
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 * vim: set ts=8 sts=2 et sw=2 tw=80:
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "fuzz-tests/tests.h"

#include <stdio.h>
#include <stdlib.h>
#include <string>

#include "js/AllocPolicy.h"
#include "js/Initialization.h"
#include "js/RootingAPI.h"
#include "vm/JSContext.h"

#ifdef LIBFUZZER
#  include "FuzzerDefs.h"
#endif

using namespace mozilla;

// Process-wide engine state shared by every fuzzing target: the single
// global object (rooted for the life of the process) and the single
// JSContext it lives in. Both are filled in by jsfuzz_init() from main().
JS::PersistentRootedObject gGlobal;
JSContext* gCx{nullptr};

/// Class descriptor used for the fuzzing global object.
///
/// A function-local static is used so the descriptor is built on first use
/// and outlives every global created from it; the returned pointer is never
/// null and must not be freed.
static const JSClass* getGlobalClass() {
  static const JSClass kGlobalClass = {"global", JSCLASS_GLOBAL_FLAGS,
                                       &JS::DefaultGlobalClassOps};
  return &kGlobalClass;
}

/// Create the global object that fuzzing targets run against.
///
/// @param cx          Context the global is created in.
/// @param principals  Principals for the new global; main() passes nullptr.
/// @return The new global, or nullptr if JS_NewGlobalObject fails (the caller
///         checks for that).
static JSObject* jsfuzz_createGlobal(JSContext* cx, JSPrincipals* principals) {
  // Realm creation options for the fuzzing global: streams on, class fields
  // off, the await fix on.
  JS::RealmOptions options;
  auto& creation = options.creationOptions();
  creation.setStreamsEnabled(true);
  creation.setFieldsEnabled(false);
  creation.setAwaitFixEnabled(true);

  return JS_NewGlobalObject(cx, getGlobalClass(), principals,
                            JS::FireOnNewGlobalHook, options);
}

/// Create the shared context and global realm and enter that realm.
///
/// @param cx      Receives the new context. It is stored before any later
///                step can fail, so on a false return *cx may still point at
///                a live (partially initialized) context; nothing is torn
///                down here and the caller is responsible for it.
/// @param global  Persistent root that is initialized against the new
///                context and then set to the new global object.
/// @return true when the context, self-hosted code and global were all set
///         up and the realm was entered; false otherwise.
static bool jsfuzz_init(JSContext** cx, JS::PersistentRootedObject* global) {
  // The size argument's meaning is defined by JS_NewContext (8 MiB here).
  JSContext* newCx = JS_NewContext(8L * 1024 * 1024);
  *cx = newCx;
  if (newCx == nullptr) {
    return false;
  }

  // Native stack quota for the context; deep recursion in fuzzed scripts is
  // cut off at this limit instead of overflowing the real stack.
  constexpr size_t kMaxStackSize = 500000;
  JS_SetNativeStackQuota(newCx, kMaxStackSize);

  js::UseInternalJobQueues(newCx);
  if (!JS::InitSelfHostedCode(newCx)) {
    return false;
  }

  // The root must be initialized against the context before it can hold
  // the global.
  global->init(newCx);
  *global = jsfuzz_createGlobal(newCx, nullptr);
  if (!*global) {
    return false;
  }

  JS::EnterRealm(newCx, *global);
  return true;
}

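/// Destroy the context created by jsfuzz_init(); a null context is a no-op.
///
/// The pointer is taken by value, so the caller's variable (gCx in main) is
/// not cleared here. The previous `cx = nullptr;` after the destroy only
/// reset the local copy and has been removed as a dead store.
///
/// @param cx  Context to destroy, or nullptr.
static void jsfuzz_uninit(JSContext* cx) {
  if (cx) {
    JS_DestroyContext(cx);
  }
}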

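/// Tear down what a successful jsfuzz_init() set up: destroy the shared
/// context (jsfuzz_uninit tolerates a null one) and shut the engine down.
/// Used on the normal exit path and on every error path reached after init.
static void jsfuzz_teardown() {
  jsfuzz_uninit(gCx);
  JS_ShutDown();
}

/// Fuzzing harness entry point.
///
/// Brings up the engine and one shared context/global (gCx, gGlobal), looks
/// up the target named by the FUZZER environment variable in the
/// FuzzerRegistry, runs its optional init callback with argc/argv, and then
/// hands its testing callback to the libFuzzer driver (or calls it once
/// under AFL). Returns 0 on success, 1 on a setup failure, or the init
/// callback's own non-zero result.
int main(int argc, char* argv[]) {
  if (!JS_Init()) {
    // Message fixed: this path is a JS_Init() failure, not jsfuzz_init().
    fprintf(stderr, "Error: Call to JS_Init() failed\n");
    return 1;
  }

  if (!jsfuzz_init(&gCx, &gGlobal)) {
    // jsfuzz_init may leave a partially initialized context in gCx; the
    // process exits right away, so no engine teardown is attempted here.
    fprintf(stderr, "Error: Call to jsfuzz_init() failed\n");
    return 1;
  }

  // The target module is selected by name. Only an absent variable is
  // rejected; an empty or unknown name goes to the registry lookup, whose
  // result is checked below via the missing testing callback.
  const char* fuzzerEnv = getenv("FUZZER");
  if (!fuzzerEnv) {
    fprintf(stderr,
            "Must specify fuzzing target in FUZZER environment variable\n");
    jsfuzz_teardown();
    return 1;
  }
  // Reuse the value already read rather than querying the environment twice.
  std::string moduleNameStr(fuzzerEnv);

  FuzzerFunctions funcs =
      FuzzerRegistry::getInstance().getModuleFunctions(moduleNameStr);
  FuzzerInitFunc initFunc = funcs.first;
  FuzzerTestingFunc testingFunc = funcs.second;

  // The init callback is optional. It receives argc/argv by pointer so a
  // target can consume its own options before the driver sees the rest.
  if (initFunc) {
    int ret = initFunc(&argc, &argv);
    if (ret) {
      fprintf(stderr, "Fuzzing Interface: Error: Initialize callback failed\n");
      jsfuzz_teardown();
      return ret;
    }
  }

  if (!testingFunc) {
    fprintf(stderr, "Fuzzing Interface: Error: No testing callback found\n");
    jsfuzz_teardown();
    return 1;
  }

#ifdef LIBFUZZER
  // libFuzzer owns the main loop and feeds testingFunc its inputs.
  fuzzer::FuzzerDriver(&argc, &argv, testingFunc);
#elif __AFL_COMPILER
  // Under AFL the callback is invoked once with no buffer; presumably the
  // target reads its input itself in that mode — TODO confirm.
  testingFunc(nullptr, 0);
#endif

  jsfuzz_teardown();
  return 0;
}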