1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2  * vim: set ts=8 sts=2 et sw=2 tw=80:
3  * This Source Code Form is subject to the terms of the Mozilla Public
4  * License, v. 2.0. If a copy of the MPL was not distributed with this
5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
6 
7 #include "shell/jsrtfuzzing/jsrtfuzzing.h"
8 
9 #include "mozilla/ArrayUtils.h"  // mozilla::ArrayLength
10 #include "mozilla/Assertions.h"  // MOZ_CRASH
11 #include "mozilla/Utf8.h"        // mozilla::Utf8Unit
12 
13 #include <stdio.h>  // fflush, fprintf, fputs
14 
15 #include "FuzzerDefs.h"
16 #include "FuzzingInterface.h"
17 #include "jsapi.h"  // JS_ClearPendingException, JS_IsExceptionPending, JS_SetProperty
18 
19 #include "js/CompilationAndEvaluation.h"  // JS::Evaluate
20 #include "js/CompileOptions.h"            // JS::CompileOptions
21 #include "js/ErrorReport.h"               // JS::PrintError
22 #include "js/Exception.h"                 // JS::StealPendingExceptionStack
23 #include "js/RootingAPI.h"                // JS::Rooted
24 #include "js/SourceText.h"                // JS::Source{Ownership,Text}
25 #include "js/Value.h"                     // JS::Value
26 #include "shell/jsshell.h"  // js::shell::{reportWarnings,PrintStackTrace,sArg{c,v}}
27 #include "vm/Interpreter.h"
28 #include "vm/TypedArrayObject.h"
29 
30 #include "vm/ArrayBufferObject-inl.h"
31 #include "vm/JSContext-inl.h"
32 
33 static JSContext* gCx = nullptr;
34 static std::string gFuzzModuleName;
35 
CrashOnPendingException()36 static void CrashOnPendingException() {
37   if (JS_IsExceptionPending(gCx)) {
38     JS::ExceptionStack exnStack(gCx);
39     (void)JS::StealPendingExceptionStack(gCx, &exnStack);
40 
41     JS::ErrorReportBuilder report(gCx);
42     if (!report.init(gCx, exnStack, JS::ErrorReportBuilder::WithSideEffects)) {
43       fprintf(stderr, "out of memory initializing JS::ErrorReportBuilder\n");
44       fflush(stderr);
45     } else {
46       JS::PrintError(gCx, stderr, report, js::shell::reportWarnings);
47       if (!js::shell::PrintStackTrace(gCx, exnStack.stack())) {
48         fputs("(Unable to print stack trace)\n", stderr);
49       }
50     }
51 
52     MOZ_CRASH("Unhandled exception from JS runtime!");
53   }
54 }
55 
FuzzJSRuntimeStart(JSContext * cx,int * argc,char *** argv)56 int js::shell::FuzzJSRuntimeStart(JSContext* cx, int* argc, char*** argv) {
57   gCx = cx;
58   gFuzzModuleName = getenv("FUZZER");
59 
60   int ret = FuzzJSRuntimeInit(argc, argv);
61   if (ret) {
62     fprintf(stderr, "Fuzzing Interface: Error: Initialize callback failed\n");
63     return ret;
64   }
65 
66 #ifdef LIBFUZZER
67   fuzzer::FuzzerDriver(&shell::sArgc, &shell::sArgv, FuzzJSRuntimeFuzz);
68 #elif __AFL_COMPILER
69   MOZ_CRASH("AFL is unsupported for JS runtime fuzzing integration");
70 #endif
71   return 0;
72 }
73 
FuzzJSRuntimeInit(int * argc,char *** argv)74 int js::shell::FuzzJSRuntimeInit(int* argc, char*** argv) {
75   JS::Rooted<JS::Value> v(gCx);
76   JS::CompileOptions opts(gCx);
77 
78   // Load the fuzzing module specified in the FUZZER environment variable
79   JS::EvaluateUtf8Path(gCx, opts, gFuzzModuleName.c_str(), &v);
80 
81   // Any errors while loading the fuzzing module should be fatal
82   CrashOnPendingException();
83 
84   return 0;
85 }
86 
FuzzJSRuntimeFuzz(const uint8_t * buf,size_t size)87 int js::shell::FuzzJSRuntimeFuzz(const uint8_t* buf, size_t size) {
88   if (!size) {
89     return 0;
90   }
91 
92   JS::Rooted<JSObject*> arr(gCx, JS_NewUint8ClampedArray(gCx, size));
93   if (!arr) {
94     MOZ_CRASH("OOM");
95   }
96 
97   do {
98     JS::AutoCheckCannotGC nogc;
99     bool isShared;
100     uint8_t* data = JS_GetUint8ClampedArrayData(arr, &isShared, nogc);
101     MOZ_RELEASE_ASSERT(!isShared);
102     memcpy(data, buf, size);
103   } while (false);
104 
105   JS::RootedValue arrVal(gCx, JS::ObjectValue(*arr));
106   if (!JS_SetProperty(gCx, gCx->global(), "fuzzBuf", arrVal)) {
107     MOZ_CRASH("JS_SetProperty failed");
108   }
109 
110   JS::Rooted<JS::Value> v(gCx);
111   JS::CompileOptions opts(gCx);
112 
113   static const char data[] = "JSFuzzIterate();";
114 
115   JS::SourceText<mozilla::Utf8Unit> srcBuf;
116   if (!srcBuf.init(gCx, data, mozilla::ArrayLength(data) - 1,
117                    JS::SourceOwnership::Borrowed)) {
118     return 1;
119   }
120 
121   if (!JS::Evaluate(gCx, opts.setFileAndLine(__FILE__, __LINE__), srcBuf, &v) &&
122       !JS_IsExceptionPending(gCx)) {
123     // A return value of `false` without a pending exception indicates
124     // a timeout as triggered by the `timeout` shell function.
125     return 1;
126   }
127 
128   // The fuzzing module is required to handle any exceptions
129   CrashOnPendingException();
130 
131   int32_t ret = 0;
132   if (!ToInt32(gCx, v, &ret)) {
133     MOZ_CRASH("Must return an int32 compatible return value!");
134   }
135 
136   return ret;
137 }
138