From 34749590549d0a6ed3aacbc4eee4215d8c4373b1 Mon Sep 17 00:00:00 2001 From: Nick Lewycky Date: Mon, 15 Mar 2021 13:36:00 -0700 Subject: [PATCH] Update the readme to account for changes due to wasm-smith. --- fuzz/README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/fuzz/README.md b/fuzz/README.md index 63473a500fe..60c927da7df 100644 --- a/fuzz/README.md +++ b/fuzz/README.md @@ -36,11 +36,11 @@ You should see output that looks something like this: #1409042 NEW cov: 115073 ft: 503951 corp: 4667/1814Kb lim: 4096 exec/s: 884 rss: 857Mb L: 174/4096 MS: 2 ChangeByte-ChangeASCIIInt- ``` -It will continue to generate random inputs forever, until it finds a bug or is terminated. The testcases for bugs it finds go into `fuzz/artifacts/jit_cranelift` and you can rerun the fuzzer on a single input by passing it on the command line `cargo fuzz run jit_cranelift my_testcase.wasm`. +It will continue to generate random inputs forever, until it finds a bug or is terminated. The testcases for bugs it finds go into `fuzz/artifacts/jit_cranelift` and you can rerun the fuzzer on a single input by passing it on the command line `cargo fuzz run jit_cranelift /path/to/testcase`. -## Seeding the corpus, optional +## The corpus -The fuzzer works best when it has examples of small Wasm files to start with. Using `wast2json` from [wabt](https://github.com/WebAssembly/wabt), we can easily produce `.wasm` files out of the WebAssembly spec tests. +Each fuzzer has an individual corpus under fuzz/corpus/test_name, created on first run if not already present. The validate fuzzer works directly with `.wasm` files as bytes and works best if seeded with examples of small Wasm file. Using `wast2json` from [wabt](https://github.com/WebAssembly/wabt), we can easily produce `.wasm` files out of the WebAssembly spec tests. ```sh mkdir spec-test-corpus 
@@ -49,4 +49,13 @@ mv spec-test-corpus/*.wasm fuzz/corpus/validate/ rm -r spec-test-corpus ``` -The corpus directory is created on the first run of the fuzzer. If it doesn't exist, run it first and then seed the corpus. The fuzzer will pick up new files added to the corpus while it is running. +The others fuzzers use `wasm-smith` which means that the testcase files are the input to the wasm generator, not the valid `.wasm` bytes themselves. In order to debug a testcase, you may find that you need to convert it into a `.wasm` file. Using the standalone `wasm-smith` tool doesn't work for this purpose because we use a custom configuration to our `wasm_smith::Module`. Instead, add some code to the fuzzer target: + +```rust + use std::fs::File; + use std::io::Write; + let mut file = File::create("/tmp/crash.wasm").unwrap(); + file.write_all(&wasm_bytes).unwrap(); +``` + +and run it over just the one testcase.
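Review bot: in the first hunk (the new "## The corpus" paragraph), "examples of small Wasm file" should read "examples of small Wasm files", and `fuzz/corpus/test_name` should be in backticks like the other paths in this file (`fuzz/artifacts/jit_cranelift`), with a note that `test_name` stands for the fuzz target name (`validate`, `jit_cranelift`). The sentence "created on first run if not already present" correctly folds in the old "If it doesn't exist, run it first" advice, so that removal is fine.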
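Review bot: in the second hunk, the removed line also stated that "The fuzzer will pick up new files added to the corpus while it is running", and the replacement paragraph drops that fact; if it still holds for the validate fuzzer, keep that sentence under "## The corpus", since it tells users they can seed without restarting. Wording: "The others fuzzers" should be "The other fuzzers", and "a custom configuration to our `wasm_smith::Module`" reads better as "for our". The Rust snippet uses `wasm_bytes` without saying where in the fuzz target it belongs or that `wasm_bytes` is the local holding the generated module bytes; a one-line pointer such as "insert this right after the module bytes are produced, substituting your variable name" would save readers a search, and the leading spaces inside the fence can be dropped. The closing "and run it over just the one testcase" could repeat the command form documented above, `cargo fuzz run jit_cranelift /path/to/testcase`, so the debugging recipe is complete in one place.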