Create a structure-aware JavaScript fuzzer to find deep bugs

Cargo.toml

@@ -3,6 +3,7 @@ members = [
     "boa_cli",
     "boa_engine",
     "boa_gc",
+    "boa_inputgen",
     "boa_interner",
     "boa_profiler",
     "boa_tester",

boa_engine/Cargo.toml

@@ -18,7 +18,10 @@ deser = ["boa_interner/serde"]
 # Enable Boa's WHATWG console object implementation.
 console = []
 
+fuzzer = ["arbitrary", "boa_interner/fuzzer", "num-bigint/arbitrary"]
+
 [dependencies]
+arbitrary = { version = "1", features = ["derive"], optional = true }
 boa_unicode = { path = "../boa_unicode", version = "0.14.0" }
 boa_interner = { path = "../boa_interner", version = "0.14.0" }
 boa_gc = { path = "../boa_gc", version = "0.14.0" }

boa_engine/src/context/mod.rs

@@ -85,6 +85,10 @@ pub struct Context {
     /// Whether or not global strict mode is active.
     strict: bool,
 
+    /// The maximum number of instructions which will be executed in this context.
+    #[cfg(feature = "fuzzer")]
+    pub(crate) max_insns: usize,
+
     pub(crate) vm: Vm,
 }
 
@@ -97,6 +101,8 @@ impl Default for Context {
             console: Console::default(),
             intrinsics: Intrinsics::default(),
             strict: false,
+            #[cfg(feature = "fuzzer")]
+            max_insns: 1 << 20,
             vm: Vm {
                 frame: None,
                 stack: Vec::with_capacity(1024),
@@ -723,4 +729,10 @@ impl Context {
     pub fn set_trace(&mut self, trace: bool) {
         self.vm.trace = trace;
     }
+
+    /// Set the maximum number of instructions for this context
+    #[cfg(feature = "fuzzer")]
+    pub fn set_max_insns(&mut self, max_insns: usize) {
+        self.max_insns = max_insns;
+    }
 }

boa_engine/src/lib.rs

@@ -11,6 +11,8 @@
     html_favicon_url = "https://raw.githubusercontent.com/boa-dev/boa/main/assets/logo.svg"
 )]
 #![cfg_attr(not(test), forbid(clippy::unwrap_used))]
+#![cfg_attr(feature = "fuzzer", allow(clippy::use_self))] // false-positive on derive(Arbitrary)
+#![cfg_attr(not(feature = "fuzzer"), deny(clippy::use_self))]
 #![warn(
     clippy::perf,
     clippy::single_match_else,
@@ -26,7 +28,6 @@
     clippy::all,
     clippy::cast_lossless,
     clippy::redundant_closure_for_method_calls,
-    clippy::use_self,
     clippy::unnested_or_patterns,
     clippy::trivially_copy_pass_by_ref,
     clippy::needless_pass_by_value,

boa_engine/src/syntax/ast/constant.rs

@@ -24,6 +24,7 @@ use serde::{Deserialize, Serialize};
 /// [spec]: https://tc39.es/ecma262/#sec-primary-expression-literals
 /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Grammar_and_types#Literals
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Finalize, PartialEq)]
 pub enum Const {
     /// A string literal is zero or more characters enclosed in double (`"`) or single (`'`) quotation marks.

boa_engine/src/syntax/ast/node/array/mod.rs

@@ -27,6 +27,7 @@ mod tests;
 /// [spec]: https://tc39.es/ecma262/#prod-ArrayLiteral
 /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Trace, Finalize, PartialEq)]
 pub struct ArrayDecl {
     #[cfg_attr(feature = "deser", serde(flatten))]
@@ -59,6 +60,13 @@ impl AsRef<[Node]> for ArrayDecl {
     }
 }
 
+#[cfg(feature = "fuzzer")]
+impl AsMut<[Node]> for ArrayDecl {
+    fn as_mut(&mut self) -> &mut [Node] {
+        &mut self.arr
+    }
+}
+
 impl<T> From<T> for ArrayDecl
 where
     T: Into<Box<[Node]>>,

boa_engine/src/syntax/ast/node/await_expr/mod.rs

@@ -20,11 +20,19 @@ mod tests;
 /// [spec]: https://tc39.es/ecma262/#prod-AwaitExpression
 /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/await
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Trace, Finalize, PartialEq)]
 pub struct AwaitExpr {
     expr: Box<Node>,
 }
 
+impl AwaitExpr {
+    #[cfg(feature = "fuzzer")]
+    pub fn expr_mut(&mut self) -> &mut Node {
+        &mut self.expr
+    }
+}
+
 impl<T> From<T> for AwaitExpr
 where
     T: Into<Box<Node>>,

boa_engine/src/syntax/ast/node/block/mod.rs

@@ -28,6 +28,7 @@ mod tests;
 /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/block
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
 #[cfg_attr(feature = "deser", serde(transparent))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Trace, Finalize, PartialEq)]
 pub struct Block {
     #[cfg_attr(feature = "deser", serde(flatten))]
@@ -40,6 +41,11 @@ impl Block {
         self.statements.items()
     }
 
+    #[cfg(feature = "fuzzer")]
+    pub fn items_mut(&mut self) -> &mut [Node] {
+        self.statements.items_mut()
+    }
+
     pub(crate) fn lexically_declared_names(&self, interner: &Interner) -> FxHashSet<Sym> {
         self.statements.lexically_declared_names(interner)
     }

boa_engine/src/syntax/ast/node/call/mod.rs

@@ -23,6 +23,7 @@ mod tests;
 /// [spec]: https://tc39.es/ecma262/#prod-CallExpression
 /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Functions#Calling_functions
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Trace, Finalize, PartialEq)]
 pub struct Call {
     expr: Box<Node>,
@@ -51,6 +52,16 @@ impl Call {
     pub fn args(&self) -> &[Node] {
         &self.args
     }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn expr_mut(&mut self) -> &mut Node {
+        &mut self.expr
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn args_mut(&mut self) -> &mut [Node] {
+        &mut self.args
+    }
 }
 
 impl ToInternedString for Call {

boa_engine/src/syntax/ast/node/conditional/conditional_op/mod.rs

@@ -20,6 +20,7 @@ use serde::{Deserialize, Serialize};
 /// [spec]: https://tc39.es/ecma262/#prod-ConditionalExpression
 /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Grammar_and_types#Literals
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Trace, Finalize, PartialEq)]
 pub struct ConditionalOp {
     condition: Box<Node>,
@@ -40,6 +41,21 @@ impl ConditionalOp {
         &self.if_false
     }
 
+    #[cfg(feature = "fuzzer")]
+    pub fn cond_mut(&mut self) -> &mut Node {
+        &mut self.condition
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn if_true_mut(&mut self) -> &mut Node {
+        &mut self.if_true
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn if_false_mut(&mut self) -> &mut Node {
+        &mut self.if_false
+    }
+
     /// Creates a `ConditionalOp` AST node.
     pub fn new<C, T, F>(condition: C, if_true: T, if_false: F) -> Self
     where

boa_engine/src/syntax/ast/node/conditional/if_node/mod.rs

@@ -22,6 +22,7 @@ use serde::{Deserialize, Serialize};
 /// [falsy]: https://developer.mozilla.org/en-US/docs/Glossary/falsy
 /// [expression]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Expressions_and_Operators#Expressions
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Trace, Finalize, PartialEq)]
 pub struct If {
     cond: Box<Node>,
@@ -42,6 +43,21 @@ impl If {
         self.else_node.as_ref().map(Box::as_ref)
     }
 
+    #[cfg(feature = "fuzzer")]
+    pub fn cond_mut(&mut self) -> &mut Node {
+        &mut self.cond
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn body_mut(&mut self) -> &mut Node {
+        &mut self.body
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn else_node_mut(&mut self) -> Option<&mut Node> {
+        self.else_node.as_deref_mut()
+    }
+
     /// Creates an `If` AST node.
     pub fn new<C, B, E, OE>(condition: C, body: B, else_node: OE) -> Self
     where

boa_engine/src/syntax/ast/node/declaration/arrow_function_decl/mod.rs

@@ -19,6 +19,7 @@ use serde::{Deserialize, Serialize};
 /// [spec]: https://tc39.es/ecma262/#prod-ArrowFunction
 /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/Arrow_functions
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Trace, Finalize, PartialEq)]
 pub struct ArrowFunctionDecl {
     name: Option<Sym>,
@@ -61,6 +62,21 @@ impl ArrowFunctionDecl {
         &self.body
     }
 
+    #[cfg(feature = "fuzzer")]
+    pub fn name_mut(&mut self) -> Option<&mut Sym> {
+        self.name.as_mut()
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn params_mut(&mut self) -> &mut FormalParameterList {
+        &mut self.params
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn body_mut(&mut self) -> &mut StatementList {
+        &mut self.body
+    }
+
     /// Implements the display formatting with indentation.
     pub(in crate::syntax::ast::node) fn to_indented_string(
         &self,

boa_engine/src/syntax/ast/node/declaration/async_function_decl/mod.rs

@@ -16,6 +16,7 @@ use serde::{Deserialize, Serialize};
 /// [spec]: https://tc39.es/ecma262/#sec-async-function-prototype-properties
 /// [mdn]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/async_function
 #[cfg_attr(feature = "deser", derive(Serialize, Deserialize))]
+#[cfg_attr(feature = "fuzzer", derive(arbitrary::Arbitrary))]
 #[derive(Clone, Debug, Trace, Finalize, PartialEq)]
 pub struct AsyncFunctionDecl {
     name: Sym,
@@ -52,6 +53,21 @@ impl AsyncFunctionDecl {
         self.body.items()
     }
 
+    #[cfg(feature = "fuzzer")]
+    pub fn name_mut(&mut self) -> &mut Sym {
+        &mut self.name
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn parameters_mut(&mut self) -> &mut FormalParameterList {
+        &mut self.parameters
+    }
+
+    #[cfg(feature = "fuzzer")]
+    pub fn body_mut(&mut self) -> &mut StatementList {
+        &mut self.body
+    }
+
     /// Implements the display formatting with indentation.
     pub(in crate::syntax::ast::node) fn to_indented_string(
         &self,