[Merged by Bors] - Parser Idempotency Fuzzer #2400
Conversation
Codecov Report
@@ Coverage Diff @@
## main #2400 +/- ##
==========================================
- Coverage 38.74% 38.70% -0.05%
==========================================
Files 313 314 +1
Lines 23856 23883 +27
==========================================
Hits 9244 9244
- Misses 14612 14639 +27
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
| pub struct FuzzData { | ||
| pub context: Context, | ||
| pub ast: StatementList, | ||
| } |
There was a problem hiding this comment.
Even if the usage of the structure could be considered straightforward, adding some documentation could be useful.
| let mut syms_available = Vec::with_capacity(8); | ||
| for c in 'a'..='h' { | ||
| syms_available.push(context.interner_mut().get_or_intern(&*String::from(c))); | ||
| } |
There was a problem hiding this comment.
Any reason to only have these symbols? Also, I see a TODO below requesting arbitrary string literals.
There was a problem hiding this comment.
Yes -- this creates a fixed pool of symbols to use in the AST. The AST, when generated, just throws random symbol indices in; we need to fix them to well-known (non-keyword) items in the symbol interner. Additionally, we don't want to generate them dynamically from the fuzz data because this can introduce "noise" into our sample (basically, bytes used previously to make symbols now form part of the AST or vice versa, unaligning the AST-generating bytes). This is also the reason for the TODO -- string literals from the arbitrary data could introduce quite a bit of undesirable noise, but not doing so means we don't test string parsing/interning. I decided not to for this PR because it could introduce so much noise that it would render this unusable.
| use std::error::Error; | ||
| use std::io::Cursor; | ||
|
|
||
| fn do_fuzz(mut data: FuzzData) -> Result<(), Box<dyn Error>> { |
There was a problem hiding this comment.
Even if the usage of the function could be considered straightforward, adding some documentation could be useful. A link to the libfuzzer documentation or to the cargo-fuzz documentation where this usage is explained would be nice.
Razican
requested review from
jedel1043,
HalidOdat,
jasonwilliams,
RageKnify and
raskad
Razican
added
enhancement
|
The merge conflict is just because the |
addisoncrump
force-pushed
the
fuzz-parser
branch
from
49ab7a4 to
2df18bf
Compare
I'm not sure if this is possible for cargo-fuzz, but I'll see. I seem to remember it having some trouble executing from a virtual workspace root. |
|
You should be able to easily. For example, on |
|
Yup -- the issue is that you cannot init the fuzzer directory in the virtual workspace root, but you can move it later. Interesting. |
|
Perhaps in the future we could put this into CI? It catches problems very fast. |
Yeah! Though, we'll need a proper CI platform for it. We can't run it on every PR because it could throw random errors at any time, A CI action that runs it every hour or so would be nice. |
There was a problem hiding this comment.
You should rebase this. I recently pushed a changed that extracted the parser from the engine into a crate, and the API of the Parser type changed slightly; it now requires only a &mut Interner reference to work.
This change should also speedup the fuzzer, because it would skip having to initialize the builtins in order to parse.
addisoncrump
force-pushed
the
fuzz-parser
branch
from
80bd041 to
a5350f9
Compare
I can ask if this would be appropriate for OSS-Fuzz? |
|
Maybe! We would need to apply for it though. |
|
bors r+ |
This comment was marked as outdated.
This comment was marked as outdated.
|
bors r+ |
This Pull Request offers a fuzzer which is capable of detecting faults in the parser and interner. It does so by ensuring that the parsed AST remains the same between a parsed source and the result of parsing the `to_interned_string` result of the first parsed source. It changes the following: - Adds a fuzzer for the parser and interner. Any issues I raise in association with this fuzzer will link back to this fuzzer. You may run the fuzzer using the following commands: ```bash $ cd boa_engine $ cargo +nightly fuzz run -s none parser-idempotency ``` Co-authored-by: Addison Crump <addison.crump@cispa.de>
|
Pull request successfully merged into main. Build succeeded: |
bors
bot
changed the title
This Pull Request offers a basic VM fuzzer which relies on implied oracles (namely, "does it crash or timeout?"). It changes the following: - Adds an insns_remaining field to Context, denoting the number of instructions remaining to execute (only available when fuzzing) - Adds a JsNativeError variant, denoting when the number of instructions has been exceeded (only available when fuzzing) - Adds a VM fuzzer which looks for cases where Boa may crash on an input This offers no guarantees about correctness, only assertion violations. Depends on #2400. Any issues I raise in association with this fuzzer will link back to this fuzzer. You may run the fuzzer using the following commands: ```bash $ cd boa_engine $ cargo +nightly fuzz run -s none vm-implied ``` Co-authored-by: Addison Crump <addison.crump@cispa.de>
This Pull Request offers a fuzzer which is capable of detecting faults in the parser and interner. It does so by ensuring that the parsed AST remains the same between a parsed source and the result of parsing the
to_interned_stringresult of the first parsed source.It changes the following:
Any issues I raise in association with this fuzzer will link back to this fuzzer.
You may run the fuzzer using the following commands:
$ cd boa_engine $ cargo +nightly fuzz run -s none parser-idempotency