Misc improvements / javascript parser proto fuzzer.

- Add modules. - Misc additions to the dictionary (based on the coverage report). - Pass the command line flags to V8 (for debugging purposes). Bug: Change-Id: Ic0777906cbfd86f1c551df33b7af95e0a5a26b0f Reviewed-on: https://chromium-review.googlesource.com/727806Reviewed-by: Jonathan Metzman <metzman@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#510084}

Misc improvements / javascript parser proto fuzzer.
- Add modules. - Misc additions to the dictionary (based on the coverage report). - Pass the command line flags to V8 (for debugging purposes). Bug: Change-Id: Ic0777906cbfd86f1c551df33b7af95e0a5a26b0f Reviewed-on: https://chromium-review.googlesource.com/727806Reviewed-by: Jonathan Metzman <metzman@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/master@{#510084}
5bfe9338 · Marja Hölttä · Commit Bot · bf382246 · 5bfe9338 · 5bfe9338
Commit 5bfe9338 authored Oct 19, 2017 by Marja Hölttä Committed by Commit Bot Oct 19, 2017
3 changed files
--- a/testing/libfuzzer/fuzzers/dicts/javascript_parser_proto.dict
+++ b/testing/libfuzzer/fuzzers/dicts/javascript_parser_proto.dict
@@ -182,6 +182,18 @@ $0 "," $1
 "for (" $0 "in" $1 ") {" $2 "}"
 "for (" $0 "of" $1 ")" $2
 "for (" $0 "of" $1 ") {" $2 "}"
+"for (" $0 ";" $1 ";" $2 ")" $3
+"for (" $0 ";" $1 ";" $2 ") {" $3 "}"
+"for await (" $0 ")" $1
+"for await (" $0 ") {" $1 " }"
+"for await (" $0 "in" $1 ")" $2
+"for await (" $0 "in" $1 ") {" $2 "}"
+"for await (" $0 "of" $1 ")" $2
+"for await (" $0 "of" $1 ") {" $2 "}"
+"for await (" $0 ";" $1 ";" $2 ")" $3
+"for await (" $0 ";" $1 ";" $2 ") {" $3 "}"
+"while (" $0 ")" $1
+"while (" $0 ") {" $1 "}"
 "continue"
 "continue;"
 "continue" $0
@@ -195,7 +207,9 @@ $0 "," $1

 # Switch statements
 "switch (" $0 ")" $1
+"switch (" $0 ") {" $1 "}"
 "case" $0 ": " $1
+"case" $0 ": {" $1 "}"
 "default :" $0

 # Try-catch statements
@@ -278,3 +292,16 @@ $0 "`foo`"

 # Conditional expression
 $0 "?" $1 ":" $2
+$0 "?" $1 ":" $2 ";"
+
+# Assignment expressions
+$0 "=" $1
+$0 "=" $1 ";"
+
+# Import / export (for modules)
+"import" $0 ";"
+"export" $0 ";"
+
+# Misc.
+"eval('');"
+
--- a/testing/libfuzzer/fuzzers/generate_javascript_parser_proto.py
+++ b/testing/libfuzzer/fuzzers/generate_javascript_parser_proto.py
@@ -100,7 +100,8 @@ def main(argv):
                  '}\n'
                  '\n'
                  'message Source {\n'
-                  '  repeated Token tokens = 1;\n'
+                  '  required bool is_module = 1;\n'
+                  '  repeated Token tokens = 2;\n'
                  '}\n')

  proto_contents = proto_header + GenerateProtoContents(words) + proto_footer

--- a/testing/libfuzzer/fuzzers/javascript_parser_proto_fuzzer.cc
+++ b/testing/libfuzzer/fuzzers/javascript_parser_proto_fuzzer.cc
@@ -26,6 +26,7 @@ std::string protobuf_to_string(
 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
  v8::V8::InitializeICUDefaultLocation((*argv)[0]);
  v8::V8::InitializeExternalStartupData((*argv)[0]);
+  v8::V8::SetFlagsFromCommandLine(argc, *argv, true);

  v8::Platform* platform = v8::platform::CreateDefaultPlatform();
  v8::V8::InitializePlatform(platform);
@@ -46,7 +47,7 @@ DEFINE_BINARY_PROTO_FUZZER(
  v8::Context::Scope context_scope(context);

  std::string source_string = protobuf_to_string(source_protobuf);
-  v8::Local<v8::String> source =
+  v8::Local<v8::String> source_v8_string =
      v8::String::NewFromUtf8(isolate, source_string.c_str(),
                              v8::NewStringType::kNormal)
          .ToLocalChecked();
@@ -54,9 +55,28 @@ DEFINE_BINARY_PROTO_FUZZER(
  {
    v8::TryCatch try_catch(isolate);

-    v8::MaybeLocal<v8::Script> script = v8::Script::Compile(context, source);
-    // TODO(marja): Figure out a more elegant way to silence the warning.
-    script.IsEmpty();
+    if (source_protobuf.is_module()) {
+      v8::Local<v8::String> name =
+          v8::String::NewFromUtf8(isolate, "module.js",
+                                  v8::NewStringType::kNormal)
+              .ToLocalChecked();
+
+      v8::ScriptOrigin origin(
+          name, v8::Local<v8::Integer>(), v8::Local<v8::Integer>(),
+          v8::Local<v8::Boolean>(), v8::Local<v8::Integer>(),
+          v8::Local<v8::Value>(), v8::Local<v8::Boolean>(),
+          v8::Local<v8::Boolean>(), v8::True(isolate));
+      v8::ScriptCompiler::Source source(source_v8_string, origin);
+      v8::MaybeLocal<v8::Module> module =
+          v8::ScriptCompiler::CompileModule(isolate, &source);
+      // TODO(marja): Figure out a more elegant way to silence the warning.
+      module.IsEmpty();
+    } else {
+      v8::MaybeLocal<v8::Script> script =
+          v8::Script::Compile(context, source_v8_string);
+      // TODO(marja): Figure out a more elegant way to silence the warning.
+      script.IsEmpty();
+    }

    // TODO(crbug.com/775796): run the code once we find a way to avoid endless
    // loops.