mirror of
https://github.com/bellard/quickjs.git
synced 2024-11-24 14:48:12 +08:00
01454caf78
* Move fuzz target sources from the oss-fuzz repository here * Add support to build libFuzzer targets * Simplify the fuzz_eval and fuzz_compile targets The use of JS_NewContext instead of JS_NewContextRaw spares to call JS_AddIntrinsic<XYZ> functions from the fuzz target, since the public JS_NewContext API does exactly the same. * Simplify the fuzz_regexp target fuzz_regexp doesn't need to be dependant on libquickjs since the runtime and the context - that were provided by libquickjs - were only created to call two simple functions implemented in libquickjs which could be mimicked by the fuzzer. The removal of runtime and context objects implicated further simplifications, like the omission of their one-time creation. Finally, writing the result of the regexp operations into a file is also superfluous, since it's not used by anybody. * Recreate and destroy JS runtime and context in fuzz_eval and fuzz_compile targets Before this patch, the test executions were not independent, since all the executed tests used the same JavaScript runtime and context, causing irreproducible failure reports. * Enable bignumber support in eval and compile targets Big numbers are used by the input corpus, but the targets were not able to interpret them since they were not compiled into them. This change improved the inital coverage of the fuzz_eval target with 21% and the coverage of the fuzz_compile target with 25% when using the official corpus. * Ensure std and os modules are available in the fuzz_eval and fuzz_compile targets * Add fuzzer dictionary with builtin and variable names. Furthermore, added a JS script that collects all the builtin names from the executing engine. * Move common fuzzer code into one place * Enable to define the LIB_FUZZING_ENGINE variable to ease the oss-fuzz integration * Add README to fuzzers
50 lines
1.5 KiB
C
50 lines
1.5 KiB
C
/* Copyright 2020 Google Inc.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
#include "quickjs.h"
|
|
#include "quickjs-libc.h"
|
|
#include "fuzz/fuzz_common.h"
|
|
|
|
#include <stdint.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
|
|
if (size == 0)
|
|
return 0;
|
|
|
|
JSRuntime *rt = JS_NewRuntime();
|
|
JSContext *ctx = JS_NewContext(rt);
|
|
test_one_input_init(rt, ctx);
|
|
|
|
uint8_t *null_terminated_data = malloc(size + 1);
|
|
memcpy(null_terminated_data, data, size);
|
|
null_terminated_data[size] = 0;
|
|
|
|
reset_nbinterrupts();
|
|
//the final 0 does not count (as in strlen)
|
|
JSValue val = JS_Eval(ctx, (const char *)null_terminated_data, size, "<none>", JS_EVAL_TYPE_GLOBAL);
|
|
free(null_terminated_data);
|
|
//TODO targets with JS_ParseJSON, JS_ReadObject
|
|
if (!JS_IsException(val)) {
|
|
js_std_loop(ctx);
|
|
JS_FreeValue(ctx, val);
|
|
}
|
|
js_std_free_handlers(rt);
|
|
JS_FreeContext(ctx);
|
|
JS_FreeRuntime(rt);
|
|
return 0;
|
|
}
|