WebAssembly · kripken · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
@@ -31,6 +31,7 @@
 import json
 import math
 import os
+import pathlib
 import random
 import re
 import shutil
@@ -2049,8 +2050,9 @@ def compare_to_merged_output(self, output, merged_output):
         compare(output, merged_output, 'Two-Merged')
 
 
-# Test --fuzz-preserve-imports-exports, which never modifies imports or exports.
-class PreserveImportsExports(TestCaseHandler):
+# Test --fuzz-preserve-imports-exports on random inputs. This should never
+# modify imports or exports.
+class PreserveImportsExportsRandom(TestCaseHandler):
     frequency = 0.1
 
     def handle(self, wasm):
@@ -2095,6 +2097,147 @@ def get_relevant_lines(wat):
         compare(get_relevant_lines(original), get_relevant_lines(processed), 'Preserve')
 
 
+# Test --fuzz-preserve-imports-exports on a realistic js+wasm input. Unlike
+# PreserveImportsExportsRandom which starts with a random file and modifies it,
+# this starts with a fixed js+wasm testcase, known to work and to have
+# interesting operations on the js/wasm boundary, and then randomly modifies
+# the wasm. This simulates how an external fuzzer could use binaryen to modify
+# its known-working testcases (parallel to how we test ClusterFuzz here).
+#
+# This reads wasm+js combinations from the test/js_wasm directory, so as new
+# testcases are added there, this will fuzz them.
+#
+# Note that bugs found by this fuzzer require BINARYEN_TRUST_GIVEN_WASM=1 in the
+# env for reduction. TODO: simplify this
+class PreserveImportsExportsJS(TestCaseHandler):
+    frequency = 1
+
+    def handle_pair(self, input, before_wasm, after_wasm, opts):
+        try:
+            self.do_handle_pair(input, before_wasm, after_wasm, opts)
+        except Exception as e:
+            if not os.environ.get('BINARYEN_TRUST_GIVEN_WASM'):
+                # We errored, and we were not given a wasm file to trust as we
+                # reduce, so this is the first time we hit an error. Save the
+                # pre wasm file, the one we began with, as `before_wasm`, so
+                # that the reducer will make us proceed exactly from there.
+                shutil.copyfile(self.pre_wasm, before_wasm)
+            raise e
+
+    def do_handle_pair(self, input, before_wasm, after_wasm, opts):
+        # Some of the time use a custom input. The normal inputs the fuzzer
+        # generates are in range INPUT_SIZE_MIN-INPUT_SIZE_MAX, which is good
+        # for new testcases, but the more changes we make to js+wasm testcases,
+        # the more chance we have to break things entirely (the js/wasm boundary
+        # is fragile). It is useful to also fuzz smaller sizes.
+        if random.random() < 0.25:
+            size = random.randint(0, INPUT_SIZE_MIN * 2)
+            make_random_input(size, input)
+
+        # Pick a js+wasm pair.
+        js_files = list(pathlib.Path(in_binaryen('test', 'js_wasm')).glob('*.mjs'))
+        js_file = str(random.choice(js_files))
+        print(f'js file: {js_file}')
+        wat_file = str(pathlib.Path(js_file).with_suffix('.wat'))
+
+        # Verify the wat works with our features
+        try:
+            run([in_bin('wasm-opt'), wat_file] + FEATURE_OPTS,
+                stderr=subprocess.PIPE,
+                silent=True)
+        except Exception:
+            note_ignored_vm_run('PreserveImportsExportsJS: features not compatible with js+wasm')
+            return
+
+        # Make sure the testcase runs by itself - there should be no invalid
+        # testcases.
+        original_wasm = 'orig.wasm'
+        run([in_bin('wasm-opt'), wat_file, '-o', original_wasm] + FEATURE_OPTS)
+        D8().run_js(js_file, original_wasm)
+
+        # Modify the initial wat to get the pre-optimizations wasm.
+        pre_wasm = abspath('pre.wasm')
+        run([in_bin('wasm-opt'), input] + FEATURE_OPTS + [
+            '-ttf',
+            '--fuzz-preserve-imports-exports',
+            '--initial-fuzz=' + wat_file,
+            '-o', pre_wasm,
+            '-g',
+        ])
+
+        # We successfully generated pre_wasm; stash it for possible reduction
+        # purposes later.
+        self.pre_wasm = pre_wasm
+
+        # If we were given a wasm file, use that instead of all the above. We
+        # do this now, after creating pre_wasm, because we still need to consume
+        # all the randomness normally.
+        if os.environ.get('BINARYEN_TRUST_GIVEN_WASM'):
+            print('using given wasm', before_wasm)
+            pre_wasm = before_wasm
+
+        # Pick a vm and run before we optimize the wasm.
+        vms = [
+            D8(),
+            D8Liftoff(),
+            D8Turboshaft(),
+        ]
+        pre_vm = random.choice(vms)
+        pre = self.do_run(pre_vm, js_file, pre_wasm)
+
+        # Optimize.
+        post_wasm = abspath('post.wasm')
+        cmd = [in_bin('wasm-opt'), pre_wasm, '-o', post_wasm] + opts + FEATURE_OPTS
+        print(' '.join(cmd))
+        proc = subprocess.run(cmd, capture_output=True, text=True)
+        if proc.returncode:
+            if 'Invalid configureAll' in proc.stderr:
+                # We have a hard error on unfamiliar configureAll patterns atm.
+                # Mutation of configureAll will easily break that pattern, so we
+                # must ignore such cases.
+                note_ignored_vm_run('PreserveImportsExportsJS: bad configureAll')
+                return
+
+            # Anything else is a problem.
+            print(proc.stderr)
+            raise Exception('opts failed')
+
+        # Run after opts, in a random vm.
+        post_vm = random.choice(vms)
+        post = self.do_run(post_vm, js_file, post_wasm)
+
+        # Compare
+        compare(pre, post, 'PreserveImportsExportsJS')
+
+    def do_run(self, vm, js, wasm):
+        out = vm.run_js(js, wasm, checked=False)
+
+        cleaned = []
+        for line in out.splitlines():
+            if 'RuntimeError:' in line or 'TypeError:' in line:
+                # This is part of an error like
+                #
+                #  wasm-function[2]:0x273: RuntimeError: unreachable
+                #
+                # We must ignore the binary location, which opts can change. We
+                # must also remove the specific trap, as Binaryen can change
+                # that.
+                line = 'TRAP'
+            elif 'wasm://' in line or '(<anonymous>)' in line:
+                # This is part of a stack trace like
+                #
+                #     at wasm://wasm/12345678:wasm-function[42]:0x123
+                #     at (<anonymous>)
+                #
+                # Ignore it, as traces differ based on optimizations.
+                continue
+            cleaned.append(line)
+        return '\n'.join(cleaned)
+
+    def can_run_on_wasm(self, wasm):
+        return all_disallowed(DISALLOWED_FEATURES_IN_V8)
+
+
 # Test that we preserve branch hints properly. The invariant that we test here
 # is that, given correct branch hints (that is, the input wasm's branch hints
 # are always correct: a branch is taken iff the hint is that it is taken), then
@@ -2322,7 +2465,8 @@ def handle(self, wasm):
     RoundtripText(),
     ClusterFuzz(),
     Two(),
-    PreserveImportsExports(),
+    PreserveImportsExportsRandom(),
+    PreserveImportsExportsJS(),
     BranchHintPreservation(),
 ]
 

@@ -117,6 +117,10 @@
     'waitqueue.wast',
     # TODO: fix handling of the non-utf8 names here
     'name-high-bytes.wast',
+    # JS interop testcases have complex js-wasm interactions
+    'js_interop_counter.wat',
+    'js_interop_cases.wat',
+    'js_interop_corners.wat',
 ]
 
 

@@ -0,0 +1,56 @@
+let protoFactory = new Proxy({}, {
+    get(target, prop, receiver) {
+        // Always return a fresh, empty object.
+        return {};
+    }
+});
+
+let constructors = {};
+
+let imports = {
+    "protos": protoFactory,
+    "env": { constructors },
+};
+
+let compileOptions = { builtins: ["js-prototypes"] };
+
+let buffer = readbuffer(arguments[0]);
+
+let { module, instance } =
+    await WebAssembly.instantiate(buffer, imports, compileOptions);
+
+let Base = constructors.Base;
+let Derived = constructors.Derived;
+
+// Test Base
+console.log("Testing Base...");
+let b = new Base(10);
+console.log("b.getValue():", b.getValue()); // 10
+console.log("b.value getter:", b.value); // 10
+b.value = 20;
+console.log("b.value after setter:", b.getValue()); // 20
+console.log("b instanceof Base:", b instanceof Base); // true
+console.log("b instanceof Derived:", b instanceof Derived); // false
+
+// Test Derived
+console.log("\nTesting Derived...");
+let d = new Derived(100, 500);
+console.log("d.getValue() (inherited):", d.getValue()); // 100
+console.log("d.getExtra():", d.getExtra()); // 500
+console.log("d.value getter (inherited):", d.value); // 100
+d.value = 150;
+console.log("d.value after setter (inherited):", d.getValue()); // 150
+console.log("d instanceof Derived:", d instanceof Derived); // true
+console.log("d instanceof Base (inheritance):", d instanceof Base); // true
+console.log("Derived.staticMethod():", Derived.staticMethod()); // 42
+
+// Test Wasm-side descriptor checks
+console.log("\nTesting Wasm-side descriptor checks...");
+console.log("checkDesc(b):", instance.exports.checkDesc(b)); // 1
+console.log("checkDesc(d):", instance.exports.checkDesc(d)); // 2
+console.log("isDerived(b):", instance.exports.isDerived(b)); // 0
+console.log("isDerived(d):", instance.exports.isDerived(d)); // 1
+
+// Test cross-checks
+console.log("\nTesting cross-checks...");
+console.log("get_base_val(d):", instance.exports.get_base_val(d)); // 150