T0b1/wasmtime
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
3ccd10274b698046b7976c55fb4bbe65306b15b9
wasmtime/fuzz
History
Alex Crichton 19d8ff2bf5 Remove reader_parse_test/translate_module fuzz targets (#1212) 
This commit removes the two fuzz targets that we imported from cranelift
when cranelift merged in. These have both uncovered a few issues in the
fuzz targets themselves, for example:

* `translate_module` - this doesn't verify the wasm is valid a head of
  time and cranelift is known to panic on translating invalid wasm
  modules. We also already do a lot of fuzzing of translation of wasm
  modules, so this isn't necessarily buying us anything over what we're
  already fuzzing.

* `reader_parse_test` - discovered in #1205 we already found some "bugs"
  in this but it may not necessarily rise to the level of "needs to be
  run on oss-fuzz for us to find more bugs" yet. It looks like this is
  still somewhat internal so we can re-enable when we've got folks to
  fix the fuzz bugs coming in.

Closes #1205
2020-03-04 13:54:11 -06:00
..
fuzz_targets
Remove reader_parse_test/translate_module fuzz targets (#1212)
2020-03-04 13:54:11 -06:00
.gitignore
fuzzing: remove the in-repo corpus
2019-11-26 15:49:07 -08:00
Cargo.toml
Remove reader_parse_test/translate_module fuzz targets (#1212)
2020-03-04 13:54:11 -06:00
README.md
Add a README explaining our libFuzzer and cargo fuzz setup
2019-12-03 13:26:47 -08:00

README.md

cargo fuzz Targets for Wasmtime

This crate defines various libFuzzer fuzzing targets for Wasmtime, which can be run via cargo fuzz.

These fuzz targets just glue together pre-defined test case generators with oracles and pass libFuzzer-provided inputs to them. The test case generators and oracles themselves are independent from the fuzzing engine that is driving the fuzzing process and are defined in wasmtime/crates/fuzzing.

Example

To start fuzzing run the following command, where $MY_FUZZ_TARGET is one of the available fuzz targets:

cargo fuzz run $MY_FUZZ_TARGET

Available Fuzz Targets

At the time of writing, we have the following fuzz targets:

  • compile: Attempt to compile libFuzzer's raw input bytes with Wasmtime.
  • instantiate: Attempt to compile and instantiate libFuzzer's raw input bytes with Wasmtime.
  • instantiate_translated: Pass libFuzzer's input bytes to wasm-opt -ttf to generate a random, valid Wasm module, and then attempt to instantiate it.

The canonical list of fuzz targets is the .rs files in the fuzz_targets directory:

ls wasmtime/fuzz/fuzz_targets/

Corpora

While you can start from scratch, libFuzzer will work better if it is given a corpus of seed inputs to kick start the fuzzing process. We maintain a corpus for each of these fuzz targets in a dedicated repo on github.

You can use our corpora by cloning it and placing it at wasmtime/fuzz/corpus:

git clone \
    https://github.com/bytecodealliance/wasmtime-libfuzzer-corpus.git \
    wasmtime/fuzz/corpus