[quickjs] Adds project quickjs (#3540)

* Adds project quickjs

* Activate ubsan for quickjs

* Loop for fuzz targets

* Revert "Activate ubsan for quickjs"

This reverts commit 55678410ad.

* Language for quickjs

projects/quickjs/Dockerfile

@@ -0,0 +1,22 @@
+# Copyright 2020 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make
+RUN git clone --depth 1 https://github.com/horhof/quickjs quickjs
+WORKDIR $SRC/
+COPY build.sh $SRC/
+COPY fuzz*.c $SRC/

projects/quickjs/build.sh

@@ -0,0 +1,33 @@
+#!/bin/bash -eu
+# Copyright 2020 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build quickjs
+cd quickjs
+# Makefile should not override CFLAGS
+sed -i -e 's/CFLAGS=/CFLAGS+=/' Makefile
+CONFIG_CLANG=y make libquickjs.a
+zip -r $OUT/fuzz_eval_seed_corpus.zip tests/*.js
+zip -r $OUT/fuzz_eval_seed_corpus.zip examples/*.js
+zip -r $OUT/fuzz_compile_seed_corpus.zip tests/*.js
+zip -r $OUT/fuzz_compile_seed_corpus.zip examples/*.js
+
+cd ..
+FUZZ_TARGETS="fuzz_eval fuzz_compile fuzz_regexp"
+for f in $FUZZ_TARGETS; do
+    $CC $CFLAGS -Iquickjs -c $f.c -o $f.o
+    $CXX $CXXFLAGS $f.o -o $OUT/$f quickjs/libquickjs.a $LIB_FUZZING_ENGINE
+done

projects/quickjs/fuzz_compile.c

@@ -0,0 +1,83 @@
+/* Copyright 2020 Google Inc.
+ 
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#include "quickjs-libc.h"
+
+#include <stdint.h>
+#include <stdio.h>
+
+static int initialized = 0;
+JSRuntime *rt;
+JSContext *ctx;
+static int nbinterrupts = 0;
+
+// handle timeouts from infinite loops
+static int interrupt_handler(JSRuntime *rt, void *opaque)
+{
+    nbinterrupts++;
+    return (nbinterrupts > 100);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+    if (initialized == 0) {
+        rt = JS_NewRuntime();
+        // 64 Mo
+        JS_SetMemoryLimit(rt, 0x4000000);
+        //TODO JS_SetMaxStackSize ?
+        ctx = JS_NewContextRaw(rt);
+        JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
+        JS_AddIntrinsicBaseObjects(ctx);
+        JS_AddIntrinsicDate(ctx);
+        JS_AddIntrinsicEval(ctx);
+        JS_AddIntrinsicStringNormalize(ctx);
+        JS_AddIntrinsicRegExp(ctx);
+        JS_AddIntrinsicJSON(ctx);
+        JS_AddIntrinsicProxy(ctx);
+        JS_AddIntrinsicMapSet(ctx);
+        JS_AddIntrinsicTypedArrays(ctx);
+        JS_AddIntrinsicPromise(ctx);
+        JS_AddIntrinsicBigInt(ctx);
+        JS_SetInterruptHandler(JS_GetRuntime(ctx), interrupt_handler, NULL);
+        js_std_add_helpers(ctx, 0, NULL);
+        initialized = 1;
+    }
+
+    if (Size > 0) {
+        if (Data[Size-1] != 0) {
+            return 0;
+        }
+        JSValue obj;
+        obj = JS_Eval(ctx, (const char *)Data, Size-1, "<none>", JS_EVAL_FLAG_COMPILE_ONLY | JS_EVAL_TYPE_GLOBAL | JS_EVAL_TYPE_MODULE);
+        //TODO target with JS_ParseJSON
+        if (JS_IsException(obj)) {
+            return 0;
+        }
+        size_t bytecode_size;
+        uint8_t* bytecode = JS_WriteObject(ctx, &bytecode_size, obj, JS_WRITE_OBJ_BYTECODE);
+        JS_FreeValue(ctx, obj);
+        if ( !bytecode ) {
+            return 0;
+        }
+        obj = JS_ReadObject(ctx, bytecode, bytecode_size, JS_READ_OBJ_BYTECODE);
+        JS_FreeValue(ctx, obj);
+        nbinterrupts = 0;
+        //this needs patching so as not to exit on JS exception
+        js_std_eval_binary(ctx, bytecode, bytecode_size, 0);
+        js_std_loop(ctx);
+        js_free(ctx, bytecode);
+    }
+
+    return 0;
+}

projects/quickjs/fuzz_eval.c

@@ -0,0 +1,70 @@
+/* Copyright 2020 Google Inc.
+ 
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#include "quickjs-libc.h"
+
+#include <stdint.h>
+#include <stdio.h>
+
+static int initialized = 0;
+JSRuntime *rt;
+JSContext *ctx;
+static int nbinterrupts = 0;
+
+// handle timeouts from infinite loops
+static int interrupt_handler(JSRuntime *rt, void *opaque)
+{
+    nbinterrupts++;
+    return (nbinterrupts > 100);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+    if (initialized == 0) {
+        rt = JS_NewRuntime();
+        // 64 Mo
+        JS_SetMemoryLimit(rt, 0x4000000);
+        //TODO JS_SetMaxStackSize ?
+        ctx = JS_NewContextRaw(rt);
+        JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
+        JS_AddIntrinsicBaseObjects(ctx);
+        JS_AddIntrinsicDate(ctx);
+        JS_AddIntrinsicEval(ctx);
+        JS_AddIntrinsicStringNormalize(ctx);
+        JS_AddIntrinsicRegExp(ctx);
+        JS_AddIntrinsicJSON(ctx);
+        JS_AddIntrinsicProxy(ctx);
+        JS_AddIntrinsicMapSet(ctx);
+        JS_AddIntrinsicTypedArrays(ctx);
+        JS_AddIntrinsicPromise(ctx);
+        JS_AddIntrinsicBigInt(ctx);
+        JS_SetInterruptHandler(JS_GetRuntime(ctx), interrupt_handler, NULL);
+        js_std_add_helpers(ctx, 0, NULL);
+        initialized = 1;
+    }
+
+    if (Size > 0) {
+        //is it more efficient to malloc(Size+1) and memcpy ?
+        if (Data[Size-1] != 0) {
+            return 0;
+        }
+        nbinterrupts = 0;
+        //the final 0 does not count (as in strlen)
+        JS_Eval(ctx, (const char *)Data, Size-1, "<none>", JS_EVAL_TYPE_GLOBAL);
+        //TODO targets with JS_ParseJSON, JS_ReadObject
+        js_std_loop(ctx);
+    }
+
+    return 0;
+}

projects/quickjs/fuzz_regexp.c

@@ -0,0 +1,79 @@
+/* Copyright 2020 Google Inc.
+ 
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#include "libregexp.h"
+#include "quickjs-libc.h"
+
+#include <stdint.h>
+#include <stdio.h>
+
+#define CAPTURE_COUNT_MAX 255
+
+FILE *outfile=NULL;
+JSRuntime *rt;
+JSContext *ctx;
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+    if (outfile == NULL) {
+        outfile = fopen("/dev/null", "w");
+        rt = JS_NewRuntime();
+        // 64 Mo
+        JS_SetMemoryLimit(rt, 0x4000000);
+        //TODO JS_SetMaxStackSize ?
+        ctx = JS_NewContextRaw(rt);
+    }
+    int len, ret, i;
+    uint8_t *bc;
+    char error_msg[64];
+    const uint8_t *input;
+    uint8_t *capture[CAPTURE_COUNT_MAX * 2];
+    int capture_count;
+    size_t Size1=Size;
+
+    //Splits buffer into 2 sub buffers delimited by null character
+    for (i=0; i<Size; i++) {
+        if (Data[i] == 0) {
+            Size1=i;
+            break;
+        }
+    }
+    if (Size1 == Size) {
+        //missing delimiter
+        return 0;
+    }
+    bc = lre_compile(&len, error_msg, sizeof(error_msg), (const char *) Data,
+                     Size1, 0, ctx);
+    if (!bc) {
+        return 0;
+    }
+    input = Data+Size1+1;
+    ret = lre_exec(capture, bc, input, 0, Size-(Size1+1), 0, ctx);
+    if (ret == 1) {
+        capture_count = lre_get_capture_count(bc);
+        for(i = 0; i < 2 * capture_count; i++) {
+            uint8_t *ptr;
+            ptr = capture[i];
+            fprintf(outfile, "%d: ", i);
+            if (!ptr)
+                fprintf(outfile, "<nil>");
+            else
+                fprintf(outfile, "%u", (int)(ptr - (uint8_t *)input));
+            fprintf(outfile, "\n");
+        }
+    }
+    free(bc);
+
+    return 0;
+}

projects/quickjs/project.yaml

@@ -0,0 +1,8 @@
+homepage: "https://bellard.org/quickjs/"
+language: c
+primary_contact: "fabrice@bellard.org"
+auto_ccs :
+- "p.antoine@catenacyber.fr"
+
+sanitizers:
+- address