fuzzing: Combine the compile and compile-mutate fuzz targets (#4048)

We should still get the same amount of fuzzing using libfuzzer's mutators and using `wasm-mutate` as a mutator now, but they can share the same corpus, allowing mutations that one performed but the other didn't to reach new areas.
2022-04-18 18:27:13 -07:00
parent 65b694f6c2
commit 988d6ef9ac
3 changed files with 20 additions and 27 deletions
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -30,12 +30,6 @@ path = "fuzz_targets/compile.rs"
 test = false
 doc = false

-[[bin]]
-name = "compile-mutate"
-path = "fuzz_targets/compile-mutate.rs"
-test = false
-doc = false
-
 [[bin]]
 name = "instantiate"
 path = "fuzz_targets/instantiate.rs"
--- a/fuzz/fuzz_targets/compile-mutate.rs
+++ b/fuzz/fuzz_targets/compile-mutate.rs
@@ -1,20 +0,0 @@
-#![no_main]
-
-use libfuzzer_sys::{fuzz_mutator, fuzz_target};
-use wasmtime::{Engine, Module};
-
-fuzz_target!(|data: &[u8]| {
-    let engine = Engine::default();
-    wasmtime_fuzzing::oracles::log_wasm(data);
-    drop(Module::new(&engine, data));
-});
-
-fuzz_mutator!(|data: &mut [u8], size: usize, max_size: usize, seed: u32| {
-    wasmtime_fuzzing::mutators::wasm_mutate(
-        data,
-        size,
-        max_size,
-        seed,
-        libfuzzer_sys::fuzzer_mutate,
-    )
-});
--- a/fuzz/fuzz_targets/compile.rs
+++ b/fuzz/fuzz_targets/compile.rs
@@ -1,6 +1,9 @@
+//! Compile arbitrary bytes from the fuzzer as if they were Wasm. Also use
+//! `wasm-mutate` to mutate the fuzz inputs.
+
 #![no_main]

-use libfuzzer_sys::fuzz_target;
+use libfuzzer_sys::{fuzz_mutator, fuzz_target};
 use wasmtime::{Config, Engine, Module};

 fn create_engine() -> Engine {
@@ -19,3 +22,19 @@ fuzz_target!(|data: &[u8]| {
    wasmtime_fuzzing::oracles::log_wasm(data);
    drop(Module::new(&engine, data));
 });
+
+fuzz_mutator!(|data: &mut [u8], size: usize, max_size: usize, seed: u32| {
+    // Half of the time use libfuzzer's built in mutators, and the other half of
+    // the time use `wasm-mutate`.
+    if seed.count_ones() % 2 == 0 {
+        libfuzzer_sys::fuzzer_mutate(data, size, max_size)
+    } else {
+        wasmtime_fuzzing::mutators::wasm_mutate(
+            data,
+            size,
+            max_size,
+            seed,
+            libfuzzer_sys::fuzzer_mutate,
+        )
+    }
+});