Commit 2ee598ae authored by Michael Achenbach's avatar Michael Achenbach Committed by Commit Bot

Whitelist natives for fuzzing

This adds two flags for whitelisting natives on fuzzers:
--allow-natives-for-fuzzing:
Enables a small subset of runtime functions and replaces others with
undefined.
--allow-natives-for-differential-fuzzing
Restricts the allowed runtime functions even further, excluding the
ones that break differential fuzzing.

Bug: chromium:1044942
Change-Id: I890bd4a6ff7c2e483dd74155290a7ace06f85239
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2020773Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66068}
parent d0a872df
......@@ -1208,6 +1208,15 @@ DEFINE_IMPLICATION(trace_maps, log_code)
// parser.cc
DEFINE_BOOL(allow_natives_syntax, false, "allow natives syntax")
DEFINE_BOOL(allow_natives_for_fuzzing, false,
"allow only natives explicitly whitelisted for fuzzers")
DEFINE_BOOL(allow_natives_for_differential_fuzzing, false,
"allow only natives explicitly whitelisted for differential "
"fuzzers")
DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing, allow_natives_syntax)
DEFINE_IMPLICATION(allow_natives_for_fuzzing, allow_natives_syntax)
DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing,
allow_natives_for_fuzzing)
DEFINE_BOOL(parse_only, false, "only parse the sources")
// simulator-arm.cc, simulator-arm64.cc and simulator-mips.cc
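Review bot: The first implication in the new block, `DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing, allow_natives_syntax)`, is what the two implications below it already give transitively, and nothing says why it is spelled out. If implications are enforced in a single pass in declaration order (I cannot confirm that from this hunk), the duplicate is load-bearing, because differential_fuzzing → fuzzing is declared after fuzzing → syntax and a single pass would leave allow_natives_syntax unset; a comment such as `// Kept as a direct implication: the transitive chain below is declared in the wrong order for a single pass.` would stop a later cleanup from removing it. Alternatively declare the differential → fuzzing implication first and drop the duplicate.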
......
......@@ -361,6 +361,12 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
DCHECK_EQ(Context::kNotFound,
Context::IntrinsicIndexForName(name->raw_data(), name->length()));
// When fuzzing, only allow whitelisted runtime functions.
if (FLAG_allow_natives_for_fuzzing &&
!Runtime::IsWhitelistedForFuzzing(function->function_id)) {
return factory()->NewUndefinedLiteral(kNoSourcePosition);
}
// Check that the expected number of arguments are being passed.
if (function->nargs != -1 && function->nargs != args.length()) {
ReportMessage(MessageTemplate::kRuntimeWrongNumArgs);
......@@ -370,6 +376,11 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
return factory()->NewCallRuntime(function, args, pos);
}
// Intrinsics are not supported for fuzzing.
if (FLAG_allow_natives_for_fuzzing) {
return factory()->NewUndefinedLiteral(kNoSourcePosition);
}
int context_index =
Context::IntrinsicIndexForName(name->raw_data(), name->length());
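Review bot: When a non-whitelisted native is replaced by `NewUndefinedLiteral` in the first hunk, the already-parsed `args` are discarded, so any side effects in the argument expressions never run; that is a silent semantic change for fuzzer-generated input and deserves a comment next to the early return, e.g. `// The whole call, including its arguments and their side effects, is replaced.` The same applies to the intrinsic path in the second hunk. Both literals are created with `kNoSourcePosition` although `pos` is in scope for the `NewCallRuntime` call on the same path; if dropping the position is deliberate, say so, otherwise pass `pos` so positions stay consistent. NewV8Intrinsic starts before the first hunk and continues past the second.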
......
......@@ -192,6 +192,31 @@ bool Runtime::MayAllocate(FunctionId id) {
}
}
bool Runtime::IsWhitelistedForFuzzing(FunctionId id) {
CHECK(FLAG_allow_natives_for_fuzzing);
switch (id) {
// Runtime functions whitelisted for all fuzzers. Only add functions that
// help increase coverage or that perform extra checks.
case Runtime::kArrayBufferDetach:
case Runtime::kDeoptimizeFunction:
case Runtime::kDeoptimizeNow:
case Runtime::kEnableCodeLoggingForTesting:
case Runtime::kGetUndetectable:
case Runtime::kHeapObjectVerify:
case Runtime::kNeverOptimizeFunction:
case Runtime::kOptimizeFunctionOnNextCall:
case Runtime::kPrepareFunctionForOptimization:
return true;
// Runtime functions only permitted for non-differential fuzzers.
// This list may contain functions returning different values in the
// context of different flags passed to V8.
case Runtime::kIsBeingInterpreted:
return !FLAG_allow_natives_for_differential_fuzzing;
default:
return false;
}
}
const Runtime::Function* Runtime::FunctionForName(const unsigned char* name,
int length) {
base::CallOnce(&initialize_function_name_map_once,
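Review bot: `IsWhitelistedForFuzzing` has an unstated precondition, enforced by `CHECK(FLAG_allow_natives_for_fuzzing)`, that takes the process down for any caller that omits the flag guard the parser uses, and its result also depends on `FLAG_allow_natives_for_differential_fuzzing`; neither appears in the declaration comment in runtime.h (`// Check if a runtime function with the given {id} is whitelisted for using it with fuzzers.`). I would extend that comment to state that the function must only be called when --allow-natives-for-fuzzing is set (it CHECKs this) and that --allow-natives-for-differential-fuzzing restricts the set further to functions whose results do not vary with other V8 flags. The comment on the second case list could also tell a future editor what to verify before adding an entry, e.g. `// Add here only functions whose result may differ between V8 configurations; everything else belongs in the list above.`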
......
......@@ -709,10 +709,14 @@ class Runtime : public AllStatic {
// sentinel, always.
static bool IsNonReturning(FunctionId id);
// Check if a runtime function with the given {id} may trigger a heap
// Check if a runtime function with the given {id} may trigger a heap
// allocation.
static bool MayAllocate(FunctionId id);
// Check if a runtime function with the given {id} is whitelisted for
// using it with fuzzers.
static bool IsWhitelistedForFuzzing(FunctionId id);
// Get the intrinsic function with the given name.
static const Function* FunctionForName(const unsigned char* name, int length);
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-for-differential-fuzzing
// Test blacklisted intrinsics in the context of differential fuzzing.
assertEquals(undefined, %IsBeingInterpreted());
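Review bot: The differential test only checks that the blacklisted `%IsBeingInterpreted()` becomes undefined; it does not show that the always-allowed subset is still reachable under `--allow-natives-for-differential-fuzzing`, i.e. that the differential flag's implications arrive at the whitelist path rather than at the plain fall-through. One line on a function from the always-allowed list, e.g. `assertNotEquals(undefined, %GetUndetectable());`, would pin that half of the contract.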
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-for-fuzzing
// Test whitelisted/blacklisted intrinsics in the context of fuzzing.
// Blacklisted intrinsics are replaced with undefined.
assertEquals(undefined, %GetOptimizationStatus(function (){}));
// Blacklisted intrinsics can have wrong arguments.
%GetOptimizationStatus(1, 2, 3, 4);
// We don't care if an intrinsic actually exists.
assertEquals(undefined, %FooBar());
// Check whitelisted intrinsic.
assertNotEquals(undefined, %IsBeingInterpreted());
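Review bot: The test shows that a blacklisted native tolerates a wrong argument count, but not that its argument expressions are skipped entirely, which is what the parser change does by replacing the whole call with a literal. If that is the intended contract, pin it so a later rewrite that evaluates the arguments first is noticed: `let x = 0; %FooBar(x = 1); assertEquals(0, x);`. A short comment above that line stating that argument side effects are dropped by design would also make the expectation explicit.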
......@@ -9,9 +9,9 @@
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--correctness-fuzzer-suppressions --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up --flag1 --flag2=0
--correctness-fuzzer-suppressions --expose-gc --allow-natives-for-differential-fuzzing --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up --flag1 --flag2=0
# Flags of x64,ignition_turbo:
--correctness-fuzzer-suppressions --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --flag3
--correctness-fuzzer-suppressions --expose-gc --allow-natives-for-differential-fuzzing --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --flag3
#
# Difference:
- unknown
......
......@@ -9,9 +9,9 @@
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--correctness-fuzzer-suppressions --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up
--correctness-fuzzer-suppressions --expose-gc --allow-natives-for-differential-fuzzing --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up
# Flags of x64,ignition_turbo:
--correctness-fuzzer-suppressions --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345
--correctness-fuzzer-suppressions --expose-gc --allow-natives-for-differential-fuzzing --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345
#
# Difference:
- unknown
......
......@@ -16,7 +16,7 @@ import v8_fuzz_config
DEFAULT_FLAGS = [
'--correctness-fuzzer-suppressions',
'--expose-gc',
'--allow-natives-syntax',
'--allow-natives-for-differential-fuzzing',
'--invoke-weak-callbacks',
'--omit-quit',
'--es-staging',
......