[regexp] add fuzzer support for regexp parser and compiler.

R=jochen@chromium.org
BUG=chromium:577261
LOG=N

Review URL: https://codereview.chromium.org/1655853002

Cr-Commit-Position: refs/heads/master@{#33640}

BUILD.gn

@@ -1953,3 +1953,21 @@ source_set("parser_fuzzer") {
     ":toolchain",
   ]
 }
+
+source_set("regexp_fuzzer") {
+  sources = [
+    "test/fuzzer/regexp.cc",
+  ]
+
+  deps = [
+    ":fuzzer_support",
+  ]
+
+  configs -= [ "//build/config/compiler:chromium_code" ]
+  configs += [ "//build/config/compiler:no_chromium_code" ]
+  configs += [
+    ":internal_config",
+    ":features",
+    ":toolchain",
+  ]
+}

test/fuzzer/fuzzer.gyp

@@ -34,6 +34,32 @@
         'parser.cc',
       ],
     },
+    {
+      'target_name': 'regexp_fuzzer',
+      'type': 'executable',
+      'dependencies': [
+        'regexp_fuzzer_lib',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [
+        'fuzzer.cc',
+      ],
+    },
+    {
+      'target_name': 'regexp_fuzzer_lib',
+      'type': 'static_library',
+      'dependencies': [
+        'fuzzer_support',
+      ],
+      'include_dirs': [
+        '../..',
+      ],
+      'sources': [  ### gcmole(all) ###
+        'regexp.cc',
+      ],
+    },
     {
       'target_name': 'fuzzer_support',
       'type': 'static_library',
@@ -66,6 +92,7 @@
           'type': 'none',
           'dependencies': [
             'parser_fuzzer',
+            'regexp_fuzzer',
           ],
           'includes': [
             '../../build/isolate.gypi',

test/fuzzer/fuzzer.isolate

@@ -6,9 +6,11 @@
   'variables': {
     'files': [
       '<(PRODUCT_DIR)/parser_fuzzer<(EXECUTABLE_SUFFIX)',
+      '<(PRODUCT_DIR)/regexp_fuzzer<(EXECUTABLE_SUFFIX)',
       './fuzzer.status',
       './testcfg.py',
       './parser/',
+      './regexp/',
     ],
   },
   'includes': [

test/fuzzer/regexp.cc

@@ -0,0 +1,64 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "include/v8.h"
+#include "src/factory.h"
+#include "src/objects-inl.h"
+#include "src/objects.h"
+#include "src/regexp/jsregexp.h"
+#include "test/fuzzer/fuzzer-support.h"
+
+namespace i = v8::internal;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  v8_fuzzer::FuzzerSupport* support = v8_fuzzer::FuzzerSupport::Get();
+  v8::Isolate* isolate = support->GetIsolate();
+
+  v8::Isolate::Scope isolate_scope(isolate);
+  v8::HandleScope handle_scope(isolate);
+  v8::Context::Scope context_scope(support->GetContext());
+  v8::TryCatch try_catch(isolate);
+
+  i::FLAG_harmony_unicode_regexps = true;
+  i::FLAG_harmony_regexp_lookbehind = true;
+
+  i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
+  i::Factory* factory = i_isolate->factory();
+
+  if (size > INT_MAX) return 0;
+  i::MaybeHandle<i::String> maybe_source = factory->NewStringFromOneByte(
+      i::Vector<const uint8_t>(data, static_cast<int>(size)));
+  i::Handle<i::String> source;
+  if (!maybe_source.ToHandle(&source)) return 0;
+
+  static const int kAllFlags = i::JSRegExp::kGlobal | i::JSRegExp::kIgnoreCase |
+                               i::JSRegExp::kMultiline | i::JSRegExp::kSticky |
+                               i::JSRegExp::kUnicode;
+
+  const uint8_t one_byte_array[6] = {'f', 'o', 'o', 'b', 'a', 'r'};
+  const i::uc16 two_byte_array[6] = {'f', 0xD83D, 0xDCA9, 'b', 'a', 0x2603};
+
+  i::Handle<i::JSArray> results_array = factory->NewJSArray(4);
+  i::Handle<i::String> one_byte =
+      factory->NewStringFromOneByte(i::Vector<const uint8_t>(one_byte_array, 6))
+          .ToHandleChecked();
+  i::Handle<i::String> two_byte =
+      factory->NewStringFromTwoByte(i::Vector<const i::uc16>(two_byte_array, 6))
+          .ToHandleChecked();
+
+  for (int flags = 0; flags <= kAllFlags; flags++) {
+    v8::TryCatch try_catch(isolate);
+    i::MaybeHandle<i::JSRegExp> maybe_regexp =
+        i::JSRegExp::New(source, static_cast<i::JSRegExp::Flags>(flags));
+    i::Handle<i::JSRegExp> regexp;
+    if (!maybe_regexp.ToHandle(&regexp)) continue;
+    USE(i::RegExpImpl::Exec(regexp, one_byte, 0, results_array).is_null() &&
+        i::RegExpImpl::Exec(regexp, two_byte, 0, results_array).is_null());
+  }
+
+  return 0;
+}

test/fuzzer/regexp/test00

@@ -0,0 +1 @@
+a*

test/fuzzer/regexp/test01

@@ -0,0 +1 @@
+xyz{93}?

test/fuzzer/regexp/test02

@@ -0,0 +1 @@
+(foo|bar|baz)

test/fuzzer/regexp/test03

@@ -0,0 +1 @@
+[^]

test/fuzzer/regexp/test04

@@ -0,0 +1 @@
+[\d]

test/fuzzer/regexp/test05

@@ -0,0 +1 @@
+\c1

test/fuzzer/regexp/test06

@@ -0,0 +1 @@
+[a\]c]

test/fuzzer/regexp/test07

@@ -0,0 +1 @@
+\00011

test/fuzzer/regexp/test08

@@ -0,0 +1 @@
+(x)(x)(x)\2*

test/fuzzer/regexp/test09

@@ -0,0 +1 @@
+(?=a)?a

test/fuzzer/regexp/test10

@@ -0,0 +1 @@
+\1\2(a(?<=\1(b\1\2))\2)\1

test/fuzzer/regexp/test11

@@ -0,0 +1 @@
+\x34

test/fuzzer/regexp/test12

@@ -0,0 +1 @@
+\u{12345}|\u{23456}

test/fuzzer/regexp/test13

@@ -0,0 +1 @@
+^a

test/fuzzer/regexp/test14

@@ -0,0 +1 @@
+a{1,1}?

test/fuzzer/regexp/test15

@@ -0,0 +1 @@
+a\d

test/fuzzer/regexp/test16

@@ -0,0 +1 @@
+a[\q]

test/fuzzer/regexp/test17

@@ -0,0 +1 @@
+\0

test/fuzzer/regexp/test18

@@ -0,0 +1 @@
+a{1z}

test/fuzzer/regexp/test19

@@ -0,0 +1 @@
+{12z}

test/fuzzer/regexp/test20

@@ -0,0 +1 @@
+|

test/fuzzer/regexp/test21

@@ -0,0 +1 @@
+(?:ab)*

test/fuzzer/regexp/test22

@@ -0,0 +1 @@
+(?:a*)?

test/fuzzer/regexp/test23

@@ -0,0 +1 @@
+(?:a+){0}

test/fuzzer/regexp/test24

@@ -0,0 +1 @@
+a\Bc

test/fuzzer/testcfg.py

@@ -9,7 +9,7 @@ from testrunner.objects import testcase
 
 
 class FuzzerTestSuite(testsuite.TestSuite):
-  SUB_TESTS = ( 'parser', )
+  SUB_TESTS = ( 'parser', 'regexp', )
 
   def __init__(self, name, root):
     super(FuzzerTestSuite, self).__init__(name, root)