Skip to content

Commit

Permalink
Merge pull request #176 from wasmerio/fuzz
Browse files Browse the repository at this point in the history
Initial commit of fuzzers using `cargo fuzz`.
  • Loading branch information
nlewycky authored Jul 17, 2020
2 parents 4322c8d + c517c80 commit 54c5290
Show file tree
Hide file tree
Showing 9 changed files with 229 additions and 0 deletions.
4 changes: 4 additions & 0 deletions fuzz/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@

target
corpus
artifacts
49 changes: 49 additions & 0 deletions fuzz/Cargo.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@

[package]
name = "wasmer-bin-fuzz"
version = "0.0.0"
authors = ["Automatically generated"]
publish = false
edition = "2018"

[package.metadata]
cargo-fuzz = true

[dependencies.wasmer]
path = "../lib/api"
[dependencies.wasmer-compiler-cranelift]
path = "../lib/compiler-cranelift"
[dependencies.wasmer-compiler-llvm]
path = "../lib/compiler-llvm"
[dependencies.wasmer-compiler-singlepass]
path = "../lib/compiler-singlepass"
[dependencies.wasmer-engine-jit]
path = "../lib/engine-jit"
[dependencies.wasmer-engine-native]
path = "../lib/engine-native"
[dependencies.libfuzzer-sys]
git = "https://github.com/rust-fuzz/libfuzzer-sys.git"

# Prevent this from interfering with workspaces
[workspace]
members = ["."]

[[bin]]
name = "validate"
path = "fuzz_targets/validate.rs"

[[bin]]
name = "jit_cranelift"
path = "fuzz_targets/jit_cranelift.rs"

[[bin]]
name = "jit_llvm"
path = "fuzz_targets/jit_llvm.rs"

[[bin]]
name = "jit_singlepass"
path = "fuzz_targets/jit_singlepass.rs"

[[bin]]
name = "native_cranelift"
path = "fuzz_targets/native_cranelift.rs"
52 changes: 52 additions & 0 deletions fuzz/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
This directory contains the fuzz tests for wasmer. To fuzz, we use the `cargo-fuzz` package.

## Installation

You may need to install the `cargo-fuzz` package to get the `cargo fuzz` subcommand. Use

```sh
$ cargo install cargo-fuzz
```

`cargo-fuzz` is documented in the [Rust Fuzz Book](https://rust-fuzz.github.io/book/cargo-fuzz.html).

## Running a fuzzer (validate, jit_llvm, native_cranelift, ...)

Once `cargo-fuzz` is installed, you can run the `validate` fuzzer with
```sh
cargo fuzz run validate
```
or the `jit_cranelift` fuzzer
```sh
cargo fuzz run jit_cranelift
```
See the [fuzz/fuzz_targets](https://github.com/wasmerio/wasmer-reborn/tree/fuzz/fuzz_targets/) directory for the full list of targets.

You should see output that looks something like this:

```
#1408022 NEW cov: 115073 ft: 503843 corp: 4659/1807Kb lim: 4096 exec/s: 889 rss: 857Mb L: 2588/4096 MS: 1 ChangeASCIIInt-
#1408273 NEW cov: 115073 ft: 503844 corp: 4660/1808Kb lim: 4096 exec/s: 888 rss: 857Mb L: 1197/4096 MS: 1 ShuffleBytes-
#1408534 NEW cov: 115073 ft: 503866 corp: 4661/1809Kb lim: 4096 exec/s: 886 rss: 857Mb L: 977/4096 MS: 1 ShuffleBytes-
#1408540 NEW cov: 115073 ft: 503869 corp: 4662/1811Kb lim: 4096 exec/s: 886 rss: 857Mb L: 2067/4096 MS: 1 ChangeBit-
#1408831 NEW cov: 115073 ft: 503945 corp: 4663/1811Kb lim: 4096 exec/s: 885 rss: 857Mb L: 460/4096 MS: 1 CMP- DE: "\x16\x00\x00\x00\x00\x00\x00\x00"-
#1408977 NEW cov: 115073 ft: 503946 corp: 4664/1813Kb lim: 4096 exec/s: 885 rss: 857Mb L: 1972/4096 MS: 1 ShuffleBytes-
#1408999 NEW cov: 115073 ft: 503949 corp: 4665/1814Kb lim: 4096 exec/s: 884 rss: 857Mb L: 964/4096 MS: 2 ChangeBit-ShuffleBytes-
#1409040 NEW cov: 115073 ft: 503950 corp: 4666/1814Kb lim: 4096 exec/s: 884 rss: 857Mb L: 90/4096 MS: 1 ChangeBit-
#1409042 NEW cov: 115073 ft: 503951 corp: 4667/1814Kb lim: 4096 exec/s: 884 rss: 857Mb L: 174/4096 MS: 2 ChangeByte-ChangeASCIIInt-
```

It will continue to generate random inputs forever, until it finds a bug or is terminated. The testcases for bugs it finds go into `fuzz/artifacts/jit_cranelift` and you can rerun the fuzzer on a single input by passing it on the command line `cargo fuzz run jit_cranelift my_testcase.wasm`.

## Seeding the corpus, optional

The fuzzer works best when it has examples of small Wasm files to start with. Using `wast2json` from [wabt](https://github.com/WebAssembly/wabt), we can easily produce `.wasm` files out of the WebAssembly spec tests.

```sh
mkdir spec-test-corpus
for i in `find tests/ -name "*.wast"`; do wast2json --enable-all $i -o spec-test-corpus/$(basename $i).json; done
mv spec-test-corpus/*.wasm fuzz/corpus/validate/
rm -r spec-test-corpus
```

The corpus directory is created on the first run of the fuzzer. If it doesn't exist, run it first and then seed the corpus. The fuzzer will pick up new files added to the corpus while it is running.
25 changes: 25 additions & 0 deletions fuzz/fuzz_targets/headless_cranelift.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
#![no_main]
#[macro_use]
extern crate libfuzzer_sys;

use wasmer::{imports, Instance, Module, Store};
use wasmer_compiler_cranelift::Cranelift;
use wasmer_engine_native::Native;

fuzz_target!(|wasm_bytes: &[u8]| {
let serialized = {
let mut compiler = Cranelift::default();
let store = Store::new(&Native::new(&mut compiler).engine());
match Module::validate(&store, wasm_bytes) {
Err(_) => return,
Ok(_) => {}
};
let module = Module::new(&store, wasm_bytes).unwrap();
module.serialize().unwrap();
};

let engine = Native::headless().engine();
let store = Store::new(&engine);
let module = unsafe { Module::deserialize(&store, serialized) };
let _instance = Instance::new(&module, &imports! {});
});
21 changes: 21 additions & 0 deletions fuzz/fuzz_targets/jit_cranelift.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#![no_main]
#[macro_use]
extern crate libfuzzer_sys;

use wasmer::{imports, CompilerConfig, Instance, Module, Store};
use wasmer_compiler_cranelift::Cranelift;
use wasmer_engine_jit::JIT;

fuzz_target!(|wasm_bytes: &[u8]| {
let mut compiler = Cranelift::default();
compiler.canonicalize_nans(true);
compiler.enable_verifier();
let store = Store::new(&JIT::new(&compiler).engine());
match Module::validate(&store, wasm_bytes) {
Ok(_) => {
let module = Module::new(&store, wasm_bytes).unwrap();
let _instance = Instance::new(&module, &imports! {});
}
Err(_) => {}
};
});
21 changes: 21 additions & 0 deletions fuzz/fuzz_targets/jit_llvm.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#![no_main]
#[macro_use]
extern crate libfuzzer_sys;

use wasmer::{imports, CompilerConfig, Instance, Module, Store};
use wasmer_compiler_llvm::LLVM;
use wasmer_engine_jit::JIT;

fuzz_target!(|wasm_bytes: &[u8]| {
let mut compiler = LLVM::default();
compiler.canonicalize_nans(true);
compiler.enable_verifier();
let store = Store::new(&JIT::new(&compiler).engine());
match Module::validate(&store, wasm_bytes) {
Ok(_) => {
let module = Module::new(&store, wasm_bytes).unwrap();
let _instance = Instance::new(&module, &imports! {});
}
Err(_) => {}
};
});
19 changes: 19 additions & 0 deletions fuzz/fuzz_targets/jit_singlepass.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
#![no_main]
#[macro_use]
extern crate libfuzzer_sys;

use wasmer::{imports, Instance, Module, Store};
use wasmer_compiler_singlepass::Singlepass;
use wasmer_engine_jit::JIT;

fuzz_target!(|wasm_bytes: &[u8]| {
let compiler = Singlepass::default();
let store = Store::new(&JIT::new(&compiler).engine());
match Module::validate(&store, wasm_bytes) {
Ok(_) => {
let module = Module::new(&store, wasm_bytes).unwrap();
let _instance = Instance::new(&module, &imports! {});
}
Err(_) => {}
};
});
25 changes: 25 additions & 0 deletions fuzz/fuzz_targets/native_cranelift.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
#![no_main]
#[macro_use]
extern crate libfuzzer_sys;

use wasmer::{imports, Instance, Module, Store};
use wasmer_compiler_cranelift::Cranelift;
use wasmer_engine_native::Native;

fuzz_target!(|wasm_bytes: &[u8]| {
let serialized = {
let mut compiler = Cranelift::default();
let store = Store::new(&Native::new(&mut compiler).engine());
match Module::validate(&store, wasm_bytes) {
Err(_) => return,
Ok(_) => {}
};
let module = Module::new(&store, wasm_bytes).unwrap();
module.serialize().unwrap()
};

let engine = Native::headless().engine();
let store = Store::new(&engine);
let module = unsafe { Module::deserialize(&store, serialized.as_slice()) }.unwrap();
let _instance = Instance::new(&module, &imports! {});
});
13 changes: 13 additions & 0 deletions fuzz/fuzz_targets/validate.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
#![no_main]
#[macro_use]
extern crate libfuzzer_sys;

use wasmer::{imports, Instance, Module, Store};
use wasmer_compiler_cranelift::Cranelift;
use wasmer_engine_jit::JIT;

fuzz_target!(|wasm_bytes: &[u8]| {
let compiler = Cranelift::default();
let store = Store::new(&JIT::new(&compiler).engine());
Module::validate(&store, wasm_bytes);
});

0 comments on commit 54c5290

Please sign in to comment.