Closed Bug 1431443 Opened 6 years ago Closed 6 years ago

Land JS fuzzing target for BinASTReader

Categories

(Core :: JavaScript Engine, defect, P2)

All
Linux
defect

Tracking

RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- fixed

People

(Reporter: decoder, Assigned: decoder)

References

Details

(Keywords: sec-want)

Attachments

(1 file)

This bug is about landing a fuzzing target for BinASTReader once bug 1431090 has landed. The current implementation is not enabled in our codebase, but marking this s-s nonetheless because I don't know for sure if this won't be enabled in Nightly for testing purposes at any point in time.
Priority: -- → P2
Fuzzing target for BinAST, derived from the jsapi-test we already had. This will probably work best with the next revision of BinAST that is coming up now because the current format doesn't work well for fuzzing. I made additional local patches to the implementation itself to make it easier to fuzz but found only minor bugs.
Attachment #8951232 - Flags: review?(jdemooij)
Attachment #8951232 - Flags: review?(dteller)
Comment on attachment 8951232 [details] [diff] [review]
fuzzing-target-binast.patch

Review of attachment 8951232 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/fuzz-tests/testBinASTReader.cpp
@@ +40,5 @@
> +
> +    if (!size) return 0;
> +
> +    CompileOptions options(gCx);
> +    options.setIntroductionType("unit test parse")
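Review bot: the introduction type set on the last line of this hunk, `options.setIntroductionType("unit test parse")`, mislabels the fuzzing target as a unit test, and that string is what any introduction-type-based diagnostics will report; a label that names the fuzzer instead would be clearer. The `if (!size) return 0;` guard above it is the right shape for a libFuzzer entry point, since it rejects the empty input before any compile options or parser state are set up.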

Nit: It's not a unit test :)

::: js/src/moz.build
@@ +682,5 @@
>          'frontend/BinToken.cpp'
>      ]
>  
> +    # Instrument BinAST files for fuzzing as we have a fuzzing target for BinAST.
> +    if CONFIG['FUZZING_INTERFACES'] and CONFIG['LIBFUZZER']:
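Review bot: the condition `if CONFIG['FUZZING_INTERFACES'] and CONFIG['LIBFUZZER']:` gates the instrumentation only on the fuzzing build flags, while the comment above it says the block exists for the BinAST fuzzing target; nothing ties it to whether BinAST is actually compiled. Extending the condition with `and CONFIG['JS_BUILD_BINAST']` keeps the instrumentation on the same switch as the BinAST sources listed just above the hunk.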

Don't we also need CONFIG['JS_BUILD_BINAST']?
Attachment #8951232 - Flags: review?(dteller) → review+
Comment on attachment 8951232 [details] [diff] [review]
fuzzing-target-binast.patch

Review of attachment 8951232 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM, modulo Yoric's comment.
Attachment #8951232 - Flags: review?(jdemooij) → review+
Group: javascript-core-security → core-security-release
Group: core-security-release