
Issue 729025


Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocking: issue 729024




Get complete list of runtime functions for whitelist

Project Member Reported by infe...@chromium.org, Jun 2 2017

Issue description

The current fuzzer whitelist for runtime functions is small. What else should we add?

RUNTIME_FUNCTION_WHITELIST = [
    # List of allowed runtime functions. Others will be replaced with no-ops.
    '%ArrayBufferNeuter',
    '%DeoptimizeFunction',
    '%DeoptimizeNow',
    '%GetUndetectable',
    '%HeapObjectVerify',
    '%OptimizeFunctionOnNextCall',
]
 
Blockedon: 729026
Blockedon: -729026
Cc: mstarzinger@chromium.org jkummerow@chromium.org
I don't think that there are many other candidates.
Our runtime functions aren't hardened, i.e. many of them just crash on incompatible inputs.
Given that we have full control over how and where we call runtime functions, we probably won't have much interest in hardening them further.
Status: WontFix (was: Untriaged)
Yes, this is WAI.

A few years ago, we tried the approach of explicitly fuzzing all runtime functions. That turned out to cause lots of churn for little to no benefit. So we have learned the lesson that it makes more sense not to fuzz runtime functions. The purpose of the whitelist is to allow fuzzers to use a few runtime functions that make generated fuzz tests more interesting (%OptimizeFunctionOnNextCall is the canonical example -- it's not interesting in itself, but it helps generated tests hit more interesting codepaths elsewhere).
The only additional runtime function that comes to mind at the moment that we could add would be %OptimizeOsr(n). This one triggers OSR (on-stack replacement) of an activation on the stack. Note that we would need to make it fail gracefully on "n" not being a number first, before we add it to the whitelist. Not sure if it's worth it though, as this can always be achieved by making the loop that triggers the OSR run longer.
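The whitelist in the description and the explanation above describe a filter: only the listed runtime functions survive in a generated test, and every other %Runtime(...) call becomes a no-op. The block below is an added illustration of that filtering written for this page; it is not the V8 fuzzer's own code. The no-op replacement (`undefined`), the helper names and the sample test input are assumptions.

```python
import re

# Whitelist as posted in the issue description.
RUNTIME_FUNCTION_WHITELIST = [
    '%ArrayBufferNeuter',
    '%DeoptimizeFunction',
    '%DeoptimizeNow',
    '%GetUndetectable',
    '%HeapObjectVerify',
    '%OptimizeFunctionOnNextCall',
]

# Assumed no-op replacement for a rejected call; the page only says that
# non-whitelisted calls become no-ops, not what the real fuzzer substitutes.
NOOP = 'undefined'

# A natives-syntax call is '%' immediately followed by an identifier and '('
# (d8 accepts these only under --allow-natives-syntax).
_CALL_RE = re.compile(r'%([A-Za-z_$][A-Za-z0-9_$]*)\s*\(')


def _is_modulo(src, pct_idx):
    """True if the '%' at pct_idx follows an operand, i.e. it is the remainder
    operator ('7 %g(3)') rather than natives syntax ('x = %g(3)')."""
    j = pct_idx - 1
    while j >= 0 and src[j] in ' \t\r\n':
        j -= 1
    return j >= 0 and (src[j].isalnum() or src[j] in '_$)]')


def _matching_paren(src, open_idx):
    """Index of the ')' closing the '(' at open_idx, honouring nested
    parentheses and quoted strings; -1 if the call is unbalanced."""
    depth = 0
    quote = None
    i = open_idx
    while i < len(src):
        c = src[i]
        if quote:
            if c == '\\':
                i += 1          # skip the escaped character
            elif c == quote:
                quote = None
        elif c in ('"', "'", '`'):
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def sanitize_runtime_calls(src, whitelist=RUNTIME_FUNCTION_WHITELIST):
    """Replace every %Runtime(...) call not in the whitelist with NOOP.

    Returns (rewritten source, names of the runtime functions replaced)."""
    allowed = set(whitelist)
    out, replaced, pos = [], [], 0
    for m in _CALL_RE.finditer(src):
        if m.start() < pos or _is_modulo(src, m.start()):
            continue            # inside an already replaced call, or a '%' operator
        name = '%' + m.group(1)
        if name in allowed:
            continue            # whitelisted: keep the call, still scan its arguments
        close = _matching_paren(src, m.end() - 1)
        if close < 0:
            break               # unbalanced input: leave the rest untouched
        out.append(src[pos:m.start()])
        out.append(NOOP)
        replaced.append(name)
        pos = close + 1
    out.append(src[pos:])
    return ''.join(out), replaced


# Constructed sample of a generated test; not taken from the page.
SAMPLE_TEST = (
    "function f(x) { return x + 1; }\n"
    "f(1);\n"
    "%OptimizeFunctionOnNextCall(f);\n"
    "f(2);\n"
    "%UnknownRuntimeFn(f, [1, 2], 'a)b');\n"
    "var y = 7 %g(3);\n"
)

if __name__ == '__main__':
    rewritten, dropped = sanitize_runtime_calls(SAMPLE_TEST)
    print(rewritten)
    print('replaced:', dropped)
```

The remainder-operator check matters because `%` is also JavaScript's modulo operator; a filter that rewrote every `%name(` would also mangle `7 %g(3)`. Whitelisted calls are kept but their arguments are still scanned, so a rejected runtime function cannot be smuggled in as an argument of an allowed one.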
