/src/php-src/sapi/fuzzer/fuzzer-function-jit.c

Source
/*
   +----------------------------------------------------------------------+
   | Copyright (c) The PHP Group                                          |
   +----------------------------------------------------------------------+
   | This source file is subject to version 3.01 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available through the world-wide-web at the following url:           |
   | https://www.php.net/license/3_01.txt                                 |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
   | Authors: Nikita Popov <nikic@php.net>                                |
   +----------------------------------------------------------------------+
 */

#include "fuzzer-execute-common.h"

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Size > MAX_SIZE) {
    /* Large inputs have a large impact on fuzzer performance,
     * but are unlikely to be necessary to reach new codepaths. */
    return 0;
  }

  zend_string *jit_option = ZSTR_INIT_LITERAL("opcache.jit", 1);

  /* First run without JIT to determine whether we bail out. We should not run JITed code if
   * we bail out here, as the JIT code may loop infinitely. */
  steps_left = MAX_STEPS;
  bailed_out = false;
  zend_alter_ini_entry_chars(
    jit_option, "off", sizeof("off")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
  fuzzer_do_request_from_buffer(
    FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);

  if (!bailed_out) {
    steps_left = MAX_STEPS;
    zend_alter_ini_entry_chars(jit_option,
      "function", sizeof("function")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
    zend_execute_ex = orig_execute_ex;
    fuzzer_do_request_from_buffer(
      FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
    zend_execute_ex = fuzzer_execute_ex;
  }

  zend_string_release(jit_option);

  return 0;
}

int LLVMFuzzerInitialize(int *argc, char ***argv) {
  char ini_buf[512];
  snprintf(ini_buf, sizeof(ini_buf),
    "opcache.validate_timestamps=0\n"
    "opcache.file_update_protection=0\n"
    "opcache.jit_buffer_size=128M\n"
    "opcache.protect_memory=1\n");

  create_file();
  fuzzer_init_php_for_execute(ini_buf);
  return 0;
}

Line	Count	Source
1		/*
2		+----------------------------------------------------------------------+
3		\| Copyright (c) The PHP Group \|
4		+----------------------------------------------------------------------+
5		\| This source file is subject to version 3.01 of the PHP license, \|
6		\| that is bundled with this package in the file LICENSE, and is \|
7		\| available through the world-wide-web at the following url: \|
8		\| https://www.php.net/license/3_01.txt \|
9		\| If you did not receive a copy of the PHP license and are unable to \|
10		\| obtain it through the world-wide-web, please send a note to \|
11		\| license@php.net so we can mail you a copy immediately. \|
12		+----------------------------------------------------------------------+
13		\| Authors: Nikita Popov <nikic@php.net> \|
14		+----------------------------------------------------------------------+
15		*/
16
17		#include "fuzzer-execute-common.h"
18
19	42.8k	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
20	42.8k	if (Size > MAX_SIZE) {
21		/* Large inputs have a large impact on fuzzer performance,
22		* but are unlikely to be necessary to reach new codepaths. */
23	5	return 0;
24	5	}
25
26	42.8k	zend_string *jit_option = ZSTR_INIT_LITERAL("opcache.jit", 1);
27
28		/* First run without JIT to determine whether we bail out. We should not run JITed code if
29		* we bail out here, as the JIT code may loop infinitely. */
30	42.8k	steps_left = MAX_STEPS;
31	42.8k	bailed_out = false;
32	42.8k	zend_alter_ini_entry_chars(
33	42.8k	jit_option, "off", sizeof("off")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
34	42.8k	fuzzer_do_request_from_buffer(
35	42.8k	FILE_NAME, (const char ) Data, Size, / execute */ 1, opcache_invalidate);
36
37	42.8k	if (!bailed_out) {
38	31.0k	steps_left = MAX_STEPS;
39	31.0k	zend_alter_ini_entry_chars(jit_option,
40	31.0k	"function", sizeof("function")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
41	31.0k	zend_execute_ex = orig_execute_ex;
42	31.0k	fuzzer_do_request_from_buffer(
43	31.0k	FILE_NAME, (const char ) Data, Size, / execute */ 1, opcache_invalidate);
44	31.0k	zend_execute_ex = fuzzer_execute_ex;
45	31.0k	}
46
47	42.8k	zend_string_release(jit_option);
48
49	42.8k	return 0;
50	42.8k	}
51
52	16	int LLVMFuzzerInitialize(int argc, char **argv) {
53	16	char ini_buf[512];
54	16	snprintf(ini_buf, sizeof(ini_buf),
55	16	"opcache.validate_timestamps=0\n"
56	16	"opcache.file_update_protection=0\n"
57	16	"opcache.jit_buffer_size=128M\n"
58	16	"opcache.protect_memory=1\n");
59
60	16	create_file();
61	16	fuzzer_init_php_for_execute(ini_buf);
62	16	return 0;
63	16	}

Coverage Report

Created: 2025-09-27 06:26