wasm-smith

wasm-smith

A WebAssembly test case generator.

• Features
• Usage
  • With cargo fuzz and libfuzzer-sys
  • As a Command Line Tool

Features

• Always valid: All generated Wasm modules pass validation. wasm-smith gets past your wasm parser and validator, exercising the guts of your Wasm compiler, runtime, or tool.

• Supports the full WebAssembly language: Doesn't have blind spots or unimplemented instructions.

• Implements the Arbitrary trait: Easy to use with cargo fuzz and libfuzzer-sys!

• Deterministic: Given the same input seed, always generates the same output Wasm module, so you can always reproduce test failures.

• Plays nice with mutation-based fuzzers: Small changes to the input tend to produce small changes to the output Wasm module. Larger inputs tend to generate larger Wasm modules.

Usage

With cargo fuzz and libfuzzer-sys

First, use cargo fuzz to define a new fuzz target:

$ cargo fuzz add my_wasm_smith_fuzz_target

Next, add wasm-smith to your dependencies:

$ cargo add wasm-smith

Then, define your fuzz target so that it takes arbitrary wasm_smith::Modules as an argument, convert the module into serialized Wasm bytes via the to_bytes method, and then feed it into your system:

// fuzz/fuzz_targets/my_wasm_smith_fuzz_target.rs

#![no_main]

use libfuzzer_sys::fuzz_target;
use wasm_smith::Module;

fuzz_target!(|module: Module| {
    let wasm_bytes = module.to_bytes();

    // Your code here...
});

Finally, start fuzzing:

$ cargo fuzz run my_wasm_smith_fuzz_target

Note: Also check out the validate fuzz target defined in this repository. Using the wasmparser crate, it checks that every module generated by wasm-smith validates successfully.

As a Command Line Tool

Install the CLI tool via cargo:

$ cargo install wasm-tools

Convert some arbitrary input into a valid Wasm module:

$ head -c 100 /dev/urandom | wasm-tools smith -o test.wasm

Finally, run your tool on the generated Wasm module:

$ my-wasm-tool test.wasm