/src/php-src/sapi/fuzzer/fuzzer-tracing-jit.c
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright (c) The PHP Group                                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to version 3.01 of the PHP license,      |
6
   | that is bundled with this package in the file LICENSE, and is        |
7
   | available through the world-wide-web at the following url:           |
8
   | https://www.php.net/license/3_01.txt                                 |
9
   | If you did not receive a copy of the PHP license and are unable to   |
10
   | obtain it through the world-wide-web, please send a note to          |
11
   | license@php.net so we can mail you a copy immediately.               |
12
   +----------------------------------------------------------------------+
13
   | Authors: Nikita Popov <nikic@php.net>                                |
14
   +----------------------------------------------------------------------+
15
 */
#include "fuzzer-execute-common.h"

#include <stdio.h>
#include <stdlib.h>
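/* Switch opcache.jit at runtime.
 *
 * The safety argument in LLVMFuzzerTestOneInput (never run JITed code for an
 * input that already bailed out in the interpreter) only holds if this switch
 * actually takes effect.  A failed ini update is therefore a harness problem
 * (e.g. opcache/JIT not available in this build), not a property of the input:
 * report it on stderr and abort rather than silently fuzzing in an unknown
 * JIT mode.  abort() is deliberate so the misconfiguration is impossible to
 * miss under libFuzzer.
 *
 * jit_option: the interned "opcache.jit" ini name.
 * mode/mode_len: the value to set, without its NUL terminator.
 */
static void set_jit_mode(zend_string *jit_option, const char *mode, size_t mode_len) {
  if (zend_alter_ini_entry_chars(
        jit_option, mode, mode_len, PHP_INI_USER, PHP_INI_STAGE_RUNTIME) != SUCCESS) {
    fprintf(stderr, "fuzzer-tracing-jit: failed to set opcache.jit=%s\n", mode);
    abort();
  }
}

/* libFuzzer entry point: run one PHP source input three times.
 *
 *   1. interpreter only (opcache.jit=off) with the step-limited executor from
 *      fuzzer-execute-common.h, to learn whether the input bails out
 *      (infinite loop / step exhaustion);
 *   2. if it did not bail out, with the tracing JIT enabled, to record and
 *      compile traces;
 *   3. again with the tracing JIT, to execute the compiled traces.
 *
 * Passes 2 and 3 run with the original executor (no step limit), which is why
 * they are gated on pass 1 completing: JITed code for a looping input could
 * otherwise run forever.  steps_left / bailed_out are maintained by the
 * fuzzer executor in fuzzer-execute-common.h (assumed: decremented per step,
 * set on bail-out).
 *
 * Data/Size: the raw fuzzer input, treated as PHP source.  Returns 0 always,
 * as libFuzzer requires.
 */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  if (Size > MAX_SIZE) {
    /* Large inputs have a large impact on fuzzer performance,
     * but are unlikely to be necessary to reach new codepaths. */
    return 0;
  }

  zend_string *jit_option = ZSTR_INIT_LITERAL("opcache.jit", 1);

  /* Pass 1: interpreter only, step-limited.  If this bails out we must not
   * run JITed code for the same input, as the JIT code may loop infinitely. */
  steps_left = MAX_STEPS;
  bailed_out = false;
  set_jit_mode(jit_option, "off", sizeof("off") - 1);
  fuzzer_do_request_from_buffer(
    FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);

  if (!bailed_out) {
    steps_left = MAX_STEPS;
    set_jit_mode(jit_option, "tracing", sizeof("tracing") - 1);
    /* Hand execution back to the stock executor for the JIT passes; the
     * fuzzer executor is restored below.  This relies on
     * fuzzer_do_request_from_buffer() catching any bail-out itself, so that
     * the restore is always reached. */
    zend_execute_ex = orig_execute_ex;
    /* Pass 2: trace & compile */
    fuzzer_do_request_from_buffer(
      FILE_NAME, (const char *) Data, Size, /* execute */ 1, NULL);
    /* Pass 3: execute the compiled trace, then invalidate the cached script
     * so the next input starts from a clean opcache state. */
    fuzzer_do_request_from_buffer(
      FILE_NAME, (const char *) Data, Size, /* execute */ 1, opcache_invalidate);
    zend_execute_ex = fuzzer_execute_ex;
  }

  zend_string_release(jit_option);

  return 0;
}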
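/* libFuzzer one-time initialisation: create the scratch script file and
 * start PHP with opcache/JIT settings tuned for fuzzing.
 *
 * The extra ini text is a sized literal rather than snprintf()'d into a
 * fixed 512-byte buffer: there are no format arguments, and a fixed buffer
 * truncates silently, so extending the list could one day drop a trailing
 * directive (protect_memory, notably) without any diagnostic.  The array is
 * non-const so it is accepted whether fuzzer_init_php_for_execute() takes a
 * const or non-const pointer.
 *
 * argc/argv: unused; libFuzzer passes the process arguments.  Returns 0.
 */
int LLVMFuzzerInitialize(int *argc, char ***argv) {
  (void) argc;
  (void) argv;

  static char ini[] =
    /* The same FILE_NAME is rewritten for every input, so disable opcache's
     * timestamp-based staleness checks (assumed purpose; see opcache docs). */
    "opcache.validate_timestamps=0\n"
    "opcache.file_update_protection=0\n"
    /* Shared memory and JIT buffer sizes (MB). */
    "opcache.memory_consumption=1024\n"
    "opcache.jit_buffer_size=128M\n"
    /* Hot thresholds of 1: trace on the first function call / loop
     * iteration / return / side exit, so short fuzz inputs reach the JIT. */
    "opcache.jit_hot_func=1\n"
    "opcache.jit_hot_loop=1\n"
    "opcache.jit_hot_return=1\n"
    "opcache.jit_hot_side_exit=1\n"
    /* Generous trace/counter caps so eager tracing is not starved. */
    "opcache.jit_max_root_traces=100000\n"
    "opcache.jit_max_side_traces=100000\n"
    "opcache.jit_max_exit_counters=100000\n"
    /* Per the opcache docs, protects shared memory from unexpected writes
     * while scripts execute: stray writes into the JIT/opcache area become a
     * fault the fuzzer can report instead of silent corruption.  Keep it. */
    "opcache.protect_memory=1\n";

  create_file();
  fuzzer_init_php_for_execute(ini);
  return 0;
}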