Coverage Report

Created: 2025-06-13 06:43

/src/php-src/sapi/fuzzer/fuzzer-tracing-jit.c
Line
Count
Source
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright (c) The PHP Group                                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to version 3.01 of the PHP license,      |
6
   | that is bundled with this package in the file LICENSE, and is        |
7
   | available through the world-wide-web at the following url:           |
8
   | https://www.php.net/license/3_01.txt                                 |
9
   | If you did not receive a copy of the PHP license and are unable to   |
10
   | obtain it through the world-wide-web, please send a note to          |
11
   | license@php.net so we can mail you a copy immediately.               |
12
   +----------------------------------------------------------------------+
13
   | Authors: Nikita Popov <nikic@php.net>                                |
14
   +----------------------------------------------------------------------+
15
 */
16
17
#include "fuzzer-execute-common.h"
18
19
47.9k
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
20
47.9k
  if (Size > MAX_SIZE) {
21
    /* Large inputs have a large impact on fuzzer performance,
22
     * but are unlikely to be necessary to reach new codepaths. */
23
17
    return 0;
24
17
  }
25
26
47.9k
  zend_string *jit_option = ZSTR_INIT_LITERAL("opcache.jit", 1);
27
28
  /* First run without JIT to determine whether we bail out. We should not run JITed code if
29
   * we bail out here, as the JIT code may loop infinitely. */
30
47.9k
  steps_left = MAX_STEPS;
31
47.9k
  bailed_out = false;
32
47.9k
  zend_alter_ini_entry_chars(
33
47.9k
    jit_option, "off", sizeof("off")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
34
47.9k
  fuzzer_do_request_from_buffer(
35
47.9k
    FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
36
37
47.9k
  if (!bailed_out) {
38
33.1k
    steps_left = MAX_STEPS;
39
33.1k
    zend_alter_ini_entry_chars(jit_option,
40
33.1k
      "tracing", sizeof("tracing")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
41
33.1k
    zend_execute_ex = orig_execute_ex;
42
    /* Trace & compile */
43
33.1k
    fuzzer_do_request_from_buffer(
44
33.1k
      FILE_NAME, (const char *) Data, Size, /* execute */ 1, NULL);
45
    /* Execute trace */
46
33.1k
    fuzzer_do_request_from_buffer(
47
33.1k
      FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
48
33.1k
    zend_execute_ex = fuzzer_execute_ex;
49
33.1k
  }
50
51
47.9k
  zend_string_release(jit_option);
52
53
47.9k
  return 0;
54
47.9k
}
55
56
4
int LLVMFuzzerInitialize(int *argc, char ***argv) {
57
4
  char *opcache_path = get_opcache_path();
58
4
  assert(opcache_path && "Failed to determine opcache path");
59
60
4
  char ini_buf[512];
61
4
  snprintf(ini_buf, sizeof(ini_buf),
62
4
    "zend_extension=%s\n"
63
4
    "opcache.validate_timestamps=0\n"
64
4
    "opcache.file_update_protection=0\n"
65
4
    "opcache.memory_consumption=1024\n"
66
4
    "opcache.jit_buffer_size=128M\n"
67
4
    "opcache.jit_hot_func=1\n"
68
4
    "opcache.jit_hot_loop=1\n"
69
4
    "opcache.jit_hot_return=1\n"
70
4
    "opcache.jit_hot_side_exit=1\n"
71
4
    "opcache.jit_max_root_traces=100000\n"
72
4
    "opcache.jit_max_side_traces=100000\n"
73
4
    "opcache.jit_max_exit_counters=100000\n"
74
4
    "opcache.protect_memory=1\n",
75
4
    opcache_path);
76
4
  free(opcache_path);
77
78
4
  create_file();
79
4
  fuzzer_init_php_for_execute(ini_buf);
80
4
  return 0;
81
4
}