[fuzzing] Enable instantiation (bytecodealliance#3958)

- Increase input seed size for wasm-tools to generate larger WebAssembly modules
- Add instantiation in wasm mutator fuzz tests

Author: lum1n0us

tests/fuzz/wasm-mutator-fuzz/README.md

@@ -19,6 +19,7 @@ $ wasm-tools help
 mkdir build && cd build
 # Without custom mutator (libfuzzer modify the buffer randomly)
 cmake ..
+# TODO: TBC. `wasm-tools mutate` is not supported yet
 # With custom mutator (wasm-tools mutate)
 cmake .. -DCUSTOM_MUTATOR=1
 make -j$(nproc)

tests/fuzz/wasm-mutator-fuzz/smith_wasm.sh

@@ -33,36 +33,36 @@ function try_generate_wasm()
 
     local try_i=0
     until [[ -f $GENERATED_WASM_NAME ]]; do
-        head -c 100 /dev/urandom | wasm-tools smith $SMITH_OPTIONS -o $GENERATED_WASM_NAME  >/dev/null 2>&1
+        # Larger input seeds tend to generate larger WebAssembly modules. (256KB)
+        head -c 262144 /dev/urandom | wasm-tools smith $SMITH_OPTIONS -o $GENERATED_WASM_NAME  >/dev/null 2>&1
         try_i=$((try_i+1))
     done
 
     printf -- "-- output ${GENERATED_WASM_NAME} in %d retries\n" $try_i
 }
 
-# try_generate_wasm "--min-memories=1 --min-tables=1" "test_min.wasm"
+WASM_SHAPE=" --allow-invalid-funcs true \
+--generate-custom-sections true \
+--min-funcs 5 \
+--max-instructions 1024 \
+--min-globals 10"
+
+WASM_MVP_FEATURES=" --bulk-memory-enabled true \
+--multi-value-enabled true \
+--reference-types-enabled true \
+--simd-enabled true \
+--tail-call-enabled true"
 
 for i in $(seq 1 $EXPECTED_NUM)
 do
-    # by default
-    try_generate_wasm "" test_$i.wasm
-
-    # with different features
     # mvp
-    try_generate_wasm "--min-memories=1 --min-tables=1" test_min_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --bulk-memory-enabled true" test_bulk_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --reference-types-enabled true" test_ref_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --multi-value-enabled true" test_multi_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --simd-enabled true" test_simd_$i.wasm
-    try_generate_wasm "--min-memories=1 --min-tables=1 --tail-call-enabled true " test_tail_$i.wasm
+    try_generate_wasm "${WASM_SHAPE} ${WASM_MVP_FEATURES}" test_mvp_$i.wasm
 
-    # enable me when compiling iwasm with those features
-    #try_generate_wasm "--min-memories=1 --min-tables=1 --threads-enabled true" test_thread_$i.wasm
-    #try_generate_wasm "--min-memories=1 --min-tables=1 --memory64-enabled true" test_memory64_$i.wasm
-    #try_generate_wasm "--min-memories=1 --min-tables=1 --exceptions-enabled true" test_exception_$i.wasm
-    #try_generate_wasm "--min-memories=1 --min-tables=1 --gc-enabled true" test_gc_$i.wasm
-    # with custom-section
-    try_generate_wasm "--min-memories=1 --min-tables=1 --generate-custom-sections true" test_custom_$i.wasm
+    # other proposals
+    try_generate_wasm "${WASM_SHAPE} --exceptions-enabled true" test_exception_$i.wasm
+    try_generate_wasm "${WASM_SHAPE} --gc-enabled true" test_gc_$i.wasm
+    try_generate_wasm "${WASM_SHAPE} --memory64-enabled true" test_memory64_$i.wasm
+    try_generate_wasm "${WASM_SHAPE} --threads-enabled true" test_threads_$i.wasm
 done
 
 printf "Done\n"

tests/fuzz/wasm-mutator-fuzz/wasm_mutator_fuzz.cc

@@ -13,31 +13,41 @@
 
 using namespace std;
 
-extern "C" WASMModuleCommon *
-wasm_runtime_load(uint8 *buf, uint32 size, char *error_buf,
-                  uint32 error_buf_size);
-
-extern "C" WASMModuleInstanceCommon *
-wasm_runtime_instantiate(WASMModuleCommon *module, uint32 stack_size,
-                         uint32 heap_size, char *error_buf,
-                         uint32 error_buf_size);
-
 extern "C" int
 LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {
     /* libfuzzer don't allow us to modify the given Data, so we copy the data
      * here */
     std::vector<uint8_t> myData(Data, Data + Size);
+
     /* init runtime environment */
     wasm_runtime_init();
+
+    char error_buf[128] = { 0 };
     wasm_module_t module =
-        wasm_runtime_load((uint8_t *)myData.data(), Size, nullptr, 0);
-    if (module) {
+        wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120);
+    if (!module) {
+        std::cout << "[LOADING] " << error_buf << std::endl;
+        wasm_runtime_destroy();
+        /* return SUCCESS because the failure has been handled */
+        return 0;
+    }
+
+    wasm_module_inst_t inst = wasm_runtime_instantiate(
+        module, 8 * 1024 * 1024, 16 * 1024 * 1024, error_buf, 120);
+    if (!inst) {
+        std::cout << "[INSTANTIATE] " << error_buf << std::endl;
         wasm_runtime_unload(module);
+        wasm_runtime_destroy();
+        /* return SUCCESS because the failure has been handled */
+        return 0;
     }
-    /* destroy runtime environment */
-    wasm_runtime_destroy();
 
+    std::cout << "PASS" << std::endl;
+
+    wasm_runtime_deinstantiate(inst);
+    wasm_runtime_unload(module);
+    wasm_runtime_destroy();
     return 0; /* Values other than 0 and -1 are reserved for future use. */
 }