Bug 1455593 - BinAST multipart fuzzing changes. r=arai
authorChristian Holler <choller@mozilla.com>
Mon, 17 Sep 2018 11:43:07 +0000
changeset 492604 b26a70a0fe8f22ee4a5118c7c563ab98a115e692
parent 492603 8719cf957ca5801241d727664d3d0d01a7965431
child 492605 9205d38f866cc1e50cb67c87fe2a02654cde8417
push id9984
push userffxbld-merge
push dateMon, 15 Oct 2018 21:07:35 +0000
reviewersarai
bugs1455593
milestone64.0a1
Bug 1455593 - BinAST multipart fuzzing changes. r=arai Differential Revision: https://phabricator.services.mozilla.com/D6013
js/src/frontend/BinTokenReaderBase.h
js/src/fuzz-tests/testBinASTReader.cpp
js/src/jsapi-tests/moz.build
js/src/moz.build
--- a/js/src/frontend/BinTokenReaderBase.h
+++ b/js/src/frontend/BinTokenReaderBase.h
@@ -126,20 +126,22 @@ class MOZ_STACK_CLASS BinTokenReaderBase
         MOZ_ASSERT(N > 0);
         MOZ_ASSERT(value[N - 1] == 0);
         MOZ_ASSERT(!hasRaisedError());
 
         if (current_ + N - 1 > stop_) {
             return false;
         }
 
+#ifndef FUZZING
         // Perform lookup, without side-effects.
         if (!std::equal(current_, current_ + N + (expectNul ? 0 : -1)/*implicit NUL*/, value)) {
             return false;
         }
+#endif
 
         // Looks like we have a match. Now perform side-effects
         current_ += N + (expectNul ? 0 : -1);
         updateLatestKnownGood();
         return true;
     }
 
     void updateLatestKnownGood();
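Review bot: The `#ifndef FUZZING` block at the comparison leaves no explanation in the header that, with FUZZING defined, the reader no longer checks the bytes against `value` and unconditionally advances `current_` as if the constant had matched; the only place this is written down is the jsapi-tests moz.build comment, which a reader of this header will not see. I would add above the `#ifndef`: `// FUZZING builds skip the byte comparison so the fuzzer can reach deeper parser paths: any input is treated as a match here, so such builds do not validate BinAST constants.` Note also that after this change `value` is only referenced inside the `MOZ_ASSERT` on the second line of the hunk, so in a non-debug FUZZING build it is presumably unused — harmless unless unused-parameter warnings are enabled, which I cannot tell from here. The enclosing function's signature and the meaning of `stop_` are outside the hunk, so I have not checked whether the pre-existing `current_ + N - 1 > stop_` guard still covers the `expectNul` advance of N bytes.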
--- a/js/src/fuzz-tests/testBinASTReader.cpp
+++ b/js/src/fuzz-tests/testBinASTReader.cpp
@@ -55,18 +55,18 @@ testBinASTReaderFuzz(const uint8_t* buf,
         return 0;
     }
 
     UsedNameTracker binUsedNames(gCx);
 
     Directives directives(false);
     GlobalSharedContext globalsc(gCx, ScopeKind::Global, directives, false);
 
-    BinASTParser<js::frontend::BinTokenReaderTester> reader(gCx, gCx->tempLifoAlloc(),
-                                                            binUsedNames, options);
+    BinASTParser<js::frontend::BinTokenReaderMultipart> reader(gCx, gCx->tempLifoAlloc(),
+                                                               binUsedNames, options);
 
     // Will be deallocated once `reader` goes out of scope.
     auto binParsed = reader.parse(&globalsc, binSource);
     RootedValue binExn(gCx);
     if (binParsed.isErr()) {
         js::GetAndClearException(gCx, &binExn);
         return 0;
     }
--- a/js/src/jsapi-tests/moz.build
+++ b/js/src/jsapi-tests/moz.build
@@ -140,21 +140,23 @@ if CONFIG['ENABLE_STREAMS']:
 
 
 if CONFIG['NIGHTLY_BUILD']:
     # The Error interceptor only exists on Nightly.
     UNIFIED_SOURCES += [
         'testErrorInterceptor.cpp',
     ]
 
-if CONFIG['JS_BUILD_BINAST'] and CONFIG['JS_STANDALONE']:
+if CONFIG['JS_BUILD_BINAST'] and CONFIG['JS_STANDALONE'] and not CONFIG['FUZZING']:
     # Standalone builds leave the source directory untouched,
     # which lets us run tests with the data files intact.
     # Otherwise, in the current state of the build system,
     # we can't have data files in js/src tests.
+    # Also, fuzzing builds modify the const matching in the
+    # token reader and hence affect the correctness of the tests.
     UNIFIED_SOURCES += [
         'testBinASTReader.cpp',
         'testBinTokenReaderTester.cpp'
     ]
 
 
 DEFINES['EXPORT_JS_API'] = True
 
--- a/js/src/moz.build
+++ b/js/src/moz.build
@@ -718,19 +718,21 @@ if CONFIG['JS_BUILD_BINAST']:
         'frontend/BinSource.cpp',
         'frontend/BinToken.cpp',
         'frontend/BinTokenReaderBase.cpp',
         'frontend/BinTokenReaderMultipart.cpp',
     ]
 
     # Instrument BinAST files for fuzzing as we have a fuzzing target for BinAST.
     if CONFIG['FUZZING_INTERFACES'] and CONFIG['LIBFUZZER']:
+        SOURCES['frontend/BinSource-auto.cpp'].flags += libfuzzer_flags
         SOURCES['frontend/BinSource.cpp'].flags += libfuzzer_flags
         SOURCES['frontend/BinToken.cpp'].flags += libfuzzer_flags
-        SOURCES['frontend/BinTokenReaderTester.cpp'].flags += libfuzzer_flags
+        SOURCES['frontend/BinTokenReaderBase.cpp'].flags += libfuzzer_flags
+        SOURCES['frontend/BinTokenReaderMultipart.cpp'].flags += libfuzzer_flags
 
 # Wasm code should use WASM_HUGE_MEMORY instead of JS_CODEGEN_X64
 # so that it is easy to use the huge-mapping optimization for other
 # 64-bit platforms in the future.
 
 if CONFIG['JS_CODEGEN_X64'] or CONFIG['JS_CODEGEN_ARM64']:
     DEFINES['WASM_HUGE_MEMORY'] = True
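Review bot: The instrumented set now names `frontend/BinSource-auto.cpp`, but the source list this block indexes begins above the hunk, so I cannot confirm that file is in `SOURCES` (the `.flags` lookup requires it to be, and the four visible entries do not include it); please verify it is listed rather than only generated. `frontend/BinTokenReaderTester.cpp` is dropped from instrumentation at the same time; if that reader is still compiled and reachable from any fuzz target it will now be uninstrumented, which is probably intended given the fuzz test moved to the Multipart reader but is worth a comment such as `# Tester reader is test-only and no longer fuzzed; see fuzz-tests/testBinASTReader.cpp`. Finally, this block is gated on `FUZZING_INTERFACES` and `LIBFUZZER` while the header change keys on the `FUZZING` define; if those can be set independently the instrumented sources and the relaxed matching could diverge, so it may be worth stating that assumption here.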