fuzzing: Limit the total number of API calls generated #1265

Merged (1 commit), Mar 10, 2020
20 changes: 8 additions & 12 deletions crates/fuzzing/src/generators/api.rs
@@ -59,9 +59,6 @@ struct Scope {
/// The rough predicted maximum RSS of executing all of our generated API
/// calls thus far.
predicted_rss: usize,

/// The number of calls of an exported function from an instance.
num_export_calls: usize,
}

impl Scope {
@@ -93,12 +90,15 @@ impl Arbitrary for ApiCalls {
let mut scope = Scope::default();
let max_rss = 1 << 30; // 1GB

// Calling an exported function of a `wasm-opt -ttf` module tends to
// take about 20ms. Limit their number to 100, or ~2s, so that we don't
// get too close to our 3s timeout.
let max_export_calls = 100;
// Total limit on number of API calls we'll generate. This exists to
// avoid libFuzzer timeouts.
let max_calls = 100;

for _ in 0..input.arbitrary_len::<ApiCall>()? {
Member:

I'm not too familiar with the Arbitrary trait, but is there perhaps a way that we can hook in here? Is there a way to indicate that we want at most a particular number of API calls?

Member Author:

We have int_in_range but this draws from the front of the byte string, rather than the end, like lengths do. The mechanism that lengths use to get an integer in a range from the end of the byte string isn't a public API, unfortunately. (Reason lengths should be drawn from the end of the byte string: https://github.com/rust-fuzz/libfuzzer-sys/blob/0c450753/libfuzzer/utils/FuzzedDataProvider.h#L92-L97)

Overall, I don't think it really matters too much, though.

Member Author:

Filed rust-fuzz/arbitrary#36 for posterity

if calls.len() > max_calls {
break;
}

let mut choices: Vec<fn(_, &mut Scope) -> arbitrary::Result<ApiCall>> = vec![];

if swarm.module_new {
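Review bot: the guard `if calls.len() > max_calls { break; }` is off by one; it only trips once 101 calls have already been pushed, so the loop does not enforce the "100" that the comment above it promises. Use `>=` so the total is capped at exactly `max_calls`. Two smaller points in the same hunk: `max_rss` and `max_calls` are fixed budgets, so `const` reads more honestly than `let`; and the deleted comment ("Calling an exported function ... about 20ms. Limit their number to 100, or ~2s ... 3s timeout") was the only arithmetic justifying the number 100. Carrying that estimate into the new `max_calls` comment would stop someone raising the constant later without re-checking it against the libFuzzer timeout.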
@@ -137,12 +137,8 @@ impl Arbitrary for ApiCalls {
Ok(InstanceDrop { id })
});
}
if swarm.call_exported_func
&& scope.num_export_calls < max_export_calls
&& !scope.instances.is_empty()
{
if swarm.call_exported_func && !scope.instances.is_empty() {
choices.push(|input, scope| {
scope.num_export_calls += 1;
let instances: Vec<_> = scope.instances.keys().collect();
let instance = **input.choose(&instances)?;
let nth = usize::arbitrary(input)?;
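Review bot: with the `scope.num_export_calls < max_export_calls` condition and the `scope.num_export_calls += 1` bookkeeping removed, nothing stops one input from spending its whole `max_calls` budget on `call_exported_func`, so the worst case is now 100 exported-function calls in a single run. By the estimate in the comment deleted in the previous hunk (about 20ms each, so roughly 2s) that still fits the 3s timeout, but only because `max_calls` happens to equal the old `max_export_calls`. It would be worth saying in the `max_calls` comment that it is also the bound on the expensive exported-call kind, so the two numbers are not decoupled by a later edit.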
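The review thread above describes two draw directions in the fuzz input (integers from the front via `int_in_range`, element counts from the end via `arbitrary_len`) and the patch caps the total number of generated calls. The following is an added example, not code from wasmtime or from the `arbitrary` crate: `Cursor` is a hypothetical, deliberately simplified stand-in for `Unstructured` (one byte per draw, exhausted input reads as 0), `ApiCall` carries only two made-up variants, and `emitted` exists solely to make the difference between a `>` and a `>=` cap visible. The real crate's byte accounting is more involved; only the front/back split and the capped loop shape are what this models.

```rust
// Added example, not code from wasmtime or the `arbitrary` crate. It models
// the two draw directions described in the review thread with a small
// byte-cursor stand-in and shows a generation loop capped at a total
// number of API calls.

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ApiCall {
    ModuleNew { id: u32 },
    CallExportedFunc { instance: u32, nth: u32 },
}

/// Hypothetical stand-in for `arbitrary::Unstructured`: integers come off
/// the front of the input, lengths off the back. Exhausted input yields 0
/// so generation always terminates without an error.
pub struct Cursor<'a> {
    data: &'a [u8],
}

impl<'a> Cursor<'a> {
    pub fn new(data: &'a [u8]) -> Self {
        Cursor { data }
    }

    fn byte_front(&mut self) -> u8 {
        match self.data.split_first() {
            Some((b, rest)) => {
                self.data = rest;
                *b
            }
            None => 0,
        }
    }

    /// Inclusive range, drawn from the front (like `int_in_range`).
    pub fn int_in_range(&mut self, lo: u32, hi: u32) -> u32 {
        lo + u32::from(self.byte_front()) % (hi - lo + 1)
    }

    /// Element count, drawn from the back (like `arbitrary_len`), so that a
    /// mutation of the leading bytes changes the elements but not the count.
    pub fn arbitrary_len(&mut self) -> usize {
        match self.data.split_last() {
            Some((b, rest)) => {
                self.data = rest;
                usize::from(*b)
            }
            None => 0,
        }
    }
}

/// Generate at most `max_calls` calls, whatever count the input requests.
pub fn generate_calls(u: &mut Cursor<'_>, max_calls: usize) -> Vec<ApiCall> {
    let mut calls = Vec::new();
    let mut instances: Vec<u32> = Vec::new();
    for _ in 0..u.arbitrary_len() {
        // `>=`, so the cap is exactly `max_calls`; `>` would allow one extra.
        if calls.len() >= max_calls {
            break;
        }
        let call = if instances.is_empty() || u.byte_front() % 2 == 0 {
            let id = instances.len() as u32;
            instances.push(id);
            ApiCall::ModuleNew { id }
        } else {
            let idx = u.int_in_range(0, instances.len() as u32 - 1) as usize;
            let nth = u.int_in_range(0, 7);
            ApiCall::CallExportedFunc { instance: instances[idx], nth }
        };
        calls.push(call);
    }
    calls
}

/// Number of calls a loop of `requested` iterations emits under the two
/// checks: `strict` uses `len >= max_calls`, otherwise `len > max_calls`.
pub fn emitted(requested: usize, max_calls: usize, strict: bool) -> usize {
    let mut len = 0;
    for _ in 0..requested {
        let stop = if strict { len >= max_calls } else { len > max_calls };
        if stop {
            break;
        }
        len += 1;
    }
    len
}

fn main() {
    // Constructed input: 64 filler bytes, then a trailing byte requesting 200 calls.
    let mut data = vec![1u8; 64];
    data.push(200);
    let calls = generate_calls(&mut Cursor::new(&data), 100);
    println!("requested 200, generated {}", calls.len());
    println!("with a `>` check the same request would yield {}", emitted(200, 100, false));
}
```

Because the count lives in the last byte, flipping any of the leading bytes changes which calls are produced but not how many the loop attempts, which is the property the linked FuzzedDataProvider comment is after; the `max_calls` cap then bounds the total independently of what the input asks for.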