T0b1/wasmtime
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
dba74024aa412f284871375db292c1bf9079d769
wasmtime/fuzz
History
Alex Crichton ff1af20479 Add a fuzz mode to stress unaligned wasm addresses (#3516) 
Alignment on all memory instructions in wasm is currently best-effort
and not actually required, meaning that whatever wasm actually uses as
an address should work regardless of whether the address is aligned or
not. This is theoretically tested in the fuzzers via
wasm-smith-generated code, but wasm-smith doesn't today have too too
high of a chance of generating an actual successful load/store.

This commit adds a new configuration option to the `Config` generator
for fuzzing which forces usage of a custom linear memory implementation
which is backed by Rust's `Vec<u8>` and forces the base address of
linear memory to be off-by-one relative to the base address of the
`Vec<u8>` itself. This should theoretically force host addresses to
almost always be unaligned, even if wasm addresses are otherwise
aligned.

The main interesting fuzz coverage here is likely to be in the existing
`differential` target which compares running the same module in wasmtime
with two different `Config` values to ensure the same results are
produced. This probably won't increase coverage all that much in the
near future due to wasm-smith rarely generating successful loads/stores,
but in the meantime by hooking this up into `Config` it also means that
we'll be running in comparison against v8 and also ensuring that all
spec tests succeed if misalignment is forced at the hardware level.

As a side effect this commit also cleans up the fuzzers slightly:

* The `DifferentialConfig` struct is removed and folded into `Config`
* The `init_hang_limit` processing is removed since we don't use
  `-ttf`-generated modules from binaryen any more.
* Traps are now asserted to have the same trap code, otherwise
  differential fuzzing fails.
* Some more debug logging was added to the differential fuzzer
2021-11-15 08:24:23 -06:00
..
fuzz_targets
Add a fuzz mode to stress unaligned wasm addresses (#3516)
2021-11-15 08:24:23 -06:00
.gitignore
fuzzing: remove the in-repo corpus
2019-11-26 15:49:07 -08:00
Cargo.toml
Remove spec interpreter fuzz target temporarily (#3399)
2021-09-30 13:09:19 -05:00
README.md
Add a README explaining our libFuzzer and cargo fuzz setup
2019-12-03 13:26:47 -08:00

README.md

cargo fuzz Targets for Wasmtime

This crate defines various libFuzzer fuzzing targets for Wasmtime, which can be run via cargo fuzz.

These fuzz targets just glue together pre-defined test case generators with oracles and pass libFuzzer-provided inputs to them. The test case generators and oracles themselves are independent from the fuzzing engine that is driving the fuzzing process and are defined in wasmtime/crates/fuzzing.

Example

To start fuzzing run the following command, where $MY_FUZZ_TARGET is one of the available fuzz targets:

cargo fuzz run $MY_FUZZ_TARGET

Available Fuzz Targets

At the time of writing, we have the following fuzz targets:

  • compile: Attempt to compile libFuzzer's raw input bytes with Wasmtime.
  • instantiate: Attempt to compile and instantiate libFuzzer's raw input bytes with Wasmtime.
  • instantiate_translated: Pass libFuzzer's input bytes to wasm-opt -ttf to generate a random, valid Wasm module, and then attempt to instantiate it.

The canonical list of fuzz targets is the .rs files in the fuzz_targets directory:

ls wasmtime/fuzz/fuzz_targets/

Corpora

While you can start from scratch, libFuzzer will work better if it is given a corpus of seed inputs to kick start the fuzzing process. We maintain a corpus for each of these fuzz targets in a dedicated repo on github.

You can use our corpora by cloning it and placing it at wasmtime/fuzz/corpus:

git clone \
    https://github.com/bytecodealliance/wasmtime-libfuzzer-corpus.git \
    wasmtime/fuzz/corpus