T0b1/wasmtime
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fuzz: improve fuzz README (#4259)

Browse Source 
* fuzz: document how to reproduce a fuzz bug

* fuzz: document current targets
This commit is contained in:
Andrew Brown
2022-06-10 10:25:32 -07:00
committed by GitHub
parent 0dcda643ea
commit 5f344ae7aa
1 changed files with 44 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
fuzz/README.md
View File

@@ -22,11 +22,33 @@ cargo fuzz run $MY_FUZZ_TARGET
At the time of writing, we have the following fuzz targets: At the time of writing, we have the following fuzz targets:
* `api_calls`: stress the Wasmtime API by executing sequences of API calls; only
the subset of the API is currently supported.
* `compile`: Attempt to compile libFuzzer's raw input bytes with Wasmtime. * `compile`: Attempt to compile libFuzzer's raw input bytes with Wasmtime.
* `instantiate`: Attempt to compile and instantiate libFuzzer's raw input bytes * `compile-maybe-invalid`: Attempt to compile a wasm-smith-generated Wasm module
with Wasmtime. with code sequences that may be invalid.
* `instantiate_translated`: Pass libFuzzer's input bytes to `wasm-opt -ttf` to * `cranelift-fuzzgen`: Generate a Cranelift function and check that it returns
generate a random, valid Wasm module, and then attempt to instantiate it. the same results when compiled to the host and when using the Cranelift
interpreter; only a subset of Cranelift IR is currently supported.
* `cranelift-fuzzgen-verify`: Stress the Cranelift IR verifier by generating a
Cranelift function and checking that it is indeed a valid function.
* `differential`: Generate a Wasm module and check that Wasmtime returns
the same results when run with two different configurations.
* `differential_spec`: Generate a Wasm module and check that Wasmtime returns
the same results as the Wasm spec interpreter (see the `wasm-spec-interpreter`
crate).
* `differential_v8`: Generate a Wasm module and check that Wasmtime returns
the same results as V8.
* `differential_wasmi`: Generate a Wasm module and check that Wasmtime returns
the same results as the `wasmi` interpreter.
* `instantiate`: Generate a Wasm module and Wasmtime configuration and attempt
to compile and instantiate with them.
* `instantiate`: Generate many Wasm modules and attempt to compile and
instantiate them concurrently.
* `spectests`: Pick a random spec test and run it with a generated
configuration.
* `table_ops`: Generate a sequence of `externref` table operations and run them
in a GC environment.
The canonical list of fuzz targets is the `.rs` files in the `fuzz_targets` The canonical list of fuzz targets is the `.rs` files in the `fuzz_targets`
directory: directory:
@@ -50,3 +72,21 @@ git clone \
https://github.com/bytecodealliance/wasmtime-libfuzzer-corpus.git \ https://github.com/bytecodealliance/wasmtime-libfuzzer-corpus.git \
wasmtime/fuzz/corpus wasmtime/fuzz/corpus
``` ```
## Reproducing a Fuzz Bug
When investigating a fuzz bug (especially one found by OSS-Fuzz), use the
following steps to reproduce it locally:
1. Download the test case (either the "Minimized Testcase" or "Unminimized
Testcase" from OSS-Fuzz will do).
2. Run the test case in the correct fuzz target:
```shell
cargo +nightly fuzz run <target> <test case>
```
If all goes well, the bug should reproduce and libFuzzer will dump the
failure stack trace to stdout
3. For more debugging information, run the command above with `RUST_LOG=debug`
to print the configuration and WebAssembly input used by the test case (see
uses of `log_wasm` in the `wasmtime-fuzzing` crate).