[regexp, fuzzer] improve regexp fuzzer coverage.

R=jochen@chromium.org, machenbach@chromium.org BUG=chromium:577261 LOG=N Review URL: https://codereview.chromium.org/1660463002 Cr-Commit-Position: refs/heads/master@{#33661}

[regexp, fuzzer] improve regexp fuzzer coverage.
R=jochen@chromium.org, machenbach@chromium.org BUG=chromium:577261 LOG=N Review URL: https://codereview.chromium.org/1660463002 Cr-Commit-Position: refs/heads/master@{#33661}
4da26845 · yangguo · Commit bot · 8c04a35c · 4da26845 · 4da26845
Commit 4da26845 authored Feb 02, 2016 by yangguo Committed by Commit bot Feb 02, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 7 deletions

regexp.cc test/fuzzer/regexp.cc +17 -7

testcfg.py test/fuzzer/testcfg.py +12 -0

No files found.
--- a/test/fuzzer/regexp.cc
+++ b/test/fuzzer/regexp.cc
@@ -14,6 +14,12 @@

 namespace i = v8::internal;

+void Test(v8::Isolate* isolate, i::Handle<i::JSRegExp> regexp,
+          i::Handle<i::String> subject, i::Handle<i::JSArray> results_array) {
+  v8::TryCatch try_catch(isolate);
+  USE(i::RegExpImpl::Exec(regexp, subject, 0, results_array));
+}
+
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
  v8::Isolate* isolate = support->GetIsolate();
@@ -42,7 +48,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  const uint8_t one_byte_array[6] = {'f', 'o', 'o', 'b', 'a', 'r'};
  const i::uc16 two_byte_array[6] = {'f', 0xD83D, 0xDCA9, 'b', 'a', 0x2603};

-  i::Handle<i::JSArray> results_array = factory->NewJSArray(4);
+  i::Handle<i::JSArray> results_array = factory->NewJSArray(5);
  i::Handle<i::String> one_byte =
      factory->NewStringFromOneByte(i::Vector<const uint8_t>(one_byte_array, 6))
          .ToHandleChecked();
@@ -51,13 +57,17 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
          .ToHandleChecked();

  for (int flags = 0; flags <= kAllFlags; flags++) {
-    v8::TryCatch try_catch(isolate);
-    i::MaybeHandle<i::JSRegExp> maybe_regexp =
-        i::JSRegExp::New(source, static_cast<i::JSRegExp::Flags>(flags));
    i::Handle<i::JSRegExp> regexp;
-    if (!maybe_regexp.ToHandle(&regexp)) continue;
-    USE(i::RegExpImpl::Exec(regexp, one_byte, 0, results_array).is_null() &&
-        i::RegExpImpl::Exec(regexp, two_byte, 0, results_array).is_null());
+    {
+      v8::TryCatch try_catch(isolate);
+      i::MaybeHandle<i::JSRegExp> maybe_regexp =
+          i::JSRegExp::New(source, static_cast<i::JSRegExp::Flags>(flags));
+      if (!maybe_regexp.ToHandle(&regexp)) continue;
+    }
+    Test(isolate, regexp, one_byte, results_array);
+    Test(isolate, regexp, two_byte, results_array);
+    Test(isolate, regexp, factory->empty_string(), results_array);
+    Test(isolate, regexp, source, results_array);
  }

  return 0;

--- a/test/fuzzer/testcfg.py
+++ b/test/fuzzer/testcfg.py
@@ -8,6 +8,15 @@ from testrunner.local import testsuite
 from testrunner.objects import testcase


+class FuzzerVariantGenerator(testsuite.VariantGenerator):
+  # Only run the fuzzer with standard variant.
+  def FilterVariantsByTest(self, testcase):
+    return self.standard_variant
+
+  def GetFlagSets(self, testcase, variant):
+    return testsuite.FAST_VARIANT_FLAGS[variant]
+
+
 class FuzzerTestSuite(testsuite.TestSuite):
  SUB_TESTS = ( 'parser', 'regexp', )

@@ -31,6 +40,9 @@ class FuzzerTestSuite(testsuite.TestSuite):
    suite, name = testcase.path.split('/')
    return [os.path.join(self.root, suite, name)]

+  def _VariantGeneratorFactory(self):
+    return FuzzerVariantGenerator
+

 def GetSuite(name, root):
  return FuzzerTestSuite(name, root)