Some fuzzing improvements#12962
Open
tschneidereit wants to merge 3 commits intobytecodealliance:mainfrom
Open
Conversation
We have poor coverage for this 'misc' sub-target, so let's make it more prominent.
Specifically: - drop the component_async target, now that that is its own thing - as a side-benefit, skip calling oracles::component_async::init() - improve and simplify the sub-target selection logic. Before, the majority of invocations of misc didn't do anything, because the input byte would select a non-existent sub-target. This is visible in the extremely low coverage of the misc.rs file, and consequently equally low utilization of the misc target on OSS-Fuzz
This adds a fairly expansive [dictionary](https://llvm.org/docs/LibFuzzer.html#dictionaries) for use by the `compile` and `instantiate` targets. I had Claude Opus generate the dictionary and checked it reasonably, but not terribly thoroughly. My understanding is that mistakes in it should be harmless, since the fuzzer should learn quickly not to use patterns that lead nowhere.
Subscribe to Label Actioncc @fitzgen DetailsThis issue or pull request has been labeled: "fuzzing"Thus the following users have been cc'd because of the following labels:
To subscribe or unsubscribe from this label, edit the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Together, these lead to a meaningful uptick in coverage from similarly-length local runs.
In particular,
component_asynctarget gave me 60% coverage ofruntime/component/concurrent, where OSS-Fuzz is at around 40%miscimprovements make all of the sub-targets covered, whereas currently on OSS-Fuzz, this target is virtually unused because, IIUC, most of the time it aborts immediately.I honestly don't know how useful the dictionary will be, but we should be able to see by observing behavior of the affected fuzzers.