::AnyRef { null: a }, Self::AnyRef { null: b }) => a == b,
             _ => false,
         }
     }
@@ -302,7 +303,7 @@ impl TryFrom<wasmtime::ValType> for DiffValueType {
                 (true, HeapType::Any) => Ok(Self::AnyRef),
                 (true, HeapType::I31) => Ok(Self::AnyRef),
                 (true, HeapType::None) => Ok(Self::AnyRef),
-                _ => Err("non-funcref and non-externref reference types are not supported yet"),
+                _ => Err("non-null reference types are not supported yet"),
             },
         }
     }

crates/fuzzing/src/oracles.rs

@@ -369,8 +369,11 @@ pub fn instantiate_with_dummy(store: &mut Store<StoreLimits>, module: &Module) -
     // Creation of imports can fail due to resource limit constraints, and then
     // instantiation can naturally fail for a number of reasons as well. Bundle
     // the two steps together to match on the error below.
-    let instance =
-        dummy::dummy_linker(store, module).and_then(|l| l.instantiate(&mut *store, module));
+    let linker = dummy::dummy_linker(store, module);
+    if let Err(e) = &linker {
+        log::warn!("failed to create dummy linker: {e:?}");
+    }
+    let instance = linker.and_then(|l| l.instantiate(&mut *store, module));
     unwrap_instance(store, instance)
 }
 
@@ -507,6 +510,32 @@ pub enum DiffEqResult<T, U> {
     Failed,
 }
 
+fn wasmtime_trap_is_non_deterministic(trap: &Trap) -> bool {
+    match trap {
+        // Allocations being too large for the GC are
+        // implementation-defined.
+        Trap::AllocationTooLarge |
+        // Stack size, and therefore when overflow happens, is
+        // implementation-defined.
+        Trap::StackOverflow => true,
+        _ => false,
+    }
+}
+
+fn wasmtime_error_is_non_deterministic(error: &wasmtime::Error) -> bool {
+    match error.downcast_ref::<Trap>() {
+        Some(trap) => wasmtime_trap_is_non_deterministic(trap),
+
+        // For general, unknown errors, we can't rely on this being
+        // a deterministic Wasm failure that both engines handled
+        // identically, leaving Wasm in identical states. We could
+        // just as easily be hitting engine-specific failures, like
+        // different implementation-defined limits. So simply poison
+        // this execution and move on to the next test.
+        None => true,
+    }
+}
+
 impl<T, U> DiffEqResult<T, U> {
     /// Computes the differential result from executing in two different
     /// engines.
@@ -518,41 +547,37 @@ impl<T, U> DiffEqResult<T, U> {
         match (lhs_result, rhs_result) {
             (Ok(lhs_result), Ok(rhs_result)) => DiffEqResult::Success(lhs_result, rhs_result),
 
-            // Both sides failed. Check that the trap and state at the time of
-            // failure is the same, when possible.
-            (Err(lhs), Err(rhs)) => {
-                let rhs = match rhs.downcast::<Trap>() {
-                    Ok(trap) => trap,
-
-                    // For general, unknown errors, we can't rely on this being
-                    // a deterministic Wasm failure that both engines handled
-                    // identically, leaving Wasm in identical states. We could
-                    // just as easily be hitting engine-specific failures, like
-                    // different implementation-defined limits. So simply report
-                    // failure and move on to the next test.
-                    Err(err) => {
-                        log::debug!("rhs failed: {err:?}");
-                        return DiffEqResult::Failed;
-                    }
-                };
+            // Handle all non-deterministic errors by poisoning this execution's
+            // state, so that we simply move on to the next test.
+            (Err(lhs), _) if lhs_engine.is_non_deterministic_error(&lhs) => {
+                log::debug!("lhs failed non-deterministically: {lhs:?}");
+                DiffEqResult::Poisoned
+            }
+            (_, Err(rhs)) if wasmtime_error_is_non_deterministic(&rhs) => {
+                log::debug!("rhs failed non-deterministically: {rhs:?}");
+                DiffEqResult::Poisoned
+            }
 
-                // Even some traps are nondeterministic, and we can't rely on
-                // the errors matching or leaving Wasm in the same state.
-                let poisoned =
-                    // Allocations being too large for the GC are
-                    // implementation-defined.
-                    rhs == Trap::AllocationTooLarge
-                    // Stack size, and therefore when overflow happens, is
-                    // implementation-defined.
-                    || rhs == Trap::StackOverflow
-                    || lhs_engine.is_stack_overflow(&lhs);
-                if poisoned {
-                    return DiffEqResult::Poisoned;
-                }
+            // Both sides failed deterministically. Check that the trap and
+            // state at the time of failure is the same.
+            (Err(lhs), Err(rhs)) => {
+                let rhs = rhs
+                    .downcast::<Trap>()
+                    .expect("non-traps handled in earlier match arm");
+
+                debug_assert!(
+                    !lhs_engine.is_non_deterministic_error(&lhs),
+                    "non-deterministic traps handled in earlier match arm",
+                );
+                debug_assert!(
+                    !wasmtime_trap_is_non_deterministic(&rhs),
+                    "non-deterministic traps handled in earlier match arm",
+                );
 
                 lhs_engine.assert_error_match(&lhs, &rhs);
                 DiffEqResult::Failed
             }
+
             // A real bug is found if only one side fails.
             (Ok(_), Err(err)) => panic!("only the `rhs` failed for this input: {err:?}"),
             (Err(err), Ok(_)) => panic!("only the `lhs` failed for this input: {err:?}"),
@@ -1337,6 +1362,8 @@ mod tests {
             | WasmFeatures::TAIL_CALL
             | WasmFeatures::WIDE_ARITHMETIC
             | WasmFeatures::MEMORY64
+            | WasmFeatures::FUNCTION_REFERENCES
+            | WasmFeatures::GC
             | WasmFeatures::GC_TYPES
             | WasmFeatures::CUSTOM_PAGE_SIZES
             | WasmFeatures::EXTENDED_CONST;

crates/fuzzing/src/oracles/diff_spec.rs

@@ -49,7 +49,7 @@ impl DiffEngine for SpecInterpreter {
         let _ = (trap, err);
     }
 
-    fn is_stack_overflow(&self, err: &Error) -> bool {
+    fn is_non_deterministic_error(&self, err: &Error) -> bool {
         err.to_string().contains("(Isabelle) call stack exhausted")
     }
 }

crates/fuzzing/src/oracles/diff_v8.rs

@@ -145,7 +145,7 @@ impl DiffEngine for V8Engine {
         verify_wasmtime("not possibly present in an error, just panic please");
     }
 
-    fn is_stack_overflow(&self, err: &Error) -> bool {
+    fn is_non_deterministic_error(&self, err: &Error) -> bool {
         err.to_string().contains("Maximum call stack size exceeded")
     }
 }

crates/fuzzing/src/oracles/diff_wasmi.rs

@@ -85,7 +85,7 @@ impl DiffEngine for WasmiEngine {
         }
     }
 
-    fn is_stack_overflow(&self, err: &Error) -> bool {
+    fn is_non_deterministic_error(&self, err: &Error) -> bool {
         matches!(
             self.trap_code(err),
             Some(wasmi::core::TrapCode::StackOverflow)

crates/fuzzing/src/oracles/diff_wasmtime.rs

@@ -26,13 +26,15 @@ impl WasmtimeEngine {
     ) -> arbitrary::Result<Self> {
         let mut new_config = u.arbitrary::<WasmtimeConfig>()?;
         new_config.compiler_strategy = compiler_strategy;
-        new_config.update_module_config(&mut config.module_config.config, u)?;
+        new_config.update_module_config(&mut config.module_config, u)?;
         new_config.make_compatible_with(&config.wasmtime);
 
         let config = generators::Config {
             wasmtime: new_config,
             module_config: config.module_config.clone(),
         };
+        log::debug!("Created new Wasmtime differential engine with config: {config:?}");
+
         Ok(Self { config })
     }
 }
@@ -57,12 +59,13 @@ impl DiffEngine for WasmtimeEngine {
         let lhs = lhs
             .downcast_ref::<Trap>()
             .expect(&format!("not a trap: {lhs:?}"));
+
         assert_eq!(lhs, rhs, "{lhs}\nis not equal to\n{rhs}");
     }
 
-    fn is_stack_overflow(&self, err: &Error) -> bool {
+    fn is_non_deterministic_error(&self, err: &Error) -> bool {
         match err.downcast_ref::<Trap>() {
-            Some(trap) => *trap == Trap::StackOverflow,
+            Some(trap) => super::wasmtime_trap_is_non_deterministic(trap),
             None => false,
         }
     }
@@ -118,11 +121,10 @@ impl WasmtimeInstance {
 
         globals
             .into_iter()
-            .map(|(name, global)| {
-                (
-                    name,
-                    global.ty(&self.store).content().clone().try_into().unwrap(),
-                )
+            .filter_map(|(name, global)| {
+                DiffValueType::try_from(global.ty(&self.store).content().clone())
+                    .map(|ty| (name, ty))
+                    .ok()
             })
             .collect()
     }

crates/fuzzing/src/oracles/engine.rs

@@ -61,9 +61,12 @@ pub trait DiffEngine {
     /// generated.
     fn assert_error_match(&self, err: &Error, trap: &Trap);
 
-    /// Returns whether the error specified from this engine might be stack
-    /// overflow.
-    fn is_stack_overflow(&self, err: &Error) -> bool;
+    /// Returns whether the error specified from this engine is
+    /// non-deterministic, like a stack overflow or an attempt to allocate an
+    /// object that is too large (which is non-deterministic because it may
+    /// depend on which collector it was configured with or memory available on
+    /// the system).
+    fn is_non_deterministic_error(&self, err: &Error) -> bool;
 }
 
 /// Provide a way to evaluate Wasm functions--a Wasm instance implemented by a

crates/wasmtime/src/runtime/linker.rs

@@ -8,7 +8,7 @@ use crate::{
     Instance, Module, StoreContextMut, Val, ValRaw, ValType,
 };
 use alloc::sync::Arc;
-use core::fmt;
+use core::fmt::{self, Debug};
 use core::marker;
 #[cfg(feature = "async")]
 use core::{future::Future, pin::Pin};
@@ -90,6 +90,12 @@ pub struct Linker<T> {
     _marker: marker::PhantomData<fn() -> T>,
 }
 
+impl<T> Debug for Linker<T> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Linker").finish_non_exhaustive()
+    }
+}
+
 impl<T> Clone for Linker<T> {
     fn clone(&self) -> Linker<T> {
         Linker {