Update the readme to account for changes due to wasm-smith.
nlewycky committed Mar 15, 2021
1 parent 400d99f commit 3474959
Showing 1 changed file with 13 additions and 4 deletions.
17 changes: 13 additions & 4 deletions fuzz/README.md
Expand Up @@ -36,11 +36,11 @@ You should see output that looks something like this:
#1409042 NEW cov: 115073 ft: 503951 corp: 4667/1814Kb lim: 4096 exec/s: 884 rss: 857Mb L: 174/4096 MS: 2 ChangeByte-ChangeASCIIInt-
```

It will continue to generate random inputs forever, until it finds a bug or is terminated. The testcases for bugs it finds go into `fuzz/artifacts/jit_cranelift` and you can rerun the fuzzer on a single input by passing it on the command line `cargo fuzz run jit_cranelift my_testcase.wasm`.
It will continue to generate random inputs forever, until it finds a bug or is terminated. The testcases for bugs it finds go into `fuzz/artifacts/jit_cranelift` and you can rerun the fuzzer on a single input by passing it on the command line `cargo fuzz run jit_cranelift /path/to/testcase`.

## Seeding the corpus, optional
## The corpus

The fuzzer works best when it has examples of small Wasm files to start with. Using `wast2json` from [wabt](https://github.com/WebAssembly/wabt), we can easily produce `.wasm` files out of the WebAssembly spec tests.
Each fuzzer has an individual corpus under fuzz/corpus/test_name, created on first run if not already present. The validate fuzzer works directly with `.wasm` files as bytes and works best if seeded with examples of small Wasm file. Using `wast2json` from [wabt](https://github.com/WebAssembly/wabt), we can easily produce `.wasm` files out of the WebAssembly spec tests.

```sh
mkdir spec-test-corpus
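Review bot: the new corpus paragraph has a grammar slip and an unformatted path. `examples of small Wasm file` should read `examples of small Wasm files`, and `fuzz/corpus/test_name` should be in backticks like every other path in this file, preferably spelled to match the target names the README actually uses, e.g. `fuzz/corpus/<fuzz_target>` (the seeding block that follows writes to `fuzz/corpus/validate/`). Changing `my_testcase.wasm` to `/path/to/testcase` in the rerun command is the right call, since for the wasm-smith targets the testcase is not a `.wasm` file; a half sentence saying so here would help a reader who stops before the corpus section.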
Expand All @@ -49,4 +49,13 @@ mv spec-test-corpus/*.wasm fuzz/corpus/validate/
rm -r spec-test-corpus
```

The corpus directory is created on the first run of the fuzzer. If it doesn't exist, run it first and then seed the corpus. The fuzzer will pick up new files added to the corpus while it is running.
The others fuzzers use `wasm-smith` which means that the testcase files are the input to the wasm generator, not the valid `.wasm` bytes themselves. In order to debug a testcase, you may find that you need to convert it into a `.wasm` file. Using the standalone `wasm-smith` tool doesn't work for this purpose because we use a custom configuration to our `wasm_smith::Module`. Instead, add some code to the fuzzer target:

```rust
use std::fs::File;
use std::io::Write;
let mut file = File::create("/tmp/crash.wasm").unwrap();
file.write_all(&wasm_bytes).unwrap();
```

and run it over just the one testcase.
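Review bot: the second half of the removed sentence has no replacement. The "created on the first run" part moved into the new corpus paragraph, but `The fuzzer will pick up new files added to the corpus while it is running` is dropped entirely; if it still holds, keep it, because it tells the reader they can seed the corpus without restarting the fuzzer. In the new paragraph, `The others fuzzers` should be `The other fuzzers`, and `a custom configuration to our` reads better as `a custom configuration for our`. The Rust snippet references a `wasm_bytes` binding that is never introduced; say where the snippet goes (after the `wasm_smith::Module` has been generated, with `wasm_bytes` being its serialized bytes) so someone pasting it into a fuzz target knows what to bind. Also, `File::create("/tmp/crash.wasm")` inside the fuzz target overwrites the same file on every iteration, which is only acceptable because the text says to run it over a single testcase; a short reminder next to the snippet would make that dependency explicit rather than implied by the following sentence.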
