VM Fuzzer (#2401)

This Pull Request offers a basic VM fuzzer which relies on implied oracles (namely, "does it crash or timeout?"). It changes the following: - Adds an insns_remaining field to Context, denoting the number of instructions remaining to execute (only available when fuzzing) - Adds a JsNativeError variant, denoting when the number of instructions has been exceeded (only available when fuzzing) - Adds a VM fuzzer which looks for cases where Boa may crash on an input This offers no guarantees about correctness, only assertion violations. Depends on #2400. Any issues I raise in association with this fuzzer will link back to this fuzzer. You may run the fuzzer using the following commands: ```bash $ cd boa_engine $ cargo +nightly fuzz run -s none vm-implied ``` Co-authored-by: Addison Crump <addison.crump@cispa.de>
2 years ago · c1b5f38d11
9 changed files with 153 additions and 26 deletions
--- a/boa_engine/src/context/mod.rs
+++ b/boa_engine/src/context/mod.rs
@ -97,6 +97,10 @@ pub struct Context {
    #[cfg(feature = "intl")]
    icu: icu::Icu,

+    /// Number of instructions remaining before a forced exit
+    #[cfg(feature = "fuzz")]
+    pub(crate) instructions_remaining: usize,
+
    pub(crate) vm: Vm,

    pub(crate) promise_job_queue: VecDeque<JobCallback>,
@ -593,6 +597,8 @@ pub struct ContextBuilder {
    interner: Option<Interner>,
    #[cfg(feature = "intl")]
    icu: Option<icu::Icu>,
+    #[cfg(feature = "fuzz")]
+    instructions_remaining: usize,
 }

 impl ContextBuilder {
@ -615,6 +621,15 @@ impl ContextBuilder {
        Ok(self)
    }

+    /// Specifies the number of instructions remaining to the [`Context`].
+    ///
+    /// This function is only available if the `fuzz` feature is enabled.
+    #[cfg(feature = "fuzz")]
+    pub fn instructions_remaining(mut self, instructions_remaining: usize) -> Self {
+        self.instructions_remaining = instructions_remaining;
+        self
+    }
+
    /// Creates a new [`ContextBuilder`] with a default empty [`Interner`]
    /// and a default [`BoaProvider`] if the `intl` feature is enabled.
    pub fn new() -> Self {
@ -643,6 +658,8 @@ impl ContextBuilder {
                icu::Icu::new(Box::new(icu_testdata::get_provider()))
                    .expect("Failed to initialize default icu data.")
            }),
+            #[cfg(feature = "fuzz")]
+            instructions_remaining: self.instructions_remaining,
            promise_job_queue: VecDeque::new(),
        };

--- a/boa_engine/src/error.rs
+++ b/boa_engine/src/error.rs
@ -503,6 +503,17 @@ impl JsNativeError {
        Self::new(JsNativeErrorKind::Uri, Box::default(), None)
    }

+    /// Creates a new `JsNativeError` that indicates that the context hit its execution limit. This
+    /// is only used in a fuzzing context.
+    #[cfg(feature = "fuzz")]
+    pub fn no_instructions_remain() -> Self {
+        Self::new(
+            JsNativeErrorKind::NoInstructionsRemain,
+            Box::default(),
+            None,
+        )
+    }
+
    /// Sets the message of this error.
    ///
    /// # Examples
@ -619,6 +630,12 @@ impl JsNativeError {
            }
            JsNativeErrorKind::Type => (constructors.type_error().prototype(), ErrorKind::Type),
            JsNativeErrorKind::Uri => (constructors.uri_error().prototype(), ErrorKind::Uri),
+            #[cfg(feature = "fuzz")]
+            JsNativeErrorKind::NoInstructionsRemain => {
+                unreachable!(
+                    "The NoInstructionsRemain native error cannot be converted to an opaque type."
+                )
+            }
        };

        let o = JsObject::from_proto_and_data(prototype, ObjectData::error(tag));
@ -747,6 +764,10 @@ pub enum JsNativeErrorKind {
    /// [e_uri]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
    /// [d_uri]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/decodeURI
    Uri,
+    /// Error thrown when no instructions remain. Only used in a fuzzing context; not a valid JS
+    /// error variant.
+    #[cfg(feature = "fuzz")]
+    NoInstructionsRemain,
 }

 impl std::fmt::Display for JsNativeErrorKind {
@ -760,6 +781,8 @@ impl std::fmt::Display for JsNativeErrorKind {
            JsNativeErrorKind::Syntax => "SyntaxError",
            JsNativeErrorKind::Type => "TypeError",
            JsNativeErrorKind::Uri => "UriError",
+            #[cfg(feature = "fuzz")]
+            JsNativeErrorKind::NoInstructionsRemain => "NoInstructionsRemain",
        }
        .fmt(f)
    }
--- a/boa_engine/src/vm/mod.rs
+++ b/boa_engine/src/vm/mod.rs
@ -7,6 +7,8 @@ use crate::{
    vm::{call_frame::CatchAddresses, code_block::Readable},
    Context, JsResult, JsValue,
 };
+#[cfg(feature = "fuzz")]
+use crate::{JsError, JsNativeError};
 use boa_interner::ToInternedString;
 use boa_profiler::Profiler;
 use std::{convert::TryInto, mem::size_of, time::Instant};
@ -179,6 +181,13 @@ impl Context {
            });

        while self.vm.frame().pc < self.vm.frame().code.code.len() {
+            #[cfg(feature = "fuzz")]
+            if self.instructions_remaining == 0 {
+                return Err(JsError::from_native(JsNativeError::no_instructions_remain()));
+            } else {
+                self.instructions_remaining -= 1;
+            }
+
            let result = if self.vm.trace {
                let mut pc = self.vm.frame().pc;
                let opcode: Opcode = self
--- a/fuzz/Cargo.lock
+++ b/fuzz/Cargo.lock
@ -59,7 +59,6 @@ dependencies = [
 "chrono",
 "dyn-clone",
 "fast-float",
- "gc",
 "indexmap",
 "num-bigint",
 "num-integer",
@ -93,7 +92,8 @@ dependencies = [
 name = "boa_gc"
 version = "0.16.0"
 dependencies = [
- "gc",
+ "boa_macros",
+ "boa_profiler",
 ]

 [[package]]
@ -113,8 +113,10 @@ dependencies = [
 name = "boa_macros"
 version = "0.16.0"
 dependencies = [
+ "proc-macro2",
 "quote",
 "syn",
+ "synstructure",
 ]

 [[package]]
@ -167,9 +169,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"

 [[package]]
 name = "chrono"
-version = "0.4.22"
+version = "0.4.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bfd4d1b31faaa3a89d7934dbded3111da0d2ef28e3ebccdb4f0179f5929d1ef1"
+checksum = "16b0a3d9ed01224b22057780a37bb8c5dbfe1be8ba48678e7bf57ec4b385411f"
 dependencies = [
 "iana-time-zone",
 "js-sys",
@ -263,27 +265,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "95765f67b4b18863968b4a1bd5bb576f732b29a4a28c7cd84c09fa3e2875f33c"

-[[package]]
-name = "gc"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3edaac0f5832202ebc99520cb77c932248010c4645d20be1dc62d6579f5b3752"
-dependencies = [
- "gc_derive",
-]
-
-[[package]]
-name = "gc_derive"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60df8444f094ff7885631d80e78eb7d88c3c2361a98daaabb06256e4500db941"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
- "synstructure",
-]
-
 [[package]]
 name = "getrandom"
 version = "0.2.8"
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -27,3 +27,15 @@ name = "parser-idempotency"
 path = "fuzz_targets/parser-idempotency.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "vm-implied"
+path = "fuzz_targets/vm-implied.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "bytecompiler-implied"
+path = "fuzz_targets/bytecompiler-implied.rs"
+test = false
+doc = false
--- a/fuzz/README.md
+++ b/fuzz/README.md
@ -35,3 +35,22 @@ following:
     information, as the inputs parsed between the two should be the same.

 In this way, this fuzzer can identify correctness issues present in the parser.
+
+## Bytecompiler Fuzzer
+
+The bytecompiler fuzzer, located in [bytecompiler-implied.rs](fuzz_targets/bytecompiler-implied.rs), identifies cases
+which cause an assertion failure in the bytecompiler. These crashes can cause denial of service issues and may block the
+discovery of crash cases in the VM fuzzer.
+
+## VM Fuzzer
+
+The VM fuzzer, located in [vm-implied.rs](fuzz_targets/vm-implied.rs), identifies crash cases in the VM. It does so by
+generating an arbitrary AST, converting it to source code (to remove invalid inputs), then executing that source code.
+Because we are not comparing against any invariants other than "does it crash", this fuzzer will only discover faults
+which cause the VM to terminate unexpectedly, e.g. as a result of a panic. It will not discover logic errors present in
+the VM.
+
+To ensure that the VM does not attempt to execute an infinite loop, Boa is restricted to a finite number of instructions
+before the VM is terminated. If a program takes more than a second or so to execute, it likely indicates an issue in the
+VM (as we expect the fuzzer to execute only a certain amount of instructions, which should take significantly less
+time).
--- a/fuzz/fuzz_targets/bytecompiler-implied.rs
+++ b/fuzz/fuzz_targets/bytecompiler-implied.rs
@ -0,0 +1,25 @@
+#![no_main]
+
+mod common;
+
+use crate::common::FuzzSource;
+use boa_engine::Context;
+use boa_parser::Parser;
+use libfuzzer_sys::{fuzz_target, Corpus};
+use std::io::Cursor;
+
+fn do_fuzz(original: FuzzSource) -> Corpus {
+    let mut ctx = Context::builder()
+        .interner(original.interner)
+        .instructions_remaining(0)
+        .build();
+    let mut parser = Parser::new(Cursor::new(&original.source));
+    if let Ok(parsed) = parser.parse_all(ctx.interner_mut()) {
+        let _ = ctx.compile(&parsed);
+        Corpus::Keep
+    } else {
+        Corpus::Reject
+    }
+}
+
+fuzz_target!(|original: FuzzSource| -> Corpus { do_fuzz(original) });
--- a/fuzz/fuzz_targets/common.rs
+++ b/fuzz/fuzz_targets/common.rs
@ -2,7 +2,7 @@ use boa_ast::{
    visitor::{VisitWith, VisitorMut},
    Expression, StatementList,
 };
-use boa_interner::{Interner, Sym};
+use boa_interner::{Interner, Sym, ToInternedString};
 use libfuzzer_sys::arbitrary;
 use libfuzzer_sys::arbitrary::{Arbitrary, Unstructured};
 use std::fmt::{Debug, Formatter};
@ -72,3 +72,25 @@ impl Debug for FuzzData {
            .finish_non_exhaustive()
    }
 }
+
+pub struct FuzzSource {
+    pub interner: Interner,
+    pub source: String,
+}
+
+impl<'a> Arbitrary<'a> for FuzzSource {
+    fn arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self> {
+        let data = FuzzData::arbitrary(u)?;
+        let source = data.ast.to_interned_string(&data.interner);
+        Ok(Self {
+            interner: data.interner,
+            source,
+        })
+    }
+}
+
+impl Debug for FuzzSource {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        f.write_fmt(format_args!("Fuzzed source:\n{}", self.source))
+    }
+}
--- a/fuzz/fuzz_targets/vm-implied.rs
+++ b/fuzz/fuzz_targets/vm-implied.rs
@ -0,0 +1,19 @@
+#![no_main]
+
+mod common;
+
+use crate::common::FuzzSource;
+use boa_engine::{Context, JsResult, JsValue};
+use libfuzzer_sys::fuzz_target;
+
+fn do_fuzz(original: FuzzSource) -> JsResult<JsValue> {
+    let mut ctx = Context::builder()
+        .interner(original.interner)
+        .instructions_remaining(1 << 16)
+        .build();
+    ctx.eval(&original.source)
+}
+
+fuzz_target!(|original: FuzzSource| {
+    let _ = do_fuzz(original);
+});