Closed Bug 1596691 Opened 2 years ago Closed 1 year ago

Add a JSParser target to fuzz-tests using libFuzzer

Categories

(Core :: JavaScript Engine, enhancement, P2)

x86_64
Linux
enhancement

Tracking

RESOLVED FIXED
mozilla79
Tracking Status
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- wontfix
firefox79 --- fixed

People

(Reporter: decoder, Assigned: decoder)

References

Details

(Keywords: sec-other, sec-want, Whiteboard: [post-critsmash-triage][adv-main79-])

Attachments

(1 file)

We should add a simple target to js/src/fuzz-tests that takes the libFuzzer-provided input and feeds it directly to JS::Evaluate. This will probably not find many runtime bugs, but it will stress the parser a lot, in particular error paths in the parser that our normal JS fuzzers try to avoid. Especially with some new syntax being added to JS (BigInts, Nullish Coalescing, etc.), this target should be able to provide additional value whenever we make parser changes. Historically, we have found such bugs before (mostly by accident through LangFuzz, because the grammar is not perfect). Implementation should be trivial; I'll make a patch.

Marking this s-s because we need to do some testing first before landing this code to m-c to ensure we don't 0-day ourselves.

Depends on: 1596706
Priority: -- → P2
Depends on: 1617168
Depends on: 1625116
Depends on: 1633683
Depends on: 1635762

I had this backed out (https://hg.mozilla.org/integration/autoland/rev/cfc3b847727f6a9a284433db34ebfee7f5bb1882) because of linter failures. Apparently the linter considers all JS shell functions as undefined.

I will push a fixed patch next week.

Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Depends on: 1650340
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main79-]
Group: core-security-release