chore(fuzzing): Improve wasm execution fuzzers#8632
Merged
venkkatesh-sekar merged 18 commits intomasterfrom Feb 9, 2026
Merged
chore(fuzzing): Improve wasm execution fuzzers#8632venkkatesh-sekar merged 18 commits intomasterfrom
venkkatesh-sekar merged 18 commits intomasterfrom
Conversation
venkkatesh-sekar
changed the title
WasmExecutor fuzzer
venkkatesh-sekar
changed the title
WasmExecutor fuzzer
adambratschikaye
approved these changes
Feb 9, 2026
kpop-dfinity
pushed a commit
that referenced
this pull request
Feb 20, 2026
This PR sends some love to the Wasm execution fuzzers, as they were in maintenance mode for some time and haven't caught up with the recent changes in the execution environment. **Production code changes:** 1. Adds a new test method `set_api_type` to `rs/embedders/src/wasmtime_embedder/system_api.rs` to hot reload the `ApiType` for `SystemApiImpl`. (This affects some constants within the state as well, but I don't think they are necessary for the fuzzer). ### `execute_with_wasm_executor_afl` 1. In the previous versions, `WasmExecutionInput` was created for every Wasm method executed, but this was done poorly. The `CompilationCache` was created fresh for each input, and thus the Wasm was compiled every time a method was executed. The current change utilizes `WasmExecutor.create_execution_state` to compile and instantiate the Wasm, and we pass the `compilation_cache` used here to `WasmExecutionInput`. This improves the fuzzer speed by 10x. 2. Every time a method was executed, a new `ExecutionState` was created, including the `SystemState`. To extend the coverage of the fuzzer, the result of the previous method's execution is persisted for the next method. This includes `ExecutionState` and `SystemState`, but the changes carried over are done conservatively. Precisely, this includes globals, `wasm_memory`, `stable_memory`, and balance changes in `SystemState`. 3. Previously, the `ApiType` was always set to `Init`, which was not right. To extend the coverage, we set the correct `ApiType` for the method, as this influences the system API responses. 4. The `SystemState` also contains a dummy `call_context`, as some system API operations like `msg_cycles_accept` panic without it (rightfully). ### `ic_wasm.rs` 1. There was some machinery to extract `exported_globals`, since the previous version of `execute_with_wasm_executor_afl` required it. Since this is now done via `WasmExecutor.create_execution_state`, we can remove generating `exported_globals` from `ICWasmModule`. 2. `wasm_smith::Config` sets every new Wasm proposal to enabled, which created a lot of invalid Wasm. This is fine from the compiler fuzzer point of view, but the execution fuzzers don't require it. Hence, the struct is exhaustively listed, and the addition of new fields will fail compilation. 3. The ability to generate 32-bit system API is brought back (lost in some refactoring). ### `import.rs` The ability to generate 32-bit system API is brought back (lost in some refactoring). ### `compile.rs` `SerializedModuleBytes` is not required to be deterministic, and we set it as empty to hold the equality check for other fields. ### `execute_with_wasmtime_afl` `ApiType` change as above. ### `differential...` `ApiType` change as above. We had excluded having a Cargo.toml for fuzzers in the hope of a Bazel solution for Rust Analyzer. The day hasn't come after years, so I have added a Cargo.toml for the `wasm_fuzzers` library, as this improves fixing issues a lot quicker. --------- Co-authored-by: IDX GitHub Automation <infra+github-automation@dfinity.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR sends some love to the Wasm execution fuzzers, as they were in maintenance mode for some time and haven't caught up with the recent changes in the execution environment.
Production code changes:
set_api_typetors/embedders/src/wasmtime_embedder/system_api.rsto hot reload theApiTypeforSystemApiImpl. (This affects some constants within the state as well, but I don't think they are necessary for the fuzzer).execute_with_wasm_executor_aflWasmExecutionInputwas created for every Wasm method executed, but this was done poorly. TheCompilationCachewas created fresh for each input, and thus the Wasm was compiled every time a method was executed. The current change utilizesWasmExecutor.create_execution_stateto compile and instantiate the Wasm, and we pass thecompilation_cacheused here toWasmExecutionInput. This improves the fuzzer speed by 10x.ExecutionStatewas created, including theSystemState. To extend the coverage of the fuzzer, the result of the previous method's execution is persisted for the next method. This includesExecutionStateandSystemState, but the changes carried over are done conservatively. Precisely, this includes globals,wasm_memory,stable_memory, and balance changes inSystemState.ApiTypewas always set toInit, which was not right. To extend the coverage, we set the correctApiTypefor the method, as this influences the system API responses.SystemStatealso contains a dummycall_context, as some system API operations likemsg_cycles_acceptpanic without it (rightfully).ic_wasm.rsexported_globals, since the previous version ofexecute_with_wasm_executor_aflrequired it. Since this is now done viaWasmExecutor.create_execution_state, we can remove generatingexported_globalsfromICWasmModule.wasm_smith::Configsets every new Wasm proposal to enabled, which created a lot of invalid Wasm. This is fine from the compiler fuzzer point of view, but the execution fuzzers don't require it. Hence, the struct is exhaustively listed, and the addition of new fields will fail compilation.import.rsThe ability to generate 32-bit system API is brought back (lost in some refactoring).
compile.rsSerializedModuleBytesis not required to be deterministic, and we set it as empty to hold the equality check for other fields.execute_with_wasmtime_aflApiTypechange as above.differential...ApiTypechange as above.We had excluded having a Cargo.toml for fuzzers in the hope of a Bazel solution for Rust Analyzer. The day hasn't come after years, so I have added a Cargo.toml for the
wasm_fuzzerslibrary, as this improves fixing issues a lot quicker.