This Pull Request offers a basic VM fuzzer which relies on implied oracles (namely, "does it crash or timeout?"). It changes the following: - Adds an insns_remaining field to Context, denoting the number of instructions remaining to execute (only available when fuzzing) - Adds a JsNativeError variant, denoting when the number of instructions has been exceeded (only available when fuzzing) - Adds a VM fuzzer which looks for cases where Boa may crash on an input This offers no guarantees about correctness; it only detects assertion violations (crashes and timeouts). Depends on #2400. Any issues I raise that were found by this fuzzer will link back to this PR. You may run the fuzzer using the following commands: ```bash $ cd boa_engine $ cargo +nightly fuzz run -s none vm-implied ``` Co-authored-by: Addison Crump <addison.crump@cispa.de>pull/2441/head
Addison Crump
2 years ago
9 changed files with 153 additions and 26 deletions
@ -0,0 +1,25 @@
|
||||
#![no_main] |
||||
|
||||
mod common; |
||||
|
||||
use crate::common::FuzzSource; |
||||
use boa_engine::Context; |
||||
use boa_parser::Parser; |
||||
use libfuzzer_sys::{fuzz_target, Corpus}; |
||||
use std::io::Cursor; |
||||
|
||||
fn do_fuzz(original: FuzzSource) -> Corpus { |
||||
let mut ctx = Context::builder() |
||||
.interner(original.interner) |
||||
.instructions_remaining(0) |
||||
.build(); |
||||
let mut parser = Parser::new(Cursor::new(&original.source)); |
||||
if let Ok(parsed) = parser.parse_all(ctx.interner_mut()) { |
||||
let _ = ctx.compile(&parsed); |
||||
Corpus::Keep |
||||
} else { |
||||
Corpus::Reject |
||||
} |
||||
} |
||||
|
||||
fuzz_target!(|original: FuzzSource| -> Corpus { do_fuzz(original) }); |
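Review bot: The target has no module-level documentation, and `.instructions_remaining(0)` reads like a bug to anyone who has not read the PR description, because this file only parses and compiles and never executes the compiled code. A `//!` header stating that the only oracle is a panic in the parser or bytecompiler, and that the `Err` from `ctx.compile` is discarded on purpose, would make the intent explicit; above the builder I would add `// Nothing is executed by this target, so no instruction budget is needed.` Deeply nested input can overflow the stack in a recursive parser or compiler and libFuzzer will report that as a crash, which is a legitimate DoS finding rather than noise, so it is worth saying in the header so triagers do not dismiss it. How the budget is enforced is outside this hunk, so whether 0 is safe for anything `compile` may evaluate internally (e.g. constant folding) should be confirmed there.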
@ -0,0 +1,19 @@
|
||||
#![no_main] |
||||
|
||||
mod common; |
||||
|
||||
use crate::common::FuzzSource; |
||||
use boa_engine::{Context, JsResult, JsValue}; |
||||
use libfuzzer_sys::fuzz_target; |
||||
|
||||
fn do_fuzz(original: FuzzSource) -> JsResult<JsValue> { |
||||
let mut ctx = Context::builder() |
||||
.interner(original.interner) |
||||
.instructions_remaining(1 << 16) |
||||
.build(); |
||||
ctx.eval(&original.source) |
||||
} |
||||
|
||||
fuzz_target!(|original: FuzzSource| { |
||||
let _ = do_fuzz(original); |
||||
}); |
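Review bot: The `1 << 16` budget passed to `instructions_remaining` bounds only bytecode dispatch, so a single call into a native builtin with attacker-chosen size (a huge string repeat, a large array allocation, a backtracking regex) can still run unbounded or exhaust memory before the new budget error is ever raised; those cases will surface as libFuzzer timeouts and OOMs rather than as the budget error, which is fine for finding DoS bugs but should be stated so they are triaged rather than dismissed. I would add `// Bounds bytecode execution only; native builtins are still limited by libFuzzer's -timeout/-rss_limit_mb.` above the builder call. Unlike the sibling compile-only target, this one returns nothing from `fuzz_target!`, so inputs that fail to parse stay in the corpus; parsing first and returning `Corpus::Reject` on a parse error, as the other target does, would keep the corpus focused on executable programs. How `insns_remaining` is actually decremented is outside this hunk, so the exact coverage of the budget should be confirmed there.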