Add a JSParser target to fuzz-tests using libFuzzer
Categories: Core :: JavaScript Engine, enhancement, P2
People: Reporter: decoder, Assigned: decoder
Keywords: sec-other, sec-want; Whiteboard: [post-critsmash-triage][adv-main79-]
We should add a simple target to js/src/fuzz-tests that takes the libFuzzer-provided input and feeds it directly to JS::Evaluate. This will probably not find many runtime bugs, but it will stress the parser a lot, in particular error paths in the parser that our normal JS fuzzers try to avoid. Especially with some new syntax being added to JS (BigInts, Nullish Coalescing, etc.), this target should be able to provide additional value whenever we make parser changes. Historically, we have found such bugs before (mostly by accident through LangFuzz because the grammar is not perfect). Implementation should be trivial, I'll make a patch.
Marking this s-s because we need to do some testing first before landing this code to m-c to ensure we don't 0-day ourselves.
Comment 1•4 years ago
Comment 2•4 years ago
I had this backed out (https://hg.mozilla.org/integration/autoland/rev/cfc3b847727f6a9a284433db34ebfee7f5bb1882) because of linter failures. Apparently the linter considers all JS shell functions as undefined.
I will push a fixed patch next week.
Comment 3•4 years ago
https://hg.mozilla.org/integration/autoland/rev/a049b02d8c985f78da32fef1979d7e4e72636b43
https://hg.mozilla.org/mozilla-central/rev/a049b02d8c98