OSS-Fuzz targets improvements (#267)

* Move fuzz target sources from the oss-fuzz repository here

* Add support to build libFuzzer targets
* Simplify the fuzz_eval and fuzz_compile targets

The use of JS_NewContext instead of JS_NewContextRaw spares to call
JS_AddIntrinsic<XYZ> functions from the fuzz target, since the public
JS_NewContext API does exactly the same.

* Simplify the fuzz_regexp target

fuzz_regexp doesn't need to be dependant on libquickjs since the
runtime and the context - that were provided by libquickjs - were
only created to call two simple functions implemented in libquickjs
which could be mimicked by the fuzzer.
The removal of runtime and context objects implicated further
simplifications, like the omission of their one-time creation.
Finally, writing the result of the regexp operations into a file
is also superfluous, since it's not used by anybody.

* Recreate and destroy JS runtime and context in fuzz_eval and fuzz_compile targets

Before this patch, the test executions were not independent,
since all the executed tests used the same JavaScript runtime and
context, causing irreproducible failure reports.

* Enable bignumber support in eval and compile targets

Big numbers are used by the input corpus, but the targets were not
able to interpret them since they were not compiled into them.
This change improved the inital coverage of the fuzz_eval target with
21% and the coverage of the fuzz_compile target with 25% when using
the official corpus.

* Ensure std and os modules are available in the fuzz_eval and fuzz_compile targets
* Add fuzzer dictionary with builtin and variable names. Furthermore, added a JS script that collects all the builtin
names from the executing engine. 
* Move common fuzzer code into one place
* Enable to define the LIB_FUZZING_ENGINE variable to ease the oss-fuzz integration
* Add README to fuzzers

Makefile

@@ -111,6 +111,7 @@ ifdef CONFIG_CLANG
       AR=$(CROSS_PREFIX)ar
     endif
   endif
+  LIB_FUZZING_ENGINE ?= "-fsanitize=fuzzer"
 else ifdef CONFIG_COSMO
   CONFIG_LTO=
   HOST_CC=gcc
@@ -248,6 +249,17 @@ qjs-debug$(EXE): $(patsubst %.o, %.debug.o, $(QJS_OBJS))
 qjsc$(EXE): $(OBJDIR)/qjsc.o $(QJS_LIB_OBJS)
 	$(CC) $(LDFLAGS) -o $@ $^ $(LIBS)
 
+fuzz_eval: $(OBJDIR)/fuzz_eval.o $(OBJDIR)/fuzz_common.o libquickjs.fuzz.a
+	$(CC) $(CFLAGS_OPT) $^ -o fuzz_eval $(LIB_FUZZING_ENGINE)
+
+fuzz_compile: $(OBJDIR)/fuzz_compile.o $(OBJDIR)/fuzz_common.o libquickjs.fuzz.a
+	$(CC) $(CFLAGS_OPT) $^ -o fuzz_compile $(LIB_FUZZING_ENGINE)
+
+fuzz_regexp: $(OBJDIR)/fuzz_regexp.o $(OBJDIR)/libregexp.fuzz.o $(OBJDIR)/cutils.fuzz.o $(OBJDIR)/libunicode.fuzz.o
+	$(CC) $(CFLAGS_OPT) $^ -o fuzz_regexp $(LIB_FUZZING_ENGINE)
+
+libfuzzer: fuzz_eval fuzz_compile fuzz_regexp
+
 ifneq ($(CROSS_PREFIX),)
 
 $(QJSC): $(OBJDIR)/qjsc.host.o \
@@ -289,6 +301,9 @@ libquickjs.a: $(patsubst %.o, %.nolto.o, $(QJS_LIB_OBJS))
 	$(AR) rcs $@ $^
 endif # CONFIG_LTO
 
+libquickjs.fuzz.a: $(patsubst %.o, %.fuzz.o, $(QJS_LIB_OBJS))
+	$(AR) rcs $@ $^
+
 repl.c: $(QJSC) repl.js
 	$(QJSC) -c -o $@ -m repl.js
 
@@ -317,6 +332,9 @@ run-test262-32: $(patsubst %.o, %.m32.o, $(OBJDIR)/run-test262.o $(QJS_LIB_OBJS)
 $(OBJDIR)/%.o: %.c | $(OBJDIR)
 	$(CC) $(CFLAGS_OPT) -c -o $@ $<
 
+$(OBJDIR)/fuzz_%.o: fuzz/fuzz_%.c | $(OBJDIR)
+	$(CC) $(CFLAGS_OPT) -c -I. -o $@ $<
+
 $(OBJDIR)/%.host.o: %.c | $(OBJDIR)
 	$(HOST_CC) $(CFLAGS_OPT) -c -o $@ $<
 
@@ -335,6 +353,9 @@ $(OBJDIR)/%.m32s.o: %.c | $(OBJDIR)
 $(OBJDIR)/%.debug.o: %.c | $(OBJDIR)
 	$(CC) $(CFLAGS_DEBUG) -c -o $@ $<
 
+$(OBJDIR)/%.fuzz.o: %.c | $(OBJDIR)
+	$(CC) $(CFLAGS_OPT) -fsanitize=fuzzer-no-link -c -o $@ $<
+
 $(OBJDIR)/%.check.o: %.c | $(OBJDIR)
 	$(CC) $(CFLAGS) -DCONFIG_CHECK_JSVALUE -c -o $@ $<
 
@@ -346,7 +367,7 @@ unicode_gen: $(OBJDIR)/unicode_gen.host.o $(OBJDIR)/cutils.host.o libunicode.c u
 
 clean:
 	rm -f repl.c qjscalc.c out.c
-	rm -f *.a *.o *.d *~ unicode_gen regexp_test $(PROGS)
+	rm -f *.a *.o *.d *~ unicode_gen regexp_test fuzz_eval fuzz_compile fuzz_regexp $(PROGS)
 	rm -f hello.c test_fib.c
 	rm -f examples/*.so tests/*.so
 	rm -rf $(OBJDIR)/ *.dSYM/ qjs-debug

fuzz/README

@@ -0,0 +1,27 @@
+libFuzzer support for QuickJS
+=============================
+
+Build QuickJS with libFuzzer support as follows:
+
+  CONFIG_CLANG=y make libfuzzer
+
+This can be extended with sanitizer support to improve efficacy:
+
+  CONFIG_CLANG=y CONFIG_ASAN=y make libfuzzer
+
+
+Currently, there are three fuzzing targets defined: fuzz_eval, fuzz_compile and fuzz_regexp.
+The above build command will produce an executable binary for each of them, which can be
+simply executed as:
+
+  ./fuzz_eval
+
+or with an initial corpus:
+
+  ./fuzz_compile corpus_dir/
+
+or with a predefined dictionary to improve its efficacy:
+
+  ./fuzz_eval -dict fuzz/fuzz.dict
+
+or with arbitrary CLI arguments provided by libFuzzer (https://llvm.org/docs/LibFuzzer.html).

fuzz/fuzz.dict

@@ -0,0 +1,257 @@
+"__loadScript"
+"abs"
+"acos"
+"acosh"
+"add"
+"AggregateError"
+"and"
+"apply"
+"Array"
+"ArrayBuffer"
+"asin"
+"asinh"
+"atan"
+"atan2"
+"atanh"
+"Atomics"
+"BigDecimal"
+"BigFloat"
+"BigFloatEnv"
+"BigInt"
+"BigInt64Array"
+"BigUint64Array"
+"Boolean"
+"cbrt"
+"ceil"
+"chdir"
+"clearTimeout"
+"close"
+"clz32"
+"compareExchange"
+"console"
+"construct"
+"cos"
+"cosh"
+"DataView"
+"Date"
+"decodeURI"
+"decodeURIComponent"
+"defineProperty"
+"deleteProperty"
+"dup"
+"dup2"
+"E"
+"encodeURI"
+"encodeURIComponent"
+"err"
+"Error"
+"escape"
+"eval"
+"EvalError"
+"evalScript"
+"exchange"
+"exec"
+"exit"
+"exp"
+"expm1"
+"fdopen"
+"Float32Array"
+"Float64Array"
+"floor"
+"fround"
+"Function"
+"gc"
+"get"
+"getcwd"
+"getenv"
+"getenviron"
+"getOwnPropertyDescriptor"
+"getpid"
+"getPrototypeOf"
+"globalThis"
+"has"
+"hypot"
+"imul"
+"in"
+"Infinity"
+"Int16Array"
+"Int32Array"
+"Int8Array"
+"InternalError"
+"isatty"
+"isExtensible"
+"isFinite"
+"isLockFree"
+"isNaN"
+"iterateBuiltIns"
+"JSON"
+"kill"
+"length"
+"LN10"
+"LN2"
+"load"
+"loadFile"
+"loadScript"
+"log"
+"log10"
+"LOG10E"
+"log1p"
+"log2"
+"LOG2E"
+"lstat"
+"Map"
+"Math"
+"max"
+"min"
+"mkdir"
+"NaN"
+"notify"
+"now"
+"Number"
+"O_APPEND"
+"O_CREAT"
+"O_EXCL"
+"O_RDONLY"
+"O_RDWR"
+"O_TRUNC"
+"O_WRONLY"
+"Object"
+"open"
+"Operators"
+"or"
+"os"
+"out"
+"ownKeys"
+"parse"
+"parseExtJSON"
+"parseFloat"
+"parseInt"
+"PI"
+"pipe"
+"platform"
+"popen"
+"pow"
+"preventExtensions"
+"print"
+"printf"
+"Promise"
+"Proxy"
+"puts"
+"random"
+"RangeError"
+"read"
+"readdir"
+"readlink"
+"realpath"
+"ReferenceError"
+"Reflect"
+"RegExp"
+"remove"
+"rename"
+"round"
+"S_IFBLK"
+"S_IFCHR"
+"S_IFDIR"
+"S_IFIFO"
+"S_IFLNK"
+"S_IFMT"
+"S_IFREG"
+"S_IFSOCK"
+"S_ISGID"
+"S_ISUID"
+"scriptArgs"
+"seek"
+"SEEK_CUR"
+"SEEK_END"
+"SEEK_SET"
+"set"
+"Set"
+"setenv"
+"setPrototypeOf"
+"setReadHandler"
+"setTimeout"
+"setWriteHandler"
+"SharedArrayBuffer"
+"SIGABRT"
+"SIGALRM"
+"SIGCHLD"
+"SIGCONT"
+"SIGFPE"
+"SIGILL"
+"SIGINT"
+"sign"
+"signal"
+"SIGPIPE"
+"SIGQUIT"
+"SIGSEGV"
+"SIGSTOP"
+"SIGTERM"
+"SIGTSTP"
+"SIGTTIN"
+"SIGTTOU"
+"SIGUSR1"
+"SIGUSR2"
+"sin"
+"sinh"
+"sleep"
+"sleepAsync"
+"sprintf"
+"sqrt"
+"SQRT1_2"
+"SQRT2"
+"stat"
+"std"
+"store"
+"strerror"
+"String"
+"stringify"
+"sub"
+"Symbol"
+"symlink"
+"SyntaxError"
+"tan"
+"tanh"
+"tmpfile"
+"trunc"
+"ttyGetWinSize"
+"ttySetRaw"
+"TypeError"
+"Uint16Array"
+"Uint32Array"
+"Uint8Array"
+"Uint8ClampedArray"
+"undefined"
+"unescape"
+"unsetenv"
+"URIError"
+"urlGet"
+"utimes"
+"wait"
+"waitpid"
+"WeakMap"
+"WeakSet"
+"WNOHANG"
+"Worker"
+"write"
+"xor"
+"v0"
+"v1"
+"v2"
+"v3"
+"v4"
+"v5"
+"v6"
+"v7"
+"v8"
+"v9"
+"v10"
+"v11"
+"v12"
+"v13"
+"v14"
+"v15"
+"v16"
+"v17"
+"v18"
+"v19"
+"v20"

fuzz/fuzz_common.h

@@ -0,0 +1,22 @@
+/* Copyright 2020 Google Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#include "quickjs.h"
+#include "quickjs-libc.h"
+
+static int nbinterrupts = 0;
+
+void reset_nbinterrupts();
+void test_one_input_init(JSRuntime *rt, JSContext *ctx);