fix: refactor AOT fuzz testing by consolidating common functions and improving argument handling

Author: lum1n0us

build-scripts/config_common.cmake

@@ -196,7 +196,8 @@ if (NOT WAMR_BUILD_SANITIZER STREQUAL "")
     message(FATAL_ERROR "Unsupported sanitizers: ${INVALID_SANITIZERS}")
   endif()
   # common flags for all sanitizers
-  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O0 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment")
+  # clang: warning: the object size sanitizer has no effect at -O0, but is explicitly enabled ... [-Winvalid-command-line-argument]
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O1 -fno-omit-frame-pointer -fno-sanitize-recover=all -fno-sanitize=alignment")
   if(CMAKE_C_COMPILER_ID MATCHES ".*Clang")
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-sanitize=unsigned-integer-overflow")
   endif()

core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c

@@ -430,7 +430,7 @@ fd_table_attach(struct fd_table *ft, __wasi_fd_t fd, struct fd_object *fo,
                 __wasi_rights_t rights_base, __wasi_rights_t rights_inheriting)
     REQUIRES_EXCLUSIVE(ft->lock) CONSUMES(fo->refcount)
 {
-    bh_assert(ft->size > fd && "File descriptor table too small");
+    bh_assert(ft->size > (size_t)fd && "File descriptor table too small");
     struct fd_entry *fe = &ft->entries[fd];
     bh_assert(fe->object == NULL
               && "Attempted to overwrite an existing descriptor");

tests/fuzz/wasm-mutator-fuzz/aot-compiler/CMakeLists.txt

@@ -61,5 +61,6 @@ target_link_directories(aotclib PUBLIC ${LLVM_LIBRARY_DIR})
 
 target_link_libraries(aotclib PUBLIC ${REQUIRED_LLVM_LIBS})
 
-add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc)
+add_executable(aot_compiler_fuzz aot_compiler_fuzz.cc ../common/fuzzer_common.cc)
+target_include_directories(aot_compiler_fuzz PRIVATE ../common)
 target_link_libraries(aot_compiler_fuzz PRIVATE stdc++ aotclib)

tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc

@@ -11,6 +11,7 @@
 #include "aot_export.h"
 #include "wasm_export.h"
 #include "bh_read_file.h"
+#include "../common/fuzzer_common.h"
 
 static void
 handle_aot_recent_error(const char *tag)
@@ -23,155 +24,13 @@ handle_aot_recent_error(const char *tag)
     std::cout << tag << " " << error << std::endl;
 }
 
-static bool
-is_supported_val_kind(wasm_valkind_t kind)
-{
-    return kind == WASM_I32 || kind == WASM_I64 || kind == WASM_F32
-           || kind == WASM_F64 || kind == WASM_EXTERNREF
-           || kind == WASM_FUNCREF;
-}
-
-static wasm_val_t
-pre_defined_val(wasm_valkind_t kind)
-{
-    if (kind == WASM_I32) {
-        return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } };
-    }
-    else if (kind == WASM_I64) {
-        return wasm_val_t{ .kind = WASM_I64, .of = { .i64 = 168 } };
-    }
-    else if (kind == WASM_F32) {
-        return wasm_val_t{ .kind = WASM_F32, .of = { .f32 = 3.14159f } };
-    }
-    else if (kind == WASM_F64) {
-        return wasm_val_t{ .kind = WASM_F64, .of = { .f64 = 2.71828 } };
-    }
-    else if (kind == WASM_EXTERNREF) {
-        return wasm_val_t{ .kind = WASM_EXTERNREF,
-                           .of = { .foreign = 0xabcddead } };
-    }
-    // because aft is_supported_val_kind() check, so we can safely return as
-    // WASM_FUNCREF
-    else {
-        return wasm_val_t{ .kind = WASM_FUNCREF, .of = { .ref = nullptr } };
-    }
-}
-void
-print_execution_args(const wasm_export_t &export_type,
-                     const std::vector<wasm_val_t> &args, unsigned param_count)
-{
-    std::cout << "[EXECUTION] " << export_type.name << "(";
-    for (unsigned p_i = 0; p_i < param_count; p_i++) {
-        if (p_i != 0) {
-            std::cout << ", ";
-        }
-
-        switch (args[p_i].kind) {
-            case WASM_I32:
-                std::cout << "i32:" << args[p_i].of.i32;
-                break;
-            case WASM_I64:
-                std::cout << "i64:" << args[p_i].of.i64;
-                break;
-            case WASM_F32:
-                std::cout << "f32:" << args[p_i].of.f32;
-                break;
-            case WASM_F64:
-                std::cout << "f64:" << args[p_i].of.f64;
-                break;
-            case WASM_EXTERNREF:
-                std::cout << "externref:" << args[p_i].of.foreign;
-                break;
-            default:
-                // because aft is_supported_val_kind() check, so we can safely
-                // return as WASM_FUNCREF
-                std::cout << "funcref:" << args[p_i].of.ref;
-                break;
-        }
-    }
-    std::cout << ")" << std::endl;
-}
-
-static bool
-execute_export_functions(wasm_module_t module, wasm_module_inst_t inst)
-{
-    int32_t export_count = wasm_runtime_get_export_count(module);
-
-    for (int e_i = 0; e_i < export_count; e_i++) {
-        wasm_export_t export_type = { 0 };
-        wasm_runtime_get_export_type(module, e_i, &export_type);
-
-        if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) {
-            continue;
-        }
-
-        wasm_function_inst_t func =
-            wasm_runtime_lookup_function(inst, export_type.name);
-        if (!func) {
-            std::cout << "Failed to lookup function: " << export_type.name
-                      << std::endl;
-            continue;
-        }
-
-        wasm_func_type_t func_type = export_type.u.func_type;
-        uint32_t param_count = wasm_func_type_get_param_count(func_type);
-
-        /* build arguments */
-        std::vector<wasm_val_t> args;
-        for (unsigned p_i = 0; p_i < param_count; p_i++) {
-            wasm_valkind_t param_type =
-                wasm_func_type_get_param_valkind(func_type, p_i);
-
-            if (!is_supported_val_kind(param_type)) {
-                std::cout
-                    << "Bypass execution because of unsupported value kind: "
-                    << param_type << std::endl;
-                return true;
-            }
-
-            wasm_val_t arg = pre_defined_val(param_type);
-            args.push_back(arg);
-        }
-
-        /* build results storage */
-        uint32_t result_count = wasm_func_type_get_result_count(func_type);
-        std::vector<wasm_val_t> results = std::vector<wasm_val_t>(result_count);
-
-        print_execution_args(export_type, args, param_count);
-
-        /* execute the function */
-        wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst);
-        if (!exec_env) {
-            std::cout << "Failed to get exec env" << std::endl;
-            return false;
-        }
-
-        bool ret =
-            wasm_runtime_call_wasm_a(exec_env, func, result_count,
-                                     results.data(), param_count, args.data());
-        if (!ret) {
-            const char *exception = wasm_runtime_get_exception(inst);
-            if (!exception) {
-                std::cout << "[EXECUTION] " << export_type.name
-                          << "() failed. No exception info." << std::endl;
-            }
-            else {
-                std::cout << "[EXECUTION] " << export_type.name << "() failed. "
-                          << exception << std::endl;
-            }
-        }
-
-        wasm_runtime_clear_exception(inst);
-    }
-
-    return true;
-}
-
 extern "C" int
 LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 {
+    char kTargetArch[] = "x86_64";
+    char kTargetAbi[] = "gnu";
     wasm_module_t module = NULL;
-    char error_buf[128] = { 0 };
+    char error_buf[ERROR_BUF_SIZE] = { 0 };
     AOTCompOption option = { 0 };
     aot_comp_data_t comp_data = NULL;
     aot_comp_context_t comp_ctx = NULL;
@@ -180,26 +39,27 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
     wasm_module_t aot_module = NULL;
     wasm_module_inst_t inst = NULL;
 
-    /* libfuzzer don't allow to modify the given Data, so make a copy here */
-    std::vector<uint8_t> myData(Data, Data + Size);
-
+    /* libfuzzer don't allow to modify the given Data, but get_package_type and
+     * wasm_runtime_load only read the data, so we can safely use const_cast */
     if (Size >= 4
-        && get_package_type(myData.data(), Size) != Wasm_Module_Bytecode) {
+        && get_package_type(const_cast<uint8_t *>(Data), Size)
+               != Wasm_Module_Bytecode) {
         printf("Invalid wasm file: magic header not detected\n");
         return 0;
     }
 
     wasm_runtime_init();
 
-    module = wasm_runtime_load((uint8_t *)myData.data(), Size, error_buf, 120);
+    module = wasm_runtime_load(const_cast<uint8_t *>(Data), Size, error_buf,
+                               MAX_ERROR_BUF_SIZE);
     if (!module) {
         std::cout << "[LOADING] " << error_buf << std::endl;
         goto DESTROY_RUNTIME;
     }
 
     // TODO: target_arch and other fields
-    option.target_arch = "x86_64";
-    option.target_abi = "gnu";
+    option.target_arch = kTargetArch;
+    option.target_abi = kTargetAbi;
     option.enable_bulk_memory = true;
     option.enable_thread_mgr = true;
     option.enable_tail_call = true;
@@ -232,14 +92,15 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
         goto DESTROY_COMP_CTX;
     }
 
-    aot_module =
-        wasm_runtime_load(aot_file_buf, aot_file_size, error_buf, 128);
+    aot_module = wasm_runtime_load(aot_file_buf, aot_file_size, error_buf,
+                                   ERROR_BUF_SIZE);
     if (!aot_module) {
         std::cout << "[LOADING AOT MODULE] " << error_buf << std::endl;
         goto RELEASE_AOT_FILE_BUF;
     }
 
-    inst = wasm_runtime_instantiate(aot_module, 1024*8, 0, error_buf, 128);
+    inst = wasm_runtime_instantiate(aot_module, 1024 * 8, 0, error_buf,
+                                    ERROR_BUF_SIZE);
     if (!inst) {
         std::cout << "[INSTANTIATING AOT MODULE] " << error_buf << std::endl;
         goto UNLOAD_AOT_MODULE;

tests/fuzz/wasm-mutator-fuzz/common/fuzzer_common.cc

@@ -0,0 +1,145 @@
+// Copyright (C) 2025 Intel Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+
+#include "fuzzer_common.h"
+#include <iostream>
+#include <string.h>
+
+void
+print_execution_args(const wasm_export_t &export_type,
+                     const std::vector<wasm_val_t> &args, unsigned param_count)
+{
+    std::cout << "[EXECUTION] " << export_type.name << "(";
+    for (unsigned p_i = 0; p_i < param_count; p_i++) {
+        if (p_i != 0) {
+            std::cout << ", ";
+        }
+
+        switch (args[p_i].kind) {
+            case WASM_I32:
+                std::cout << "i32:" << args[p_i].of.i32;
+                break;
+            case WASM_I64:
+                std::cout << "i64:" << args[p_i].of.i64;
+                break;
+            case WASM_F32:
+                std::cout << "f32:" << args[p_i].of.f32;
+                break;
+            case WASM_F64:
+                std::cout << "f64:" << args[p_i].of.f64;
+                break;
+            case WASM_EXTERNREF:
+                std::cout << "externref:" << args[p_i].of.foreign;
+                break;
+            default:
+                // because aft is_supported_val_kind() check, so we can safely
+                // return as WASM_FUNCREF
+                std::cout << "funcref:" << args[p_i].of.ref;
+                break;
+        }
+    }
+    std::cout << ")" << std::endl;
+}
+
+bool
+execute_export_functions(wasm_module_t module, wasm_module_inst_t inst)
+{
+    int32_t export_count = wasm_runtime_get_export_count(module);
+
+    for (int e_i = 0; e_i < export_count; e_i++) {
+        wasm_export_t export_type;
+
+        memset(&export_type, 0, sizeof(export_type));
+        wasm_runtime_get_export_type(module, e_i, &export_type);
+
+        if (export_type.kind != WASM_IMPORT_EXPORT_KIND_FUNC) {
+            continue;
+        }
+
+        wasm_function_inst_t func =
+            wasm_runtime_lookup_function(inst, export_type.name);
+        if (!func) {
+            std::cout << "Failed to lookup function: " << export_type.name
+                      << std::endl;
+            continue;
+        }
+
+        wasm_func_type_t func_type = export_type.u.func_type;
+        uint32_t param_count = wasm_func_type_get_param_count(func_type);
+
+        /* build arguments with capacity reservation */
+        std::vector<wasm_val_t> args;
+        args.reserve(param_count); // Optimization: prevent reallocations
+        for (unsigned p_i = 0; p_i < param_count; p_i++) {
+            wasm_valkind_t param_type =
+                wasm_func_type_get_param_valkind(func_type, p_i);
+
+            if (!is_supported_val_kind(param_type)) {
+                std::cout
+                    << "Bypass execution because of unsupported value kind: "
+                    << param_type << std::endl;
+                return true;
+            }
+
+            wasm_val_t arg = pre_defined_val(param_type);
+            args.push_back(arg);
+        }
+
+        /* build results storage */
+        uint32_t result_count = wasm_func_type_get_result_count(func_type);
+        std::vector<wasm_val_t> results(
+            result_count); // Optimization: direct initialization
+
+        print_execution_args(export_type, args, param_count);
+
+        /* execute the function */
+        wasm_exec_env_t exec_env = wasm_runtime_get_exec_env_singleton(inst);
+        if (!exec_env) {
+            std::cout << "Failed to get exec env" << std::endl;
+            return false;
+        }
+
+        bool ret =
+            wasm_runtime_call_wasm_a(exec_env, func, result_count,
+                                     results.data(), param_count, args.data());
+        if (!ret) {
+            const char *exception = wasm_runtime_get_exception(inst);
+            if (!exception) {
+                std::cout << "[EXECUTION] " << export_type.name
+                          << "() failed. No exception info." << std::endl;
+            }
+            else {
+                std::cout << "[EXECUTION] " << export_type.name << "() failed. "
+                          << exception << std::endl;
+            }
+        }
+
+        wasm_runtime_clear_exception(inst);
+    }
+
+    return true;
+}
+
+void
+report_fuzzer_error(FuzzerErrorPhase phase, const char *message)
+{
+    const char *phase_name = "";
+    switch (phase) {
+        case FuzzerErrorPhase::LOADING:
+            phase_name = "LOADING";
+            break;
+        case FuzzerErrorPhase::INSTANTIATING:
+            phase_name = "INSTANTIATING";
+            break;
+        case FuzzerErrorPhase::COMPILING:
+            phase_name = "COMPILING";
+            break;
+        case FuzzerErrorPhase::EXECUTION:
+            phase_name = "EXECUTION";
+            break;
+        case FuzzerErrorPhase::CLEANUP:
+            phase_name = "CLEANUP";
+            break;
+    }
+    std::cout << "[" << phase_name << "] " << message << std::endl;
+}