v8
V8 is Google’s open source high-performance JavaScript and WebAssembly engine, written in C++.
Loading...
Searching...
No Matches
fuzzilli.cc
Go to the documentation of this file.
1// Copyright 2023 the V8 project authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "src/fuzzilli/fuzzilli.h"
6
7#include "include/v8-extension.h"
8#include "include/v8-primitive.h"
9#include "include/v8-template.h"
10#include "src/api/api.h"
11#include "src/execution/isolate-inl.h"
12#include "src/execution/isolate.h"
13#include "src/fuzzilli/cov.h"
14#include "src/sandbox/sandbox.h"
15#include "src/sandbox/testing.h"
16
17#ifdef V8_OS_LINUX
18#include <signal.h>
19#include <unistd.h>
20#endif // V8_OS_LINUX
21
22namespace v8 {
23namespace internal {
24
29
30// We have to assume that the fuzzer will be able to call this function e.g. by
31// enumerating the properties of the global object and eval'ing them. As such
32// this function is implemented in a way that requires passing some magic value
33// as first argument (with the idea being that the fuzzer won't be able to
34// generate this value) which then also acts as a selector for the operation
35// to perform.
36void FuzzilliExtension::Fuzzilli(const FunctionCallbackInfo<Value>& info) {
37 v8::Isolate* isolate = info.GetIsolate();
38
39 v8::String::Utf8Value operation(isolate, info[0]);
40 if (*operation == nullptr) {
41 return;
42 }
43
44 if (strcmp(*operation, "FUZZILLI_CRASH") == 0) {
45 auto arg = info[1]
46 ->Int32Value(info.GetIsolate()->GetCurrentContext())
47 .FromMaybe(0);
48 switch (arg) {
49 case 0:
50 IMMEDIATE_CRASH();
51 break;
52 case 1:
53 CHECK(false);
54 break;
55 case 2:
56 DCHECK(false);
57 break;
58 case 3: {
59 // Access an invalid address.
60 // We want to use an "interesting" address for the access (instead of
61 // e.g. nullptr). In the (unlikely) case that the address is actually
62 // mapped, simply increment the pointer until it crashes.
63 // The cast ensures that this works correctly on both 32-bit and 64-bit.
64 Address addr = static_cast<Address>(0x414141414141ull);
65 char* ptr = reinterpret_cast<char*>(addr);
66 for (int i = 0; i < 1024; i++) {
67 *ptr = 'A';
68 ptr += 1 * i::MB;
69 }
70 break;
71 }
72 case 4: {
73 // Use-after-free, likely only crashes in ASan builds.
74 auto* vec = new std::vector<int>(4);
75 delete vec;
76 USE(vec->at(0));
77 break;
78 }
79 case 5: {
80 // Out-of-bounds access (1), likely only crashes in ASan or
81 // "hardened"/"safe" libc++ builds.
82 std::vector<int> vec(5);
83 USE(vec[5]);
84 break;
85 }
86 case 6: {
87 // Out-of-bounds access (2), likely only crashes in ASan builds.
88 std::vector<int> vec(6);
89 memset(vec.data(), 42, 0x100);
90 break;
91 }
92 case 7: {
93 if (i::v8_flags.hole_fuzzing) {
94 // This should crash with a segmentation fault only
95 // when --hole-fuzzing is used.
96 char* ptr = reinterpret_cast<char*>(0x414141414141ull);
97 for (int i = 0; i < 1024; i++) {
98 *ptr = 'A';
99 ptr += 1 * i::GB;
100 }
101 }
102 break;
103 }
104 case 8: {
105 // This allows Fuzzilli to check that DEBUG is defined, which should be
106 // the case if dcheck_always_on is set. This is useful for fuzzing as
107 // there are some integrity checks behind DEBUG.
108#ifdef DEBUG
109 IMMEDIATE_CRASH();
110#endif
111 break;
112 }
113 default:
114 break;
115 }
116 } else if (strcmp(*operation, "FUZZILLI_PRINT") == 0) {
117 static FILE* fzliout = fdopen(REPRL_DWFD, "w");
118 if (!fzliout) {
119 fprintf(
120 stderr,
121 "Fuzzer output channel not available, printing to stdout instead\n");
122 fzliout = stdout;
123 }
124
125 v8::String::Utf8Value string(isolate, info[1]);
126 if (*string == nullptr) {
127 return;
128 }
129 fprintf(fzliout, "%s\n", *string);
130 fflush(fzliout);
131 }
132}
133
134} // namespace internal
135} // namespace v8
v8::FunctionTemplate::New
static Local< FunctionTemplate > New(Isolate *isolate, FunctionCallback callback=nullptr, Local< Value > data=Local< Value >(), Local< Signature > signature=Local< Signature >(), int length=0, ConstructorBehavior behavior=ConstructorBehavior::kAllow, SideEffectType side_effect_type=SideEffectType::kHasSideEffect, const CFunction *c_function=nullptr, uint16_t instance_type=0, uint16_t allowed_receiver_instance_type_range_start=0, uint16_t allowed_receiver_instance_type_range_end=0)
Definition api.cc:1101
v8::internal::FuzzilliExtension::GetNativeFunctionTemplate
v8::Local< v8::FunctionTemplate > GetNativeFunctionTemplate(v8::Isolate *isolate, v8::Local< v8::String > name) override
Definition fuzzilli.cc:25
v8::internal::FuzzilliExtension::Fuzzilli
static void Fuzzilli(const v8::FunctionCallbackInfo< v8::Value > &info)
Definition fuzzilli.cc:36
REPRL_DWFD
#define REPRL_DWFD
Definition fuzzilli.h:18
IMMEDIATE_CRASH
#define IMMEDIATE_CRASH()
Definition immediate-crash.h:181
v8::internal::GB
constexpr int GB
Definition v8-internal.h:57
v8::internal::v8_flags
V8_EXPORT_PRIVATE FlagValues v8_flags
v8::internal::MB
too high values may cause the compiler to set high thresholds for inlining to as much as possible avoid inlined allocation of objects that cannot escape trace load stores from virtual maglev objects use TurboFan fast string builder analyze liveness of environment slots and zap dead values trace TurboFan load elimination emit data about basic block usage in builtins to this enable builtin reordering when run mksnapshot flag for emit warnings when applying builtin profile data verify register allocation in TurboFan randomly schedule instructions to stress dependency tracking enable store store elimination in TurboFan rewrite far to near simulate GC compiler thread race related to allow float parameters to be passed in simulator mode JS Wasm Run additional turbo_optimize_inlined_js_wasm_wrappers enable experimental feedback collection in generic lowering enable Turboshaft s WasmLoadElimination enable Turboshaft s low level load elimination for JS enable Turboshaft s escape analysis for string concatenation use enable Turbolev features that we want to ship in the not too far future trace individual Turboshaft reduction steps trace intermediate Turboshaft reduction steps invocation count threshold for early optimization Enables optimizations which favor memory size over execution speed Enables sampling allocation profiler with X as a sample interval min size of a semi the new space consists of two semi spaces max size of the Collect garbage after Collect garbage after keeps maps alive for< n > old space garbage collections print one detailed trace line in allocation gc speed threshold for starting incremental marking via a task in percent of available threshold for starting incremental marking immediately in percent of available Use a single schedule for determining a marking schedule between JS and C objects schedules the minor GC task with kUserVisible priority max worker number of concurrent for NumberOfWorkerThreads start background threads that allocate memory concurrent_array_buffer_sweeping use parallel threads to clear weak refs in the atomic pause trace progress of the incremental marking trace object counts and memory usage * MB
Definition flags.cc:2197
v8::internal::string
template const char * string
Definition conversions.cc:932
CHECK
#define CHECK(condition)
Definition logging.h:124
DCHECK
#define DCHECK(condition)
Definition logging.h:482
USE
#define USE(...)
Definition macros.h:293