/src/php-src/sapi/fuzzer/fuzzer-function-jit.c

Source
/*
   +----------------------------------------------------------------------+
   | Copyright (c) The PHP Group                                          |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available through the world-wide-web at the following url:           |
   | https://www.php.net/license/3_01.txt                                 |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
   | Authors: Nikita Popov <nikic@php.net>                                |
   +----------------------------------------------------------------------+
 */

#include "fuzzer-execute-common.h"

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Size > MAX_SIZE) {
    /* Large inputs have a large impact on fuzzer performance,
     * but are unlikely to be necessary to reach new codepaths. */
    return 0;
  }

  zend_string *jit_option = ZSTR_INIT_LITERAL("opcache.jit", 1);

  /* First run without JIT to determine whether we bail out. We should not run JITed code if
   * we bail out here, as the JIT code may loop infinitely. */
  steps_left = MAX_STEPS;
  bailed_out = false;
  zend_alter_ini_entry_chars(
    jit_option, "off", sizeof("off")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
  fuzzer_do_request_from_buffer(
    FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);

  if (!bailed_out) {
    steps_left = MAX_STEPS;
    zend_alter_ini_entry_chars(jit_option,
      "function", sizeof("function")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
    zend_execute_ex = orig_execute_ex;
    fuzzer_do_request_from_buffer(
      FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
    zend_execute_ex = fuzzer_execute_ex;
  }

  zend_string_release(jit_option);

  return 0;
}

int LLVMFuzzerInitialize(int *argc, char ***argv) {
  char *opcache_path = get_opcache_path();
  assert(opcache_path && "Failed to determine opcache path");

  char ini_buf[512];
  snprintf(ini_buf, sizeof(ini_buf),
    "zend_extension=%s\n"
    "opcache.validate_timestamps=0\n"
    "opcache.file_update_protection=0\n"
    "opcache.jit_buffer_size=128M\n"
    "opcache.protect_memory=1\n",
    opcache_path);
  free(opcache_path);

  create_file();
  fuzzer_init_php_for_execute(ini_buf);
  return 0;
}

Line	Count	Source
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright (c) The PHP Group \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to version 3.01 of the PHP license, \|
6		\| that is bundled with this package in the file LICENSE, and is \|
7		\| available through the world-wide-web at the following url: \|
8		\| https://www.php.net/license/3_01.txt \|
9		\| If you did not receive a copy of the PHP license and are unable to \|
10		\| obtain it through the world-wide-web, please send a note to \|
11		\| license@php.net so we can mail you a copy immediately. \|
12		+----------------------------------------------------------------------+
13		\| Authors: Nikita Popov <nikic@php.net> \|
14		+----------------------------------------------------------------------+
15		*/
16
17		#include "fuzzer-execute-common.h"
18
19	47.9k	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
20	47.9k	if (Size > MAX_SIZE) {
21		/* Large inputs have a large impact on fuzzer performance,
22		* but are unlikely to be necessary to reach new codepaths. */
23	17	return 0;
24	17	}
25
26	47.9k	zend_string *jit_option = ZSTR_INIT_LITERAL("opcache.jit", 1);
27
28		/* First run without JIT to determine whether we bail out. We should not run JITed code if
29		* we bail out here, as the JIT code may loop infinitely. */
30	47.9k	steps_left = MAX_STEPS;
31	47.9k	bailed_out = false;
32	47.9k	zend_alter_ini_entry_chars(
33	47.9k	jit_option, "off", sizeof("off")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
34	47.9k	fuzzer_do_request_from_buffer(
35	47.9k	FILE_NAME, (const char ) Data, Size, / execute */ 1, opcache_invalidate);
36
37	47.9k	if (!bailed_out) {
38	33.1k	steps_left = MAX_STEPS;
39	33.1k	zend_alter_ini_entry_chars(jit_option,
40	33.1k	"function", sizeof("function")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
41	33.1k	zend_execute_ex = orig_execute_ex;
42	33.1k	fuzzer_do_request_from_buffer(
43	33.1k	FILE_NAME, (const char ) Data, Size, / execute */ 1, opcache_invalidate);
44	33.1k	zend_execute_ex = fuzzer_execute_ex;
45	33.1k	}
46
47	47.9k	zend_string_release(jit_option);
48
49	47.9k	return 0;
50	47.9k	}
51
52	4	int LLVMFuzzerInitialize(int argc, char **argv) {
53	4	char *opcache_path = get_opcache_path();
54	4	assert(opcache_path && "Failed to determine opcache path");
55
56	4	char ini_buf[512];
57	4	snprintf(ini_buf, sizeof(ini_buf),
58	4	"zend_extension=%s\n"
59	4	"opcache.validate_timestamps=0\n"
60	4	"opcache.file_update_protection=0\n"
61	4	"opcache.jit_buffer_size=128M\n"
62	4	"opcache.protect_memory=1\n",
63	4	opcache_path);
64	4	free(opcache_path);
65
66	4	create_file();
67	4	fuzzer_init_php_for_execute(ini_buf);
68	4	return 0;
69	4	}

Coverage Report

Created: 2025-06-13 06:43