def directMain(): logPrefix = os.path.join(mkdtemp(prefix="domfuzz-rdf-main"), "t") print logPrefix collector = createCollector.createCollector("DOMFuzz") bc = BrowserConfig(sys.argv[1:], collector) if bc.options.argURL: extraPrefs = randomPrefs.grabExtraPrefs(bc.options.argURL) else: extraPrefs = "" br = BrowserResult(bc, bc.options.argURL or "about:blank", logPrefix, extraPrefs=extraPrefs, leaveProfile=True) print br.level if bc.options.submit: if br.level >= bc.options.minimumInterestingLevel: testcaseFilename = bc.options.argURL print "Submitting " + testcaseFilename quality = 0 collector.submit(br.crashInfo, testcaseFilename, quality) else: print "Not submitting (not interesting)" else: sys.exit(br.level)
def main(): printMachineInfo() options = parseOpts() collector = createCollector.createCollector( "DOMFuzz" if options.testType == 'dom' else "jsfunfuzz") refreshSignatures(collector) options.tempDir = tempfile.mkdtemp("fuzzbot") print options.tempDir buildInfo = ensureBuild(options) assert os.path.isdir(buildInfo.buildDir) numProcesses = multiprocessing.cpu_count() if "-asan" in buildInfo.buildDir: # This should really be based on the amount of RAM available, but I don't know how to compute that in Python. # I could guess 1 GB RAM per core, but that wanders into sketchyville. numProcesses = max(numProcesses // 2, 1) if sps.isARMv7l: # Even though ARM boards generally now have many cores, each core is not as powerful # as x86/64 ones, so restrict fuzzing to only 1 core for now. numProcesses = 1 forkJoin.forkJoin(options.tempDir, numProcesses, loopFuzzingAndReduction, options, buildInfo, collector) # Remove build directory if we created it if options.testType == 'dom' and not \ (options.existingBuildDir or options.buildOptions is not None): shutil.rmtree(buildInfo.buildDir) shutil.rmtree(options.tempDir)
def parseOptions(args): parser = OptionParser() parser.disable_interspersed_args() parser.add_option("--minlevel", type="int", dest="minimumInterestingLevel", default=jsInteresting.JS_OVERALL_MISMATCH, help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting") parser.add_option("--timeout", type="int", dest="timeout", default=10, help="timeout in seconds") parser.add_option("--flags", dest="flagsSpaceSep", default="", help="space-separated list of one set of flags") options, args = parser.parse_args(args) if len(args) != 3: raise Exception("Wrong number of positional arguments. Need 3 (knownPath, jsengine, infilename).") options.knownPath = args[0] options.jsengine = args[1] options.infilename = args[2] options.flags = options.flagsSpaceSep.split(" ") if options.flagsSpaceSep else [] if not os.path.exists(options.jsengine): raise Exception("js shell does not exist: " + options.jsengine) # For jsInteresting: options.valgrind = False options.shellIsDeterministic = True # We shouldn't be in compareJIT with a non-deterministic build options.collector = createCollector.createCollector("jsfunfuzz") return options
def main(): printMachineInfo() options = parseOpts() collector = createCollector.createCollector("DOMFuzz" if options.testType == 'dom' else "jsfunfuzz") refreshSignatures(collector) options.tempDir = tempfile.mkdtemp("fuzzbot") print options.tempDir buildInfo = ensureBuild(options) assert os.path.isdir(buildInfo.buildDir) numProcesses = multiprocessing.cpu_count() if "-asan" in buildInfo.buildDir: # This should really be based on the amount of RAM available, but I don't know how to compute that in Python. # I could guess 1 GB RAM per core, but that wanders into sketchyville. numProcesses = max(numProcesses // 2, 1) if sps.isARMv7l: # Even though ARM boards generally now have many cores, each core is not as powerful # as x86/64 ones, so restrict fuzzing to only 1 core for now. numProcesses = 1 forkJoin.forkJoin(options.tempDir, numProcesses, loopFuzzingAndReduction, options, buildInfo, collector) # Remove build directory if we created it if options.testType == 'dom' and not \ (options.existingBuildDir or options.buildOptions is not None): shutil.rmtree(buildInfo.buildDir) shutil.rmtree(options.tempDir)
def parseOptions(args): parser = OptionParser() parser.disable_interspersed_args() parser.add_option("--valgrind", action="store_true", dest="valgrind", default=False, help="use valgrind with a reasonable set of options") parser.add_option("--submit", action="store_true", dest="submit", default=False, help="submit to fuzzmanager (if interesting)") parser.add_option("--minlevel", type="int", dest="minimumInterestingLevel", default=JS_FINE + 1, help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting") parser.add_option("--timeout", type="int", dest="timeout", default=120, help="timeout in seconds") options, args = parser.parse_args(args) if len(args) < 2: raise Exception("Not enough positional arguments") options.knownPath = args[0] options.jsengineWithArgs = args[1:] options.collector = createCollector.createCollector("jsfunfuzz") if not os.path.exists(options.jsengineWithArgs[0]): raise Exception("js shell does not exist: " + options.jsengineWithArgs[0]) options.shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsengineWithArgs[0], 'more-deterministic') return options
def parseOptions(args): parser = OptionParser() parser.disable_interspersed_args() parser.add_option("--valgrind", action="store_true", dest="valgrind", default=False, help="use valgrind with a reasonable set of options") parser.add_option("--submit", action="store_true", dest="submit", default=False, help="submit to fuzzmanager (if interesting)") parser.add_option("--minlevel", type="int", dest="minimumInterestingLevel", default=JS_FINE + 1, help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting") parser.add_option("--timeout", type="int", dest="timeout", default=120, help="timeout in seconds") options, args = parser.parse_args(args) if len(args) < 2: raise Exception("Not enough positional arguments") options.knownPath = args[0] options.jsengineWithArgs = args[1:] options.collector = createCollector.createCollector("jsfunfuzz") if not os.path.exists(options.jsengineWithArgs[0]): raise Exception("js shell does not exist: " + options.jsengineWithArgs[0]) options.shellIsDeterministic = inspectShell.queryBuildConfiguration(options.jsengineWithArgs[0], 'more-deterministic') return options
def parseOptions(args): parser = OptionParser() parser.disable_interspersed_args() parser.add_option("--minlevel", type="int", dest="minimumInterestingLevel", default=jsInteresting.JS_OVERALL_MISMATCH, help="minimum js/jsInteresting.py level for lithium to consider the testcase interesting") parser.add_option("--timeout", type="int", dest="timeout", default=10, help="timeout in seconds") parser.add_option("--flags", dest="flagsSpaceSep", default="", help="space-separated list of one set of flags") options, args = parser.parse_args(args) if len(args) != 3: raise Exception("Wrong number of positional arguments. Need 3 (knownPath, jsengine, infilename).") options.knownPath = args[0] options.jsengine = args[1] options.infilename = args[2] options.flags = options.flagsSpaceSep.split(" ") if options.flagsSpaceSep else [] if not os.path.exists(options.jsengine): raise Exception("js shell does not exist: " + options.jsengine) # For jsInteresting: options.valgrind = False options.shellIsDeterministic = True # We shouldn't be in compareJIT with a non-deterministic build options.collector = createCollector.createCollector("jsfunfuzz") return options
def start_runs(): collector = createCollector.createCollector("DOMFuzz") try: refreshSignatures(collector) except Exception: pass many_timed_runs(None, sps.createWtmpDir(os.getcwdu()), sys.argv[1:], collector, quiet=False)
def directMain(): logPrefix = os.path.join(mkdtemp(prefix="domfuzz-rdf-main"), "t") print logPrefix collector = createCollector.createCollector("DOMFuzz") bc = BrowserConfig(sys.argv[1:], collector) if bc.options.argURL: extraPrefs = randomPrefs.grabExtraPrefs(bc.options.argURL) else: extraPrefs = "" br = BrowserResult(bc, bc.options.argURL or "about:blank", logPrefix, extraPrefs=extraPrefs, leaveProfile=True) print br.level if bc.options.submit: if br.level >= bc.options.minimumInterestingLevel: testcaseFilename = bc.options.argURL print "Submitting " + testcaseFilename quality = 0 collector.submit(br.crashInfo, testcaseFilename, quality) else: print "Not submitting (not interesting)" else: sys.exit(br.level)
def init(args): global bcForLithium bcForLithium = BrowserConfig(args, createCollector.createCollector("DOMFuzz"))
def mightUseDivision(code): # Work around MSVC division inconsistencies (bug 948321) # by leaving division out of *-cj-in.js files on Windows. # (Unfortunately, this will also match regexps and a bunch # of other things.) i = 0 while i < len(code): if code[i] == '/': if i + 1 < len(code) and (code[i + 1] == '/' or code[i + 1] == '*'): # An open-comment like "//" or "/*" is okay. Skip the next character. i += 1 elif i > 0 and code[i - 1] == '*': # A close-comment like "*/" is okay too. pass else: # Plain "/" could be division (or regexp or something else) return True i += 1 return False assert not mightUseDivision("//") assert not mightUseDivision("// a") assert not mightUseDivision("/*FOO*/") assert mightUseDivision("a / b") assert mightUseDivision("eval('/**/'); a / b;") assert mightUseDivision("eval('//x'); a / b;") if __name__ == "__main__": many_timed_runs(None, sps.createWtmpDir(os.getcwdu()), sys.argv[1:], createCollector.createCollector("jsfunfuzz"))
# metaMax controls how many [generated js functions] each browser instance will run # (but fuzz-finish-auto also enforces a time limit) # # Want it small: # Deterministic repro from seed (because of time limit) (but how often do we actually repro-from-seed? and this is fixable) # Limit on how much work Lithium has (but how much time do we spend in Lithium, compared to fuzzing?) # Waste less time in huge GCs (especially with fuzzMultiDoc) # Small variations on initial reftests are often the most interesting # Less chance for the fuzzer to tie itself in exponential knots, and hang unexpectedly (e.g. repeated cloneNode) # # Want it large: # Depth is more important as we scale # Depth is important to fuzzerRandomJS # Waste less time in startup, shutdown # Waste less time parsing breakpad symbol files (!) # Waste less time waiting for hanging testcases (?) metaMax = 30000 return "#fuzz=" + str(metaSeed) + ",0," + str(metaPer) + "," + str(metaInterval) + "," + str(metaMax) + ",0" def afterColon(s): tail = s.partition(": ")[2] return tail.strip() if __name__ == "__main__": many_timed_runs(None, sps.createWtmpDir(os.getcwdu()), sys.argv[1:], createCollector.createCollector("DOMFuzz"), quiet=False)
# by leaving division out of *-cj-in.js files on Windows. # (Unfortunately, this will also match regexps and a bunch # of other things.) i = 0 while i < len(code): if code[i] == '/': if i + 1 < len(code) and (code[i + 1] == '/' or code[i + 1] == '*'): # An open-comment like "//" or "/*" is okay. Skip the next character. i += 1 elif i > 0 and code[i - 1] == '*': # A close-comment like "*/" is okay too. pass else: # Plain "/" could be division (or regexp or something else) return True i += 1 return False assert not mightUseDivision("//") assert not mightUseDivision("// a") assert not mightUseDivision("/*FOO*/") assert mightUseDivision("a / b") assert mightUseDivision("eval('/**/'); a / b;") assert mightUseDivision("eval('//x'); a / b;") if __name__ == "__main__": many_timed_runs(None, sps.createWtmpDir(os.getcwdu()), sys.argv[1:], createCollector.createCollector("jsfunfuzz"))