T0b1/wasmtime
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fuzzing: Combine the compile and compile-mutate fuzz targets (#4048)

Browse Source 
We should still get the same amount of fuzzing using libfuzzer's mutators and
using `wasm-mutate` as a mutator now, but they can share the same corpus,
allowing mutations that one performed but the other didn't to reach new areas.
This commit is contained in:
Nick Fitzgerald
2022-04-18 18:27:13 -07:00
committed by GitHub
parent 65b694f6c2
commit 988d6ef9ac
3 changed files with 20 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
fuzz/Cargo.toml
View File

@@ -30,12 +30,6 @@ path = "fuzz_targets/compile.rs"
test = false test = false
doc = false doc = false
[[bin]]
name = "compile-mutate"
path = "fuzz_targets/compile-mutate.rs"
test = false
doc = false
[[bin]] [[bin]]
name = "instantiate" name = "instantiate"
path = "fuzz_targets/instantiate.rs" path = "fuzz_targets/instantiate.rs"

20
fuzz/fuzz_targets/compile-mutate.rs
View File

@@ -1,20 +0,0 @@
#![no_main]
use libfuzzer_sys::{fuzz_mutator, fuzz_target};
use wasmtime::{Engine, Module};
fuzz_target!(|data: &[u8]| {
let engine = Engine::default();
wasmtime_fuzzing::oracles::log_wasm(data);
drop(Module::new(&engine, data));
});
fuzz_mutator!(|data: &mut [u8], size: usize, max_size: usize, seed: u32| {
wasmtime_fuzzing::mutators::wasm_mutate(
data,
size,
max_size,
seed,
libfuzzer_sys::fuzzer_mutate,
)
});

21
fuzz/fuzz_targets/compile.rs
View File

@@ -1,6 +1,9 @@
//! Compile arbitrary bytes from the fuzzer as if they were Wasm. Also use
//! `wasm-mutate` to mutate the fuzz inputs.
#![no_main] #![no_main]
use libfuzzer_sys::fuzz_target; use libfuzzer_sys::{fuzz_mutator, fuzz_target};
use wasmtime::{Config, Engine, Module}; use wasmtime::{Config, Engine, Module};
fn create_engine() -> Engine { fn create_engine() -> Engine {
@@ -19,3 +22,19 @@ fuzz_target!(|data: &[u8]| {
wasmtime_fuzzing::oracles::log_wasm(data); wasmtime_fuzzing::oracles::log_wasm(data);
drop(Module::new(&engine, data)); drop(Module::new(&engine, data));
}); });
fuzz_mutator!(|data: &mut [u8], size: usize, max_size: usize, seed: u32| {
// Half of the time use libfuzzer's built in mutators, and the other half of
// the time use `wasm-mutate`.
if seed.count_ones() % 2 == 0 {
libfuzzer_sys::fuzzer_mutate(data, size, max_size)
} else {
wasmtime_fuzzing::mutators::wasm_mutate(
data,
size,
max_size,
seed,
libfuzzer_sys::fuzzer_mutate,
)
}
});