Closed Bug 1439737 Opened 8 years ago Closed 1 year ago

Further structured clone deserialize fuzzing

Categories

(Core :: JavaScript Engine, enhancement, P2)

RESOLVED INCOMPLETE

People

(Reporter: jorendorff, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-audit)

1. The JS engine allows the browser to add ReadStructuredClone hooks, to support serializing additional object types that exist only in the browser. https://searchfox.org/mozilla-central/search?q=ReadStructuredClone These hooks represent exactly the same kind of risk as the code in StructuredClone.cpp, but shell-based fuzzing can't test them. The hooks aren't present in the shell.

2. Structured cloning has a version number and a `scope` argument which I guess we currently don't fuzz? Maybe we don't need to, but we should check.

If there are bugs, we may want to make API changes so that it's easier for hook authors to avoid pitfalls.
We could use the libfuzzer-based approach for testing these if we can come up with C++ targets that instantiate these classes in a useful way (similar to how gtests would do it). I can look at some of these targets later, but this might need help from the respective developers in order to know how to use these classes properly (if they already have gtests, it should be easier).
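To make the two concerns above concrete (an embedder read hook that must bounds-check its own payload, and a version/scope header the fuzzer should be able to reach), here is an added toy model written for this page. It is not SpiderMonkey or Gecko code and does not use the real JSStructuredCloneCallbacks API; every type and function name in it (toyclone::Reader, blobHook, deserialize, sampleMessage) is hypothetical, and the wire layout is made up for the illustration. What it shows is the shape of a libFuzzer target that drives a deserializer through its header checks and into an embedder hook, the way the C++ targets suggested in the comment above would.

```cpp
// Added illustration, not Mozilla/SpiderMonkey code: a toy structured-clone-style
// reader with a version/scope header and an embedder "read hook" for tags the core
// reader does not know, plus a libFuzzer-style entry point. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <string>
#include <utility>
#include <vector>

namespace toyclone {

enum class Scope : uint8_t { SameProcess = 0, DifferentProcess = 1 };
constexpr uint32_t kMaxSupportedVersion = 2;
constexpr int kMaxDepth = 64;
enum Tag : uint8_t { TAG_INT32 = 1, TAG_STRING = 2, TAG_ARRAY = 3, TAG_BLOB = 0x80 };

inline uint32_t le32(const uint8_t* d) {  // little-endian u32, host-independent
  return uint32_t(d[0]) | (uint32_t(d[1]) << 8) | (uint32_t(d[2]) << 16) | (uint32_t(d[3]) << 24);
}

// Embedder hook: given the tag and the unread bytes, parse its payload. It must set
// *consumed (<= len) and *out on success; returning false aborts deserialization.
using ReadHook = std::function<bool(uint8_t tag, const uint8_t* data, size_t len,
                                    size_t* consumed, std::string* out)>;

class Reader {
 public:
  Reader(const uint8_t* d, size_t n, Scope scope, ReadHook hook)
      : p_(d), end_(d + n), scope_(scope), hook_(std::move(hook)) {}

  // Header: u32 version, u8 scope the data was written for.
  bool readHeader(uint32_t* version) {
    uint8_t scopeByte;
    if (!readU32(version) || !readU8(&scopeByte)) return false;
    if (*version == 0 || *version > kMaxSupportedVersion) return false;
    if (scopeByte > static_cast<uint8_t>(Scope::DifferentProcess)) return false;
    // Same-process data may carry process-local references; refuse to read it
    // under the broader different-process scope requested by the caller.
    return !(static_cast<Scope>(scopeByte) == Scope::SameProcess &&
             scope_ == Scope::DifferentProcess);
  }

  bool readValue(std::string* out, int depth) {
    if (depth > kMaxDepth) return false;  // bound recursion on nested arrays
    uint8_t tag;
    if (!readU8(&tag)) return false;
    switch (tag) {
      case TAG_INT32: { uint32_t v; if (!readU32(&v)) return false;
        *out = std::to_string(static_cast<int32_t>(v)); return true; }
      case TAG_STRING: { uint32_t len; if (!readU32(&len) || len > remaining()) return false;
        *out = "\"" + std::string(reinterpret_cast<const char*>(p_), len) + "\"";
        p_ += len; return true; }
      case TAG_ARRAY: { uint32_t count;  // each element costs >= 1 byte, so count <= remaining
        if (!readU32(&count) || count > remaining()) return false;
        std::string acc = "[";
        for (uint32_t i = 0; i < count; ++i) { std::string el;
          if (!readValue(&el, depth + 1)) return false; acc += (i ? "," : "") + el; }
        *out = acc + "]"; return true; }
      default:  // tags >= 0x80 belong to the embedder; anything else is malformed
        if (tag < 0x80 || !hook_) return false;
        size_t consumed = 0;
        if (!hook_(tag, p_, remaining(), &consumed, out) || consumed > remaining()) return false;
        p_ += consumed; return true;
    }
  }
  size_t remaining() const { return static_cast<size_t>(end_ - p_); }

 private:
  bool readU8(uint8_t* v) { if (remaining() < 1) return false; *v = *p_++; return true; }
  bool readU32(uint32_t* v) { if (remaining() < 4) return false; *v = le32(p_); p_ += 4; return true; }
  const uint8_t* p_; const uint8_t* end_; Scope scope_; ReadHook hook_;
};

// Embedder hook for TAG_BLOB: payload is u32 size + bytes. A hook that trusted `size`
// without checking it against `len` would read past the buffer; this one checks.
bool blobHook(uint8_t tag, const uint8_t* d, size_t len, size_t* consumed, std::string* out) {
  if (tag != TAG_BLOB || len < 4) return false;
  uint32_t size = le32(d);
  if (size > len - 4) return false;
  *consumed = 4 + size;
  *out = "blob(" + std::to_string(size) + ")";
  return true;
}

bool deserialize(const std::vector<uint8_t>& buf, Scope scope, std::string* out) {
  Reader r(buf.data(), buf.size(), scope, blobHook);
  uint32_t version;
  if (!r.readHeader(&version) || !r.readValue(out, 0)) return false;
  return r.remaining() == 0;  // trailing bytes mean a malformed message
}

static void putU32(std::vector<uint8_t>& b, uint32_t v) {
  for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>((v >> (8 * i)) & 0xff));
}

// Constructed sample (not a real clone buffer): version 2, DifferentProcess scope,
// the array [42, "hi", blob(3)].
std::vector<uint8_t> sampleMessage() {
  std::vector<uint8_t> b;
  putU32(b, 2); b.push_back(1);
  b.push_back(TAG_ARRAY); putU32(b, 3);
  b.push_back(TAG_INT32); putU32(b, 42);
  b.push_back(TAG_STRING); putU32(b, 2); b.push_back('h'); b.push_back('i');
  b.push_back(TAG_BLOB); putU32(b, 3); b.push_back(1); b.push_back(2); b.push_back(3);
  return b;
}
}  // namespace toyclone

// libFuzzer entry point: first byte selects the caller's scope, the rest is the message,
// so the fuzzer exercises the scope check as well as the hook, not only the core tags.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  if (size < 1) return 0;
  toyclone::Scope scope = (data[0] & 1) ? toyclone::Scope::DifferentProcess
                                        : toyclone::Scope::SameProcess;
  std::vector<uint8_t> msg(data + 1, data + size);
  std::string out;
  toyclone::deserialize(msg, scope, &out);  // must never crash, whatever the bytes
  return 0;
}
```

The point of letting the fuzzer choose the scope byte separately from the message is the second item in the report: if the scope argument is fixed in the harness, the scope/version checks in readHeader are never reached with a mismatching combination, and a hook that behaves differently per scope is only ever tested one way.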
Severity: normal → S3

Steve: Is there still value in this bug?

Blocks: sm-security
Flags: needinfo?(sphink)

I'm going to 302 :decoder, who has made this much better and would be the one to know what else remains. There's probably not a lot of value in a JS engine bug for this.

Flags: needinfo?(sphink) → needinfo?(choller)

We already have a fuzzing target in browser since bug 1590068, so that should cover all the browser cases.

However, bug 1874421 is currently preventing some of these targets from being reached and that needs attention as it limits what's being tested. I suggest closing this bug and opening it up once bug 1874421 has been resolved.

Flags: needinfo?(choller)
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE
Group: javascript-core-security