MozillaSecurity / funfuzz

A collection of fuzzers in a harness for testing the SpiderMonkey JavaScript engine.
Mozilla Public License 2.0

A Question About Modifying funfuzz. #217

Open Implementist opened 5 years ago

Implementist commented 5 years ago

As far as I know, funfuzz has its own generator to generate JS test cases. So my question is: what should I do, or which files should I modify, if I aim to use my own JS files as test cases?

nth10sd commented 5 years ago

Part of funfuzz (and in jsfunfuzz) is the random order fuzzer (randorderfuzz). It extracts testcases from the existing mozilla-central repositories over here and inserts them randomly into jsfunfuzz here.

You can try editing them to your liking.

Implementist commented 5 years ago

Mr Kwong, I'm sorry for responding to you after 3 weeks. These days I tried to modify the file gen-grammar.js. All I did was modify the following method:

function regressionTestDependencies(maintest)
{
    var files = [];

    if (rnd(3)) {
        // Include the chain of 'shell.js' files in their containing directories (starting from regressionTestsRoot)
        for (var i = regressionTestsRoot.length; i < maintest.length; ++i) {
            if (maintest.charAt(i) == "/" || maintest.charAt(i) == "\\") {
                var shelljs = maintest.substr(0, i + 1) + "shell.js";
                if (regressionTestList.indexOf(shelljs) != -1) {
                    files.push(shelljs);
                }
            }
        }

        // Include prologue.js for jit-tests
        if (maintest.indexOf("jit-test") != -1) {
            files.push(libdir + "prologue.js");
        }
    }

    files.push(maintest);
    return files;
}

to:

function regressionTestDependencies() {
    var files = [];
    var testcaseRoot = "/home/nisl/BrowserFuzzingData/generated/js_self_calling/";

    if (rnd(3)) {
        for (var i = 0; i < 13515; i++) {
            files.push(testcaseRoot + i + ".js");
        }
    }
    return files;
}

The testcaseRoot is the path of all of my test cases. One of them looks like this:

var a = function(e) {
    return e === null ? e : e;
};
a([true, true, [undefined, undefined, undefined, undefined, undefined, undefined, undefined, undefined, undefined]]);

And I still get an error when compiling the shell. The output is:

subprocess.CalledProcessError: Command '['sh', '/home/nisl/trees/mozilla-central/js/src/configure', '--target=i686-pc-linux', '--enable-debug', '--enable-more-deterministic', '--with-ccache', '--enable-gczeal', '--enable-debug-symbols', '--disable-tests']' returned non-zero exit status 1.
Something went wrong when calling: ['/home/nisl/anaconda3/envs/py3.6_env/bin/python', '-u', '-m', 'funfuzz.bot', '-b', '--random', '--target-time', '28800']
CalledProcessError(1, ['/home/nisl/anaconda3/envs/py3.6_env/bin/python', '-u', '-m', 'funfuzz.bot', '-b', '--random', '--target-time', '28800'])

Could you please give some advice about how to deal with this? Thanks a lot.

nth10sd commented 5 years ago

There will be .busted log files in ~/shell-cache, what do they output? It seems like your issue involves the compilation of the shell, which is not related to your js changes.