Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[fuzzing] execute every exported function #3959

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

lum1n0us
Copy link
Collaborator

@lum1n0us lum1n0us commented Dec 15, 2024

after #3984

@lum1n0us lum1n0us force-pushed the fix/fuzzing_execution branch 3 times, most recently from 4042677 to c4e6caa Compare December 24, 2024 08:14
@lum1n0us lum1n0us force-pushed the fix/fuzzing_execution branch from c4e6caa to 59b1581 Compare January 5, 2025 08:31
@lum1n0us lum1n0us marked this pull request as ready for review January 5, 2025 08:33
@yamt
Copy link
Collaborator

yamt commented Jan 6, 2025

for a similar fuzzier (https://github.com/yamt/toywasm/tree/master/examples/fuzz)
i ended up with having a small limit for the number of functions to execute
because a module can have a ton of exported functions.
i'm not sure if the same concern applies to this fuzzier. just FYI.

@lum1n0us
Copy link
Collaborator Author

lum1n0us commented Jan 6, 2025

i ended up with having a small limit for the number of functions to execute because a module can have a ton of exported functions.

May I ask the negative consequences of executing too many functions?

@yamt
Copy link
Collaborator

yamt commented Jan 6, 2025

i ended up with having a small limit for the number of functions to execute because a module can have a ton of exported functions.

May I ask the negative consequences of executing too many functions?

it takes very long. practically ~forever.

@lum1n0us
Copy link
Collaborator Author

lum1n0us commented Jan 7, 2025

Just FYI:

If the issue is due to an infinite loop, the --fuel option can be utilized to prevent the endless execution scenario.

@yamt
Copy link
Collaborator

yamt commented Jan 7, 2025

Just FYI:

If the issue is due to an infinite loop, the --fuel option can be utilized to prevent the endless execution scenario.

does the fuel thing "accumulate" among function calls?
otherwise it isn't a solution.

@lum1n0us
Copy link
Collaborator Author

lum1n0us commented Jan 7, 2025

-f, --fuel This is roughly the number of loop iterations and function calls that will be executed before a trap is raised to prevent infinite loops.

IIUC, yes.

pre_defined_val(wasm_valkind_t kind)
{
if (kind == WASM_I32) {
return wasm_val_t{ .kind = WASM_I32, .of = { .i32 = 2025 } };
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be better to generate random value to cover more value range?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😄 It makes it easier to replicate the issue that led to the failure. In a fuzzing issue report, you typically only get the error information generated by XSAN, with no accompanying logs. Using random values as function parameters can make it challenging to identify the exact combination that triggered the problem.

🤔 Additionally, I'm looking for a way to run opcodes with random operands. It appears to be a variant of the LLVMFuzzerTestOneInput() function. Perhaps I should create a new test LLVMFuzzerTestOneInput() to execute each opcode individually, allowing the fuzzer to supply random operands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants