File: js_in_process_fuzzer.cc

package info (click to toggle)
chromium 138.0.7204.157-1
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 6,071,864 kB
  • sloc: cpp: 34,936,859; ansic: 7,176,967; javascript: 4,110,704; python: 1,419,953; asm: 946,768; xml: 739,967; pascal: 187,324; sh: 89,623; perl: 88,663; objc: 79,944; sql: 50,304; cs: 41,786; fortran: 24,137; makefile: 21,806; php: 13,980; tcl: 13,166; yacc: 8,925; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (124 lines) | stat: -rw-r--r-- 4,764 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
 
// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <optional>
#include <string_view>

#include "base/strings/escape.h"
#include "base/strings/utf_string_conversions.h"
#include "base/test/bind.h"
#include "base/time/time.h"
#include "chrome/browser/ui/browser.h"
#include "chrome/test/base/ui_test_utils.h"
#include "chrome/test/fuzzing/in_process_fuzzer.h"
#include "chrome/test/fuzzing/in_process_fuzzer_buildflags.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/test/browser_test_utils.h"

// This is an example use of the InProcessFuzzer framework.
// It runs arbitrary JS within the context of an existing
// loaded page, which is much quicker than loading a new
// page each time. It has no awareness of JS syntax so
// it's unlikely to be an effective fuzzer; future
// developments may feed it a useful corpus or dictionary
// or add a mutator. This is a first step in that direction.

class JsInProcessFuzzer : public InProcessFuzzer {
 public:
  JsInProcessFuzzer();
  void SetUpOnMainThread() override;
  base::CommandLine::StringVector GetChromiumCommandLineArguments() override;

  int Fuzz(const uint8_t* data, size_t size) override;
};

REGISTER_IN_PROCESS_FUZZER(JsInProcessFuzzer)

namespace {

// We have a timeout to avoid JavaScript infinite loops hanging the
// fuzzer. Empirically, valid JS cases complete locally well within 2
// seconds so allow 8 seconds to account for slowness on fuzzing
// infrastructure.

#if BUILDFLAG(IS_FUZZILLI)
// Fuzzilli handles timeouts by itself so that it detects when there are
// infinite loops.
constexpr std::optional<base::TimeDelta> kJsExecutionTimeout = std::nullopt;
constexpr RunLoopTimeoutBehavior kJsRunLoopTimeoutBehavior =
    RunLoopTimeoutBehavior::kDefault;
#else
constexpr std::optional<base::TimeDelta> kJsExecutionTimeout = base::Seconds(8);
constexpr RunLoopTimeoutBehavior kJsRunLoopTimeoutBehavior =
    RunLoopTimeoutBehavior::kDeclareInfiniteLoop;
#endif

constexpr std::string_view kBlankHtmlPage =
    "<html><head><title>Test page</title></head>"
    "<body><p>Test text.</p></body></html>";

}  // namespace

JsInProcessFuzzer::JsInProcessFuzzer()
    : InProcessFuzzer(InProcessFuzzerOptions{
          .run_loop_timeout_behavior = kJsRunLoopTimeoutBehavior,
          .run_loop_timeout = kJsExecutionTimeout,
      }) {}

void JsInProcessFuzzer::SetUpOnMainThread() {
  InProcessFuzzer::SetUpOnMainThread();
  std::string url_string = "data:text/html;charset=utf-8,";
  const bool kUsePlus = false;
  url_string.append(base::EscapeQueryParamValue(kBlankHtmlPage, kUsePlus));
  CHECK(ui_test_utils::NavigateToURL(browser(), GURL(url_string)));
#if BUILDFLAG(IS_FUZZILLI)
  // Fuzzilli needs to see this. Unfortunately, we install a signal handler at
  // //content/public/test/browser_test_base.cc that exits when one of those
  // signals occur. Disabling it allows for Fuzzilli to see them.
  signal(SIGSEGV, SIG_DFL);
  signal(SIGTERM, SIG_DFL);
#endif
}

base::CommandLine::StringVector
JsInProcessFuzzer::GetChromiumCommandLineArguments() {
#if BUILDFLAG(IS_FUZZILLI)
  char template_str[] = "/tmp/fuzzilli_tmp/XXXXXX";
  char* path_dir = mkdtemp(template_str);
  std::string user_data_dir = "--user-data-dir=" + std::string(path_dir);
#endif
  return {
      FILE_PATH_LITERAL("--js-flags='--jit-fuzzing --allow-natives-syntax "
                        "--expose-gc --fuzzing --future --harmony'"),
#if BUILDFLAG(IS_FUZZILLI)
      // This was caused by some issues with disks filling up fast, because
      // Fuzzilli restarts the binary very frequently.
      user_data_dir,
#endif
  };
}

int JsInProcessFuzzer::Fuzz(const uint8_t* data, size_t size) {
  std::string_view js_str(reinterpret_cast<const char*>(data), size);
  content::WebContents* contents =
      browser()->tab_strip_model()->GetActiveWebContents();
  content::RenderFrameHost* rfh = contents->GetPrimaryMainFrame();
  // Execute JS within an existing page - that's the essence of this
  // fuzzer and why it's much quicker than html_in_process_fuzzer
  // or page_load_in_process_fuzzer.
  // We use a synchronous function because we set the InProcessFuzzer's
  // kDeclareInfiniteLoop behaviour in case of infinite loops.
  // We invoke ExecJs with default options, which turns on user gestures in JS
  // so that this can in theory explore APIs which are gated behind that
  // restriction (subject to future developments with dictionaries, corpora,
  // etc.)
  testing::AssertionResult res = content::ExecJs(rfh, js_str);
#if BUILDFLAG(IS_FUZZILLI)
  // Fuzzilli needs to know when an exception was uncaught.
  if (!res) {
    return -1;
  }
#endif
  return 0;
}