Crate wasm_smith


A WebAssembly test case generator.

§Usage

First, use cargo fuzz to define a new fuzz target:

$ cargo fuzz add my_wasm_smith_fuzz_target

Next, add wasm-smith to your dependencies:

$ cargo add wasm-smith

Then, define your fuzz target so that it takes an arbitrary wasm_smith::Module as an argument, convert the module into serialized Wasm bytes via the to_bytes method, and feed those bytes into your system:

// fuzz/fuzz_targets/my_wasm_smith_fuzz_target.rs

#![no_main]

use libfuzzer_sys::fuzz_target;
use wasm_smith::Module;

fuzz_target!(|module: Module| {
    let wasm_bytes = module.to_bytes();

    // Your code here...
});

Finally, start fuzzing:

$ cargo fuzz run my_wasm_smith_fuzz_target

Note: For a real world example, also check out the validate fuzz target defined in this repository. Using the wasmparser crate, it checks that every module generated by wasm-smith validates successfully.
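As an added illustration of a "system" the serialized bytes could be fed into (this is not code from wasm-smith or its repository), the following std-only Rust walks the Wasm preamble and section framing. The names section_frames, FrameError and SAMPLE are hypothetical, and the sample bytes are constructed by hand rather than generated; in a fuzz target you would pass &module.to_bytes() and treat any error as a bug in the consumer, since the generated modules are expected to validate.

```rust
#[derive(Debug, PartialEq)]
pub enum FrameError {
    BadPreamble,
    BadLeb128,
    Truncated { id: u8, declared: u32, available: usize },
}

/// Decode an unsigned LEB128 u32; returns (value, bytes consumed).
fn read_u32_leb(buf: &[u8]) -> Result<(u32, usize), FrameError> {
    let mut value = 0u32;
    for (i, &byte) in buf.iter().take(5).enumerate() {
        value |= u32::from(byte & 0x7F) << (7 * i);
        if byte & 0x80 == 0 {
            // The fifth byte may carry only the top 4 bits of a u32.
            return if i == 4 && byte > 0x0F { Err(FrameError::BadLeb128) } else { Ok((value, i + 1)) };
        }
    }
    Err(FrameError::BadLeb128) // input ended or encoding exceeds 5 bytes
}

/// Added example (not wasm-smith code): check the preamble, then return
/// (section id, payload length) for each section.
pub fn section_frames(wasm: &[u8]) -> Result<Vec<(u8, u32)>, FrameError> {
    if !wasm.starts_with(b"\0asm\x01\0\0\0") {
        return Err(FrameError::BadPreamble);
    }
    let (mut rest, mut frames) = (&wasm[8..], Vec::new());
    while let Some((&id, after_id)) = rest.split_first() {
        let (declared, used) = read_u32_leb(after_id)?;
        let body = &after_id[used..];
        if declared as usize > body.len() {
            return Err(FrameError::Truncated { id, declared, available: body.len() });
        }
        frames.push((id, declared));
        rest = &body[declared as usize..];
    }
    Ok(frames)
}

/// Constructed sample: hand-assembled bytes for `(module (func))`.
pub const SAMPLE: &[u8] = &[
    0x00, b'a', b's', b'm', 0x01, 0x00, 0x00, 0x00, // preamble
    0x01, 0x04, 0x01, 0x60, 0x00, 0x00, // type section
    0x03, 0x02, 0x01, 0x00, // function section
    0x0A, 0x04, 0x01, 0x02, 0x00, 0x0B, // code section
];

fn main() {
    println!("{:?}", section_frames(SAMPLE));
}
```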

§Design

The design and implementation strategy of wasm-smith is outlined in this article.
