From 10e495dda2ee7df67d34772884095dc6b7a4f7cd Mon Sep 17 00:00:00 2001 From: Addison Crump Date: Wed, 2 Nov 2022 22:04:10 +0100 Subject: [PATCH] explain the VM fuzzer --- boa_engine/fuzz/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/boa_engine/fuzz/README.md b/boa_engine/fuzz/README.md index cebfe299e27..0c197f9307c 100644 --- a/boa_engine/fuzz/README.md +++ b/boa_engine/fuzz/README.md @@ -24,3 +24,16 @@ following: information, as the inputs parsed between the two should be the same. In this way, this fuzzer can identify correctness issues present in the parser. + +## VM Fuzzer + +The VM fuzzer, located in [vm-implied.rs](fuzz_targets/vm-implied.rs), identifies crash cases in the VM. It does so by +generating an arbitrary AST, converting it to source code (to remove invalid inputs), then executing that source code. +Because we are not comparing against any invariants other than "does it crash", this fuzzer will only discover faults +which cause the VM to terminate unexpectedly, e.g. as a result of a panic. It will not discover logic errors present in +the VM. + +To ensure that the VM does not attempt to execute an infinite loop, Boa is restricted to a finite number of instructions +before the VM is terminated. If a program takes more than a second or so to execute, it likely indicates an issue in the +VM (as we expect the fuzzer to execute only a certain amount of instructions, which should take significantly less +time).
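Review bot: the second new paragraph says Boa "is restricted to a finite number of instructions" and that a run of "more than a second or so" likely indicates a VM issue, but neither the instruction limit nor where it is configured is stated, so a reader of the README cannot reproduce or tune the bound; consider naming the limit and pointing at the place in [vm-implied.rs](fuzz_targets/vm-implied.rs) where it is set, and replacing "a second or so" with whatever timeout the harness actually uses. Two smaller points in the same hunk: the parenthetical "(to remove invalid inputs)" in the first paragraph does not explain why round-tripping through source code discards invalid ASTs, so a half-sentence on that would help, and "a certain amount of instructions" should read "a certain number of instructions".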