authoraizatsky <aizatsky@chromium.org>2015-11-18 13:53:16 -0800
committerCommit bot <commit-bot@chromium.org>2015-11-18 21:54:43 +0000
commit96d06e2e7af982c5fd98a964fce740117d1e9d52 (patch)
tree0fe83ec2e108984f03fa2913df166d813238ec64 /testing
parentb1723ed336199cc11039ca4a2746e20a7ebc3e9a (diff)
Libfuzzer test for v8 json parser
BUG= Review URL: https://codereview.chromium.org/1451993002 Cr-Commit-Position: refs/heads/master@{#360424}
Diffstat (limited to 'testing')
-rw-r--r--testing/libfuzzer/BUILD.gn15
-rw-r--r--testing/libfuzzer/v8_json_parser_fuzzer.cc77
2 files changed, 92 insertions, 0 deletions
diff --git a/testing/libfuzzer/BUILD.gn b/testing/libfuzzer/BUILD.gn
index 519c4a7..b46e090 100644
--- a/testing/libfuzzer/BUILD.gn
+++ b/testing/libfuzzer/BUILD.gn
@@ -200,3 +200,18 @@ test("vp9_parser_fuzzer") {
"//media",
]
}
+
+test("v8_json_parser_fuzzer") {
+ sources = [
+ "v8_json_parser_fuzzer.cc",
+ ]
+ deps = [
+ ":libfuzzer_main",
+ "//v8",
+ "//v8:v8_libplatform",
+ ]
+ data = [
+ "$root_out_dir/natives_blob.bin",
+ "$root_out_dir/snapshot_blob.bin",
+ ]
+}
diff --git a/testing/libfuzzer/v8_json_parser_fuzzer.cc b/testing/libfuzzer/v8_json_parser_fuzzer.cc
new file mode 100644
index 0000000..117e31d
--- /dev/null
+++ b/testing/libfuzzer/v8_json_parser_fuzzer.cc
@@ -0,0 +1,77 @@
+// Copyright (c) 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <assert.h>
+#include <linux/limits.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "v8/include/v8.h"
+
+using namespace v8;
+
+namespace v8 {
+namespace platform {
+v8::Platform* CreateDefaultPlatform(int thread_pool_size = 0);
+} // namespace platform
+} // namespace v8
+
+
+class ArrayBufferAllocator : public v8::ArrayBuffer::Allocator {
+ public:
+ virtual void* Allocate(size_t length) {
+ void* data = AllocateUninitialized(length);
+ return data == NULL ? data : memset(data, 0, length);
+ }
+ virtual void* AllocateUninitialized(size_t length) {
+ return malloc(length);
+ }
+ virtual void Free(void* data, size_t) { free(data); }
+};
+
+static char *ProgramPath() {
+ char *path = new char[PATH_MAX + 1];
+ assert(path);
+ ssize_t sz = readlink("/proc/self/exe", path, PATH_MAX);
+ assert(sz > 0);
+ path[sz] = 0;
+ return path;
+}
+
+static Isolate* Init() {
+ V8::InitializeICU();
+ V8::InitializeExternalStartupData(ProgramPath());
+ Platform* platform = platform::CreateDefaultPlatform();
+ V8::InitializePlatform(platform);
+ V8::Initialize();
+
+ ArrayBufferAllocator* allocator = new ArrayBufferAllocator();
+ Isolate::CreateParams create_params;
+ create_params.array_buffer_allocator = allocator;
+ Isolate* isolate = Isolate::New(create_params);
+ assert(isolate);
+
+ return isolate;
+}
+
+static Isolate* isolate = Init();
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data,
+ unsigned long size) {
+ Isolate::Scope isolate_scope(isolate);
+ HandleScope handle_scope(isolate);
+ Local<Context> context = Context::New(isolate);
+ Context::Scope context_scope(context);
+
+ Local<String> source =
+ String::NewFromOneByte(isolate, data,
+ NewStringType::kNormal, size).ToLocalChecked();
+
+ JSON::Parse(source);
+
+ return 0;
+}
+
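Review bot: `ProgramPath` validates the `readlink` result only with `assert(sz > 0)`, so in a build compiled with `NDEBUG` a failure (`sz == -1`) falls straight through to `path[sz] = 0`, a one-byte write before the heap buffer; make the check unconditional, e.g. `if (sz < 0) { perror("readlink"); abort(); }`, and add a comment that the `new char[]` is intentionally never freed because it runs once during static initialization. In `LLVMFuzzerTestOneInput`, `ToLocalChecked()` on the `NewFromOneByte` result turns a failed string allocation on an oversized input into a fatal V8 error that the fuzzer will report as a crash in the target rather than a harness limitation; prefer `Local<String> source;` followed by `if (!String::NewFromOneByte(isolate, data, NewStringType::kNormal, size).ToLocal(&source)) return 0;`. `size` is also silently narrowed from `unsigned long` to the `int` length parameter, so an explicit upper bound (together with the canonical `const uint8_t*, size_t` libFuzzer signature) would make the contract clearer. A `TryCatch try_catch(isolate);` scoped around `JSON::Parse` would make the expected SyntaxError path explicit instead of leaving the exception pending on the isolate; whether V8 tolerates that without a handler is not visible from this hunk, so it is worth confirming.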