From efcb6fc8a9de488e6926a8c3a43019dc0d0b5350 Mon Sep 17 00:00:00 2001 From: hzzhouzebin Date: Sun, 12 May 2024 15:29:25 +0800 Subject: [PATCH 1/2] Auto apply Fuzzilli Signed-off-by: hzzhouzebin --- arkfuzzilli/BUILD.gn | 2 +- patch/ets_runtime.diff | 148 +++++++++++++++++++++++++++++++++------ patch/fuzzilli.diff | 152 ++++++++++++++++++++++++----------------- patch/toolchain.diff | 2 +- script/build.sh | 8 ++- 5 files changed, 225 insertions(+), 87 deletions(-) diff --git a/arkfuzzilli/BUILD.gn b/arkfuzzilli/BUILD.gn index 7cec0d6..5440f69 100644 --- a/arkfuzzilli/BUILD.gn +++ b/arkfuzzilli/BUILD.gn @@ -40,7 +40,7 @@ ohos_executable("arkfuzzer") { cflags = [] cflags += [ "-fsanitize-coverage=trace-pc-guard" ] - cflags += [ "-fsanitize-coverage-allowlist=../../ark_fuzzilli/arkfuzzilli/allowlist.txt" ] + cflags += [ "-fsanitize-coverage-allowlist=../../arkfuzzilli/allowlist.txt" ] ldflags = [] ldflags += [ "-Wl,-Bstatic" ] diff --git a/patch/ets_runtime.diff b/patch/ets_runtime.diff index fe4e1b7..6ebeaf2 100644 --- a/patch/ets_runtime.diff +++ b/patch/ets_runtime.diff @@ -1,8 +1,8 @@ diff --git a/BUILD.gn b/BUILD.gn -index 95cb26c32..981af9770 100644 +index 9cbaf7f7c..0421c1535 100644 --- a/BUILD.gn +++ b/BUILD.gn -@@ -1021,6 +1021,91 @@ libark_jsruntime_common_set("libark_jsruntime_arm_set") { +@@ -1042,6 +1042,91 @@ libark_jsruntime_common_set("libark_jsruntime_arm_set") { } } @@ -94,7 +94,7 @@ index 95cb26c32..981af9770 100644 libark_jsruntime_intl_common_set("libark_js_intl_set") { } -@@ -1135,7 +1220,7 @@ ohos_source_set("libark_jsruntime_static") { +@@ -1158,7 +1243,7 @@ ohos_source_set("libark_jsruntime_static") { deps = [ ":libark_js_intl_arm_set", @@ -104,10 +104,10 @@ index 95cb26c32..981af9770 100644 external_deps = [] if (!is_arkui_x) { diff --git a/ecmascript/ecma_context.cpp b/ecmascript/ecma_context.cpp -index b00cfe81a..f89ca208d 100644 +index c4303b537..3aa514b8e 100644 --- a/ecmascript/ecma_context.cpp 
+++ b/ecmascript/ecma_context.cpp -@@ -375,10 +375,10 @@ Expected EcmaContext::InvokeEcmaEntrypointForHotReload( +@@ -404,10 +404,10 @@ Expected EcmaContext::InvokeEcmaEntrypointForHotReload( AddPatchModule(recordName, moduleRecordHandle); // print exception information @@ -123,10 +123,10 @@ index b00cfe81a..f89ca208d 100644 } diff --git a/ecmascript/js_arraybuffer.cpp b/ecmascript/js_arraybuffer.cpp -index 178d0e14a..018bcd374 100644 +index a1ff8d115..f094d6430 100644 --- a/ecmascript/js_arraybuffer.cpp +++ b/ecmascript/js_arraybuffer.cpp -@@ -46,7 +46,7 @@ void JSArrayBuffer::CopyDataPointBytes(void *toBuf, void *fromBuf, int32_t fromI +@@ -47,7 +47,7 @@ void JSArrayBuffer::CopyDataPointBytes(void *toBuf, void *fromBuf, int32_t fromI void JSArrayBuffer::Attach(JSThread *thread, uint32_t arrayBufferByteLength, JSTaggedValue arrayBufferData, bool transferWithNativeAreaAllocator) { @@ -135,7 +135,7 @@ index 178d0e14a..018bcd374 100644 // only in transition, should the JSArrayBuffer with NativeAreaAllocator increase mem usage if (transferWithNativeAreaAllocator) { LOG_FULL(DEBUG) << "attaching for transfer"; -@@ -78,4 +78,4 @@ void JSArrayBuffer::Detach(JSThread *thread, bool transferWithNativeAreaAllocato +@@ -82,4 +82,4 @@ void JSArrayBuffer::Detach(JSThread *thread, bool transferWithNativeAreaAllocato SetArrayBufferData(thread, JSTaggedValue::Null()); SetArrayBufferByteLength(0); } @@ -143,10 +143,10 @@ index 178d0e14a..018bcd374 100644 \ No newline at end of file +} // namespace panda::ecmascript diff --git a/ecmascript/js_native_pointer.h b/ecmascript/js_native_pointer.h -index ce0981f6f..136d09ba3 100644 +index f21d59cc9..da9d245d1 100644 --- a/ecmascript/js_native_pointer.h +++ b/ecmascript/js_native_pointer.h -@@ -28,7 +28,7 @@ class JSNativePointer : public TaggedObject { +@@ -27,7 +27,7 @@ class JSNativePointer : public TaggedObject { public: static JSNativePointer *Cast(TaggedObject *object) { @@ -156,10 +156,10 @@ index ce0981f6f..136d09ba3 100644 } 
diff --git a/ecmascript/js_thread.cpp b/ecmascript/js_thread.cpp -index 6c66de8f1..056bb1cf9 100644 +index d4e5cc4c1..2010e78ba 100644 --- a/ecmascript/js_thread.cpp +++ b/ecmascript/js_thread.cpp -@@ -561,12 +561,14 @@ bool JSThread::CheckSafepoint() +@@ -739,12 +739,14 @@ bool JSThread::CheckSafepoint() } #endif // ECMASCRIPT_SUPPORT_CPUPROFILER bool gcTriggered = false; @@ -174,8 +174,54 @@ index 6c66de8f1..056bb1cf9 100644 auto heap = const_cast(GetEcmaVM()->GetHeap()); // Handle exit app senstive scene heap->HandleExitHighSensitiveEvent(); +@@ -1243,7 +1245,7 @@ void JSThread::PostFork() + ASSERT(GetState() == ThreadState::NATIVE); + } + } +-#ifndef NDEBUG ++// #ifndef NDEBUG + bool JSThread::IsInManagedState() const + { + ASSERT(this == JSThread::GetCurrent()); +@@ -1259,5 +1261,5 @@ void JSThread::SetMutatorLockState(MutatorLock::MutatorLockState newState) + { + mutatorLockState_ = newState; + } +-#endif ++// #endif + } // namespace panda::ecmascript +diff --git a/ecmascript/js_thread.h b/ecmascript/js_thread.h +index a3d98edec..f4d0f45be 100644 +--- a/ecmascript/js_thread.h ++++ b/ecmascript/js_thread.h +@@ -1278,11 +1278,11 @@ public: + static bool IsMainThread(); + PUBLIC_API void ManagedCodeBegin(); + PUBLIC_API void ManagedCodeEnd(); +-#ifndef NDEBUG ++// #ifndef NDEBUG + bool IsInManagedState() const; + MutatorLock::MutatorLockState GetMutatorLockState() const; + void SetMutatorLockState(MutatorLock::MutatorLockState newState); +-#endif ++// #endif + void SetWeakFinalizeTaskCallback(const WeakFinalizeTaskCallback &callback) + { + finalizeTaskCallback_ = callback; +@@ -1457,9 +1457,9 @@ private: + + uint64_t jobId_ {0}; + +-#ifndef NDEBUG ++// #ifndef NDEBUG + MutatorLock::MutatorLockState mutatorLockState_ = MutatorLock::MutatorLockState::UNLOCKED; +-#endif ++// #endif + + std::atomic needTermination_ {false}; + std::atomic hasTerminated_ {false}; 
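Review bot: Replacing `#ifndef NDEBUG` / `#endif` with `// #ifndef NDEBUG` / `// #endif` in js_thread.cpp and js_thread.h leaves commented-out preprocessor lines in the patched runtime and makes the mutator-lock state tracking unconditional, with nothing in the source recording that this is a fuzz-build decision. A guard that keeps the intent greppable and survives rebases would be `#if !defined(NDEBUG) || defined(ARK_FUZZILLI)` … `#endif // !NDEBUG || ARK_FUZZILLI`, with `ARK_FUZZILLI` added to the arkfuzzer target's cflags. Note that the `ASSERT(this == JSThread::GetCurrent())` inside IsInManagedState presumably still compiles out under NDEBUG, so in a release fuzz build the tracking is bookkeeping only — confirm that is what is wanted. The PostFork and IsInManagedState definitions continue outside the hunk.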
diff --git a/ecmascript/mem/machine_code.cpp b/ecmascript/mem/machine_code.cpp -index 2b88f7449..a47415fc5 100644 +index b74f4b9ff..47a669ca6 100644 --- a/ecmascript/mem/machine_code.cpp +++ b/ecmascript/mem/machine_code.cpp @@ -18,6 +18,7 @@ @@ -185,24 +231,82 @@ index 2b88f7449..a47415fc5 100644 +#include "ecmascript/js_tagged_value-inl.h" namespace panda::ecmascript { - void MachineCode::SetData(const MachineCodeDesc *desc, JSHandle &method, size_t dataSize) + void MachineCode::SetData(const MachineCodeDesc &desc, JSHandle &method, size_t dataSize) +diff --git a/ecmascript/mutator_lock.cpp b/ecmascript/mutator_lock.cpp +index 5165275ee..b79ca7044 100644 +--- a/ecmascript/mutator_lock.cpp ++++ b/ecmascript/mutator_lock.cpp +@@ -19,7 +19,7 @@ + #include "js_thread.h" + + namespace panda::ecmascript { +-#ifndef NDEBUG ++// #ifndef NDEBUG + void MutatorLock::ReadLock() + { + ASSERT(!HasLock()); +@@ -75,7 +75,7 @@ void MutatorLock::SetState(MutatorLock::MutatorLockState newState) + { + JSThread::GetCurrent()->SetMutatorLockState(newState); + } +-#endif ++// #endif + + void SuspendBarrier::Wait() + { +diff --git a/ecmascript/mutator_lock.h b/ecmascript/mutator_lock.h +index 75b235715..8b8b39173 100644 +--- a/ecmascript/mutator_lock.h ++++ b/ecmascript/mutator_lock.h +@@ -21,7 +21,7 @@ + namespace panda::ecmascript { + + class MutatorLock : public RWLock { +-#ifndef NDEBUG ++// #ifndef NDEBUG + public: + enum MutatorLockState { UNLOCKED, RDLOCK, WRLOCK }; + void ReadLock(); +@@ -34,7 +34,7 @@ public: + private: + MutatorLockState GetState() const; + void SetState(MutatorLockState newState); +-#endif ++// #endif + }; + + class SuspendBarrier { diff --git a/ecmascript/object_factory.cpp b/ecmascript/object_factory.cpp -index 9852bab3d..c88b243f1 100644 +index efb5e215d..6f98a9558 100644 --- a/ecmascript/object_factory.cpp 
+++ b/ecmascript/object_factory.cpp -@@ -3148,6 +3148,7 @@ JSHandle ObjectFactory::NewBigInt(uint32_t length) - // static +@@ -3294,7 +3294,6 @@ JSHandle ObjectFactory::NewBigInt(uint32_t length) void ObjectFactory::NewObjectHook() const { -+ /* - #ifndef NDEBUG + CHECK_NO_HEAP_ALLOC; +-#ifndef NDEBUG if (vm_->GetJSOptions().EnableForceGC() && vm_->IsInitialized() && thread_->IsAllContextsInitialized()) { if (vm_->GetJSOptions().ForceFullGC()) { -@@ -3160,6 +3161,7 @@ void ObjectFactory::NewObjectHook() const + vm_->CollectGarbage(TriggerGCType::YOUNG_GC); +@@ -3305,7 +3304,7 @@ void ObjectFactory::NewObjectHook() const + vm_->CollectGarbage(TriggerGCType::OLD_GC); } } - #endif -+*/ +-#endif ++ } JSHandle ObjectFactory::NewTaggedQueue(uint32_t length) +diff --git a/ecmascript/pgo_profiler/pgo_profiler.cpp b/ecmascript/pgo_profiler/pgo_profiler.cpp +index f3459e0ed..f590229a6 100644 +--- a/ecmascript/pgo_profiler/pgo_profiler.cpp ++++ b/ecmascript/pgo_profiler/pgo_profiler.cpp +@@ -1787,7 +1787,7 @@ ProfileType PGOProfiler::GetRecordProfileType(const std::shared_ptr + } + ProfileType recordType {0}; + if (pf->IsBundlePack()) { +- ASSERT(recordName == JSPandaFile::ENTRY_FUNCTION_NAME); ++ // ASSERT(recordName == JSPandaFile::ENTRY_FUNCTION_NAME); + recordType = CreateRecordProfileType(abcId, ProfileType::RECORD_ID_FOR_BUNDLE); + recordInfos_->GetRecordPool()->Add(recordType, recordName); + return recordType; diff --git a/patch/fuzzilli.diff b/patch/fuzzilli.diff index c727cff..5ea9d5c 100644 --- a/patch/fuzzilli.diff +++ b/patch/fuzzilli.diff @@ -1,77 +1,105 @@ diff --git a/Sources/FuzzilliCli/Profiles/ArkProfile.swift b/Sources/FuzzilliCli/Profiles/ArkProfile.swift -index 1387cec..6a33543 100644 ---- a/Sources/FuzzilliCli/Profiles/ArkProfile.swift +new file mode 100644 +index 0000000..1387cec +--- /dev/null 
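Review bot: Commenting out `ASSERT(recordName == JSPandaFile::ENTRY_FUNCTION_NAME)` in PGOProfiler::GetRecordProfileType silences an invariant check inside the very target being fuzzed, so a real violation of it would now be recorded as an ordinary profile entry instead of surfacing as a crash. If the harness's inputs legitimately carry non-entry record names under bundle packing, say so next to the disabled line, e.g. `// Relaxed for Fuzzilli: fuzz programs are not bundle entry functions (TODO confirm)`, and consider logging the mismatch through the runtime's LOG_FULL(DEBUG) facility rather than dropping it outright; if they do not, the assertion should stay and the harness should be fixed instead. The same commented-out `#ifndef NDEBUG` pattern recurs in mutator_lock.cpp and mutator_lock.h in this hunk, where a named build macro would be clearer than dead comment lines. Both enclosing functions extend beyond the hunk.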
+++ b/Sources/FuzzilliCli/Profiles/ArkProfile.swift -@@ -33,13 +33,13 @@ let arkProfile = Profile( - guard randomize else { return args } - return args - }, -- +@@ -0,0 +1,89 @@ ++/* ++ * Copyright (c) 2024 Huawei Device Co., Ltd. ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ + - processEnv: [:], -- ++import Fuzzilli + - maxExecsBeforeRespawn: 10000, -- ++fileprivate let PrintGenerator = CodeGenerator("PrintGenerator", inputs: .preferred(.object())) { b, o in ++ let f = b.loadBuiltin("arkPrint") ++ b.callFunction(f, withArgs: [o]) ++} + - timeout: 10_000, -- ++fileprivate let RunNearStackLimitGenerator = CodeGenerator("RunNearStackLimitGenerator", inputs: .required(.function())) { b, f in ++ let fun = b.loadBuiltin("runNearStackLimit") ++ b.callFunction(fun, withArgs: [f]) ++} + - codePrefix: """ - function bgc() { - for(let i=0; i<0x10000; i+=1) {new String();} -@@ -47,35 +47,34 @@ let arkProfile = Profile( - for(let i=0; i<0x10000; i+=1) {a[i] = new Array(0x100);} - } - function sgc() { for(let i=0; i<0x10000; i+=1) {new String();} } -- ++let arkProfile = Profile( ++ processArgs: { randomize in ++ var args = [ ++ "" ++ ] ++ guard randomize else { return args } ++ return args ++ }, ++ ++ processEnv: [:], ++ ++ maxExecsBeforeRespawn: 10000, ++ ++ timeout: 10_000, ++ ++ codePrefix: """ ++ function bgc() { ++ for(let i=0; i<0x10000; i+=1) {new String();} ++ let a = new Array(0x10000); ++ for(let i=0; i<0x10000; i+=1) {a[i] = new Array(0x100);} 
++ } ++ function sgc() { for(let i=0; i<0x10000; i+=1) {new String();} } ++ ++ function runNearStackLimit(f) { function t() { try { t(); } catch(e) { f(); } }; try { t(); } catch(e) {} } ++ function arkPrint(d) { print(JSON.stringify(d)); } ++ """, ++ ++ codeSuffix: """ ++ """, ++ ++ ecmaVersion: ECMAScriptVersion.es6, ++ ++ crashTests: ["fuzzilli('FUZZILLI_CRASH', 0)", "fuzzilli('FUZZILLI_CRASH', 1)"], ++ ++ additionalCodeGenerators: [ ++ (PrintGenerator, 40), ++ (RunNearStackLimitGenerator, 5) ++ ], ++ ++ additionalProgramTemplates: WeightedList([]), ++ ++ disabledCodeGenerators: [ ++ "EvalGenerator", ++ ], ++ ++ disabledMutators: [ ++ "ExplorationMutator", ++ "ProbingMutator", ++ ++ ], ++ ++ additionalBuiltins: [ ++ "runNearStackLimit" : .function([.function()] => .boolean), ++ "print" : .function([] => .undefined), ++ "arkPrint" : .function([] => .undefined), ++ "sgc" : .function([] => .undefined), ++ "bgc" : .function([] => .undefined), + - function runNearStackLimit(f) { function t() { try { t(); } catch(e) { f(); } }; try { t(); } catch(e) {} } - function arkPrint(d) { print(JSON.stringify(d)); } - """, -- ++ ], + - codeSuffix: """ - """, -- -+ - ecmaVersion: ECMAScriptVersion.es6, -- -+ - crashTests: ["fuzzilli('FUZZILLI_CRASH', 0)", "fuzzilli('FUZZILLI_CRASH', 1)"], -- -+ - additionalCodeGenerators: [ - (PrintGenerator, 40), - (RunNearStackLimitGenerator, 5) - ], -- -+ - additionalProgramTemplates: WeightedList([]), -- -+ - disabledCodeGenerators: [ - "EvalGenerator", - ], -- -+ - disabledMutators: [ - "ExplorationMutator", - "ProbingMutator", -- - ], -- -+ - additionalBuiltins: [ - "runNearStackLimit" : .function([.function()] => .boolean), - "print" : .function([] => .undefined), ++ optionalPostProcessor: nil ++) diff --git a/Sources/FuzzilliCli/Profiles/Profile.swift b/Sources/FuzzilliCli/Profiles/Profile.swift -index 5041f0f..c87db7e 100644 +index 1a02a6d..468cf48 100644 --- a/Sources/FuzzilliCli/Profiles/Profile.swift 
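Review bot: The builtin signature `"runNearStackLimit" : .function([.function()] => .boolean)` does not match the JavaScript definition in codePrefix, which has no return statement and therefore yields undefined, so Fuzzilli's type inference will treat the result as a boolean and generate code on a false premise; declare it `.function([.function()] => .undefined)`. Likewise `arkPrint` is declared `.function([] => .undefined)` while PrintGenerator calls it with one argument, so `.function([.anything] => .undefined)` describes the actual contract. `processArgs` also returns `[""]`, a single empty-string argument; unless arkfuzzer relies on receiving it, `[]` avoids handing the runtime an empty positional argument to parse.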
+++ b/Sources/FuzzilliCli/Profiles/Profile.swift -@@ -51,4 +51,5 @@ let profiles = [ +@@ -50,4 +50,5 @@ let profiles = [ + "jerryscript": jerryscriptProfile, "xs": xsProfile, "v8holefuzzing": v8HoleFuzzingProfile, - "serenity": serenityProfile, + "ark": arkProfile, ] diff --git a/patch/toolchain.diff b/patch/toolchain.diff index c90c233..96dacc7 100644 --- a/patch/toolchain.diff +++ b/patch/toolchain.diff @@ -17,7 +17,7 @@ index 81cc4ca..f67fce7 100644 + +group("arkfuzzer") { + deps = [ -+ "//ark_fuzzilli/arkfuzzilli:arkfuzzer", ++ "//arkfuzzilli:arkfuzzer", + ] +} \ No newline at end of file diff --git a/script/build.sh b/script/build.sh index afd04b1..4a6ad0f 100755 --- a/script/build.sh +++ b/script/build.sh @@ -46,6 +46,10 @@ if [ ! -L "$BASE_DIR/standalone/arkfuzzer" ]; then ln -s "$BASE_DIR/arkfuzzer" "$BASE_DIR/standalone/arkfuzzer" fi +if [ ! -L "$BASE_DIR/standalone/arkfuzzilli" ]; then + ln -s "$BASE_DIR/arkfuzzilli/" "$BASE_DIR/standalone/arkfuzzilli" +fi + cd "$BASE_DIR/standalone" ./prebuilts_download.sh python ark.py x64.release arkfuzzer @@ -53,7 +57,8 @@ python ark.py x64.release arkfuzzer # Fuzzilli cd "$BASE_DIR" if [ ! -d "$BASE_DIR/fuzzilli" ]; then - git clone https://github.com/googleprojectzero/fuzzilli.git + # git clone https://github.com/googleprojectzero/fuzzilli.git + git clone https://gitee.com/ark_standalone_build/github_fuzzilli.git $BASE_DIR/fuzzilli else if [ -d "$BASE_DIR/fuzzilli/.git" ]; then cd "$BASE_DIR/fuzzilli/" @@ -63,4 +68,5 @@ else fi cd "$BASE_DIR/fuzzilli/" +# git reset --hard 5696921ce2b021f5dacd56ba29f2a022c85b5891 git apply "$BASE_DIR/patch/fuzzilli.diff" \ No newline at end of file -- Gitee From 2f68734498c64f5460c705cad8e368aeb8b2670d Mon Sep 17 00:00:00 2001 From: hzzhouzebin Date: Sun, 12 May 2024 15:38:21 +0800 Subject: [PATCH 2/2] Support PGO Signed-off-by: hzzhouzebin --- arkfuzzilli/main.cpp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
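Review bot: The build now clones Fuzzilli from a Gitee mirror while the only commit pin, `git reset --hard 5696921ce2b021f5dacd56ba29f2a022c85b5891`, is commented out, so `git apply "$BASE_DIR/patch/fuzzilli.diff"` runs against whatever the mirror's default branch is at clone time — the patch is written for a fixed revision, and the fuzzer build becomes unreproducible and trusts the mirror's HEAD unconditionally. Restore the pin (a `git checkout <sha>` or the reset) immediately before the `git apply`, and document the upstream commit the mirror is expected to match. Also quote the clone target as the rest of the script does: `git clone https://gitee.com/ark_standalone_build/github_fuzzilli.git "$BASE_DIR/fuzzilli"`. Whether a failed `git apply` aborts the script depends on options set above the visible part of build.sh.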
diff --git a/arkfuzzilli/main.cpp b/arkfuzzilli/main.cpp index b047a56..25a51d9 100644 --- a/arkfuzzilli/main.cpp +++ b/arkfuzzilli/main.cpp @@ -124,7 +124,7 @@ panda::Local Fuzzilli(panda::JsiRuntimeCallInfo* runtimeCallI int Main(const int argc, const char **argv) { BlockSignals(); - + std::ofstream log("log.txt", std::ios::app); JSRuntimeOptions runtimeOptions; bool retOpt = runtimeOptions.ParseCommand(argc, argv); @@ -235,6 +235,10 @@ int Main(const int argc, const char **argv) { bool result = parseStatus; if (!parseStatus) { + runtimeOptions.SetEnablePGOProfiler(true); + std::string pgoFilePath = "./pgo/" + std::to_string(totalIndex) + ".ap"; + runtimeOptions.SetPGOProfilerPath(pgoFilePath); + EcmaVM *vm = JSNApi::CreateEcmaVM(runtimeOptions); if (vm == nullptr) { std::cerr << "Cannot Create vm" << std::endl; -- Gitee
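Review bot: `std::ofstream log("log.txt", std::ios::app);` opens an append-mode file in the current working directory on every Main() invocation and nothing in the hunk reads or writes it, so it looks like a debugging leftover that costs a file descriptor per run; if it is used further down, a comment saying what is logged and why the path is relative would help the next reader, otherwise drop it. A local named `log` also shadows `::log`/`std::log` if `<cmath>` is in scope, which a name like `fuzzLog` avoids. Main's body continues outside the hunk.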
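Review bot: The PGO profile path `"./pgo/" + std::to_string(totalIndex) + ".ap"` is relative to the working directory and keyed only by a per-process counter, so two arkfuzzer processes sharing a directory (the profile respawns the target every 10000 executions, and Fuzzilli is commonly run with several worker jobs) will produce the same file names and overwrite or interleave each other's profiles; nothing here ensures `./pgo/` exists either. Include a process identifier, e.g. `"./pgo/" + std::to_string(getpid()) + "_" + std::to_string(totalIndex) + ".ap"`, and create or verify the directory once at startup. Profile files will also accumulate without bound over a long campaign unless something outside the harness prunes them. The enclosing `if (!parseStatus)` block continues past the hunk.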