You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branch:
release-14.0.0
cfallin/lucet-pr612-base
fitzgen-patch-1
main
pch/bound_tcp_userland_buffer
pch/bump_wasm_tools_210
pch/cli_wasi_legacy
pch/component_call_hooks
pch/resource_table
pch/resource_table_2
pch/upstream_wave
release-0.32.0
release-0.33.0
release-0.34.0
release-0.35.0
release-0.36.0
release-0.37.0
release-0.38.0
release-0.39.0
release-0.40.0
release-1.0.0
release-10.0.0
release-11.0.0
release-12.0.0
release-13.0.0
release-14.0.0
release-15.0.0
release-16.0.0
release-17.0.0
release-18.0.0
release-19.0.0
release-2.0.0
release-20.0.0
release-21.0.0
release-22.0.0
release-23.0.0
release-24.0.0
release-3.0.0
release-4.0.0
release-5.0.0
release-6.0.0
release-7.0.0
release-8.0.0
release-9.0.0
revert-9191-trevor/upgrade-regalloc
revert-union-find
stable-v0.26
trevor/fuzz-pcc
trevor/hyper-rc4
trevor/io-error-interface
0.2.0
0.3.0
cranelift-v0.31.0
cranelift-v0.32.0
cranelift-v0.33.0
cranelift-v0.34.0
cranelift-v0.35.0
cranelift-v0.36.0
cranelift-v0.37.0
cranelift-v0.39.0
cranelift-v0.40.0
cranelift-v0.41.0
cranelift-v0.42.0
cranelift-v0.43.0
cranelift-v0.43.1
cranelift-v0.44.0
cranelift-v0.45.0
cranelift-v0.46.0
cranelift-v0.46.1
cranelift-v0.60.0
cranelift-v0.61.0
cranelift-v0.62.0
cranelift-v0.69.0
dev
filecheck-v0.0.1
minimum-viable-wasi-proxy-serve
v0.10.0
v0.11.0
v0.12.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.2.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.26.1
v0.27.0
v0.28.0
v0.29.0
v0.3.0
v0.30.0
v0.31.0
v0.32.0
v0.32.1
v0.33.0
v0.33.1
v0.34.0
v0.34.1
v0.34.2
v0.35.0
v0.35.1
v0.35.2
v0.35.3
v0.36.0
v0.37.0
v0.38.0
v0.38.1
v0.38.2
v0.38.3
v0.39.0
v0.39.1
v0.4.0
v0.40.0
v0.40.1
v0.6.0
v0.8.0
v0.9.0
v1.0.0
v1.0.1
v1.0.2
v10.0.0
v10.0.1
v10.0.2
v11.0.0
v11.0.1
v11.0.2
v12.0.0
v12.0.1
v12.0.2
v13.0.0
v13.0.1
v14.0.0
v14.0.1
v14.0.2
v14.0.3
v14.0.4
v15.0.0
v15.0.1
v16.0.0
v17.0.0
v17.0.1
v17.0.2
v17.0.3
v18.0.0
v18.0.1
v18.0.2
v18.0.3
v18.0.4
v19.0.0
v19.0.1
v19.0.2
v2.0.0
v2.0.1
v2.0.2
v20.0.0
v20.0.1
v20.0.2
v21.0.0
v21.0.1
v22.0.0
v23.0.0
v23.0.1
v23.0.2
v24.0.0
v3.0.0
v3.0.1
v4.0.0
v4.0.1
v5.0.0
v5.0.1
v6.0.0
v6.0.1
v6.0.2
v7.0.0
v7.0.1
v8.0.0
v8.0.1
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.4
${ noResults }
Alex Crichton
42f8ab1493
* Improve longevity for fuzzing corpus of wasm modules This commit is an improvement to the longevity of Wasmtime's corpus of fuzz inputs to the `instantiate` fuzzer. Currently the input to this fuzzers is arbitrary binary data which is a "DNA" of sorts of what to do. This DNA changes over time as we update the fuzzer and add configuration options, for example. When this happens though the meaning of all existing inputs in the corpus changes because they all have slightly different meanings now. The goal of this commit is to improve the usefulness of a historical corpus, with respect to the WebAssembly modules generated, across changes to the DNA. A custom mutator is now provided for the `instantiate` fuzzer. This mutator will not only perform libfuzzer's default mutation for the input but will additionally place an "envelope" around the fuzz input. Namely, the fuzz input is encoded as a valid WebAssembly module where the actual input to the fuzzer is a trailing custom section. When the fuzzer runs over this input it will read the custom section, perform any configuration generation necessary, and then use the envelope module as the actual input to the fuzzer instead of whatever was generated from the fuzz input. This means that when a future update is made to the DNA of a module the interpretation of the fuzz input section will change but the module in question will not change. This means that any interesting shapes of modules with respect to instructions should be preserved over time in theory. Some consequences of this strategy, however, are: * If the DNA changes then it's difficult to produce minor mutations of the original module. This is because mutations generate a module based on the new DNA which is likely much different than the preexisting module. This mainly just means that libFuzzer will have to rediscover how to mutate up into interesting shapes on DNA changes but it'll still be able to retain all the existing interesting modules. Additionally this can be mitigate with the integration of `wasm-mutate` perhaps into these fuzzers as well. * Protection is necessary against libFuzzer itself with respect to the module. The existing fuzzers only expect valid modules to be created, but libFuzzer can now create mutations which leave the trailing section in place, meaning the module is no longer valid. One option is to record a cryptographic hash in the fuzz input section of the previous module, only using the module if the hashes match. This approach will not work over time in the face of binary format changes, however. For example the multi-memory proposal changed binary encodings a year or so ago meaning that any previous fuzz-generated cases would no longer be guaranteed to be valid. The strategy settled by this PR is to pass a flag to the execution function indicating if the module is "known valid" and gracefully handle error if it isn't (for example if it's a prior test case). I'll note that this new strategy of fuzzing is not applied to the `differential` fuzzer. This could theoretically use the same strategy but it relies much more strictly on being able to produce a module with properties like NaN canonicalization, resource limits, fuel to limit execution, etc. While it may be possible to integrate this with `differential` in the future I figured it'd be better to start with the `instantiate` fuzzer and go from there. * Fix doc build |
2 years ago | |
|---|---|---|
| .. | ||
| fuzz_targets | Upgrade wasm-tools crates, namely the component model (#4715) | 2 years ago |
| .gitignore | Implement variant translation in fused adapters (#4534) | 2 years ago |
| Cargo.toml | Improve longevity for fuzzing corpus of wasm modules (#6322) | 2 years ago |