From 7f303595479cd3c6353f01af123783a472a73acd Mon Sep 17 00:00:00 2001 From: Nick Fitzgerald Date: Tue, 3 Dec 2019 13:26:47 -0800 Subject: [PATCH 1/2] Add a README explaining our libFuzzer and `cargo fuzz` setup --- fuzz/README.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 fuzz/README.md diff --git a/fuzz/README.md b/fuzz/README.md new file mode 100644 index 0000000000..993fac6b59 --- /dev/null +++ b/fuzz/README.md 
@@ -0,0 +1,52 @@ +# `cargo fuzz` Targets for Wasmtime + +This crate defines various [libFuzzer](https://www.llvm.org/docs/LibFuzzer.html) +fuzzing targets for Wasmtime, which can be run via [`cargo +fuzz`](https://rust-fuzz.github.io/book/cargo-fuzz.html). + +These fuzz targets just glue together pre-defined test case generators with +oracles and pass libFuzzer-provided inputs to them. The test case generators and +oracles themselves are independent from the fuzzing engine that is driving the +fuzzing process and are defined in `wasmtime/crates/fuzzing`. + +## Example + +To start fuzzing run the following command, where `$MY_FUZZ_TARGET` is one of +the [available fuzz targets](#available-fuzz-targets): + +```shell +cargo fuzz run $MY_FUZZ_TARGET +``` + +## Available Fuzz Targets + +At the time of writing, we have the following fuzz targets: + +* `compile`: Attempt to compile libFuzzer's raw input bytes with Wasmtime. +* `instantiate`: Attempt to compile and instantiate libFuzzer's raw input bytes + with Wasmtime. +* `instantiate_translated`: Pass libFuzzer's input bytes to `wasm-opt -ttf` to + generate a random, valid Wasm module, and then attempt to instantiate it. + +The canonical list of fuzz targets is the `.rs` files in the `fuzz_targets` +directory: + +```shell +ls wasmtime/fuzz/fuzz_targets/ +``` + +## Corpora + +While you *can* start from scratch, libFuzzer will work better if it is given a +[corpus](https://www.llvm.org/docs/LibFuzzer.html#corpus) of seed inputs to kick +start the fuzzing process. We maintain a corpus for each of these fuzz targets +in [a dedicated repo on +github](https://github.com/bytecodealliance/wasmtime-libfuzzer-corpus). + +You can use our corpora by cloning it and placing it at `wasmtime/fuzz/corpus`: + +```shell +git clone \ + https://github.com/bytecodealliance/wasmtime-libfuzzer-corpus.git \ + wasmtime/fuzz/corpus +``` From 75c8ad66850fade7126ea745056b592c410f60ca Mon Sep 17 00:00:00 2001 
From: Nick Fitzgerald Date: Tue, 3 Dec 2019 13:27:18 -0800 Subject: [PATCH 2/2] CI: Run our fuzz targets on our corpora This doesn't have libFuzzer generate new inputs in CI, only verifies that we can still successfully process our existing seed inputs in each of our targets' corpora. --- .github/workflows/main.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 99378c5d0b..de395a1d0a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -62,6 +62,30 @@ jobs: name: doc-api path: target/doc + # Download our libFuzzer corpus and make sure that we can still handle all the + # inputs. + fuzz_corpora: + name: Fuzz Corpora + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + - uses: actions/checkout@v1 + with: + repository: bytecodealliance/wasmtime-libfuzzer-corpus + path: ./wasmtime/fuzz/corpus + ref: refs/heads/master + - uses: ./.github/actions/install-rust + with: + toolchain: nightly + - run: cargo install cargo-fuzz + - run: cargo fetch + working-directory: ./fuzz + # NB: the `-runs=0` means that libFuzzer won't generate new inputs, only run + # the seeds from the corpus. + - run: cargo fuzz run compile -- -runs=0 + - run: cargo fuzz run instantiate -- -runs=0 + - run: cargo fuzz run instantiate_translated -- -runs=0 + # Perform all tests (debug mode) for `wasmtime`. This runs stable/beta/nightly # channels of Rust as well as macOS/Linux/Windows. test:
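Review bot: In the `fuzz/README.md` hunk of PATCH 1/2, the "Example" section tells the reader to run `cargo fuzz run $MY_FUZZ_TARGET` without stating the two prerequisites that the CI job in PATCH 2/2 has to set up explicitly: a nightly toolchain and `cargo install cargo-fuzz`. A short "Prerequisites" paragraph ahead of the example (`rustup toolchain install nightly` and `cargo install cargo-fuzz`) would save first-time contributors a failed build. Two smaller documentation points in the same hunk: the "Corpora" section should state the layout `cargo fuzz` expects under `fuzz/corpus` (one subdirectory per target, matching the "corpus for each of these fuzz targets" wording), and it is worth mentioning the replay mode CI relies on, `cargo fuzz run $MY_FUZZ_TARGET -- -runs=0`, so that a contributor can verify the seed corpus locally without starting an open-ended fuzzing session.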
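Review bot: In the `.github/workflows/main.yml` hunk, the corpus checkout path does not line up with the rest of the job: `path: ./wasmtime/fuzz/corpus` is relative to the workspace, but the later `cargo fetch` step uses `working-directory: ./fuzz`, which only works if the main checkout sits at the workspace root, so the corpus ends up in `./wasmtime/fuzz/corpus` while `cargo fuzz run` looks for `./fuzz/corpus/<target>`. Because `-runs=0` simply replays whatever seeds it finds, a missing corpus makes all three run steps pass vacuously rather than fail. Suggest `path: ./fuzz/corpus` plus a guard step before the runs, e.g. `- run: test -n "$(ls -A fuzz/corpus/compile)"`, so the job goes red if the corpus is not where the targets expect it. Secondary: the three target names are hard-coded, so a new file under `fuzz_targets/` is silently left out of the replay; looping over that directory (`for t in fuzz/fuzz_targets/*.rs; do cargo fuzz run "$(basename "$t" .rs)" -- -runs=0; done`) keeps CI in step with the README's own "canonical list". `cargo install cargo-fuzz` is also unpinned, so an upstream release can change this job's behaviour without any change in this repository; consider `--version` or a cached install.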