summaryrefslogtreecommitdiffstats
path: root/js/src/fuzz-tests/testStructuredCloneReader.cpp
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /js/src/fuzz-tests/testStructuredCloneReader.cpp
parentInitial commit. (diff)
downloadfirefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz
firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js/src/fuzz-tests/testStructuredCloneReader.cpp')
-rw-r--r--js/src/fuzz-tests/testStructuredCloneReader.cpp84
1 files changed, 84 insertions, 0 deletions
diff --git a/js/src/fuzz-tests/testStructuredCloneReader.cpp b/js/src/fuzz-tests/testStructuredCloneReader.cpp
new file mode 100644
index 0000000000..6b70d8bc52
--- /dev/null
+++ b/js/src/fuzz-tests/testStructuredCloneReader.cpp
@@ -0,0 +1,84 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ * vim: set ts=8 sts=2 et sw=2 tw=80:
+ */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/ScopeExit.h"
+
+#include "jsapi.h"
+
+#include "fuzz-tests/tests.h"
+#include "js/StructuredClone.h"
+#include "vm/Interpreter.h"
+
+#include "vm/JSContext-inl.h"
+
+using namespace js;
+
+// These are defined and pre-initialized by the harness (in tests.cpp).
+extern JS::PersistentRootedObject gGlobal;
+extern JSContext* gCx;
+
+static int testStructuredCloneReaderInit(int* argc, char*** argv) { return 0; }
+
+static int testStructuredCloneReaderFuzz(const uint8_t* buf, size_t size) {
+ auto gcGuard = mozilla::MakeScopeExit([&] {
+ JS::PrepareForFullGC(gCx);
+ JS::NonIncrementalGC(gCx, JS::GCOptions::Normal, JS::GCReason::API);
+ });
+
+ if (!size) return 0;
+
+ // Make sure to pad the buffer to a multiple of kSegmentAlignment
+ const size_t kSegmentAlignment = 8;
+ size_t buf_size = RoundUp(size, kSegmentAlignment);
+
+ JS::StructuredCloneScope scope = JS::StructuredCloneScope::DifferentProcess;
+
+ auto clonebuf = MakeUnique<JSStructuredCloneData>(scope);
+ if (!clonebuf || !clonebuf->Init(buf_size)) {
+ ReportOutOfMemory(gCx);
+ return 0;
+ }
+
+ // Copy buffer then pad with zeroes.
+ if (!clonebuf->AppendBytes((const char*)buf, size)) {
+ ReportOutOfMemory(gCx);
+ return 0;
+ }
+ char padding[kSegmentAlignment] = {0};
+ if (!clonebuf->AppendBytes(padding, buf_size - size)) {
+ ReportOutOfMemory(gCx);
+ return 0;
+ }
+
+ JS::CloneDataPolicy policy;
+ RootedValue deserialized(gCx);
+ if (!JS_ReadStructuredClone(gCx, *clonebuf, JS_STRUCTURED_CLONE_VERSION,
+ scope, &deserialized, policy, nullptr, nullptr)) {
+ return 0;
+ }
+
+ /* If we succeeded in deserializing, we should try to reserialize the data.
+ This has two main advantages:
+
+ 1) It tests parts of the serializer as well.
+ 2) The deserialized data is actually used, making it more likely to detect
+ further memory-related problems.
+
+ Tests show that this also doesn't cause a serious performance penalty.
+ */
+ mozilla::Maybe<JSAutoStructuredCloneBuffer> clonebufOut;
+
+ clonebufOut.emplace(scope, nullptr, nullptr);
+ if (!clonebufOut->write(gCx, deserialized, UndefinedHandleValue, policy)) {
+ return 0;
+ }
+
+ return 0;
+}
+
+MOZ_FUZZING_INTERFACE_RAW(testStructuredCloneReaderInit,
+ testStructuredCloneReaderFuzz, StructuredCloneReader);