// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "test/fuzzer/fuzzer-support.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "include/libplatform/libplatform.h"
#include "include/v8-context.h"
#include "include/v8-initialization.h"
#include "src/flags/flags.h"
#include "src/trap-handler/trap-handler.h"
namespace v8_fuzzer {
// Brings up the process-wide V8 runtime (flags, ICU and startup data,
// platform, sandbox) and then the single isolate and context that the
// fuzzer reuses. Runs once, from InitializeFuzzerSupport(); the matching
// teardown is ~FuzzerSupport(). The statement order below is load-bearing:
// flags are set before the platform and V8 are initialized, and the sandbox
// is set up before v8::V8::Initialize().
//
// argc/argv: the fuzzer's command line; recognised V8 flags are consumed
//            from it and (*argv)[0] locates the data files.
FuzzerSupport::FuzzerSupport(int* argc, char*** argv) {
  // Expose gc() to scripts so a fuzz input can force a collection instead
  // of having to wait for heap pressure.
  v8::internal::FLAG_expose_gc = true;
  // The trailing `true` is remove_flags: recognised V8 flags are stripped
  // from argv so the fuzzer runtime does not see them.
  v8::V8::SetFlagsFromCommandLine(argc, *argv, true);
  // Both data files are looked up relative to the binary path in argv[0].
  v8::V8::InitializeICUDefaultLocation((*argv)[0]);
  v8::V8::InitializeExternalStartupData((*argv)[0]);
  // platform_ owns the task runners that PumpMessageLoop() drains later.
  platform_ = v8::platform::NewDefaultPlatform();
  v8::V8::InitializePlatform(platform_.get());
#ifdef V8_SANDBOX
  // The sandbox reservation has to be in place before V8 is initialized.
  // A fuzzer running without it would not exercise the configuration under
  // test, so failure is fatal rather than silently degraded.
  if (!v8::V8::InitializeSandbox()) {
    FATAL("Could not initialize the sandbox");
  }
#endif
  v8::V8::Initialize();

  // allocator_ is a raw owning pointer (freed in the destructor). The isolate
  // keeps a pointer to it through create_params, so it must outlive the
  // isolate.
  allocator_ = v8::ArrayBuffer::Allocator::NewDefaultAllocator();
  v8::Isolate::CreateParams create_params;
  create_params.array_buffer_allocator = allocator_;
  // Keep a fuzz input from parking the fuzzing thread in Atomics.wait().
  // NOTE(review): assumes V8 rejects Atomics.wait() on such isolates rather
  // than blocking — confirm against the CreateParams documentation.
  create_params.allow_atomics_wait = false;
  isolate_ = v8::Isolate::New(create_params);

  {
    // Handles can only be created inside these scopes; the context is moved
    // into the persistent handle context_ so it outlives the HandleScope.
    v8::Isolate::Scope isolate_scope(isolate_);
    v8::HandleScope handle_scope(isolate_);
    context_.Reset(isolate_, v8::Context::New(isolate_));
  }
}
// Tears everything down in reverse order of construction: drain the task
// queue, drop the persistent context, dispose the isolate, free the
// allocator, then shut down V8 and the platform. Each step assumes the
// previous one completed.
FuzzerSupport::~FuzzerSupport() {
  {
    v8::Isolate::Scope isolate_scope(isolate_);
    // Drain every task still queued for this isolate; PumpMessageLoop()
    // returns false once nothing is left.
    while (PumpMessageLoop()) {
      // empty
    }

    v8::HandleScope handle_scope(isolate_);
    // Release the persistent handle while the isolate is still alive.
    context_.Reset();
  }

  // Let the isolate give back as much memory as it can before disposal.
  isolate_->LowMemoryNotification();
  isolate_->Dispose();
  isolate_ = nullptr;

  // The isolate held a raw pointer to allocator_ (see CreateParams in the
  // constructor), so it is freed only after Dispose() has returned.
  delete allocator_;
  allocator_ = nullptr;

  v8::V8::Dispose();
  // DisposePlatform() follows V8::Dispose(); the platform object itself is
  // released with the platform_ member afterwards.
  v8::V8::DisposePlatform();
}
// Process-wide singleton, created by InitializeFuzzerSupport() and read via
// Get(). Starts out empty; the DCHECKs in those two functions guard the
// "initialized exactly once" invariant in debug builds.
std::unique_ptr<FuzzerSupport> FuzzerSupport::fuzzer_support_ = nullptr;
// static
// One-time process setup, called from LLVMFuzzerInitialize(): registers the
// WebAssembly trap handler where the build supports one, then constructs the
// singleton FuzzerSupport, which in turn brings up V8 and the isolate.
// Must not run twice; the DCHECK catches a second call in debug builds.
//
// argc/argv: the fuzzer's command line, forwarded to the constructor.
void FuzzerSupport::InitializeFuzzerSupport(int* argc, char*** argv) {
#if V8_ENABLE_WEBASSEMBLY
  // Let V8 install its own signal handler for out-of-bounds traps instead of
  // relying on the embedder to forward signals.
  constexpr bool kUseV8SignalHandler = true;
  // Registration failing on a platform that claims support is a setup bug,
  // not something a fuzz run should quietly continue past.
  if (V8_TRAP_HANDLER_SUPPORTED &&
      !v8::V8::EnableWebAssemblyTrapHandler(kUseV8SignalHandler)) {
    FATAL("Could not register trap handler");
  }
#endif  // V8_ENABLE_WEBASSEMBLY
  DCHECK_NULL(fuzzer_support_);
  fuzzer_support_ = std::make_unique<FuzzerSupport>(argc, argv);
}
// static
// Returns the singleton created by InitializeFuzzerSupport(). The pointer is
// non-owning; calling this before initialization is a programming error and
// trips the DCHECK in debug builds.
FuzzerSupport* FuzzerSupport::Get() {
  FuzzerSupport* support = fuzzer_support_.get();
  DCHECK_NOT_NULL(support);
  return support;
}
// Hands out a local handle to the shared context created in the constructor.
// The EscapableHandleScope is what lets the handle be returned to the caller,
// who must hold a HandleScope of their own to receive it.
v8::Local<v8::Context> FuzzerSupport::GetContext() {
  v8::Isolate::Scope isolate_scope(isolate_);
  v8::EscapableHandleScope handle_scope(isolate_);
  return handle_scope.Escape(v8::Local<v8::Context>::New(isolate_, context_));
}
// Runs one step of the platform's task queue for this isolate.
//
// behavior: whether to wait for work or return immediately (the default is
//           declared in the header).
// Returns whatever v8::platform::PumpMessageLoop reports; the destructor
// loops on it until it returns false.
bool FuzzerSupport::PumpMessageLoop(
    v8::platform::MessageLoopBehavior behavior) {
  v8::Platform* const platform = platform_.get();
  return v8::platform::PumpMessageLoop(platform, isolate_, behavior);
}
} // namespace v8_fuzzer
// libFuzzer resolves this entry point through dlsym() instead of calling it
// directly, so on macOS the symbol has to be kept alive and exported
// explicitly or the linker may dead-strip it.
#if V8_OS_DARWIN
__attribute__((used)) __attribute__((visibility("default")))
#endif  // V8_OS_DARWIN
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
  // All V8 bring-up happens once here; later fuzz iterations are expected
  // to reach the runtime through FuzzerSupport::Get().
  v8_fuzzer::FuzzerSupport::InitializeFuzzerSupport(argc, argv);
  return 0;
}