def directMain():
logPrefix = os.path.join(mkdtemp(prefix="domfuzz-rdf-main"), "t")
print logPrefix
collector = createCollector.createCollector("DOMFuzz")
bc = BrowserConfig(sys.argv[1:], collector)
if bc.options.argURL:
extraPrefs = randomPrefs.grabExtraPrefs(bc.options.argURL)
else:
extraPrefs = ""
br = BrowserResult(bc,
bc.options.argURL or "about:blank",
logPrefix,
extraPrefs=extraPrefs,
leaveProfile=True)
print br.level
if bc.options.submit:
if br.level >= bc.options.minimumInterestingLevel:
testcaseFilename = bc.options.argURL
print "Submitting " + testcaseFilename
quality = 0
collector.submit(br.crashInfo, testcaseFilename, quality)
else:
print "Not submitting (not interesting)"
else:
sys.exit(br.level)
def main():
printMachineInfo()
options = parseOpts()
collector = createCollector.createCollector(
"DOMFuzz" if options.testType == 'dom' else "jsfunfuzz")
refreshSignatures(collector)
options.tempDir = tempfile.mkdtemp("fuzzbot")
print options.tempDir
buildInfo = ensureBuild(options)
assert os.path.isdir(buildInfo.buildDir)
numProcesses = multiprocessing.cpu_count()
if "-asan" in buildInfo.buildDir:
# This should really be based on the amount of RAM available, but I don't know how to compute that in Python.
# I could guess 1 GB RAM per core, but that wanders into sketchyville.
numProcesses = max(numProcesses // 2, 1)
if sps.isARMv7l:
# Even though ARM boards generally now have many cores, each core is not as powerful
# as x86/64 ones, so restrict fuzzing to only 1 core for now.
numProcesses = 1
forkJoin.forkJoin(options.tempDir, numProcesses, loopFuzzingAndReduction,
options, buildInfo, collector)
# Remove build directory if we created it
if options.testType == 'dom' and not \
(options.existingBuildDir or options.buildOptions is not None):
shutil.rmtree(buildInfo.buildDir)
shutil.rmtree(options.tempDir)
def parseOptions(args):
parser = OptionParser()
parser.disable_interspersed_args()
parser.add_option("--minlevel",
type="int", dest="minimumInterestingLevel",
default=jsInteresting.JS_OVERALL_MISMATCH,
help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting")
parser.add_option("--timeout",
type="int", dest="timeout",
default=10,
help="timeout in seconds")
parser.add_option("--flags",
dest="flagsSpaceSep",
default="",
help="space-separated list of one set of flags")
options, args = parser.parse_args(args)
if len(args) != 3:
raise Exception("Wrong number of positional arguments. Need 3 (knownPath, jsengine, infilename).")
options.knownPath = args[0]
options.jsengine = args[1]
options.infilename = args[2]
options.flags = options.flagsSpaceSep.split(" ") if options.flagsSpaceSep else []
if not os.path.exists(options.jsengine):
raise Exception("js shell does not exist: " + options.jsengine)
# For jsInteresting:
options.valgrind = False
options.shellIsDeterministic = True # We shouldn't be in compareJIT with a non-deterministic build
options.collector = createCollector.createCollector("jsfunfuzz")
return options
def main():
printMachineInfo()
options = parseOpts()
collector = createCollector.createCollector("DOMFuzz" if options.testType == 'dom' else "jsfunfuzz")
refreshSignatures(collector)
options.tempDir = tempfile.mkdtemp("fuzzbot")
print options.tempDir
buildInfo = ensureBuild(options)
assert os.path.isdir(buildInfo.buildDir)
numProcesses = multiprocessing.cpu_count()
if "-asan" in buildInfo.buildDir:
# This should really be based on the amount of RAM available, but I don't know how to compute that in Python.
# I could guess 1 GB RAM per core, but that wanders into sketchyville.
numProcesses = max(numProcesses // 2, 1)
if sps.isARMv7l:
# Even though ARM boards generally now have many cores, each core is not as powerful
# as x86/64 ones, so restrict fuzzing to only 1 core for now.
numProcesses = 1
forkJoin.forkJoin(options.tempDir, numProcesses, loopFuzzingAndReduction, options, buildInfo, collector)
# Remove build directory if we created it
if options.testType == 'dom' and not \
(options.existingBuildDir or options.buildOptions is not None):
shutil.rmtree(buildInfo.buildDir)
shutil.rmtree(options.tempDir)
def parseOptions(args):
parser = OptionParser()
parser.disable_interspersed_args()
parser.add_option("--valgrind",
action="store_true", dest="valgrind",
default=False,
help="use valgrind with a reasonable set of options")
parser.add_option("--submit",
action="store_true", dest="submit",
default=False,
help="submit to fuzzmanager (if interesting)")
parser.add_option("--minlevel",
type="int", dest="minimumInterestingLevel",
default=JS_FINE + 1,
help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting")
parser.add_option("--timeout",
type="int", dest="timeout",
default=120,
help="timeout in seconds")
options, args = parser.parse_args(args)
if len(args) < 2:
raise Exception("Not enough positional arguments")
options.knownPath = args[0]
options.jsengineWithArgs = args[1:]
options.collector = createCollector.createCollector("jsfunfuzz")
if not os.path.exists(options.jsengineWithArgs[0]):
raise Exception("js shell does not exist: " + options.jsengineWithArgs[0])
options.shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsengineWithArgs[0], 'more-deterministic')
return options
def parseOptions(args):
parser = OptionParser()
parser.disable_interspersed_args()
parser.add_option("--valgrind",
action="store_true", dest="valgrind",
default=False,
help="use valgrind with a reasonable set of options")
parser.add_option("--submit",
action="store_true", dest="submit",
default=False,
help="submit to fuzzmanager (if interesting)")
parser.add_option("--minlevel",
type="int", dest="minimumInterestingLevel",
default=JS_FINE + 1,
help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting")
parser.add_option("--timeout",
type="int", dest="timeout",
default=120,
help="timeout in seconds")
options, args = parser.parse_args(args)
if len(args) < 2:
raise Exception("Not enough positional arguments")
options.knownPath = args[0]
options.jsengineWithArgs = args[1:]
options.collector = createCollector.createCollector("jsfunfuzz")
if not os.path.exists(options.jsengineWithArgs[0]):
raise Exception("js shell does not exist: " + options.jsengineWithArgs[0])
options.shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsengineWithArgs[0], 'more-deterministic')
return options
def parseOptions(args):
parser = OptionParser()
parser.disable_interspersed_args()
parser.add_option("--minlevel",
type="int", dest="minimumInterestingLevel",
default=jsInteresting.JS_OVERALL_MISMATCH,
help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting")
parser.add_option("--timeout",
type="int", dest="timeout",
default=10,
help="timeout in seconds")
parser.add_option("--flags",
dest="flagsSpaceSep",
default="",
help="space-separated list of one set of flags")
options, args = parser.parse_args(args)
if len(args) != 3:
raise Exception("Wrong number of positional arguments. Need 3 (knownPath, jsengine, infilename).")
options.knownPath = args[0]
options.jsengine = args[1]
options.infilename = args[2]
options.flags = options.flagsSpaceSep.split(" ") if options.flagsSpaceSep else []
if not os.path.exists(options.jsengine):
raise Exception("js shell does not exist: " + options.jsengine)
# For jsInteresting:
options.valgrind = False
options.shellIsDeterministic = True # We shouldn't be in compareJIT with a non-deterministic build
options.collector = createCollector.createCollector("jsfunfuzz")
return options
def start_runs():
collector = createCollector.createCollector("DOMFuzz")
try:
refreshSignatures(collector)
except Exception:
pass
many_timed_runs(None, sps.createWtmpDir(os.getcwdu()), sys.argv[1:], collector, quiet=False)
def directMain():
logPrefix = os.path.join(mkdtemp(prefix="domfuzz-rdf-main"), "t")
print logPrefix
collector = createCollector.createCollector("DOMFuzz")
bc = BrowserConfig(sys.argv[1:], collector)
if bc.options.argURL:
extraPrefs = randomPrefs.grabExtraPrefs(bc.options.argURL)
else:
extraPrefs = ""
br = BrowserResult(bc, bc.options.argURL or "about:blank", logPrefix, extraPrefs=extraPrefs, leaveProfile=True)
print br.level
if bc.options.submit:
if br.level >= bc.options.minimumInterestingLevel:
testcaseFilename = bc.options.argURL
print "Submitting " + testcaseFilename
quality = 0
collector.submit(br.crashInfo, testcaseFilename, quality)
else:
print "Not submitting (not interesting)"
else:
sys.exit(br.level)
def init(args):
global bcForLithium
bcForLithium = BrowserConfig(args, createCollector.createCollector("DOMFuzz"))
def mightUseDivision(code):
# Work around MSVC division inconsistencies (bug 948321)
# by leaving division out of *-cj-in.js files on Windows.
# (Unfortunately, this will also match regexps and a bunch
# of other things.)
i = 0
while i < len(code):
if code[i] == '/':
if i + 1 < len(code) and (code[i + 1] == '/' or code[i + 1] == '*'):
# An open-comment like "//" or "/*" is okay. Skip the next character.
i += 1
elif i > 0 and code[i - 1] == '*':
# A close-comment like "*/" is okay too.
pass
else:
# Plain "/" could be division (or regexp or something else)
return True
i += 1
return False
assert not mightUseDivision("//")
assert not mightUseDivision("// a")
assert not mightUseDivision("/*FOO*/")
assert mightUseDivision("a / b")
assert mightUseDivision("eval('/**/'); a / b;")
assert mightUseDivision("eval('//x'); a / b;")
if __name__ == "__main__":
many_timed_runs(None, sps.createWtmpDir(os.getcwdu()), sys.argv[1:], createCollector.createCollector("jsfunfuzz"))
# metaMax controls how many [generated js functions] each browser instance will run
# (but fuzz-finish-auto also enforces a time limit)
#
# Want it small:
# Deterministic repro from seed (because of time limit) (but how often do we actually repro-from-seed? and this is fixable)
# Limit on how much work Lithium has (but how much time do we spend in Lithium, compared to fuzzing?)
# Waste less time in huge GCs (especially with fuzzMultiDoc)
# Small variations on initial reftests are often the most interesting
# Less chance for the fuzzer to tie itself in exponential knots, and hang unexpectedly (e.g. repeated cloneNode)
#
# Want it large:
# Depth is more important as we scale
# Depth is important to fuzzerRandomJS
# Waste less time in startup, shutdown
# Waste less time parsing breakpad symbol files (!)
# Waste less time waiting for hanging testcases (?)
metaMax = 30000
return "#fuzz=" + str(metaSeed) + ",0," + str(metaPer) + "," + str(metaInterval) + "," + str(metaMax) + ",0"
def afterColon(s):
tail = s.partition(": ")[2]
return tail.strip()
if __name__ == "__main__":
many_timed_runs(None, sps.createWtmpDir(os.getcwdu()), sys.argv[1:], createCollector.createCollector("DOMFuzz"), quiet=False)
# by leaving division out of *-cj-in.js files on Windows.
# (Unfortunately, this will also match regexps and a bunch
# of other things.)
i = 0
while i < len(code):
if code[i] == '/':
if i + 1 < len(code) and (code[i + 1] == '/'
or code[i + 1] == '*'):
# An open-comment like "//" or "/*" is okay. Skip the next character.
i += 1
elif i > 0 and code[i - 1] == '*':
# A close-comment like "*/" is okay too.
pass
else:
# Plain "/" could be division (or regexp or something else)
return True
i += 1
return False
assert not mightUseDivision("//")
assert not mightUseDivision("// a")
assert not mightUseDivision("/*FOO*/")
assert mightUseDivision("a / b")
assert mightUseDivision("eval('/**/'); a / b;")
assert mightUseDivision("eval('//x'); a / b;")
if __name__ == "__main__":
many_timed_runs(None, sps.createWtmpDir(os.getcwdu()), sys.argv[1:],
createCollector.createCollector("jsfunfuzz"))
