Misc improvements / javascript parser proto fuzzer.

- Add modules.
- Misc additions to the dictionary (based on the coverage report).
- Pass the command line flags to V8 (for debugging purposes).

Bug: 
Change-Id: Ic0777906cbfd86f1c551df33b7af95e0a5a26b0f
Reviewed-on: https://chromium-review.googlesource.com/727806Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#510084}

testing/libfuzzer/fuzzers/dicts/javascript_parser_proto.dict

@@ -182,6 +182,18 @@ $0 "," $1
 "for (" $0 "in" $1 ") {" $2 "}"
 "for (" $0 "of" $1 ")" $2
 "for (" $0 "of" $1 ") {" $2 "}"
+"for (" $0 ";" $1 ";" $2 ")" $3
+"for (" $0 ";" $1 ";" $2 ") {" $3 "}"
+"for await (" $0 ")" $1
+"for await (" $0 ") {" $1 " }"
+"for await (" $0 "in" $1 ")" $2
+"for await (" $0 "in" $1 ") {" $2 "}"
+"for await (" $0 "of" $1 ")" $2
+"for await (" $0 "of" $1 ") {" $2 "}"
+"for await (" $0 ";" $1 ";" $2 ")" $3
+"for await (" $0 ";" $1 ";" $2 ") {" $3 "}"
+"while (" $0 ")" $1
+"while (" $0 ") {" $1 "}"
 "continue"
 "continue;"
 "continue" $0
@@ -195,7 +207,9 @@ $0 "," $1
 
 # Switch statements
 "switch (" $0 ")" $1
+"switch (" $0 ") {" $1 "}"
 "case" $0 ": " $1
+"case" $0 ": {" $1 "}"
 "default :" $0
 
 # Try-catch statements
@@ -278,3 +292,16 @@ $0 "`foo`"
 
 # Conditional expression
 $0 "?" $1 ":" $2
+$0 "?" $1 ":" $2 ";"
+
+# Assignment expressions
+$0 "=" $1
+$0 "=" $1 ";"
+
+# Import / export (for modules)
+"import" $0 ";"
+"export" $0 ";"
+
+# Misc.
+"eval('');"
+

testing/libfuzzer/fuzzers/generate_javascript_parser_proto.py

@@ -100,7 +100,8 @@ def main(argv):
                   '}\n'
                   '\n'
                   'message Source {\n'
-                  '  repeated Token tokens = 1;\n'
+                  '  required bool is_module = 1;\n'
+                  '  repeated Token tokens = 2;\n'
                   '}\n')
 
   proto_contents = proto_header + GenerateProtoContents(words) + proto_footer

testing/libfuzzer/fuzzers/javascript_parser_proto_fuzzer.cc

@@ -26,6 +26,7 @@ std::string protobuf_to_string(
 extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
   v8::V8::InitializeICUDefaultLocation((*argv)[0]);
   v8::V8::InitializeExternalStartupData((*argv)[0]);
+  v8::V8::SetFlagsFromCommandLine(argc, *argv, true);
 
   v8::Platform* platform = v8::platform::CreateDefaultPlatform();
   v8::V8::InitializePlatform(platform);
@@ -46,7 +47,7 @@ DEFINE_BINARY_PROTO_FUZZER(
   v8::Context::Scope context_scope(context);
 
   std::string source_string = protobuf_to_string(source_protobuf);
-  v8::Local<v8::String> source =
+  v8::Local<v8::String> source_v8_string =
       v8::String::NewFromUtf8(isolate, source_string.c_str(),
                               v8::NewStringType::kNormal)
           .ToLocalChecked();
@@ -54,9 +55,28 @@ DEFINE_BINARY_PROTO_FUZZER(
   {
     v8::TryCatch try_catch(isolate);
 
-    v8::MaybeLocal<v8::Script> script = v8::Script::Compile(context, source);
+    if (source_protobuf.is_module()) {
+      v8::Local<v8::String> name =
+          v8::String::NewFromUtf8(isolate, "module.js",
+                                  v8::NewStringType::kNormal)
+              .ToLocalChecked();
+
+      v8::ScriptOrigin origin(
+          name, v8::Local<v8::Integer>(), v8::Local<v8::Integer>(),
+          v8::Local<v8::Boolean>(), v8::Local<v8::Integer>(),
+          v8::Local<v8::Value>(), v8::Local<v8::Boolean>(),
+          v8::Local<v8::Boolean>(), v8::True(isolate));
+      v8::ScriptCompiler::Source source(source_v8_string, origin);
+      v8::MaybeLocal<v8::Module> module =
+          v8::ScriptCompiler::CompileModule(isolate, &source);
+      // TODO(marja): Figure out a more elegant way to silence the warning.
+      module.IsEmpty();
+    } else {
+      v8::MaybeLocal<v8::Script> script =
+          v8::Script::Compile(context, source_v8_string);
       // TODO(marja): Figure out a more elegant way to silence the warning.
       script.IsEmpty();
+    }
 
     // TODO(crbug.com/775796): run the code once we find a way to avoid endless
     // loops.