Stream: git-wasmtime

Topic: wasmtime / issue #3933 Take N mutations from `wasm-mutate...


Wasmtime GitHub notifications bot (Mar 15 2022 at 22:59):

fitzgen opened issue #3933:

This will let us reuse wasm-mutate's e-graph, if it constructed one, which is important since it can be expensive to construct and we want to amortize that.

Will need to use thread locals or something though to stash the iterator between calls to the custom mutator.

Wasmtime GitHub notifications bot (Mar 15 2022 at 22:59):

fitzgen labeled issue #3933:

Wasmtime GitHub notifications bot (Mar 15 2022 at 22:59):

github-actions[bot] commented on issue #3933:

Subscribe to Label Action

cc @fitzgen

This issue or pull request has been labeled: "fuzzing"

Thus the following users have been cc'd because of the following labels:

To subscribe or unsubscribe from this label, edit the `.github/subscribe-to-label.json` configuration file.

Learn more.

Wasmtime GitHub notifications bot (Mar 30 2022 at 18:59):

fitzgen commented on issue #3933:

Hm actually every time that libfuzzer calls our custom mutate hook with a specific input and seed, it expects the hook to return the same mutation. That would kinda break if we are checking "do we have an existing iterator of mutations to draw from in thread local storage?" first rather than computing a fresh mutation from scratch.

Ideally libfuzzer would just let us return multiple mutations directly :-/

Not 100% sure how to resolve this, since we really do want to take advantage of the iterator to amortize the cost of e-graph construction.

Anyone have ideas?

Maybe it is actually just fine if we don't obey the same-input-and-seed-leads-to-same-mutation invariant?
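As an added illustration (not code from wasmtime or wasm-mutate), the toy Rust mutator below models the two strategies under discussion: `fresh_mutate` rebuilds its (simulated) e-graph iterator on every call, while `cached_mutate` stashes the iterator in thread-local storage to amortize construction. The helper `same_input_same_mutation` checks libFuzzer's expectation that one (input, seed) pair always yields the same mutation; all names and the byte-xor "mutation" are invented for this example.

```rust
use std::cell::RefCell;

/// Stand-in for building an expensive e-graph and enumerating its rewrites:
/// an infinite, deterministic stream of candidate mutations of `input`.
fn build_mutations(input: &[u8], seed: u32) -> impl Iterator<Item = Vec<u8>> {
    let input = input.to_vec();
    (0u32..).map(move |i| {
        // Toy mutation: xor every byte with a value derived from seed and index.
        let k = seed.wrapping_mul(31).wrapping_add(i) as u8;
        input.iter().map(|b| b ^ k).collect()
    })
}

/// Strategy 1: compute a fresh mutation from scratch on every hook call.
fn fresh_mutate(input: &[u8], seed: u32) -> Vec<u8> {
    build_mutations(input, seed).next().expect("infinite iterator")
}

thread_local! {
    // (input, seed, iterator) stashed between calls to the custom mutator.
    static STASH: RefCell<Option<(Vec<u8>, u32, Box<dyn Iterator<Item = Vec<u8>>>)>> =
        RefCell::new(None);
}

/// Strategy 2: draw the next mutation from a thread-local iterator when the
/// (input, seed) pair matches the stashed one; rebuild otherwise.
fn cached_mutate(input: &[u8], seed: u32) -> Vec<u8> {
    STASH.with(|stash| {
        let mut slot = stash.borrow_mut();
        let reusable = matches!(&*slot, Some((i, s, _)) if i.as_slice() == input && *s == seed);
        if !reusable {
            let it: Box<dyn Iterator<Item = Vec<u8>>> = Box::new(build_mutations(input, seed));
            *slot = Some((input.to_vec(), seed, it));
        }
        let (_, _, it) = slot.as_mut().expect("stash populated above");
        it.next().expect("infinite iterator")
    })
}

/// libFuzzer's invariant: calling the hook twice with the same input and seed
/// must return the same mutation.
fn same_input_same_mutation(mutate: fn(&[u8], u32) -> Vec<u8>, input: &[u8], seed: u32) -> bool {
    mutate(input, seed) == mutate(input, seed)
}

fn main() {
    println!("fresh obeys invariant:  {}", same_input_same_mutation(fresh_mutate, b"wasm", 7));
    println!("cached obeys invariant: {}", same_input_same_mutation(cached_mutate, b"wasm", 7));
}
```

The cached strategy advances the stashed iterator on each call, so the second call returns the next candidate rather than the first, which is exactly the invariant violation described above.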

Wasmtime GitHub notifications bot (Mar 30 2022 at 19:07):

bjorn3 commented on issue #3933:

Would trying multiple wasm functions derived from the same wasm-mutate e-graph in a single libfuzzer fuzz round work? And then use a new e-graph for the next fuzz round.

Wasmtime GitHub notifications bot (Mar 30 2022 at 19:45):

fitzgen commented on issue #3933:

An e-graph is specific to a single expression, so the same expression would need to occur in multiple functions. And we would need to search and find all instances of that expression. I don't think this will be particularly fruitful.


Last updated: Nov 22 2024 at 16:03 UTC