Create a structure-aware JavaScript fuzzer to find deep bugs

boa_engine/Cargo.toml

@@ -39,9 +39,9 @@ fuzzer = ["arbitrary", "boa_interner/fuzzer", "num-bigint/arbitrary"]
 
 [dependencies]
 arbitrary = { version = "1", features = ["derive"], optional = true }
-boa_unicode = { path = "../boa_unicode", version = "0.13.0" }
-boa_interner = { path = "../boa_interner", version = "0.13.0" }
-boa_gc = { path = "../boa_gc", version = "0.13.0" }
+boa_unicode = { path = "../boa_unicode", version = "0.14.0" }
+boa_interner = { path = "../boa_interner", version = "0.14.0" }
+boa_gc = { path = "../boa_gc", version = "0.14.0" }
 gc = { version = "0.4.1" }
 boa_profiler = { path = "../boa_profiler", version = "0.14.0" }
 serde = { version = "1.0.136", features = ["derive", "rc"] }

boa_engine/src/context/mod.rs

@@ -85,6 +85,7 @@ pub struct Context {
     /// Whether or not global strict mode is active.
     strict: bool,
 
+    /// The maximum number of instructions which will be executed in this context.
     #[cfg(feature = "fuzzer")]
     pub(crate) max_insns: usize,
 

boa_engine/src/vm/mod.rs

@@ -1473,6 +1473,9 @@ impl Context {
         while self.vm.frame().pc < self.vm.frame().code.code.len() {
             #[cfg(feature = "fuzzer")]
             {
+                // update and check how many VM instructions have been executed to make sure we
+                // don't introduce a spurious timeout in the fuzzer from a source which loops
+                // infinitely
                 insns_executed += 1;
                 if insns_executed > self.max_insns {
                     return Err("instruction max exceeded".into());

boa_inputgen/Cargo.toml

@@ -1,8 +1,32 @@
 [package]
 name = "boa_inputgen"
-authors = ["Addison Crump <[email protected]>"]
-version = "0.1.0"
+version = "0.14.0"
 edition = "2021"
+rust-version = "1.58"
+authors = ["Addison Crump <[email protected]>"]
+description = "Arbitrary JavaScript input generator used to fuzz Boa."
+repository = "https://github.com/boa-dev/boa"
+keywords = ["javascript", "js", "fuzzing", "testing"]
+categories = ["compilers"]
+license = "Unlicense/MIT"
+exclude = [
+    "../.vscode/*",
+    "../.editorconfig",
+    "../test262/*",
+    "../node_modules/*",
+    "../target/*",
+    "../dist/*",
+    "../.github/*",
+    "../assets/*",
+    "../docs/*",
+    "../*.js",
+    "../test_ignore.txt",
+    "../yarn.lock",
+    "../package.json",
+    "../index.html",
+    "../tests/*",
+    "../.github/*",
+]
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

boa_inputgen/src/data.rs

@@ -0,0 +1,88 @@
+use std::collections::HashSet;
+
+use arbitrary::{size_hint, Arbitrary, Unstructured};
+use spin::lazy::Lazy;
+
+use boa_engine::syntax::ast::node::StatementList;
+use boa_interner::{Interner, ToInternedString};
+
+use crate::replace_syms;
+
+static ALPHA: Lazy<Vec<u8>> = Lazy::new(|| {
+    let mut all = Vec::new();
+    all.extend(b'A'..b'Z');
+    all.extend(b'a'..b'z');
+    all
+});
+
+static ALPHANUM: Lazy<Vec<u8>> = Lazy::new(|| {
+    let mut all = Vec::new();
+    all.extend(b'0'..b'9');
+    all.extend(b'A'..b'Z');
+    all.extend(b'a'..b'z');
+    all
+});
+
+#[derive(Debug, PartialEq, Eq, Hash)]
+struct Name {
+    name: String,
+}
+
+impl<'a> arbitrary::Arbitrary<'a> for Name {
+    fn arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self> {
+        let first = u8::arbitrary(u)?; // at least one
+        let first = ALPHA[(first as usize) % ALPHA.len()];
+        let mut chars: Vec<u8> = vec![first];
+        let mut second: Vec<u8> = Arbitrary::arbitrary(u)?;
+        second
+            .iter_mut()
+            .for_each(|c| *c = ALPHANUM[(*c as usize) % ALPHANUM.len()]);
+        chars.extend(second);
+        Ok(Self {
+            name: String::from_utf8(chars).unwrap(),
+        })
+    }
+
+    fn size_hint(depth: usize) -> (usize, Option<usize>) {
+        size_hint::and(u8::size_hint(depth), Vec::<u8>::size_hint(depth))
+    }
+}
+
+/// Fuzz data which can be arbitrarily generated and used to test boa's parser, compiler, and vm
+#[derive(Debug, Clone)]
+pub struct FuzzData {
+    source: String,
+}
+
+impl<'a> Arbitrary<'a> for FuzzData {
+    fn arbitrary(u: &mut Unstructured<'a>) -> arbitrary::Result<Self> {
+        let first_name = Name::arbitrary(u)?; // need at least one
+        let mut vars = HashSet::<Name>::arbitrary(u)?;
+        vars.insert(first_name);
+        let mut sample = StatementList::arbitrary(u)?;
+        let mut interner = Interner::with_capacity(vars.len());
+        let syms = vars
+            .into_iter()
+            .map(|var| interner.get_or_intern(var.name))
+            .collect::<Vec<_>>();
+        replace_syms(&syms, &mut sample);
+        Ok(Self {
+            source: sample.to_interned_string(&interner),
+        })
+    }
+
+    fn size_hint(depth: usize) -> (usize, Option<usize>) {
+        size_hint::and_all(&[
+            Name::size_hint(depth),
+            HashSet::<Name>::size_hint(depth),
+            StatementList::size_hint(depth),
+        ])
+    }
+}
+
+impl FuzzData {
+    /// Get the source represented by this fuzz data
+    pub fn get_source(&self) -> &str {
+        &self.source
+    }
+}