Whitelist natives for fuzzing

This adds two flags for whitelisting natives on fuzzers: --allow-natives-for-fuzzing: Enables a small subset of runtime functions and replaces others with undefined. --allow-natives-for-differential-fuzzing Restricts the allowed runtime functions even further, excluding the ones that break differential fuzzing. Bug: chromium:1044942 Change-Id: I890bd4a6ff7c2e483dd74155290a7ace06f85239 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2020773Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#66068}

Whitelist natives for fuzzing
This adds two flags for whitelisting natives on fuzzers: --allow-natives-for-fuzzing: Enables a small subset of runtime functions and replaces others with undefined. --allow-natives-for-differential-fuzzing Restricts the allowed runtime functions even further, excluding the ones that break differential fuzzing. Bug: chromium:1044942 Change-Id: I890bd4a6ff7c2e483dd74155290a7ace06f85239 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2020773Reviewed-by: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Michael Achenbach <machenbach@chromium.org> Cr-Commit-Position: refs/heads/master@{#66068}
2ee598ae · Michael Achenbach · Commit Bot · d0a872df · 2ee598ae · 2ee598ae
Commit 2ee598ae authored Jan 30, 2020 by Michael Achenbach Committed by Commit Bot Jan 31, 2020
9 changed files
--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@@ -1208,6 +1208,15 @@ DEFINE_IMPLICATION(trace_maps, log_code)

 // parser.cc
 DEFINE_BOOL(allow_natives_syntax, false, "allow natives syntax")
+DEFINE_BOOL(allow_natives_for_fuzzing, false,
+            "allow only natives explicitly whitelisted for fuzzers")
+DEFINE_BOOL(allow_natives_for_differential_fuzzing, false,
+            "allow only natives explicitly whitelisted for differential "
+            "fuzzers")
+DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing, allow_natives_syntax)
+DEFINE_IMPLICATION(allow_natives_for_fuzzing, allow_natives_syntax)
+DEFINE_IMPLICATION(allow_natives_for_differential_fuzzing,
+                   allow_natives_for_fuzzing)
 DEFINE_BOOL(parse_only, false, "only parse the sources")

 // simulator-arm.cc, simulator-arm64.cc and simulator-mips.cc

--- a/src/parsing/parser.cc
+++ b/src/parsing/parser.cc
@@ -361,6 +361,12 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
    DCHECK_EQ(Context::kNotFound,
              Context::IntrinsicIndexForName(name->raw_data(), name->length()));

+    // When fuzzing, only allow whitelisted runtime functions.
+    if (FLAG_allow_natives_for_fuzzing &&
+        !Runtime::IsWhitelistedForFuzzing(function->function_id)) {
+      return factory()->NewUndefinedLiteral(kNoSourcePosition);
+    }
+
    // Check that the expected number of arguments are being passed.
    if (function->nargs != -1 && function->nargs != args.length()) {
      ReportMessage(MessageTemplate::kRuntimeWrongNumArgs);
@@ -370,6 +376,11 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
    return factory()->NewCallRuntime(function, args, pos);
  }

+  // Intrinsics are not supported for fuzzing.
+  if (FLAG_allow_natives_for_fuzzing) {
+    return factory()->NewUndefinedLiteral(kNoSourcePosition);
+  }
+
  int context_index =
      Context::IntrinsicIndexForName(name->raw_data(), name->length());


--- a/src/runtime/runtime.cc
+++ b/src/runtime/runtime.cc
@@ -192,6 +192,31 @@ bool Runtime::MayAllocate(FunctionId id) {
  }
 }

+bool Runtime::IsWhitelistedForFuzzing(FunctionId id) {
+  CHECK(FLAG_allow_natives_for_fuzzing);
+  switch (id) {
+    // Runtime functions whitelisted for all fuzzers. Only add functions that
+    // help increase coverage or that perform extra checks.
+    case Runtime::kArrayBufferDetach:
+    case Runtime::kDeoptimizeFunction:
+    case Runtime::kDeoptimizeNow:
+    case Runtime::kEnableCodeLoggingForTesting:
+    case Runtime::kGetUndetectable:
+    case Runtime::kHeapObjectVerify:
+    case Runtime::kNeverOptimizeFunction:
+    case Runtime::kOptimizeFunctionOnNextCall:
+    case Runtime::kPrepareFunctionForOptimization:
+      return true;
+    // Runtime functions only permitted for non-differential fuzzers.
+    // This list may contain functions returning different values in the
+    // context of different flags passed to V8.
+    case Runtime::kIsBeingInterpreted:
+      return !FLAG_allow_natives_for_differential_fuzzing;
+    default:
+      return false;
+  }
+}
+
 const Runtime::Function* Runtime::FunctionForName(const unsigned char* name,
                                                  int length) {
  base::CallOnce(&initialize_function_name_map_once,

--- a/src/runtime/runtime.h
+++ b/src/runtime/runtime.h
@@ -709,10 +709,14 @@ class Runtime : public AllStatic {
  // sentinel, always.
  static bool IsNonReturning(FunctionId id);

-  // Check if a runtime function with the given {id}  may trigger a heap
+  // Check if a runtime function with the given {id} may trigger a heap
  // allocation.
  static bool MayAllocate(FunctionId id);

+  // Check if a runtime function with the given {id} is whitelisted for
+  // using it with fuzzers.
+  static bool IsWhitelistedForFuzzing(FunctionId id);
+
  // Get the intrinsic function with the given name.
  static const Function* FunctionForName(const unsigned char* name, int length);


--- a/test/mjsunit/call-intrinsic-differential-fuzzing.js
+++ b/test/mjsunit/call-intrinsic-differential-fuzzing.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-for-differential-fuzzing
+
+// Test blacklisted intrinsics in the context of differential fuzzing.
+assertEquals(undefined, %IsBeingInterpreted());
--- a/test/mjsunit/call-intrinsic-fuzzing.js
+++ b/test/mjsunit/call-intrinsic-fuzzing.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-for-fuzzing
+
+// Test whitelisted/blacklisted intrinsics in the context of fuzzing.
+
+// Blacklisted intrinsics are replaced with undefined.
+assertEquals(undefined, %GetOptimizationStatus(function (){}));
+
+// Blacklisted intrinsics can have wrong arguments.
+%GetOptimizationStatus(1, 2, 3, 4);
+
+// We don't care if an intrinsic actually exists.
+assertEquals(undefined, %FooBar());
+
+// Check whitelisted intrinsic.
+assertNotEquals(undefined, %IsBeingInterpreted());
--- a/tools/clusterfuzz/testdata/failure_output.txt
+++ b/tools/clusterfuzz/testdata/failure_output.txt
@@ -9,9 +9,9 @@
 # Compared x64,ignition with x64,ignition_turbo
 #
 # Flags of x64,ignition:
--correctness-fuzzer-suppressions --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up --flag1 --flag2=0
+--correctness-fuzzer-suppressions --expose-gc --allow-natives-for-differential-fuzzing --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up --flag1 --flag2=0
 # Flags of x64,ignition_turbo:
--correctness-fuzzer-suppressions --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --flag3
+--correctness-fuzzer-suppressions --expose-gc --allow-natives-for-differential-fuzzing --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --flag3
 #
 # Difference:
 - unknown

--- a/tools/clusterfuzz/testdata/sanity_check_output.txt
+++ b/tools/clusterfuzz/testdata/sanity_check_output.txt
@@ -9,9 +9,9 @@
 # Compared x64,ignition with x64,ignition_turbo
 #
 # Flags of x64,ignition:
--correctness-fuzzer-suppressions --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up
+--correctness-fuzzer-suppressions --expose-gc --allow-natives-for-differential-fuzzing --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345 --turbo-filter=~ --noopt --liftoff --no-wasm-tier-up
 # Flags of x64,ignition_turbo:
--correctness-fuzzer-suppressions --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345
+--correctness-fuzzer-suppressions --expose-gc --allow-natives-for-differential-fuzzing --invoke-weak-callbacks --omit-quit --es-staging --wasm-staging --no-wasm-async-compilation --suppress-asm-messages --random-seed 12345
 #
 # Difference:
 - unknown

--- a/tools/clusterfuzz/v8_commands.py
+++ b/tools/clusterfuzz/v8_commands.py
@@ -16,7 +16,7 @@ import v8_fuzz_config
 DEFAULT_FLAGS = [
  '--correctness-fuzzer-suppressions',
  '--expose-gc',
-  '--allow-natives-syntax',
+  '--allow-natives-for-differential-fuzzing',
  '--invoke-weak-callbacks',
  '--omit-quit',
  '--es-staging',