PreserveImportsExportsJS Fuzzer: Fix reduction#8621
PreserveImportsExportsJS Fuzzer: Fix reduction#8621kripken wants to merge 7 commits intoWebAssembly:mainfrom
Conversation
aheejin
left a comment
aheejin
left a comment
There was a problem hiding this comment.
Haven't read this all yet (I've got to go now) but a typo.
(In case another person LGTMs it don't wait for me)
| # | ||
| # Note that bugs found by this fuzzer require BINARYEN_TRUST_GIVEN_WASM=1 in the | ||
| # env for reduction. TODO: simplify this | ||
| # Note that bugs found by this fuzzer require BINARYEN_PIEJS_WASM=1 in the |
There was a problem hiding this comment.
BINARYEN_PIEJS_WASM is a file name and not 0/1, based on the code below
BINARYEN_PIEJS_WASM={temp_wasm} ./scripts/fuzz_opt.py {auto_init} --binaryen-bin {binaryen_bin} 
|
As an alternative approach, how about we give the fuzzer options to say what fuzz handler to run? Then the reducer script can specify exactly the failing handler. This would be useful for manual investigations as well. A tricky bit is that random choices in one handler should never be affected by previous handlers so that reducing the number of handlers executed does not change their behavior. This could be done by snapshotting the random state before executing each handler and restoring it afterward. |
|
@tlively Hmm, I think that not running multiple fuzzers on the same testcase would be simpler than that, and would also fix this. It would make us slightly less efficient, but probably not in a significant way. Or did you see other benefits to the other ideas? |
I'm not sure what "see below" is referring to here. Not running multiple fuzzers on the same test case sounds good, too. It will make manual reproduction of problems slightly easier as well because there will less irrelevant logging for the bad seed. If we're not concerned about that change reducing our coverage throughput, it sgtm. |
aheejin
left a comment
aheejin
left a comment
There was a problem hiding this comment.
+1 on not running multiple fuzzers if possible. It took me a while to wrap my head around this...
| (using -ttf / --translate-to-fuzz) in text form and run the reduction from that, | ||
| passing --text to the reducer. Another possible fix is to avoid re-processing | ||
| the wasm for fuzzing in each iteration, by adding | ||
| BINARYEN_TRUST_GIVEN_WASM=1 in the env.) |
There was a problem hiding this comment.
Yes, this is still a useful flag sometimes. Less processing on each reduction iterations sometimes helps (though I don't remember a concrete example).
| # should remove the branch hint. | ||
| # | ||
| # Note that bugs found by this fuzzer tend to require the following during | ||
| # reducing: BINARYEN_TRUST_GIVEN_WASM=1 in the env, and --text as a parameter. |
Sorry, it was just referring to the explanation after that, which said that our running multiple handlers on one testcase is the root issue. One handler runs, and another, and we want to give the other a file that the first can't handle. Ok, then I'll look into the simplification of running a single handler at once, closing this for now. |
3 participants
This fuzzer generates its own files, so reducing it needs some hacks,
unfortunately. Another option might be to separate this fuzzer out
entirely to its own file, or to at least not run multiple fuzzers on the
same testcase (see below), but I'm not sure those are better options.
When the main fuzzer runs multiple internal testcase handlers on a
single wasm file, we must make sure while reducing that only
PreserveImportsExportsJS receives its wasm. That wasm only works
with its JS, so other fuzzers will fail on it. To do so, use an env var
BINARYEN_PIEJS_WASMwhich tells the fuzzer we are reducingin such a situation. The fuzzer reduction script then passes in the
reduced file that way, rather than the usual way, so other fuzzers
do not notice it.
Also rename
orig.wasmtoinitial.wasmas this was confusinggiven that reduction always starts from
original.wasm.