1 /*
2 * Copyright (c) 2023 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include <fuzzer/FuzzedDataProvider.h>
17 #include "jsvaluerefismodulenamespace_fuzzer.h"
18 #include "ecmascript/containers/containers_private.h"
19 #include "ecmascript/ecma_string-inl.h"
20 #include "ecmascript/global_env.h"
21 #include "ecmascript/js_api/js_api_list.h"
22 #include "ecmascript/js_api/js_api_queue.h"
23 #include "ecmascript/js_collator.h"
24 #include "ecmascript/js_handle.h"
25 #include "ecmascript/js_plural_rules.h"
26 #include "ecmascript/module/js_module_manager.h"
27 #include "ecmascript/module/js_module_source_text.h"
28 #include "ecmascript/napi/include/jsnapi.h"
29 #include "ecmascript/tagged_list.h"
30
31 using namespace panda;
32 using namespace panda::ecmascript;
33
34 namespace OHOS {
35 constexpr uint32_t ERROR_TYPE_LEN = 2;
36
IsModuleNamespaceObjectFuzztest(const uint8_t * data,size_t size)37 void IsModuleNamespaceObjectFuzztest(const uint8_t *data, size_t size)
38 {
39 FuzzedDataProvider fdp(data, size);
40 const int arkProp = fdp.ConsumeIntegral<int>();
41 RuntimeOption option;
42 option.SetLogLevel(common::LOG_LEVEL::ERROR);
43 option.SetArkProperties(arkProp);
44 EcmaVM *vm = JSNApi::CreateJSVM(option);
45 {
46 JsiFastNativeScope scope(vm);
47 ObjectFactory *objectFactory = vm->GetFactory();
48 JSHandle<SourceTextModule> module = objectFactory->NewSourceTextModule();
49 JSHandle<LocalExportEntry> localExportEntry1 = objectFactory->NewLocalExportEntry();
50 SourceTextModule::AddLocalExportEntry(vm->GetJSThread(), module, localExportEntry1, 0, ERROR_TYPE_LEN);
51 JSHandle<LocalExportEntry> localExportEntry2 = objectFactory->NewLocalExportEntry();
52 SourceTextModule::AddLocalExportEntry(vm->GetJSThread(), module, localExportEntry2, 1, ERROR_TYPE_LEN);
53 JSHandle<TaggedArray> localExportEntries(vm->GetJSThread(), module->GetLocalExportEntries(vm->GetJSThread()));
54 CString baseFileName = "a.abc";
55 module->SetEcmaModuleFilenameString(baseFileName);
56 ModuleManager *moduleManager = vm->GetJSThread()->GetModuleManager();
57 moduleManager->AddResolveImportedModule(baseFileName, module.GetTaggedValue());
58 JSHandle<ModuleNamespace> np = ModuleNamespace::ModuleNamespaceCreate(vm->GetJSThread(),
59 JSHandle<JSTaggedValue>::Cast(module), localExportEntries);
60 ModuleNamespace::PreventExtensions();
61 JSHandle<JSTaggedValue> moduleNamespaceTag = JSHandle<JSTaggedValue>::Cast(np);
62 Local<JSValueRef> moduleNamespace = JSNApiHelper::ToLocal<ModuleNamespace>(moduleNamespaceTag);
63 moduleNamespace->IsModuleNamespaceObject(vm);
64 }
65 JSNApi::DestroyJSVM(vm);
66 }
67
IsProxyFuzztest(const uint8_t * data,size_t size)68 void IsProxyFuzztest(const uint8_t *data, size_t size)
69 {
70 FuzzedDataProvider fdp(data, size);
71 const int arkProp = fdp.ConsumeIntegral<int>();
72 RuntimeOption option;
73 option.SetLogLevel(common::LOG_LEVEL::ERROR);
74 option.SetArkProperties(arkProp);
75 EcmaVM *vm = JSNApi::CreateJSVM(option);
76 {
77 JsiFastNativeScope scope(vm);
78 auto thread = vm->GetJSThread();
79 JSHandle<GlobalEnv> globalEnv = vm->GetGlobalEnv();
80 JSHandle<JSTaggedValue> hclass(thread, globalEnv->GetObjectFunction().GetObject<JSFunction>());
81 JSHandle<JSTaggedValue> targetHandle(
82 thread->GetEcmaVM()->GetFactory()->NewJSObjectByConstructor(JSHandle<JSFunction>::Cast(hclass), hclass));
83 JSHandle<JSTaggedValue> handlerHandle(
84 thread->GetEcmaVM()->GetFactory()->NewJSObjectByConstructor(JSHandle<JSFunction>::Cast(hclass), hclass));
85 JSHandle<JSProxy> proxyHandle = JSProxy::ProxyCreate(thread, targetHandle, handlerHandle);
86 Local<JSValueRef> proxy = JSNApiHelper::ToLocal<JSProxy>(JSHandle<JSTaggedValue>(proxyHandle));
87 proxy->IsProxy(vm);
88 }
89 JSNApi::DestroyJSVM(vm);
90 }
91
IsJSCollatorFuzztest(const uint8_t * data,size_t size)92 void IsJSCollatorFuzztest(const uint8_t *data, size_t size)
93 {
94 FuzzedDataProvider fdp(data, size);
95 const int arkProp = fdp.ConsumeIntegral<int>();
96 RuntimeOption option;
97 option.SetLogLevel(common::LOG_LEVEL::ERROR);
98 option.SetArkProperties(arkProp);
99 EcmaVM *vm = JSNApi::CreateJSVM(option);
100 {
101 JsiFastNativeScope scope(vm);
102 auto thread = vm->GetJSThread();
103 ObjectFactory *factory = vm->GetFactory();
104 JSHandle<JSTaggedValue> ctor = vm->GetGlobalEnv()->GetCollatorFunction();
105 JSHandle<JSCollator> collator =
106 JSHandle<JSCollator>::Cast(factory->NewJSObjectByConstructor(JSHandle<JSFunction>(ctor), ctor));
107 JSHandle<JSTaggedValue> localeStr = thread->GlobalConstants()->GetHandledEnUsString();
108 JSHandle<JSTaggedValue> undefinedHandle(thread, JSTaggedValue::Undefined());
109 JSHandle<JSCollator> initCollator =
110 JSCollator::InitializeCollator(thread, collator, localeStr, undefinedHandle);
111 JSHandle<JSTaggedValue> collatorTagHandleVal = JSHandle<JSTaggedValue>::Cast(initCollator);
112 Local<JSValueRef> object = JSNApiHelper::ToLocal<JSValueRef>(collatorTagHandleVal);
113 object->IsJSCollator(vm);
114 }
115 JSNApi::DestroyJSVM(vm);
116 }
117
IsJSPluralRulesFuzztest(const uint8_t * data,size_t size)118 void IsJSPluralRulesFuzztest(const uint8_t *data, size_t size)
119 {
120 FuzzedDataProvider fdp(data, size);
121 const int arkProp = fdp.ConsumeIntegral<int>();
122 RuntimeOption option;
123 option.SetLogLevel(common::LOG_LEVEL::ERROR);
124 option.SetArkProperties(arkProp);
125 EcmaVM *vm = JSNApi::CreateJSVM(option);
126 {
127 JsiFastNativeScope scope(vm);
128 auto thread = vm->GetJSThread();
129 ObjectFactory *factory = vm->GetFactory();
130 JSHandle<GlobalEnv> env = vm->GetGlobalEnv();
131 JSHandle<JSTaggedValue> optionHandle(thread, JSTaggedValue::Undefined());
132 JSHandle<JSTaggedValue> ctor = env->GetPluralRulesFunction();
133 JSHandle<JSPluralRules> pluralRules =
134 JSHandle<JSPluralRules>::Cast(factory->NewJSObjectByConstructor(JSHandle<JSFunction>(ctor), ctor));
135 JSHandle<JSTaggedValue> localeStr(factory->NewFromASCII("en-GB"));
136 JSHandle<JSPluralRules> initPluralRules =
137 JSPluralRules::InitializePluralRules(thread, pluralRules, localeStr, optionHandle);
138 JSHandle<JSTaggedValue> tagPlureRules = JSHandle<JSTaggedValue>::Cast(initPluralRules);
139 Local<JSValueRef> object = JSNApiHelper::ToLocal<JSValueRef>(tagPlureRules);
140 object->IsJSPluralRules(vm);
141 }
142 JSNApi::DestroyJSVM(vm);
143 }
144
IsStrictEqualsFuzztest(const uint8_t * data,size_t size)145 void IsStrictEqualsFuzztest(const uint8_t *data, size_t size)
146 {
147 FuzzedDataProvider fdp(data, size);
148 const int arkProp = fdp.ConsumeIntegral<int>();
149 RuntimeOption option;
150 option.SetLogLevel(common::LOG_LEVEL::ERROR);
151 option.SetArkProperties(arkProp);
152 EcmaVM *vm = JSNApi::CreateJSVM(option);
153 Local<ObjectRef> object = ObjectRef::New(vm);
154 Local<ObjectRef> object1 = ObjectRef::New(vm);
155 object->IsStrictEquals(vm, object1);
156 JSNApi::DestroyJSVM(vm);
157 }
158
IsJSListFormatFuzztest(const uint8_t * data,size_t size)159 void IsJSListFormatFuzztest(const uint8_t *data, size_t size)
160 {
161 FuzzedDataProvider fdp(data, size);
162 const int arkProp = fdp.ConsumeIntegral<int>();
163 RuntimeOption option;
164 option.SetLogLevel(common::LOG_LEVEL::ERROR);
165 option.SetArkProperties(arkProp);
166 EcmaVM *vm = JSNApi::CreateJSVM(option);
167 Local<JSValueRef> object = ObjectRef::New(vm);
168 object->IsJSListFormat(vm);
169 JSNApi::DestroyJSVM(vm);
170 }
171
IsJSPrimitiveRefFuzztest(const uint8_t * data,size_t size)172 void IsJSPrimitiveRefFuzztest(const uint8_t *data, size_t size)
173 {
174 FuzzedDataProvider fdp(data, size);
175 const int arkProp = fdp.ConsumeIntegral<int>();
176 RuntimeOption option;
177 option.SetLogLevel(common::LOG_LEVEL::ERROR);
178 option.SetArkProperties(arkProp);
179 EcmaVM *vm = JSNApi::CreateJSVM(option);
180 {
181 JsiFastNativeScope scope(vm);
182 auto thread = vm->GetJSThread();
183 auto factory = vm->GetFactory();
184 JSHandle<JSTaggedValue> nullHandle(thread, JSTaggedValue::Null());
185 JSHandle<JSHClass> jsClassHandle = factory->NewEcmaHClass(JSObject::SIZE, JSType::JS_PRIMITIVE_REF, nullHandle);
186 TaggedObject *taggedObject = factory->NewObject(jsClassHandle);
187 JSHandle<JSTaggedValue> jsTaggedValue(thread, JSTaggedValue(taggedObject));
188 Local<JSValueRef> jsValueRef = JSNApiHelper::ToLocal<JSPrimitiveRef>(jsTaggedValue);
189 jsValueRef->IsJSPrimitiveRef(vm);
190 }
191 JSNApi::DestroyJSVM(vm);
192 }
193
IsDequeFuzztest(const uint8_t * data,size_t size)194 void IsDequeFuzztest(const uint8_t *data, size_t size)
195 {
196 FuzzedDataProvider fdp(data, size);
197 const int arkProp = fdp.ConsumeIntegral<int>();
198 RuntimeOption option;
199 option.SetLogLevel(common::LOG_LEVEL::ERROR);
200 option.SetArkProperties(arkProp);
201 EcmaVM *vm = JSNApi::CreateJSVM(option);
202 {
203 JsiFastNativeScope scope(vm);
204 auto thread = vm->GetJSThread();
205 auto factory = vm->GetFactory();
206 JSHandle<JSTaggedValue> proto = thread->GetEcmaVM()->GetGlobalEnv()->GetFunctionPrototype();
207 JSHandle<JSHClass> queueClass = factory->NewEcmaHClass(JSAPIQueue::SIZE, JSType::JS_API_QUEUE, proto);
208 JSHandle<JSAPIQueue> jsQueue = JSHandle<JSAPIQueue>::Cast(factory->NewJSObjectWithInit(queueClass));
209 JSHandle<TaggedArray> newElements = factory->NewTaggedArray(JSAPIQueue::DEFAULT_CAPACITY_LENGTH);
210 jsQueue->SetLength(thread, JSTaggedValue(0));
211 jsQueue->SetFront(0);
212 jsQueue->SetTail(0);
213 jsQueue->SetElements(thread, newElements);
214 JSHandle<JSTaggedValue> Que = JSHandle<JSTaggedValue>::Cast(jsQueue);
215 Local<JSValueRef> jsValueRef = JSNApiHelper::ToLocal<ArrayRef>(Que);
216 jsValueRef->IsDeque(vm);
217 }
218 JSNApi::DestroyJSVM(vm);
219 }
220
CreateJSValueRef(EcmaVM * vm,panda::ecmascript::JSType type)221 Local<JSValueRef> CreateJSValueRef(EcmaVM *vm, panda::ecmascript::JSType type)
222 {
223 auto thread = vm->GetJSThread();
224 auto factory = vm->GetFactory();
225 JSHandle<JSTaggedValue> nullHandle(thread, JSTaggedValue::Null());
226 JSHandle<JSHClass> jsClassHandle = factory->NewEcmaHClass(JSObject::SIZE, type, nullHandle);
227 TaggedObject *taggedObject = factory->NewObject(jsClassHandle);
228 JSHandle<JSTaggedValue> jsTaggedValue(thread, JSTaggedValue(taggedObject));
229 return JSNApiHelper::ToLocal<JSValueRef>(jsTaggedValue);
230 }
231
IsJSIntlFuzztest(const uint8_t * data,size_t size)232 void IsJSIntlFuzztest(const uint8_t *data, size_t size)
233 {
234 FuzzedDataProvider fdp(data, size);
235 const int arkProp = fdp.ConsumeIntegral<int>();
236 RuntimeOption option;
237 option.SetLogLevel(common::LOG_LEVEL::ERROR);
238 option.SetArkProperties(arkProp);
239 EcmaVM *vm = JSNApi::CreateJSVM(option);
240 {
241 JsiFastNativeScope scope(vm);
242 Local<JSValueRef> jsInt1 = CreateJSValueRef(vm, JSType::JS_INTL);
243 jsInt1->IsJSIntl(vm);
244 }
245 JSNApi::DestroyJSVM(vm);
246 }
247
IsJSDateTimeFormatFuzztest(const uint8_t * data,size_t size)248 void IsJSDateTimeFormatFuzztest(const uint8_t *data, size_t size)
249 {
250 FuzzedDataProvider fdp(data, size);
251 const int arkProp = fdp.ConsumeIntegral<int>();
252 RuntimeOption option;
253 option.SetLogLevel(common::LOG_LEVEL::ERROR);
254 option.SetArkProperties(arkProp);
255 EcmaVM *vm = JSNApi::CreateJSVM(option);
256 {
257 JsiFastNativeScope scope(vm);
258 if (size <= 0) {
259 LOG_ECMA(ERROR) << "illegal input!";
260 return;
261 }
262 Local<JSValueRef> dateTime = CreateJSValueRef(vm, JSType::JS_DATE_TIME_FORMAT);
263 dateTime->IsJSDateTimeFormat(vm);
264 }
265 JSNApi::DestroyJSVM(vm);
266 }
267
IsJSNumberFormatFuzztest(const uint8_t * data,size_t size)268 void IsJSNumberFormatFuzztest(const uint8_t *data, size_t size)
269 {
270 FuzzedDataProvider fdp(data, size);
271 const int arkProp = fdp.ConsumeIntegral<int>();
272 RuntimeOption option;
273 option.SetLogLevel(common::LOG_LEVEL::ERROR);
274 option.SetArkProperties(arkProp);
275 EcmaVM *vm = JSNApi::CreateJSVM(option);
276 {
277 JsiFastNativeScope scope(vm);
278 Local<JSValueRef> number = CreateJSValueRef(vm, JSType::JS_NUMBER_FORMAT);
279 number->IsJSNumberFormat(vm);
280 }
281 JSNApi::DestroyJSVM(vm);
282 }
283
IsJSRelativeTimeFormatFuzztest(const uint8_t * data,size_t size)284 void IsJSRelativeTimeFormatFuzztest(const uint8_t *data, size_t size)
285 {
286 FuzzedDataProvider fdp(data, size);
287 const int arkProp = fdp.ConsumeIntegral<int>();
288 RuntimeOption option;
289 option.SetLogLevel(common::LOG_LEVEL::ERROR);
290 option.SetArkProperties(arkProp);
291 EcmaVM *vm = JSNApi::CreateJSVM(option);
292 {
293 JsiFastNativeScope scope(vm);
294 Local<JSValueRef> relative = CreateJSValueRef(vm, JSType::JS_RELATIVE_TIME_FORMAT);
295 relative->IsJSRelativeTimeFormat(vm);
296 }
297 JSNApi::DestroyJSVM(vm);
298 }
299 }
300
301 // Fuzzer entry point.
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)302 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
303 {
304 // Run your code on data.
305 OHOS::IsModuleNamespaceObjectFuzztest(data, size);
306 OHOS::IsProxyFuzztest(data, size);
307 OHOS::IsJSCollatorFuzztest(data, size);
308 OHOS::IsJSPluralRulesFuzztest(data, size);
309 OHOS::IsStrictEqualsFuzztest(data, size);
310 OHOS::IsJSListFormatFuzztest(data, size);
311 OHOS::IsJSPrimitiveRefFuzztest(data, size);
312 OHOS::IsDequeFuzztest(data, size);
313 OHOS::IsJSIntlFuzztest(data, size);
314 OHOS::IsJSDateTimeFormatFuzztest(data, size);
315 OHOS::IsJSNumberFormatFuzztest(data, size);
316 OHOS::IsJSRelativeTimeFormatFuzztest(data, size);
317 return 0;
318 }