Fuzzing: Handle instantiation errors in ClusterFuzz (#7166)

kripken · web-flow · commit f9d78d8ce4ef · 2025-01-07T11:05:29.000-08:00
If the module has an invalid segment offset, for example, it will error. We
should not error in the fuzzer on such rare cases.

Also add logging of the actual error, which matches what we do for
errors elsewhere, and makes debugging easier. As a result another place
needs to look for the prefix now, and not the entire string (since we
append the error contents).
diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py
@@ -1556,6 +1556,10 @@ def handle(self, wasm):
         run([in_bin('wasm-opt'), abspath('a.wast')] + FEATURE_OPTS)
 
 
+# The error shown when a module fails to instantiate.
+INSTANTIATE_ERROR = 'exception thrown: failed to instantiate module'
+
+
 # Fuzz in a near-identical manner to how we fuzz on ClusterFuzz. This is mainly
 # to see that fuzzing that way works properly (it likely won't catch anything
 # the other fuzzers here catch, though it is possible). That is, running this
@@ -1611,8 +1615,10 @@ def handle(self, wasm):
 
         # Verify that we called something. The fuzzer should always emit at
         # least one exported function (unless we've decided to ignore the entire
-        # run).
-        if output != IGNORE:
+        # run, or if the wasm errored during instantiation, which can happen due
+        # to a testcase with a segment out of bounds, say).
+        if output != IGNORE and not output.startswith(INSTANTIATE_ERROR):
+
             assert FUZZ_EXEC_CALL_PREFIX in output
 
     def ensure(self):
@@ -1672,7 +1678,7 @@ def handle(self, wasm):
             # to anything.
             return
 
-        if output.strip() == 'exception thrown: failed to instantiate module':
+        if output.startswith(INSTANTIATE_ERROR):
             # We may fail to instantiate the modules for valid reasons, such as
             # an active segment being out of bounds. There is no point to
             # continue in such cases, as no exports are called.
diff --git a/scripts/fuzz_shell.js b/scripts/fuzz_shell.js
@@ -346,7 +346,7 @@ function build(binary) {
   try {
     instance = new WebAssembly.Instance(module, imports);
   } catch (e) {
-    console.log('exception thrown: failed to instantiate module');
+    console.log('exception thrown: failed to instantiate module: ' + e);
     quit();
   }
 

Original file line number	Diff line number	Diff line change
`@@ -346,7 +346,7 @@ function build(binary) {`
`346`	`346`	`try {`
`347`	`347`	`instance = new WebAssembly.Instance(module, imports);`
`348`	`348`	`} catch (e) {`
`349`		`- console.log('exception thrown: failed to instantiate module');`
	`349`	`+ console.log('exception thrown: failed to instantiate module: ' + e);`
`350`	`350`	`quit();`
`351`	`351`	`}`
`352`	`352`