Closed Bug 1638787 Opened 5 years ago Closed 5 years ago

Change JSRT fuzzing interface to return int32 and handle timeouts

Categories

(Core :: JavaScript Engine, enhancement, P2)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: decoder, Assigned: decoder)

References

Details

Attachments

(1 file)

Bug 1638787 - Support return values and timeouts in JSRT fuzzing interface. r?jandem
47 bytes, text/x-phabricator-request
Details | Review

In bug 1635762, I've adjusted libFuzzer to allow non-zero return values in its iteration function. A non-zero return value indicates that the input is "bad" and should be discarded, even if it generated additional coverage. This can for example be used to signal libFuzzer that something timed out internally. Accumulating such internal timeouts in the corpus can make the whole fuzzing process really slow over time.

With this change, JSFuzzIterate is now also expected to return an int32 compatible return value, in particular 0 for a successful execution and 1 for anything abnormal that should be discarded.

In addition, I would like to support the use of timeout() by detecting the timeout on the C++ level and returning 1 in that case. This saves the interface consumer from running their code in evaluate, catching the timeout and returning appropriately.

Severity: -- → N/A
Priority: -- → P2
Pushed by choller@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ecc61cf8798f Support return values and timeouts in JSRT fuzzing interface. r=jandem

https://hg.mozilla.org/mozilla-central/rev/ecc61cf8798f

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox78: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: