/* -*- Mode: javascript; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// This file is used to detect cases where Visage's parser accepts more
// inputs than SpiderMonkey's parser.
//
// 1. Find new cases:
//
// To find new cases, we have to build with libFuzzer. The JS Shell can easily
// be built with libFuzzer by adding --enable-fuzzing to the configure script
// command line.
//
// Create a directory, and copy all test cases from the JS shell to this
// directory:
//
// $ mkdir fuzzer-input
// $ cd fuzzer-input
// $ find ../ -name \*.js -print0 | xargs -I '{}' -0 -n1 cp '{}' $(pwd)
//
// Once the JS Shell is built, set the FUZZER environment variable to this
// script location.
//
// $ FUZZER="./fuzz-tests/differential-parsing.js" build.dir/dist/bin/js -- \
// -use_value_profile=1 -print_pcs=1 -timeout=5 -max_len=32 -only_ascii=1 \
// ./fuzzer-input
//
// 2. Test a crashing test case:
//
// Once a new crashing test case is found, this script can be used to
// reproduce the crashing conditions.
//
// To do so, start a JS Shell, load this script, and call the testFile
// function with the path of the crashing file.
//
// $ build.dir/dist/bin/js
// js> load("./fuzz-tests/differential-parsing.js");
// js> testFile("./crash-42");
// Parse Script C++: fail
// Parse Module C++: fail
// Parse Script Rust: succeed
// Parse Module Rust: fail
// Hit MOZ_CRASH(Rust accept more than C++)
//
/* global crash, os, parse, timeout */
// This global will hold the current fuzzing buffer for each iteration.
// Nothing in this file assigns it: it is filled in by the fuzzing harness
// before JSFuzzIterate runs, and read there to build the input string.
// Kept as `var` so the binding lives on the global object where the harness
// writes it — TODO confirm against the shell's fuzzing glue.
var fuzzBuf;
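function timed(sec, f) {
  // Run `f` under the shell's watchdog. If `f` takes longer than `sec`
  // seconds the handler fires and returns false, so the evaluation is
  // abandoned and control returns to the libFuzzer handler without this
  // test case being considered interesting.
  timeout(sec, function() {
    return false;
  });
  try {
    f();
  } finally {
    // Always disarm the watchdog, even when `f` throws, so a stale timeout
    // cannot kill a later, unrelated execution.
    timeout(-1);
  }
}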
// Option bags handed to the shell's `parse` builtin. `module` selects the
// module goal over the script goal; `smoosh` selects the Rust front-end over
// the C++ one. Grouped by front-end to match the order `test` exercises them.
var parseScriptCpp  = { module: false, smoosh: false };
var parseModuleCpp  = { module: true,  smoosh: false };
var parseScriptRust = { module: false, smoosh: true  };
var parseModuleRust = { module: true,  smoosh: true  };
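function test(code, verbose = false) {
  // Parse `code` with each of the four parser configurations and crash the
  // shell if the Rust front-end accepts an input that the C++ front-end
  // rejects.
  //
  // Every `parse` call is wrapped: a throw means "rejected", a normal return
  // means "accepted". With `verbose`, each verdict is echoed to the console
  // in the "<label>: succeed|fail" form shown in the file header.

  // Try one parser configuration; returns true if `parse` did not throw.
  function attempt(options, label) {
    let accepted = false;
    try {
      parse(code, options);
      accepted = true;
    } catch (exc) {
      // A rejection is an expected outcome here, not a harness failure.
    }
    if (verbose) {
      console.log(`${label}: ${accepted ? "succeed" : "fail"}`);
    }
    return accepted;
  }

  // Order only affects the verbose transcript, which mirrors the header's
  // example: C++ first, then Rust.
  const isScriptCpp = attempt(parseScriptCpp, "Parse Script C++");
  const isModuleCpp = attempt(parseModuleCpp, "Parse Module C++");
  const isScriptRust = attempt(parseScriptRust, "Parse Script Rust");
  const isModuleRust = attempt(parseModuleRust, "Parse Module Rust");

  // The differential check: Rust accepting strictly more than C++ is the
  // condition this harness exists to surface. The reverse (C++ accepts,
  // Rust rejects) is deliberately not reported.
  if ((isScriptRust && !isScriptCpp) || (isModuleRust && !isModuleCpp)) {
    crash("Rust accept more than C++");
  }
}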
function JSFuzzIterate() {
  // Entry point invoked by the fuzzing harness once per input. Contract:
  //
  // 1) Every action and decision derives from fuzzBuf alone — never from
  //    Math.random(), Date/Time or any other external input.
  // 2) The run is deterministic: the same fuzzBuf must always produce the
  //    same sequence of actions and decisions.
  // 3) Globals may be modified where needed, but each iteration must be
  //    isolated: undo any global changes before returning so iterations
  //    neither depend on nor influence one another (see also 1)).
  // 4) All exceptions are caught.
  const code = String.fromCharCode(...fuzzBuf);
  // Bound the differential check so a pathological input cannot stall the run.
  timed(3, () => {
    test(code);
  });
  return 0;
}
function testFile(file) {
  // Reproduce a crash found by the fuzzer: read `file` from disk and run the
  // differential check in verbose mode so each parser's verdict is printed.
  test(os.file.readFile(file), true);
}