Replace bincode with postcard. Inline fuzz_mutate. Address other small comments

khagankhan · khagankhan · commit 07f260124808 · 2025-07-24T21:31:35.000Z
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/fuzzing/Cargo.toml b/crates/fuzzing/Cargo.toml
@@ -15,13 +15,11 @@ workspace = true
 wasmtime-test-util = { workspace = true, features = ['wast'] }
 
 [dependencies]
-bincode = "2.0.1"
 anyhow = { workspace = true }
 arbitrary = { workspace = true, features = ["derive"] }
 env_logger = { workspace = true }
 log = { workspace = true }
 mutatis = { workspace = true }
-rand = { workspace = true }
 rayon = "1.2.1"
 smallvec = { workspace = true }
 target-lexicon = { workspace = true }
@@ -38,6 +36,7 @@ wasmi = { version = "0.43.1", default-features = false, features = ["std", "simd
 futures = { workspace = true }
 wasmtime-test-util = { workspace = true, features = ['wast', 'component-fuzz', 'component'] }
 serde_json = { workspace = true }
+serde = { workspace = true }
 
 [dependencies.wasmtime-cli-flags]
 workspace = true
diff --git a/crates/fuzzing/src/generators/table_ops.rs b/crates/fuzzing/src/generators/table_ops.rs
@@ -1,7 +1,7 @@
 //! Generating series of `table.get` and `table.set` operations.
-use bincode::{Decode, Encode};
 use mutatis::mutators as m;
 use mutatis::{Candidates, Context, DefaultMutate, Generate, Mutate, Result as MutResult};
+use serde::{Deserialize, Serialize};
 use smallvec::SmallVec;
 use std::ops::RangeInclusive;
 use wasm_encoder::{
@@ -12,7 +12,7 @@ use wasm_encoder::{
 
 /// A description of a Wasm module that makes a series of `externref` table
 /// operations.
-#[derive(Debug, Default, Encode, Decode)]
+#[derive(Debug, Default, Serialize, Deserialize)]
 pub struct TableOps {
     pub(crate) num_params: u32,
     pub(crate) num_globals: u32,
@@ -183,7 +183,10 @@ impl TableOps {
 
         self.ops = new_ops;
     }
-    /// Pops from the vector of the opcodes and returns bool
+
+    /// Attempts to remove the last opcode from the sequence.
+    ///
+    /// Returns `true` if an opcode was successfully removed, or `false` if the list was already empty.
     pub fn pop(&mut self) -> bool {
         self.ops.pop().is_some()
     }
@@ -288,7 +291,7 @@ macro_rules! define_table_ops {
             $op:ident $( ( $($limit:expr => $ty:ty),* ) )? : $params:expr => $results:expr ,
         )*
     ) => {
-        #[derive(Copy, Clone, Debug, Encode, Decode)]
+        #[derive(Copy, Clone, Debug, Serialize, Deserialize)]
         pub(crate) enum TableOp {
             $(
                 $op ( $( $($ty),* )? ),
diff --git a/crates/fuzzing/src/oracles.rs b/crates/fuzzing/src/oracles.rs
@@ -23,8 +23,7 @@ use self::diff_wasmtime::WasmtimeInstance;
 use self::engine::{DiffEngine, DiffInstance};
 use crate::generators::{self, CompilerStrategy, DiffValue, DiffValueType};
 use crate::single_module_fuzzer::KnownValid;
-use arbitrary::{Arbitrary, Unstructured};
-use rand::{Rng, SeedableRng};
+use arbitrary::Arbitrary;
 pub use stacks::check_stacks;
 use std::future::Future;
 use std::pin::Pin;
@@ -1332,22 +1331,6 @@ pub fn call_async(wasm: &[u8], config: &generators::Config, mut poll_amts: &[u32
     }
 }
 
-/// Fuzz target for table operations that reconstructs config from seed.
-pub fn fuzz_table_ops((config_seed, ops): (u64, generators::table_ops::TableOps)) {
-    let mut buf = [0u8; 1024];
-    let mut rng = rand::rngs::StdRng::seed_from_u64(config_seed);
-
-    for b in buf.iter_mut() {
-        *b = rng.r#gen()
-    }
-
-    let u = Unstructured::new(&buf);
-    let config = generators::Config::arbitrary_take_rest(u)
-        .expect("should be able to generate config from seed");
-
-    let _ = crate::oracles::table_ops(config, ops);
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -13,7 +13,8 @@ cargo-fuzz = true
 
 [dependencies]
 mutatis = { workspace = true }
-bincode = "2.0.1"
+rand = { workspace = true }
+postcard = { workspace = true }
 anyhow = { workspace = true }
 env_logger = { workspace = true }
 cranelift-assembler-x64 = { workspace = true, features = ["fuzz"] }
diff --git a/fuzz/fuzz_targets/table_ops.rs b/fuzz/fuzz_targets/table_ops.rs
@@ -1,45 +1,56 @@
 #![no_main]
 
+use libfuzzer_sys::arbitrary::{Arbitrary, Unstructured};
 use libfuzzer_sys::{fuzz_mutator, fuzz_target, fuzzer_mutate};
 use mutatis::Session;
+use postcard::{from_bytes, to_slice};
+use rand::{Rng, SeedableRng};
 use wasmtime_fuzzing::generators::table_ops::TableOps;
-use wasmtime_fuzzing::oracles::fuzz_table_ops;
+use wasmtime_fuzzing::oracles::table_ops;
 
 fuzz_target!(|input: (u64, TableOps)| {
-    fuzz_table_ops(input);
+    let (seed, ops) = input;
+    let mut buf = [0u8; 1024];
+    let mut rng = rand::rngs::StdRng::seed_from_u64(seed);
+    for b in buf.iter_mut() {
+        *b = rng.r#gen();
+    }
+
+    let u = Unstructured::new(&buf);
+    let config = wasmtime_fuzzing::generators::Config::arbitrary_take_rest(u)
+        .expect("should be able to generate config from seed");
+
+    let _ = table_ops(config, ops);
 });
 
 fuzz_mutator!(|data: &mut [u8], size: usize, max_size: usize, seed: u32| {
     let _ = env_logger::try_init();
 
-    // With probability of about 1/8, just use the default mutator.
+    // With probability of about 1/8, use default mutator
     if seed.count_ones() % 8 == 0 {
         return fuzzer_mutate(data, size, max_size);
     }
 
-    // Fallback to default on decode failure
-    let mut tuple =
-        bincode::decode_from_slice::<(u64, TableOps), _>(data, bincode::config::standard())
-            .map_or_else(|_err| (0, TableOps::default()), |(tuple, _)| tuple);
+    // Try to decode using postcard; fallback to default input on failure
+    let mut tuple: (u64, TableOps) = from_bytes(&data[..size]).ok().unwrap_or_default();
 
     let mut session = Session::new().seed(seed.into()).shrink(max_size < size);
 
     if session.mutate(&mut tuple).is_ok() {
-        // Re-encode the mutated ops back into `data`.
         loop {
-            if let Ok(new_size) =
-                bincode::encode_into_slice(&tuple, data, bincode::config::standard())
-            {
-                return new_size;
+            if let Ok(encoded) = to_slice(&tuple, data) {
+                return encoded.len();
             }
-            // When re-encoding fails (presumably because `data` is not
-            // large enough) then pop an op off the end and try again.
+
+            // Attempt to shrink ops if encoding fails (e.g., buffer too small)
             if tuple.1.pop() {
                 continue;
             }
+
             break;
         }
     }
-    // Fall back to the fuzzer's default mutation strategies.
+
+    // Fallback to default libfuzzer mutator
     fuzzer_mutate(data, size, max_size)
 });
