luau/fuzz/proto.cpp

408 lines
12 KiB
C++
Raw Normal View History

// This file is part of the Luau programming language and is licensed under MIT License; see LICENSE.txt for details
#include "src/libfuzzer/libfuzzer_macro.h"
#include "luau.pb.h"
#include "Luau/BuiltinDefinitions.h"
#include "Luau/BytecodeBuilder.h"
2023-02-03 20:34:12 +08:00
#include "Luau/CodeGen.h"
#include "Luau/Common.h"
2022-02-25 07:15:41 +08:00
#include "Luau/Compiler.h"
2023-08-25 23:25:09 +08:00
#include "Luau/Config.h"
2022-02-25 07:15:41 +08:00
#include "Luau/Frontend.h"
#include "Luau/Linter.h"
#include "Luau/ModuleResolver.h"
#include "Luau/Parser.h"
#include "Luau/ToString.h"
2021-11-12 10:12:39 +08:00
#include "Luau/Transpiler.h"
2022-02-25 07:15:41 +08:00
#include "Luau/TypeInfer.h"
#include "lua.h"
#include "lualib.h"
#include <chrono>
// Select components to fuzz
const bool kFuzzCompiler = true;
const bool kFuzzLinter = true;
const bool kFuzzTypeck = true;
const bool kFuzzVM = true;
2021-11-12 10:12:39 +08:00
const bool kFuzzTranspile = true;
2023-07-14 23:57:16 +08:00
const bool kFuzzCodegenVM = true;
2023-07-08 01:14:35 +08:00
const bool kFuzzCodegenAssembly = true;
2021-12-03 07:20:08 +08:00
// Should we generate type annotations?
const bool kFuzzTypes = true;
2023-07-08 01:14:35 +08:00
const Luau::CodeGen::AssemblyOptions::Target kFuzzCodegenTarget = Luau::CodeGen::AssemblyOptions::A64;
static_assert(!(kFuzzVM && !kFuzzCompiler), "VM requires the compiler!");
2023-07-14 23:57:16 +08:00
static_assert(!(kFuzzCodegenVM && !kFuzzCompiler), "Codegen requires the compiler!");
2023-07-08 01:14:35 +08:00
static_assert(!(kFuzzCodegenAssembly && !kFuzzCompiler), "Codegen requires the compiler!");
2022-02-25 07:15:41 +08:00
std::vector<std::string> protoprint(const luau::ModuleSet& stat, bool types);
LUAU_FASTINT(LuauTypeInferRecursionLimit)
LUAU_FASTINT(LuauTypeInferTypePackLoopLimit)
LUAU_FASTINT(LuauCheckRecursionLimit)
LUAU_FASTINT(LuauTableTypeMaximumStringifierLength)
LUAU_FASTINT(LuauTypeInferIterationLimit)
LUAU_FASTINT(LuauTarjanChildLimit)
2022-02-25 07:15:41 +08:00
LUAU_FASTFLAG(DebugLuauFreezeArena)
2023-07-14 23:57:16 +08:00
LUAU_FASTFLAG(DebugLuauAbortingChecks)
std::chrono::milliseconds kInterruptTimeout(10);
std::chrono::time_point<std::chrono::system_clock> interruptDeadline;
size_t kHeapLimit = 512 * 1024 * 1024;
size_t heapSize = 0;
void interrupt(lua_State* L, int gc)
{
if (gc >= 0)
return;
if (std::chrono::system_clock::now() > interruptDeadline)
{
lua_checkstack(L, 1);
luaL_error(L, "execution timed out");
}
}
2022-03-05 00:19:20 +08:00
void* allocate(void* ud, void* ptr, size_t osize, size_t nsize)
{
if (nsize == 0)
{
heapSize -= osize;
free(ptr);
return NULL;
}
else
{
if (heapSize - osize + nsize > kHeapLimit)
return NULL;
heapSize -= osize;
heapSize += nsize;
return realloc(ptr, nsize);
}
}
lua_State* createGlobalState()
{
lua_State* L = lua_newstate(allocate, NULL);
2023-07-14 23:57:16 +08:00
if (kFuzzCodegenVM && Luau::CodeGen::isSupported())
2023-02-03 20:34:12 +08:00
Luau::CodeGen::create(L);
lua_callbacks(L)->interrupt = interrupt;
luaL_openlibs(L);
luaL_sandbox(L);
return L;
}
2023-04-14 20:05:27 +08:00
int registerTypes(Luau::Frontend& frontend, Luau::GlobalTypes& globals, bool forAutocomplete)
{
using namespace Luau;
using std::nullopt;
2023-04-14 20:05:27 +08:00
Luau::registerBuiltinGlobals(frontend, globals, forAutocomplete);
2023-03-11 03:20:04 +08:00
TypeArena& arena = globals.globalTypes;
BuiltinTypes& builtinTypes = *globals.builtinTypes;
// Vector3 stub
2023-01-04 01:33:19 +08:00
TypeId vector3MetaType = arena.addType(TableType{});
2023-01-04 01:33:19 +08:00
TypeId vector3InstanceType = arena.addType(ClassType{"Vector3", {}, nullopt, vector3MetaType, {}, {}, "Test"});
getMutable<ClassType>(vector3InstanceType)->props = {
2023-03-11 03:20:04 +08:00
{"X", {builtinTypes.numberType}},
{"Y", {builtinTypes.numberType}},
{"Z", {builtinTypes.numberType}},
};
2023-01-04 01:33:19 +08:00
getMutable<TableType>(vector3MetaType)->props = {
{"__add", {makeFunction(arena, nullopt, {vector3InstanceType, vector3InstanceType}, {vector3InstanceType})}},
};
2023-03-11 03:20:04 +08:00
globals.globalScope->exportedTypeBindings["Vector3"] = TypeFun{{}, vector3InstanceType};
// Instance stub
2023-01-04 01:33:19 +08:00
TypeId instanceType = arena.addType(ClassType{"Instance", {}, nullopt, nullopt, {}, {}, "Test"});
getMutable<ClassType>(instanceType)->props = {
2023-03-11 03:20:04 +08:00
{"Name", {builtinTypes.stringType}},
};
2023-03-11 03:20:04 +08:00
globals.globalScope->exportedTypeBindings["Instance"] = TypeFun{{}, instanceType};
// Part stub
2023-01-04 01:33:19 +08:00
TypeId partType = arena.addType(ClassType{"Part", {}, instanceType, nullopt, {}, {}, "Test"});
getMutable<ClassType>(partType)->props = {
{"Position", {vector3InstanceType}},
};
2023-03-11 03:20:04 +08:00
globals.globalScope->exportedTypeBindings["Part"] = TypeFun{{}, partType};
2023-03-11 03:20:04 +08:00
for (const auto& [_, fun] : globals.globalScope->exportedTypeBindings)
persist(fun.type);
return 0;
}
2022-04-29 09:04:52 +08:00
static void setupFrontend(Luau::Frontend& frontend)
{
2023-04-14 20:05:27 +08:00
registerTypes(frontend, frontend.globals, false);
2023-03-11 03:20:04 +08:00
Luau::freeze(frontend.globals.globalTypes);
2022-04-29 09:04:52 +08:00
2023-04-14 20:05:27 +08:00
registerTypes(frontend, frontend.globalsForAutocomplete, true);
2023-03-11 03:20:04 +08:00
Luau::freeze(frontend.globalsForAutocomplete.globalTypes);
2022-04-29 09:04:52 +08:00
frontend.iceHandler.onInternalError = [](const char* error) {
printf("ICE: %s\n", error);
LUAU_ASSERT(!"ICE");
};
}
2022-02-25 07:15:41 +08:00
struct FuzzFileResolver : Luau::FileResolver
{
std::optional<Luau::SourceCode> readSource(const Luau::ModuleName& name) override
{
auto it = source.find(name);
if (it == source.end())
return std::nullopt;
return Luau::SourceCode{it->second, Luau::SourceCode::Module};
}
std::optional<Luau::ModuleInfo> resolveModule(const Luau::ModuleInfo* context, Luau::AstExpr* expr) override
{
if (Luau::AstExprGlobal* g = expr->as<Luau::AstExprGlobal>())
return Luau::ModuleInfo{g->name.value};
return std::nullopt;
}
std::string getHumanReadableModuleName(const Luau::ModuleName& name) const override
{
return name;
}
std::optional<std::string> getEnvironmentForModule(const Luau::ModuleName& name) const override
{
return std::nullopt;
}
std::unordered_map<Luau::ModuleName, std::string> source;
};
struct FuzzConfigResolver : Luau::ConfigResolver
{
FuzzConfigResolver()
{
2022-04-22 05:04:22 +08:00
defaultConfig.mode = Luau::Mode::Nonstrict;
2022-02-25 07:15:41 +08:00
defaultConfig.enabledLint.warningMask = ~0ull;
defaultConfig.parseOptions.captureComments = true;
}
virtual const Luau::Config& getConfig(const Luau::ModuleName& name) const override
{
return defaultConfig;
}
Luau::Config defaultConfig;
};
2022-02-25 07:15:41 +08:00
static std::vector<std::string> debugsources;
2022-02-25 07:15:41 +08:00
DEFINE_PROTO_FUZZER(const luau::ModuleSet& message)
{
FInt::LuauTypeInferRecursionLimit.value = 100;
FInt::LuauTypeInferTypePackLoopLimit.value = 100;
FInt::LuauCheckRecursionLimit.value = 100;
FInt::LuauTypeInferIterationLimit.value = 1000;
FInt::LuauTarjanChildLimit.value = 1000;
FInt::LuauTableTypeMaximumStringifierLength.value = 100;
for (Luau::FValue<bool>* flag = Luau::FValue<bool>::list; flag; flag = flag->next)
if (strncmp(flag->name, "Luau", 4) == 0)
flag->value = true;
2022-02-25 07:15:41 +08:00
FFlag::DebugLuauFreezeArena.value = true;
2023-07-14 23:57:16 +08:00
FFlag::DebugLuauAbortingChecks.value = true;
2022-02-25 07:15:41 +08:00
std::vector<std::string> sources = protoprint(message, kFuzzTypes);
// stash source in a global for easier crash dump debugging
2022-02-25 07:15:41 +08:00
debugsources = sources;
static bool debug = getenv("LUAU_DEBUG") != 0;
if (debug)
{
2022-02-25 07:15:41 +08:00
for (std::string& source : sources)
fprintf(stdout, "--\n%s\n", source.c_str());
fflush(stdout);
}
2022-02-25 07:15:41 +08:00
// parse all sources
std::vector<std::unique_ptr<Luau::Allocator>> parseAllocators;
std::vector<std::unique_ptr<Luau::AstNameTable>> parseNameTables;
2022-02-25 07:15:41 +08:00
Luau::ParseOptions parseOptions;
parseOptions.captureComments = true;
2022-02-25 07:15:41 +08:00
std::vector<Luau::ParseResult> parseResults;
2022-02-25 07:15:41 +08:00
for (std::string& source : sources)
{
2022-02-25 07:15:41 +08:00
parseAllocators.push_back(std::make_unique<Luau::Allocator>());
parseNameTables.push_back(std::make_unique<Luau::AstNameTable>(*parseAllocators.back()));
2022-02-25 07:15:41 +08:00
parseResults.push_back(Luau::Parser::parse(source.c_str(), source.size(), *parseNameTables.back(), *parseAllocators.back(), parseOptions));
}
2022-02-25 07:15:41 +08:00
// typecheck all sources
if (kFuzzTypeck)
{
static FuzzFileResolver fileResolver;
2022-04-29 09:04:52 +08:00
static FuzzConfigResolver configResolver;
2023-03-31 20:21:14 +08:00
static Luau::FrontendOptions defaultOptions{/*retainFullTypeGraphs*/ true, /*forAutocomplete*/ false, /*runLintChecks*/ kFuzzLinter};
static Luau::Frontend frontend(&fileResolver, &configResolver, defaultOptions);
2022-02-25 07:15:41 +08:00
2022-04-29 09:04:52 +08:00
static int once = (setupFrontend(frontend), 0);
2023-03-11 03:20:04 +08:00
(void)once;
2022-02-25 07:15:41 +08:00
// restart
frontend.clear();
fileResolver.source.clear();
// load sources
for (size_t i = 0; i < sources.size(); i++)
{
2022-02-25 07:15:41 +08:00
std::string name = "module" + std::to_string(i);
fileResolver.source[name] = sources[i];
}
2022-02-25 07:15:41 +08:00
// check sources
for (size_t i = 0; i < sources.size(); i++)
{
2022-02-25 07:15:41 +08:00
std::string name = "module" + std::to_string(i);
try
{
2023-03-31 20:21:14 +08:00
frontend.check(name);
2022-04-22 05:04:22 +08:00
// Second pass in strict mode (forced by auto-complete)
2023-03-31 20:21:14 +08:00
Luau::FrontendOptions options = defaultOptions;
options.forAutocomplete = true;
frontend.check(name, options);
2022-02-25 07:15:41 +08:00
}
catch (std::exception&)
{
// This catches internal errors that the type checker currently (unfortunately) throws in some cases
}
}
2022-02-25 07:15:41 +08:00
// validate sharedEnv post-typecheck; valuable for debugging some typeck crashes but slows fuzzing down
// note: it's important for typeck to be destroyed at this point!
2023-03-11 03:20:04 +08:00
for (auto& p : frontend.globals.globalScope->bindings)
{
Luau::ToStringOptions opts;
opts.exhaustive = true;
opts.maxTableLength = 0;
opts.maxTypeLength = 0;
toString(p.second.typeId, opts); // toString walks the entire type, making sure ASAN catches access to destroyed type arenas
}
}
2022-02-25 07:15:41 +08:00
if (kFuzzTranspile)
2021-11-12 10:12:39 +08:00
{
2022-02-25 07:15:41 +08:00
for (Luau::ParseResult& parseResult : parseResults)
{
if (parseResult.root)
transpileWithTypes(*parseResult.root);
}
}
std::string bytecode;
// compile
if (kFuzzCompiler)
{
for (size_t i = 0; i < parseResults.size(); i++)
{
Luau::ParseResult& parseResult = parseResults[i];
Luau::AstNameTable& parseNameTable = *parseNameTables[i];
if (parseResult.errors.empty())
{
Luau::CompileOptions compileOptions;
try
{
Luau::BytecodeBuilder bcb;
2022-07-22 04:36:41 +08:00
Luau::compileOrThrow(bcb, parseResult, parseNameTable, compileOptions);
2022-02-25 07:15:41 +08:00
bytecode = bcb.getBytecode();
}
catch (const Luau::CompileError&)
{
// not all valid ASTs can be compiled due to limits on number of registers
}
}
}
2021-11-12 10:12:39 +08:00
}
2023-07-08 01:14:35 +08:00
// run codegen on resulting bytecode (in separate state)
if (kFuzzCodegenAssembly && bytecode.size())
{
static lua_State* globalState = luaL_newstate();
if (luau_load(globalState, "=fuzz", bytecode.data(), bytecode.size(), 0) == 0)
{
Luau::CodeGen::AssemblyOptions options;
options.outputBinary = true;
options.target = kFuzzCodegenTarget;
Luau::CodeGen::getAssembly(globalState, -1, options);
}
lua_pop(globalState, 1);
lua_gc(globalState, LUA_GCCOLLECT, 0);
}
2022-02-25 07:15:41 +08:00
// run resulting bytecode (from last successfully compiler module)
2023-07-14 23:57:16 +08:00
if ((kFuzzVM || kFuzzCodegenVM) && bytecode.size())
{
static lua_State* globalState = createGlobalState();
2023-02-03 20:34:12 +08:00
auto runCode = [](const std::string& bytecode, bool useCodegen) {
lua_State* L = lua_newthread(globalState);
luaL_sandboxthread(L);
2023-02-03 20:34:12 +08:00
if (luau_load(L, "=fuzz", bytecode.data(), bytecode.size(), 0) == 0)
{
if (useCodegen)
Luau::CodeGen::compile(L, -1);
2023-02-03 20:34:12 +08:00
interruptDeadline = std::chrono::system_clock::now() + kInterruptTimeout;
lua_resume(L, NULL, 0);
}
lua_pop(globalState, 1);
// we'd expect full GC to reclaim all memory allocated by the script
lua_gc(globalState, LUA_GCCOLLECT, 0);
LUAU_ASSERT(heapSize < 256 * 1024);
};
2023-07-14 23:57:16 +08:00
if (kFuzzVM)
runCode(bytecode, false);
2023-07-14 23:57:16 +08:00
if (kFuzzCodegenVM && Luau::CodeGen::isSupported())
2023-02-03 20:34:12 +08:00
runCode(bytecode, true);
}
}