• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2023 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <fuzzer/FuzzedDataProvider.h>
17 #include "jsvaluerefiscontainer_fuzzer.h"
18 #include "common_components/base/utf_helper.h"
19 #include "ecmascript/ecma_string-inl.h"
20 #include "ecmascript/global_env.h"
21 #include "ecmascript/js_api/js_api_tree_map.h"
22 #include "ecmascript/js_api/js_api_vector.h"
23 #include "ecmascript/js_api/js_api_tree_set.h"
24 #include "ecmascript/js_regexp.h"
25 #include "ecmascript/js_set.h"
26 #include "ecmascript/js_typed_array.h"
27 #include "ecmascript/linked_hash_table.h"
28 #include "ecmascript/napi/include/jsnapi.h"
29 #include "ecmascript/napi/jsnapi_helper.h"
30 #include "ecmascript/tagged_tree.h"
31 
32 using namespace panda;
33 using namespace panda::ecmascript;
34 using namespace common::utf_helper;
35 
36 namespace OHOS {
JSValueRefIsVectorFuzzTest(const uint8_t * data,size_t size)37 void JSValueRefIsVectorFuzzTest(const uint8_t *data, size_t size)
38 {
39     FuzzedDataProvider fdp(data, size);
40     const int arkProp = fdp.ConsumeIntegral<int>();
41     RuntimeOption option;
42     option.SetLogLevel(common::LOG_LEVEL::ERROR);
43     EcmaVM *vm = JSNApi::CreateJSVM(option);
44     {
45         JsiFastNativeScope scope(vm);
46         JSThread *thread = vm->GetJSThread();
47         ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
48         auto globalEnv = thread->GetEcmaVM()->GetGlobalEnv();
49         JSHandle<JSTaggedValue> proto = globalEnv->GetObjectFunctionPrototype();
50         JSHandle<JSHClass> vectorClass = factory->NewEcmaHClass(JSAPIVector::SIZE, JSType::JS_API_VECTOR, proto);
51         JSHandle<JSAPIVector> jsVector = JSHandle<JSAPIVector>::Cast(factory->NewJSObjectWithInit(vectorClass));
52         jsVector->SetLength(0);
53         JSHandle<JSTaggedValue> argumentTag = JSHandle<JSTaggedValue>::Cast(jsVector);
54         Local<JSValueRef> isVector = JSNApiHelper::ToLocal<JSAPIVector>(argumentTag);
55         isVector->IsVector(vm);
56         option.SetArkProperties(arkProp);
57     }
58     JSNApi::DestroyJSVM(vm);
59     return;
60 }
61 
JSValueRefIsMapFuzzTest(const uint8_t * data,size_t size)62 void JSValueRefIsMapFuzzTest(const uint8_t *data, size_t size)
63 {
64     FuzzedDataProvider fdp(data, size);
65     const int arkProp = fdp.ConsumeIntegral<int>();
66     RuntimeOption option;
67     option.SetLogLevel(common::LOG_LEVEL::ERROR);
68     EcmaVM *vm = JSNApi::CreateJSVM(option);
69     option.SetArkProperties(arkProp);
70     Local<MapRef> map = MapRef::New(vm);
71     map->IsMap(vm);
72     JSNApi::DestroyJSVM(vm);
73     return;
74 }
75 
JSValueRefIsRegExpFuzzTest(const uint8_t * data,size_t size)76 void JSValueRefIsRegExpFuzzTest(const uint8_t *data, size_t size)
77 {
78     FuzzedDataProvider fdp(data, size);
79     const int arkProp = fdp.ConsumeIntegral<int>();
80     RuntimeOption option;
81     option.SetLogLevel(common::LOG_LEVEL::ERROR);
82     EcmaVM *vm = JSNApi::CreateJSVM(option);
83     {
84         JsiFastNativeScope scope(vm);
85         if (size <= 0) {
86             return;
87         }
88         JSThread *thread = vm->GetJSThread();
89         ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
90         JSHandle<GlobalEnv> globalEnv = thread->GetEcmaVM()->GetGlobalEnv();
91         JSHandle<JSTaggedValue> proto = globalEnv->GetObjectFunctionPrototype();
92         JSHandle<JSHClass> jSRegExpClass = factory->NewEcmaHClass(JSRegExp::SIZE, JSType::JS_REG_EXP, proto);
93         JSHandle<JSRegExp> jSRegExp = JSHandle<JSRegExp>::Cast(factory->NewJSObject(jSRegExpClass));
94         jSRegExp->SetByteCodeBuffer(thread, JSTaggedValue::Undefined());
95         jSRegExp->SetOriginalSource(thread, JSTaggedValue::Undefined());
96         jSRegExp->SetGroupName(thread, JSTaggedValue::Undefined());
97         jSRegExp->SetOriginalFlags(thread, JSTaggedValue(0));
98         jSRegExp->SetLength(0);
99         option.SetArkProperties(arkProp);
100         JSHandle<JSTaggedValue> argumentTag = JSHandle<JSTaggedValue>::Cast(jSRegExp);
101         Local<JSValueRef> regexp = JSNApiHelper::ToLocal<JSRegExp>(argumentTag);
102         regexp->IsRegExp(vm);
103     }
104     JSNApi::DestroyJSVM(vm);
105     return;
106 }
107 
JSValueRefIsSetFuzzTest(const uint8_t * data,size_t size)108 void JSValueRefIsSetFuzzTest(const uint8_t *data, size_t size)
109 {
110     FuzzedDataProvider fdp(data, size);
111     const int arkProp = fdp.ConsumeIntegral<int>();
112     RuntimeOption option;
113     option.SetLogLevel(common::LOG_LEVEL::ERROR);
114     EcmaVM *vm = JSNApi::CreateJSVM(option);
115     {
116         JsiFastNativeScope scope(vm);
117         JSThread *thread = vm->GetJSThread();
118         ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
119         JSHandle<GlobalEnv> env = thread->GetEcmaVM()->GetGlobalEnv();
120         JSHandle<JSTaggedValue> constructor = env->GetBuiltinsSetFunction();
121         JSHandle<JSSet> set =
122             JSHandle<JSSet>::Cast(factory->NewJSObjectByConstructor(JSHandle<JSFunction>(constructor), constructor));
123         JSHandle<LinkedHashSet> hashSet = LinkedHashSet::Create(thread);
124         set->SetLinkedSet(thread, hashSet);
125         JSHandle<JSTaggedValue> setTag = JSHandle<JSTaggedValue>::Cast(set);
126         Local<SetRef> isSet = JSNApiHelper::ToLocal<SetRef>(setTag);
127         isSet->IsSet(vm);
128         option.SetArkProperties(arkProp);
129     }
130     JSNApi::DestroyJSVM(vm);
131     return;
132 }
133 
JSValueRefIsTreeMapFuzzTest(const uint8_t * data,size_t size)134 void JSValueRefIsTreeMapFuzzTest(const uint8_t *data, size_t size)
135 {
136     FuzzedDataProvider fdp(data, size);
137     const int arkProp = fdp.ConsumeIntegral<int>();
138     RuntimeOption option;
139     option.SetLogLevel(common::LOG_LEVEL::ERROR);
140     EcmaVM *vm = JSNApi::CreateJSVM(option);
141     {
142         JsiFastNativeScope scope(vm);
143         JSThread *thread = vm->GetJSThread();
144         ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
145         auto globalEnv = thread->GetEcmaVM()->GetGlobalEnv();
146         JSHandle<JSTaggedValue> proto = globalEnv->GetObjectFunctionPrototype();
147         JSHandle<JSHClass> mapClass = factory->NewEcmaHClass(JSAPITreeMap::SIZE, JSType::JS_API_TREE_MAP, proto);
148         JSHandle<JSAPITreeMap> jsTreeMap = JSHandle<JSAPITreeMap>::Cast(factory->NewJSObjectWithInit(mapClass));
149         JSHandle<TaggedTreeMap> treeMap(thread, TaggedTreeMap::Create(thread));
150         jsTreeMap->SetTreeMap(thread, treeMap);
151         JSHandle<JSTaggedValue> argumentTag = JSHandle<JSTaggedValue>::Cast(jsTreeMap);
152         Local<JSValueRef> isTreeMap = JSNApiHelper::ToLocal<JSAPITreeMap>(argumentTag);
153         isTreeMap->IsTreeMap(vm);
154         option.SetArkProperties(arkProp);
155     }
156     JSNApi::DestroyJSVM(vm);
157 }
158 
JSValueRefIsTreeSetFuzzTest(const uint8_t * data,size_t size)159 void JSValueRefIsTreeSetFuzzTest(const uint8_t *data, size_t size)
160 {
161     FuzzedDataProvider fdp(data, size);
162     const int arkProp = fdp.ConsumeIntegral<int>();
163     RuntimeOption option;
164     option.SetLogLevel(common::LOG_LEVEL::ERROR);
165     EcmaVM *vm = JSNApi::CreateJSVM(option);
166     {
167         JsiFastNativeScope scope(vm);
168         JSThread *thread = vm->GetJSThread();
169         ObjectFactory *factory = thread->GetEcmaVM()->GetFactory();
170         auto globalEnv = thread->GetEcmaVM()->GetGlobalEnv();
171         JSHandle<JSTaggedValue> proto = globalEnv->GetObjectFunctionPrototype();
172         JSHandle<JSHClass> setClass = factory->NewEcmaHClass(JSAPITreeSet::SIZE, JSType::JS_API_TREE_SET, proto);
173         JSHandle<JSAPITreeSet> jsTreeSet = JSHandle<JSAPITreeSet>::Cast(factory->NewJSObjectWithInit(setClass));
174         JSHandle<TaggedTreeSet> treeSet(thread, TaggedTreeSet::Create(thread));
175         jsTreeSet->SetTreeSet(thread, treeSet);
176         JSHandle<JSTaggedValue> argumentTag = JSHandle<JSTaggedValue>::Cast(jsTreeSet);
177         Local<JSValueRef> isTreeSet = JSNApiHelper::ToLocal<JSAPITreeSet>(argumentTag);
178         isTreeSet->IsTreeSet(vm);
179         option.SetArkProperties(arkProp);
180     }
181     JSNApi::DestroyJSVM(vm);
182 }
183 }
184 
185 // Fuzzer entry point.
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)186 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
187 {
188     // Run your code on data.
189     OHOS::JSValueRefIsVectorFuzzTest(data, size);
190     OHOS::JSValueRefIsMapFuzzTest(data, size);
191     OHOS::JSValueRefIsRegExpFuzzTest(data, size);
192     OHOS::JSValueRefIsSetFuzzTest(data, size);
193     OHOS::JSValueRefIsTreeMapFuzzTest(data, size);
194     OHOS::JSValueRefIsTreeSetFuzzTest(data, size);
195     return 0;
196 }