wasmi: initial integration #12665

Open
wants to merge 5 commits into base: master

Conversation

@Robbepop Robbepop commented Oct 30, 2024

This proposes to add the Wasmi project to OSS-Fuzz.

Wasmi is an efficient WebAssembly interpreter especially suited for embedded environments, similar to Wasm3.
It has over 7M downloads on crates.io, a Rust and C API, and is used as a security-critical component in several big projects, especially in the blockchain industry. Recently Wasmi has been added as a backend by the Wasmer project, which is also registered in OSS-Fuzz.

Two audits have been conducted for Wasmi so far which, amongst other things, concluded that Wasmi should ideally be registered with OSS-Fuzz if possible.

Unfortunately I could not test the Dockerfile and shell script locally due to this issue: #10967
(I am open to suggestions on how to fix the local test setup.)
This adds the 3 fuzzing targets provided by the Wasmi project, translate, execute and differential.
The setup is very simple since it mostly uses the recommended cargo-fuzz.

Robbepop is integrating a new project:
- Main repo: https://github.com/wasmi-labs/wasmi
- Criticality score: 0.58153

@Robbepop changed the title from "Add Wasmi project" to "wasmi: initial integration" on Oct 30, 2024

Robbepop commented Nov 8, 2024

It is a bit painful for me not to be able to debug locally.
At least the Presubmit checks/build job now succeeds.

I've been looking into the failed Project tests/build job and saw the following:

+ cargo fuzz build execute --release --debug-assertions
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.06s
+ cargo fuzz build differential --release --debug-assertions --features=differential
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.05s

So we explicitly build for the release profile, but cargo reports that it finished building the dev profile. This is very confusing to me right now, as I cannot reproduce it locally, and it does not happen in the aforementioned job.

This is also why the following cp command fails: it looks up the executables under the release directory instead of the debug directory:

+ cp target/x86_64-unknown-linux-gnu/release/differential /out/
cp: cannot stat 'target/x86_64-unknown-linux-gnu/release/differential': No such file or directory

@vitorguidi do you have any clues why a dev build was built here despite the clear release settings?
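
An OSS-Fuzz-style build.sh for the setup described in this PR (three cargo-fuzz targets copied into $OUT), written here as an added example rather than the project's or the PR's own script. It keeps the cargo-fuzz invocations and the target path visible in the log above, and adds the check this thread was missing: before copying, it looks for each target under both the release and the debug directory, warns when the binary ended up in the dev profile, and fails with a directory listing instead of an opaque cp error. The helper names (build_fuzz_target, find_fuzz_binary, install_fuzz_target) are assumptions made for this example; OUT is the environment variable OSS-Fuzz sets for the output directory, and the build only runs when it is set.

```shell
#!/bin/sh
# Added example: an OSS-Fuzz-style build script for cargo-fuzz targets.
# Not the Wasmi project's build.sh; helper names are assumptions.
set -eu

# The three fuzz targets named in the PR description.
FUZZ_TARGETS="translate execute differential"

# cargo-fuzz builds for the host triple; this is the path seen in the PR log.
TARGET_DIR="target/x86_64-unknown-linux-gnu"

# Build one target with the same flags as the PR log; extra args (e.g.
# --features=...) are passed through to cargo fuzz.
build_fuzz_target() {
    name="$1"
    shift
    cargo fuzz build "$name" --release --debug-assertions "$@"
}

# Locate a built fuzz target, trying the release directory first and then
# debug, so a build that silently landed in the wrong profile is still found.
# Prints the path on success; returns 1 if neither directory has it.
find_fuzz_binary() {
    target_dir="$1"
    name="$2"
    for profile in release debug; do
        candidate="$target_dir/$profile/$name"
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Copy one target into the output directory. Fails with a listing of what
# was actually built instead of cp's "cannot stat" message, and warns when
# the binary came from the dev profile rather than release.
install_fuzz_target() {
    target_dir="$1"
    name="$2"
    out_dir="$3"
    bin="$(find_fuzz_binary "$target_dir" "$name")" || {
        echo "error: fuzz target '$name' not found under $target_dir/{release,debug}" >&2
        ls -l "$target_dir"/*/ >&2 2>/dev/null || true
        return 1
    }
    case "$bin" in
        */debug/*) echo "warning: '$name' was built in the dev profile, not release" >&2 ;;
    esac
    cp "$bin" "$out_dir/$name"
}

# Build and install every target; 'differential' needs its cargo feature.
main() {
    out_dir="$1"
    for name in $FUZZ_TARGETS; do
        if [ "$name" = differential ]; then
            build_fuzz_target "$name" --features=differential
        else
            build_fuzz_target "$name"
        fi
        install_fuzz_target "$TARGET_DIR" "$name" "$out_dir"
    done
}

# Only run the build when invoked under OSS-Fuzz, where $OUT is set; sourcing
# the file elsewhere just defines the functions above.
if [ -n "${OUT:-}" ]; then
    main "$OUT"
fi
```

With this script the failure in the log above would have shown up as a warning naming the profile and a listing of the target directory, which is what you want to see in a CI log when the build cannot be reproduced locally.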
