38428e1fbb
This commit uses the new `MaybeInvalidModule` type in `wasm-smith` to try to explore more points in the fuzz target space in the `instantiate-maybe-invalid` fuzz target. The goal here is to use the raw fuzz input as the body of a function to stress the validator/decoder a bit more, and try to get inputs we might not otherwise generate.
cargo fuzz Targets for Wasmtime
This crate defines various libFuzzer
fuzzing targets for Wasmtime, which can be run via cargo fuzz.
These fuzz targets just glue together pre-defined test case generators with
oracles and pass libFuzzer-provided inputs to them. The test case generators and
oracles themselves are independent from the fuzzing engine that is driving the
fuzzing process and are defined in wasmtime/crates/fuzzing.
Example
To start fuzzing run the following command, where $MY_FUZZ_TARGET is one of
the available fuzz targets:
cargo fuzz run $MY_FUZZ_TARGET
Available Fuzz Targets
At the time of writing, we have the following fuzz targets:
compile: Attempt to compile libFuzzer's raw input bytes with Wasmtime.instantiate: Attempt to compile and instantiate libFuzzer's raw input bytes with Wasmtime.instantiate_translated: Pass libFuzzer's input bytes towasm-opt -ttfto generate a random, valid Wasm module, and then attempt to instantiate it.
The canonical list of fuzz targets is the .rs files in the fuzz_targets
directory:
ls wasmtime/fuzz/fuzz_targets/
Corpora
While you can start from scratch, libFuzzer will work better if it is given a corpus of seed inputs to kick start the fuzzing process. We maintain a corpus for each of these fuzz targets in a dedicated repo on github.
You can use our corpora by cloning it and placing it at wasmtime/fuzz/corpus:
git clone \
https://github.com/bytecodealliance/wasmtime-libfuzzer-corpus.git \
wasmtime/fuzz/corpus