fuzzing: reject non-wasm files quickly and execute aot after compilation (#4780)

* fix: disable unsigned integer overflow sanitization in build configurations

FYI: from https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html

`-fsanitize=unsigned-integer-overflow`: Unsigned integer overflow, where the result of an unsigned integer computation cannot be represented in its type. Unlike signed integer overflow, this is not undefined behavior, but it is often unintentional. This sanitizer does not check for lossy implicit conversions performed before such a computation.

It brings a more common question: which is better, pre-additional-check or post-additional-check to fix a potential unsigned integer overflow? A pre-additional-check involves using a check to prevent integer overflow from the very beginning. A post-additional-check involves using a check after addition to see if there is an overflow.

In this project, post-additional-checking is widely used. let's follow the routine.

for performance sensitive logic, use __builtin_add_overflow etc. provide something like https://github.com/yamt/toywasm/blob/9a5622791e99395e26e6e96cef830af3d91a1685/lib/platform.h#L176-L191 and encourage the use of them.

ref. #4549 (comment)

* fix: update AOT compiler configuration and enhance error handling in fuzz tests

Author: lum1n0us

build-scripts/config_common.cmake

@@ -196,7 +196,8 @@ if (NOT WAMR_BUILD_SANITIZER STREQUAL "")
     message(FATAL_ERROR "Unsupported sanitizers: ${INVALID_SANITIZERS}")
   endif()
   # common flags for all sanitizers
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment")
+  # clang: warning: the object size sanitizer has no effect at -O0, but is explicitly enabled ... [-Winvalid-command-line-argument]
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O1 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment")
   if(CMAKE_C_COMPILER_ID MATCHES ".*Clang")
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-sanitize=unsigned-integer-overflow")
   endif()

core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c

@@ -430,7 +430,7 @@ fd_table_attach(struct fd_table *ft, __wasi_fd_t fd, struct fd_object *fo,
                 __wasi_rights_t rights_base, __wasi_rights_t rights_inheriting)
     REQUIRES_EXCLUSIVE(ft->lock) CONSUMES(fo->refcount)
 {
-    bh_assert(ft->size > fd && "File descriptor table too small");
+    bh_assert(ft->size > (size_t)fd && "File descriptor table too small");
     struct fd_entry *fe = &ft->entries[fd];
     bh_assert(fe->object == NULL
               && "Attempted to overwrite an existing descriptor");

tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt

@@ -1,12 +1,6 @@
 # Copyright (C) 2025 Intel Corporation. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 
-# Set default build options with the ability to override from the command line
-if(NOT WAMR_BUILD_INTERP)
-  set(WAMR_BUILD_INTERP 1)
-endif()
-
-set(WAMR_BUILD_WAMR_COMPILER 1)
 set(WAMR_BUILD_AOT 0)
 set(WAMR_BUILD_INTERP 1)
 set(WAMR_BUILD_JIT 0)
@@ -67,5 +61,6 @@ target_link_directories(aotclib PUBLIC ${LLVM_LIBRARY_DIR})
 
 target_link_libraries(aotclib PUBLIC ${REQUIRED_LLVM_LIBS})
 
-add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc)
+add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc ../common/fuzzer_common.cc)
+target_include_directories(aot_compiler_fuzz PRIVATE ../common)
 target_link_libraries(aot_compiler_fuzz PRIVATE stdc++ aotclib)

tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc

@@ -11,6 +11,7 @@
 #include "aot_export.h"
 #include "wasm_export.h"
 #include "bh_read_file.h"
+#include "../common/fuzzer_common.h"
 
 static void
 handle_aot_recent_error(const char *tag)
@@ -26,32 +27,39 @@ handle_aot_recent_error(const char *tag)
 extern "C" int
 LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {
+    char kTargetArch[] = "x86_64";
+    char kTargetAbi[] = "gnu";
     wasm_module_t module = NULL;
-    char error_buf[128] = { 0 };
+    char error_buf[ERROR_BUF_SIZE] = { 0 };
     AOTCompOption option = { 0 };
     aot_comp_data_t comp_data = NULL;
     aot_comp_context_t comp_ctx = NULL;
+    uint8 *aot_file_buf = NULL;
+    uint32 aot_file_size = 0;
+    wasm_module_t aot_module = NULL;
+    wasm_module_inst_t inst = NULL;
 
-    /* libfuzzer don't allow to modify the given Data, so make a copy here */
-    std::vector<uint8_t> myData(Data, Data + Size);
-
+    /* libfuzzer don't allow to modify the given Data, but get_package_type and
+     * wasm_runtime_load only read the data, so we can safely use const_cast */
     if (Size >= 4
-        && get_package_type(myData.data(), Size) != Wasm_Module_Bytecode) {
+        && get_package_type(const_cast<uint8_t *>(Data), Size)
+               != Wasm_Module_Bytecode) {
         printf("Invalid wasm file: magic header not detected\n");
         return 0;
     }
 
     wasm_runtime_init();
 
-    module = wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120);
+    module = wasm_runtime_load(const_cast<uint8_t *>(Data), Size, error_buf,
+                               MAX_ERROR_BUF_SIZE);
     if (!module) {
         std::cout << "[LOADING] " << error_buf << std::endl;
         goto DESTROY_RUNTIME;
     }
 
     // TODO: target_arch and other fields
-    option.target_arch = "x86_64";
-    option.target_abi = "gnu";
+    option.target_arch = kTargetArch;
+    option.target_abi = kTargetAbi;
     option.enable_bulk_memory = true;
     option.enable_thread_mgr = true;
     option.enable_tail_call = true;
@@ -78,6 +86,34 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
         goto DESTROY_COMP_CTX;
     }
 
+    aot_file_buf = aot_emit_aot_file_buf(comp_ctx, comp_data, &aot_file_size);
+    if (!aot_file_buf) {
+        handle_aot_recent_error("[EMITTING AOT FILE]");
+        goto DESTROY_COMP_CTX;
+    }
+
+    aot_module = wasm_runtime_load(aot_file_buf, aot_file_size, error_buf,
+                                   ERROR_BUF_SIZE);
+    if (!aot_module) {
+        std::cout << "[LOADING AOT MODULE] " << error_buf << std::endl;
+        goto RELEASE_AOT_FILE_BUF;
+    }
+
+    inst = wasm_runtime_instantiate(aot_module, 1024 * 8, 0, error_buf,
+                                    ERROR_BUF_SIZE);
+    if (!inst) {
+        std::cout << "[INSTANTIATING AOT MODULE] " << error_buf << std::endl;
+        goto UNLOAD_AOT_MODULE;
+    }
+
+    execute_export_functions(module, inst);
+
+DEINSTANTIZE_AOT_MODULE:
+    wasm_runtime_deinstantiate(inst);
+UNLOAD_AOT_MODULE:
+    wasm_runtime_unload(aot_module);
+RELEASE_AOT_FILE_BUF:
+    wasm_runtime_free(aot_file_buf);
 DESTROY_COMP_CTX:
     aot_destroy_comp_context(comp_ctx);
 DESTROY_COMP_DATA:

tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc

@@ -0,0 +1,145 @@
+// Copyright (C) 2025 Intel Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#include "fuzzer_common.h"
+#include <iostream>
+#include <string.h>
+
+void
+print_execution_args(const wasm_export_t &export_type,
+                     const std::vector<wasm_val_t> &args, unsigned param_count)
+{
+    std::cout << "[EXECUTION] " << export_type.name << "(";
+    for (unsigned p_i = 0; p_i < param_count; p_i++) {
+        if (p_i != 0) {
+            std::cout << ", ";
+        }
+
+        switch (args[p_i].kind) {
+            case WASM_I32:
+                std::cout << "i32:" << args[p_i].of.i32;
+                break;
+            case WASM_I64:
+                std::cout << "i64:" << args[p_i].of.i64;
+                break;
+            case WASM_F32:
+                std::cout << "f32:" << args[p_i].of.f32;
+                break;
+            case WASM_F64:
+                std::cout << "f64:" << args[p_i].of.f64;
+                break;
+            case WASM_EXTERNREF:
+                std::cout << "externref:" << args[p_i].of.foreign;
+                break;
+            default:
+                // because aft is_supported_val_kind() check, so we can safely
+                // return as WASM_FUNCREF
+                std::cout << "funcref:" << args[p_i].of.ref;
+                break;
+        }
+    }
+    std::cout << ")" << std::endl;
+}
+
+bool
+execute_export_functions(wasm_module_t module, wasm_module_inst_t inst)
+{
+    int32_t export_count = wasm_runtime_get_export_count(module);
+
+    for (int e_i = 0; e_i < export_count; e_i++) {
+        wasm_export_t export_type;
+
+        memset(&export_type, 0, sizeof(export_type));
+        wasm_runtime_get_export_type(module, e_i, &export_type);
+
+        if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) {
+            continue;
+        }
+
+        wasm_function_inst_t func =
+            wasm_runtime_lookup_function(inst, export_type.name);
+        if (!func) {
+            std::cout << "Failed to lookup function: " << export_type.name
+                      << std::endl;
+            continue;
+        }
+
+        wasm_func_type_t func_type = export_type.u.func_type;
+        uint32_t param_count = wasm_func_type_get_param_count(func_type);
+
+        /* build arguments with capacity reservation */
+        std::vector<wasm_val_t> args;
+        args.reserve(param_count); // Optimization: prevent reallocations
+        for (unsigned p_i = 0; p_i < param_count; p_i++) {
+            wasm_valkind_t param_type =
+                wasm_func_type_get_param_valkind(func_type, p_i);
+
+            if (!is_supported_val_kind(param_type)) {
+                std::cout
+                    << "Bypass execution because of unsupported value kind: "
+                    << param_type << std::endl;
+                return true;
+            }
+
+            wasm_val_t arg = pre_defined_val(param_type);
+            args.push_back(arg);
+        }
+
+        /* build results storage */
+        uint32_t result_count = wasm_func_type_get_result_count(func_type);
+        std::vector<wasm_val_t> results(
+            result_count); // Optimization: direct initialization
+
+        print_execution_args(export_type, args, param_count);
+
+        /* execute the function */
+        wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst);
+        if (!exec_env) {
+            std::cout << "Failed to get exec env" << std::endl;
+            return false;
+        }
+
+        bool ret =
+            wasm_runtime_call_wasm_a(exec_env, func, result_count,
+                                     results.data(), param_count, args.data());
+        if (!ret) {
+            const char *exception = wasm_runtime_get_exception(inst);
+            if (!exception) {
+                std::cout << "[EXECUTION] " << export_type.name
+                          << "() failed. No exception info." << std::endl;
+            }
+            else {
+                std::cout << "[EXECUTION] " << export_type.name << "() failed. "
+                          << exception << std::endl;
+            }
+        }
+
+        wasm_runtime_clear_exception(inst);
+    }
+
+    return true;
+}
+
+void
+report_fuzzer_error(FuzzerErrorPhase phase, const char *message)
+{
+    const char *phase_name = "";
+    switch (phase) {
+        case FuzzerErrorPhase::LOADING:
+            phase_name = "LOADING";
+            break;
+        case FuzzerErrorPhase::INSTANTIATING:
+            phase_name = "INSTANTIATING";
+            break;
+        case FuzzerErrorPhase::COMPILING:
+            phase_name = "COMPILING";
+            break;
+        case FuzzerErrorPhase::EXECUTION:
+            phase_name = "EXECUTION";
+            break;
+        case FuzzerErrorPhase::CLEANUP:
+            phase_name = "CLEANUP";
+            break;
+    }
+    std::cout << "[" << phase_name << "] " << message << std::endl;
+}

tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.h

@@ -0,0 +1,77 @@
+// Copyright (C) 2025 Intel Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#ifndef FUZZER_COMMON_H
+#define FUZZER_COMMON_H
+
+#include "wasm_export.h"
+#include <iostream>
+#include <vector>
+
+// Constants for consistent buffer sizes
+constexpr size_t ERROR_BUF_SIZE = 128;
+constexpr size_t MAX_ERROR_BUF_SIZE = 120; // Used in wasm_runtime_load
+
+// Error phases for consistent reporting
+enum class FuzzerErrorPhase {
+    LOADING,
+    INSTANTIATING,
+    COMPILING,
+    EXECUTION,
+    CLEANUP
+};
+
+// Small inline helper functions
+
+// Check if a value kind is supported by the fuzzer
+static inline bool
+is_supported_val_kind(wasm_valkind_t kind)
+{
+    return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32
+           || kind == WASM_F64 || kind == WASM_EXTERNREF
+           || kind == WASM_FUNCREF;
+}
+
+// Generate a predefined value for a given value kind
+static inline wasm_val_t
+pre_defined_val(wasm_valkind_t kind)
+{
+    if (kind == WASM_I32) {
+        return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } };
+    }
+    else if (kind == WASM_I64) {
+        return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } };
+    }
+    else if (kind == WASM_F32) {
+        return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } };
+    }
+    else if (kind == WASM_F64) {
+        return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } };
+    }
+    else if (kind == WASM_EXTERNREF) {
+        return wasm_val_t{ .kind = WASM_EXTERNREF,
+                           .of = { .foreign = 0xabcddead } };
+    }
+    // because aft is_supported_val_kind() check, so we can safely return as
+    // WASM_FUNCREF
+    else {
+        return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } };
+    }
+}
+
+// Function declarations (implemented in fuzzer_common.cc)
+
+// Print execution arguments for debugging
+void
+print_execution_args(const wasm_export_t &export_type,
+                     const std::vector<wasm_val_t> &args, unsigned param_count);
+
+// Execute all export functions in a module
+bool
+execute_export_functions(wasm_module_t module, wasm_module_inst_t inst);
+
+// Helper for consistent error reporting
+void
+report_fuzzer_error(FuzzerErrorPhase phase, const char *message);
+
+#endif // FUZZER_COMMON_H

tests/fuzz/wasm-mutator-fuzz/sanitizer_flags.cmake

@@ -12,6 +12,7 @@ if(NOT IN_OSS_FUZZ)
 
   # SANITIZER_FLAGS_undefined
   add_compile_options(
+    -O1
     -fsanitize=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unsigned-integer-overflow,unreachable,vla-bound,vptr
     -fno-sanitize-recover=array-bounds,bool,builtin,enum,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr
   )

tests/fuzz/wasm-mutator-fuzz/wasm-mutator/CMakeLists.txt

@@ -47,7 +47,8 @@ if(NOT DEFINED WAMR_BUILD_SIMD)
 endif()
 
 set(WAMR_BUILD_REF_TYPES 1)
-set(WAMR_BUILD_GC 1)
+# disable it since it is not fully supported
+set(WAMR_BUILD_GC 0)
 
 include(${REPO_ROOT_DIR}/build-scripts/runtime_lib.cmake)
 include(${REPO_ROOT_DIR}/core/shared/utils/uncommon/shared_uncommon.cmake)
@@ -57,5 +58,6 @@ target_include_directories(vmlib PUBLIC ${RUNTIME_LIB_HEADER_LIST})
 target_link_directories(vmlib PUBLIC ${RUNTIME_LIB_LINK_LIST})
 target_link_libraries(vmlib PUBLIC ${REQUIRED_LLVM_LIBS})
 
-add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc)
+add_executable(wasm_mutator_fuzz wasm_mutator_fuzz.cc ../common/fuzzer_common.cc)
+target_include_directories(wasm_mutator_fuzz PRIVATE ../common)
 target_link_libraries(wasm_mutator_fuzz PRIVATE vmlib m)