Stream: git-wasmtime

Topic: wasmtime / PR #6322 Improve longevity for fuzzing corpus ...


Wasmtime GitHub notifications bot (May 02 2023 at 00:44):

alexcrichton opened PR #6322 from alexcrichton:stable-fuzz-corpus to bytecodealliance:main:

This commit is an improvement to the longevity of Wasmtime's corpus of fuzz inputs to the instantiate fuzzer. Currently the input to this fuzzer is arbitrary binary data, which is a "DNA" of sorts of what to do. This DNA changes over time as we update the fuzzer and add configuration options, for example. When this happens, though, the meaning of all existing inputs in the corpus changes, because they all have slightly different meanings now. The goal of this commit is to improve the usefulness of a historical corpus, with respect to the WebAssembly modules generated, across changes to the DNA.

A custom mutator is now provided for the instantiate fuzzer. This mutator will not only perform libfuzzer's default mutation for the input but will additionally place an "envelope" around the fuzz input. Namely, the fuzz input is encoded as a valid WebAssembly module where the actual input to the fuzzer is a trailing custom section. When the fuzzer runs over this input it will read the custom section, perform any configuration generation necessary, and then use the envelope module as the actual input to the fuzzer instead of whatever was generated from the fuzz input. This means that when a future update is made to the DNA of a module, the interpretation of the fuzz input section will change, but the module in question will not change. This means that any interesting shapes of modules with respect to instructions should, in theory, be preserved over time.

Some consequences of this strategy, however, are:

I'll note that this new strategy of fuzzing is not applied to the differential fuzzer. This could theoretically use the same strategy, but it relies much more strictly on being able to produce a module with properties like NaN canonicalization, resource limits, fuel to limit execution, etc. While it may be possible to integrate this with differential in the future, I figured it'd be better to start with the instantiate fuzzer and go from there.

Wasmtime GitHub notifications bot (May 02 2023 at 00:44):

alexcrichton requested elliottt for a review on PR #6322.

Wasmtime GitHub notifications bot (May 02 2023 at 00:44):

alexcrichton requested wasmtime-fuzz-reviewers for a review on PR #6322.

Wasmtime GitHub notifications bot (May 02 2023 at 00:44):

alexcrichton requested wasmtime-compiler-reviewers for a review on PR #6322.

Wasmtime GitHub notifications bot (May 02 2023 at 00:44):

alexcrichton requested pchickey for a review on PR #6322.

Wasmtime GitHub notifications bot (May 02 2023 at 00:44):

alexcrichton requested wasmtime-core-reviewers for a review on PR #6322.

Wasmtime GitHub notifications bot (May 02 2023 at 00:44):

alexcrichton requested wasmtime-default-reviewers for a review on PR #6322.

Wasmtime GitHub notifications bot (May 02 2023 at 15:14):

alexcrichton updated PR #6322.

Wasmtime GitHub notifications bot (May 02 2023 at 15:57):

pchickey submitted PR review.

Wasmtime GitHub notifications bot (May 02 2023 at 20:05):

alexcrichton merged PR #6322.


Last updated: Nov 22 2024 at 16:03 UTC