Add async to the component_api fuzzer #12047
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
I ran this overnight and it found #12046, but that took quite some time. I expect it'll probably uncover something else but I think this is ready to at least send to oss-fuzz. |
This commit extends the preexisting `component_api` fuzzer in Wasmtime to support `async`. This required a fair bit of refactoring to how the fuzzer worked but the basic idea remains the same. This fuzzer generates: * An arbitrary component-model type signature (minus resources/futures/streams) * A component which imports a function of this signature from the host and exports a function of this signature to the host. * Internally the export is implemented with a component `caller` that imports/exports this function signature. * The `caller` component is instantiated with a `callee` component that imports/exports this function signature. * The `callee` component is instantiated with the host. In essence a component model value is threaded into a component, to another composed component, then back out to the host. The return value then makes its way back through the same channel. The fuzz test ensures that the parameters received in the host import are the same as those passed to the export. Additionally the return value of the export is ensured to be the same as the one that the host import returned. In essence this is testing ABI handling in Wasmtime to ensure that composition works correctly in addition to lifting/lowering code. This fuzzer additionally has a "static" and "dynamic" mode where, at compile time, N components are generated with different signatures and use the "typed" APIs of Wasmtime. For "dynamic" `Val` is used to test and arbitrary components are generated at fuzz-time. The fuzzer finally executes this roundtrip in a loop multiple times in one fuzz test case to test different runtime-shapes of values in addition to compile-time-shapes of values. The main addition in this commit is to extend all of this with the async ABI. The following knobs were added and implemented: * The function type used for the root component export, the function between the composed components, and the function imported from the host all have the ability to be an `async` function type now. * The lifts/lowers, in all locations, can be configured with the various ABIs supported (e.g. sync, async-callback, or async-stackful for lifts, and sync/async for lowers). * Like before the string encoding can be varied between the components as well. This is intended to stress combining different flavors of ABI with different behaviors to ensure that all the various paths throughout Wasmtime and such are hit. The goal of this fuzzer is to stress ABI lifting/lowering, so this is not handling much related to async event scheduling (that's for a future fuzzer). In a follow-up commit I hope to extend this fuzzer with some async event scheduling nonetheless. For example the fuzzer will generate an async yield point before/after calling `task.return` or before/after calling the host import. That is intended to stress `first_poll`-vs-not behavior as it relates to ABI handling. None of that is yet implemented and for this fuzzer async calls are assumed to always succeed immediately for now.
alexcrichton
force-pushed
the
fuzz-async-roundtrip
branch
from
22524f6 to
a10db88
Compare
github-actions
bot
added
the
fuzzing
Subscribe to Label Actioncc @fitzgen
This issue or pull request has been labeled: "fuzzing"
Thus the following users have been cc'd because of the following labels:
To subscribe or unsubscribe from this label, edit the |
dicej
approved these changes
Nov 19, 2025
Contributor
dicej
left a comment
dicej
left a comment
There was a problem hiding this comment.
LGTM. Thanks for doing this!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit extends the preexisting
component_apifuzzer in Wasmtime to supportasync. This required a fair bit of refactoring to how the fuzzer worked but the basic idea remains the same. This fuzzer generates:callerthat imports/exports this function signature.callercomponent is instantiated with acalleecomponent that imports/exports this function signature.calleecomponent is instantiated with the host.In essence a component model value is threaded into a component, to another composed component, then back out to the host. The return value then makes its way back through the same channel. The fuzz test ensures that the parameters received in the host import are the same as those passed to the export. Additionally the return value of the export is ensured to be the same as the one that the host import returned. In essence this is testing ABI handling in Wasmtime to ensure that composition works correctly in addition to lifting/lowering code.
This fuzzer additionally has a "static" and "dynamic" mode where, at compile time, N components are generated with different signatures and use the "typed" APIs of Wasmtime. For "dynamic"
Valis used to test and arbitrary components are generated at fuzz-time. The fuzzer finally executes this roundtrip in a loop multiple times in one fuzz test case to test different runtime-shapes of values in addition to compile-time-shapes of values.The main addition in this commit is to extend all of this with the async ABI. The following knobs were added and implemented:
The function type used for the root component export, the function between the composed components, and the function imported from the host all have the ability to be an
asyncfunction type now.The lifts/lowers, in all locations, can be configured with the various ABIs supported (e.g. sync, async-callback, or async-stackful for lifts, and sync/async for lowers).
Like before the string encoding can be varied between the components as well.
This is intended to stress combining different flavors of ABI with different behaviors to ensure that all the various paths throughout Wasmtime and such are hit. The goal of this fuzzer is to stress ABI lifting/lowering, so this is not handling much related to async event scheduling (that's for a future fuzzer).
In a follow-up commit I hope to extend this fuzzer with some async event scheduling nonetheless. For example the fuzzer will generate an async yield point before/after calling
task.returnor before/after calling the host import. That is intended to stressfirst_poll-vs-not behavior as it relates to ABI handling. None of that is yet implemented and for this fuzzer async calls are assumed to always succeed immediately for now.