New Fuzz Target for Exercising Interface Functions

[fitzgen]

To help make the component model and interface types production ready, we want
to extensively fuzz and exercise Wasmtime's ability to pass interface values
back and forth with Wasm.

This fuzz target should:

• generate an arbitrary interface type T,
• generate a Wasm component that
  • imports a host function T -> T, and
  • exports a function T -> T that passes its argument to the import function
    and returns the result of the import function,
• generate some number of arbitrary values of type T,
• and for each value:
  • call the Wasm's exported function,
  • when the host function is called, assert that the argument is equal to the
    original value,
  • return the argument from the host function,
  • when the Wasm function returns to the host, assert that the argument is
    equal to the original value,
  • assert that the host function was actually called.

This tests that we can round trip interface values of type T both as arguments
and returns to and from Wasm.

Here is a diagram showing what the fuzz target should do:

+-------------------+                   +------------------+
| Host              |                   | Wasm             |
|                   |   argument        |                  |
|     arbitrary ------------------------------>            |
|     value         |                   |      |           |
|                   |                   |      |           |
|                   |                   |      |           |
|         +-----------------+           |      |           |
|         | host function   |           |      |           |
|         | imported by     |           |      |           |
|         | Wasm            |  argument |      V           |
|         |            <-----------------------            |
|         |           |     |           |                  |
|         | assert    |     |           |                  |
|         | value is  |     |           |                  |
|         | equal     V     |  return   |                  |
|         |            ----------------------->            |
|         |                 |           |      |           |
|         +-----------------+           |      |           |
|                   |                   |      |           |
|                   |          return   |      V           |
|   assert    <--------------------------------            |
|   value is        |                   |                  |
|   equal           |                   |                  |
|                   |                   |                  |
+-------------------+                   +------------------+

Test Case Generator

The test case generator will be responsible for generating

• the arbitrary interface type T,
• the Wasm component that takes values of type T, passes them to the imported
  host function, and returns the result of the host function,
• and instances of type T.

Oracle

There are two versions of the oracle:

1. a version that uses the dynamic interface types API to pass values to Wasm,
   and
2. a version that uses the static interface types API to pass values to Wasm.

Dynamic API Oracle

The dynamic API oracle will be paired with the test case generator at runtime
and use Wasmtime's dynamic API for interface type values (doesn't exist at time
of writing; the component equivalent of wasmtime::Val).

Static API Oracle

The static API oracle will use the test case generator at build time to
generate, say, 1000 interface types T to fuzz, and then generate arbitrary
instances of T at runtime. This means that if T is a struct, for example, we
can define a Rust type like

#[derive(InterfaceType)]
struct MyRustType {
    foo: u32,
    bar: String,
}

whose instances can be passed to the Wasm directly via Wasmtime's static API for
interface types. We will generate arbitrary instance of MyRustType at runtime
in this scenario, but not new types T.

(Note that derive(InterfaceType) does not exist at the time of writing.)

[fitzgen]

We might actually want to have two instances of the Wasm component, so that values flow like

argument: host ---> wasm A ---> wasm B ---> host import
return: host import ---> wasm B ---> wasm A ---> host

so that we are exercising component-to-component trampolines and all that.

[dicej]

Thanks, for writing this up, @fitzgen. A few questions for you:

1. Given that neither the dynamic API for interface type values nor derive(InterfaceType) yet exist, I assume each of those things will need to be implemented before the corresponding oracle is created. Is that correct?
2. Is it worthwhile to do any work on this issue before one of the above features is implemented? I.e. is there any value in writing the test case generator prior to being able to write oracles that use it?
3. For the static API oracle, were you thinking of creating (or extending) a build.rs that generates Rust code or writing a procedural macro?

[fitzgen]

• Given that neither the dynamic API for interface type values nor derive(InterfaceType) yet exist, I assume each of those things will need to be implemented before the corresponding oracle is created. Is that correct?

• Is it worthwhile to do any work on this issue before one of the above features is implemented? I.e. is there any value in writing the test case generator prior to being able to write oracles that use it?

Yeah, I think it makes sense to unblock this before working on it. We could probably technically implement some (most?) of the test case generator without the oracles, but I think it would be best if they were developed in together since I think the shape of the generator may be informed by the oracles.

For the static API oracle, were you thinking of creating (or extending) a build.rs that generates Rust code or writing a procedural macro?

I think a build.rs would be better, since it would generally just be easier to write, read, and debug.

[dicej]

@alexcrichton Are you planning to create an issue for derive(InterfaceType? I'd be happy to create a placeholder, but I'm still fuzzy on the details, so I'll need help fleshing it out.

Also, it sounds like we might also need an issue for the interface-type-equivalent of wasmtime::Val Nick mentioned above. I think I understand what's involved there (e.g. copying values.rs and adapting it for interface types), but I could use guidance there, too.

[alexcrichton]

I do indeed want to open an issue! Sorry I got caught up all day in a debugging adventure but that's over now so I'll go make an issue next.

[dicej]

FYI, I'm planning to start working on this tomorrow, assuming no significant additional work is needed on #4442.

[dicej]

Looks like #4442 needs more work, so I won't be able to tackle this one quite yet.

[dicej]

Quick question: Should the test case generator deliberately generate instances and components which do not match the generated type?

For example, if the generated type is a record with three fields, should the instance generator (sometimes) generate values with too many, not enough, or mis-typed field values (or values which are instances of an entirely different sort of type), and should the component generator (sometimes) generate a component which expects a different record type (or a different sort of type)?

[fitzgen]

You could do that with very low probability (something like u.ratio(1, 1_000)) if you want, but I don't think it is super critical. Wouldn't work on this kind of thing ahead of working on the main bits.

[dicej]

Regarding the static API oracle: neither libFuzzer nor cargo-fuzz will be involved, correct? I'm envisioning adding code to the build.rs at the root of the repo which generates a .rs file under the tests directory containing a single test that exercises 1000 random test cases, each of which has been generated in build.rs using the test case generator with an arbitrary::Unstructured initialized with a random byte slice. Does that sound right?