github
/
boa
mirror of https://github.com/boa-dev/boa.git
1
0
Fork 0
Code Issues Releases Wiki Activity
Rust编写的JavaScript引擎,该项目是一个试验性质的项目。
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2751 Commits
22 Branches
24 Tags
686 MiB
Tree: 6f5c25ced6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6f5c25ced6'
${ noResults }
boa/fuzz/fuzz_targets/bytecompiler-implied.rs

30 lines
695 B
Raw Normal View History Unescape

VM Fuzzer (#2401) This Pull Request offers a basic VM fuzzer which relies on implied oracles (namely, "does it crash or timeout?"). It changes the following: - Adds an insns_remaining field to Context, denoting the number of instructions remaining to execute (only available when fuzzing) - Adds a JsNativeError variant, denoting when the number of instructions has been exceeded (only available when fuzzing) - Adds a VM fuzzer which looks for cases where Boa may crash on an input This offers no guarantees about correctness, only assertion violations. Depends on #2400. Any issues I raise in association with this fuzzer will link back to this fuzzer. You may run the fuzzer using the following commands: ```bash $ cd boa_engine $ cargo +nightly fuzz run -s none vm-implied ``` Co-authored-by: Addison Crump <addison.crump@cispa.de>
2 years ago
#![no_main]
mod common;
use crate::common::FuzzSource;
Update fuzzers and add building them to CI (#2983) * update fuzzers for latest changes * build fuzzers in CI workflow * move fuzz builds before examples, oops * use explicit versioning
1 year ago
use boa_engine::{Context, Script};
use boa_parser::Source;
VM Fuzzer (#2401) This Pull Request offers a basic VM fuzzer which relies on implied oracles (namely, "does it crash or timeout?"). It changes the following: - Adds an insns_remaining field to Context, denoting the number of instructions remaining to execute (only available when fuzzing) - Adds a JsNativeError variant, denoting when the number of instructions has been exceeded (only available when fuzzing) - Adds a VM fuzzer which looks for cases where Boa may crash on an input This offers no guarantees about correctness, only assertion violations. Depends on #2400. Any issues I raise in association with this fuzzer will link back to this fuzzer. You may run the fuzzer using the following commands: ```bash $ cd boa_engine $ cargo +nightly fuzz run -s none vm-implied ``` Co-authored-by: Addison Crump <addison.crump@cispa.de>
2 years ago
use libfuzzer_sys::{fuzz_target, Corpus};
use std::io::Cursor;
fn do_fuzz(original: FuzzSource) -> Corpus {
let mut ctx = Context::builder()
.interner(original.interner)
.instructions_remaining(0)
Update fuzzers and add building them to CI (#2983) * update fuzzers for latest changes * build fuzzers in CI workflow * move fuzz builds before examples, oops * use explicit versioning
1 year ago
.build()
.unwrap();
if let Ok(parsed) = Script::parse(
Source::from_reader(Cursor::new(&original.source), None),
None,
&mut ctx,
) {
let _ = parsed.codeblock(&mut ctx);
VM Fuzzer (#2401) This Pull Request offers a basic VM fuzzer which relies on implied oracles (namely, "does it crash or timeout?"). It changes the following: - Adds an insns_remaining field to Context, denoting the number of instructions remaining to execute (only available when fuzzing) - Adds a JsNativeError variant, denoting when the number of instructions has been exceeded (only available when fuzzing) - Adds a VM fuzzer which looks for cases where Boa may crash on an input This offers no guarantees about correctness, only assertion violations. Depends on #2400. Any issues I raise in association with this fuzzer will link back to this fuzzer. You may run the fuzzer using the following commands: ```bash $ cd boa_engine $ cargo +nightly fuzz run -s none vm-implied ``` Co-authored-by: Addison Crump <addison.crump@cispa.de>
2 years ago
Corpus::Keep
} else {
Corpus::Reject
}
}
fuzz_target!(|original: FuzzSource| -> Corpus { do_fuzz(original) });