quickjs/fuzz/fuzz_eval.c
Renáta Hodován 01454caf78
OSS-Fuzz targets improvements (#267)
* Move fuzz target sources from the oss-fuzz repository here

* Add support to build libFuzzer targets
* Simplify the fuzz_eval and fuzz_compile targets

The use of JS_NewContext instead of JS_NewContextRaw spares to call
JS_AddIntrinsic<XYZ> functions from the fuzz target, since the public
JS_NewContext API does exactly the same.

* Simplify the fuzz_regexp target

fuzz_regexp doesn't need to be dependant on libquickjs since the
runtime and the context - that were provided by libquickjs - were
only created to call two simple functions implemented in libquickjs
which could be mimicked by the fuzzer.
The removal of runtime and context objects implicated further
simplifications, like the omission of their one-time creation.
Finally, writing the result of the regexp operations into a file
is also superfluous, since it's not used by anybody.

* Recreate and destroy JS runtime and context in fuzz_eval and fuzz_compile targets

Before this patch, the test executions were not independent,
since all the executed tests used the same JavaScript runtime and
context, causing irreproducible failure reports.

* Enable bignumber support in eval and compile targets

Big numbers are used by the input corpus, but the targets were not
able to interpret them since they were not compiled into them.
This change improved the inital coverage of the fuzz_eval target with
21% and the coverage of the fuzz_compile target with 25% when using
the official corpus.

* Ensure std and os modules are available in the fuzz_eval and fuzz_compile targets
* Add fuzzer dictionary with builtin and variable names. Furthermore, added a JS script that collects all the builtin
names from the executing engine. 
* Move common fuzzer code into one place
* Enable to define the LIB_FUZZING_ENGINE variable to ease the oss-fuzz integration
* Add README to fuzzers
2024-05-08 18:19:48 +02:00

50 lines
1.5 KiB
C

/* Copyright 2020 Google Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "quickjs.h"
#include "quickjs-libc.h"
#include "fuzz/fuzz_common.h"
#include <stdint.h>
#include <stdio.h>
#include <string.h>
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (size == 0)
return 0;
JSRuntime *rt = JS_NewRuntime();
JSContext *ctx = JS_NewContext(rt);
test_one_input_init(rt, ctx);
uint8_t *null_terminated_data = malloc(size + 1);
memcpy(null_terminated_data, data, size);
null_terminated_data[size] = 0;
reset_nbinterrupts();
//the final 0 does not count (as in strlen)
JSValue val = JS_Eval(ctx, (const char *)null_terminated_data, size, "<none>", JS_EVAL_TYPE_GLOBAL);
free(null_terminated_data);
//TODO targets with JS_ParseJSON, JS_ReadObject
if (!JS_IsException(val)) {
js_std_loop(ctx);
JS_FreeValue(ctx, val);
}
js_std_free_handlers(rt);
JS_FreeContext(ctx);
JS_FreeRuntime(rt);
return 0;
}