xref: /PHP-8.4/sapi/fuzzer/fuzzer-tracing-jit.c (revision df286a1b)
1 /*
2    +----------------------------------------------------------------------+
3    | Copyright (c) The PHP Group                                          |
4    +----------------------------------------------------------------------+
5    | This source file is subject to version 3.01 of the PHP license,      |
6    | that is bundled with this package in the file LICENSE, and is        |
7    | available through the world-wide-web at the following url:           |
8    | https://www.php.net/license/3_01.txt                                 |
9    | If you did not receive a copy of the PHP license and are unable to   |
10    | obtain it through the world-wide-web, please send a note to          |
11    | license@php.net so we can mail you a copy immediately.               |
12    +----------------------------------------------------------------------+
13    | Authors: Nikita Popov <nikic@php.net>                                |
14    +----------------------------------------------------------------------+
15  */
16 
17 #include "fuzzer-execute-common.h"
18 
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t Size)19 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
20 	if (Size > MAX_SIZE) {
21 		/* Large inputs have a large impact on fuzzer performance,
22 		 * but are unlikely to be necessary to reach new codepaths. */
23 		return 0;
24 	}
25 
26 	zend_string *jit_option = ZSTR_INIT_LITERAL("opcache.jit", 1);
27 
28 	/* First run without JIT to determine whether we bail out. We should not run JITed code if
29 	 * we bail out here, as the JIT code may loop infinitely. */
30 	steps_left = MAX_STEPS;
31 	bailed_out = false;
32 	zend_alter_ini_entry_chars(
33 		jit_option, "off", sizeof("off")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
34 	fuzzer_do_request_from_buffer(
35 		FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
36 
37 	if (!bailed_out) {
38 		steps_left = MAX_STEPS;
39 		zend_alter_ini_entry_chars(jit_option,
40 			"tracing", sizeof("tracing")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
41 		zend_execute_ex = orig_execute_ex;
42 		/* Trace & compile */
43 		fuzzer_do_request_from_buffer(
44 			FILE_NAME, (const char *) Data, Size, /* execute */ 1, NULL);
45 		/* Execute trace */
46 		fuzzer_do_request_from_buffer(
47 			FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
48 		zend_execute_ex = fuzzer_execute_ex;
49 	}
50 
51 	zend_string_release(jit_option);
52 
53 	return 0;
54 }
55 
LLVMFuzzerInitialize(int * argc,char *** argv)56 int LLVMFuzzerInitialize(int *argc, char ***argv) {
57 	char *opcache_path = get_opcache_path();
58 	assert(opcache_path && "Failed to determine opcache path");
59 
60 	char ini_buf[512];
61 	snprintf(ini_buf, sizeof(ini_buf),
62 		"zend_extension=%s\n"
63 		"opcache.validate_timestamps=0\n"
64 		"opcache.file_update_protection=0\n"
65 		"opcache.memory_consumption=1024\n"
66 		"opcache.jit_buffer_size=128M\n"
67 		"opcache.jit_hot_func=1\n"
68 		"opcache.jit_hot_loop=1\n"
69 		"opcache.jit_hot_return=1\n"
70 		"opcache.jit_hot_side_exit=1\n"
71 		"opcache.jit_max_root_traces=100000\n"
72 		"opcache.jit_max_side_traces=100000\n"
73 		"opcache.jit_max_exit_counters=100000\n"
74 		"opcache.protect_memory=1\n",
75 		opcache_path);
76 	free(opcache_path);
77 
78 	create_file();
79 	fuzzer_init_php_for_execute(ini_buf);
80 	return 0;
81 }
82