diff options
Diffstat (limited to 'js/xpconnect/src/xpcrtfuzzing')
-rw-r--r-- | js/xpconnect/src/xpcrtfuzzing/xpcrtfuzzing.cpp | 162 | ||||
-rw-r--r-- | js/xpconnect/src/xpcrtfuzzing/xpcrtfuzzing.h | 25 |
2 files changed, 187 insertions, 0 deletions
diff --git a/js/xpconnect/src/xpcrtfuzzing/xpcrtfuzzing.cpp b/js/xpconnect/src/xpcrtfuzzing/xpcrtfuzzing.cpp new file mode 100644 index 0000000000..95982733cd --- /dev/null +++ b/js/xpconnect/src/xpcrtfuzzing/xpcrtfuzzing.cpp @@ -0,0 +1,162 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * vim: set ts=8 sts=2 et sw=2 tw=80: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "xpcrtfuzzing/xpcrtfuzzing.h" + +#include "mozilla/Assertions.h" // MOZ_CRASH +#include "mozilla/Utf8.h" // mozilla::Utf8Unit + +#include <stdio.h> // fflush, fprintf, fputs + +#include "FuzzingInterface.h" +#include "jsapi.h" + +#include "js/CompilationAndEvaluation.h" // JS::Evaluate +#include "js/CompileOptions.h" // JS::CompileOptions +#include "js/Conversions.h" // JS::Conversions +#include "js/ErrorReport.h" // JS::PrintError +#include "js/Exception.h" // JS::StealPendingExceptionStack +#include "js/experimental/TypedData.h" // JS_GetUint8ClampedArrayData, JS_NewUint8ClampedArray +#include "js/PropertyAndElement.h" // JS_SetProperty, JS_HasOwnProperty +#include "js/RootingAPI.h" // JS::Rooted +#include "js/SourceText.h" // JS::Source{Ownership,Text} +#include "js/Value.h" // JS::Value + +using mozilla::dom::AutoJSAPI; + +static AutoJSAPI* gJsapi = nullptr; +static std::string gFuzzModuleName; + +static void CrashOnPendingException() { + if (gJsapi->HasException()) { + gJsapi->ReportException(); + + MOZ_CRASH("Unhandled exception from JS runtime!"); + } +} + +int FuzzXPCRuntimeStart(AutoJSAPI* jsapi, int* argc, char*** argv, + LibFuzzerDriver fuzzerDriver) { + gFuzzModuleName = getenv("FUZZER"); + gJsapi = jsapi; + + int ret = FuzzXPCRuntimeInit(); + if (ret) { + fprintf(stderr, "Fuzzing Interface: Error: Initialize callback failed\n"); + return ret; + } + + ret = fuzzerDriver(argc, argv, FuzzXPCRuntimeFuzz); + if (!ret) { + fprintf(stdout, "Trying to shutdown!\n"); + int shutdown = FuzzXPCRuntimeShutdown(); + if (shutdown) { + fprintf(stderr, "Fuzzing Interface: Error: Shutdown callback failed\n"); + return shutdown; + } + } + + return ret; +} + +int FuzzXPCRuntimeInit() { + JSContext* cx = gJsapi->cx(); + JS::Rooted<JS::Value> v(cx); + JS::CompileOptions opts(cx); + + // Load the fuzzing module specified in the FUZZER environment variable + JS::EvaluateUtf8Path(cx, opts, gFuzzModuleName.c_str(), &v); + + // Any errors while loading the fuzzing module should be fatal + CrashOnPendingException(); + + return 0; +} + +int FuzzXPCRuntimeFuzz(const uint8_t* buf, size_t size) { + if (!size) { + return 0; + } + + JSContext* cx = gJsapi->cx(); + + JS::Rooted<JSObject*> arr(cx, JS_NewUint8ClampedArray(cx, size)); + if (!arr) { + MOZ_CRASH("OOM"); + } + + do { + JS::AutoCheckCannotGC nogc; + bool isShared; + uint8_t* data = JS_GetUint8ClampedArrayData(arr, &isShared, nogc); + MOZ_RELEASE_ASSERT(!isShared); + memcpy(data, buf, size); + } while (false); + + JS::Rooted<JSObject*> global(cx, JS::CurrentGlobalOrNull(cx)); + JS::RootedValue arrVal(cx, JS::ObjectValue(*arr)); + if (!JS_SetProperty(cx, global, "fuzzBuf", arrVal)) { + MOZ_CRASH("JS_SetProperty failed"); + } + + JS::Rooted<JS::Value> v(cx); + JS::CompileOptions opts(cx); + + static const char data[] = "JSFuzzIterate();"; + + JS::SourceText<mozilla::Utf8Unit> srcBuf; + if (!srcBuf.init(cx, data, strlen(data), JS::SourceOwnership::Borrowed)) { + return 1; + } + + if (!JS::Evaluate(cx, opts.setFileAndLine(__FILE__, __LINE__), srcBuf, &v) && + !JS_IsExceptionPending(cx)) { + // A return value of `false` without a pending exception indicates + // a timeout as triggered by the `timeout` shell function. + return 1; + } + + // The fuzzing module is required to handle any exceptions + CrashOnPendingException(); + + int32_t ret = 0; + if (!ToInt32(cx, v, &ret)) { + MOZ_CRASH("Must return an int32 compatible return value!"); + } + + return ret; +} + +int FuzzXPCRuntimeShutdown() { + JSContext* cx = gJsapi->cx(); + JS::Rooted<JS::Value> v(cx); + JS::CompileOptions opts(cx); + JS::Rooted<JSObject*> global(cx, JS::CurrentGlobalOrNull(cx)); + + bool found = false; + if (JS_HasOwnProperty(cx, global, "JSFuzzShutdown", &found)) { + if (found) { + static const char data[] = "JSFuzzShutdown();"; + JS::SourceText<mozilla::Utf8Unit> srcBuf; + if (!srcBuf.init(cx, data, strlen(data), JS::SourceOwnership::Borrowed)) { + return 1; + } + + if (!JS::Evaluate(cx, opts.setFileAndLine(__FILE__, __LINE__), srcBuf, + &v) && + !JS_IsExceptionPending(cx)) { + // A return value of `false` without a pending exception indicates + // a timeout as triggered by the `timeout` shell function. + return 1; + } + } + } + + // The fuzzing module is required to handle any exceptions + CrashOnPendingException(); + + return 0; +} diff --git a/js/xpconnect/src/xpcrtfuzzing/xpcrtfuzzing.h b/js/xpconnect/src/xpcrtfuzzing/xpcrtfuzzing.h new file mode 100644 index 0000000000..89cdf5996b --- /dev/null +++ b/js/xpconnect/src/xpcrtfuzzing/xpcrtfuzzing.h @@ -0,0 +1,25 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * vim: set ts=8 sts=2 et sw=2 tw=80: + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +// xpcrtfuzzing.h - Functionality for XPC runtime fuzzing + +#ifndef shell_xpcrtfuzzing_h +#define shell_xpcrtfuzzing_h + +#include "mozilla/dom/ScriptSettings.h" // mozilla::dom::AutoJSAPI +#include "FuzzerRegistry.h" // LibFuzzerDriver + +// This is the entry point of the XPC runtime fuzzing code from the XPC shell +int FuzzXPCRuntimeStart(mozilla::dom::AutoJSAPI* jsapi, int* argc, char*** argv, + LibFuzzerDriver); + +// These are the traditional libFuzzer-style functions for initialization +// and fuzzing iteration. +int FuzzXPCRuntimeInit(); +int FuzzXPCRuntimeFuzz(const uint8_t* buf, size_t size); +int FuzzXPCRuntimeShutdown(); + +#endif /* shell_xpcrtfuzzing_h */ |