oven-sh
diff --git a/‎build.zig‎
Lines changed: 11 additions & 0 deletions b/‎build.zig‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎cmake/CompilerFlags.cmake‎
Lines changed: 17 additions & 0 deletions b/‎cmake/CompilerFlags.cmake‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎cmake/Options.cmake‎
Lines changed: 2 additions & 0 deletions b/‎cmake/Options.cmake‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎cmake/targets/BuildBun.cmake‎
Lines changed: 1 addition & 0 deletions b/‎cmake/targets/BuildBun.cmake‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 0 deletions b/‎package.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/bun.js/bindings/FuzzilliREPRL.cpp‎
Lines changed: 286 additions & 0 deletions b/‎src/bun.js/bindings/FuzzilliREPRL.cpp‎
Lines changed: 286 additions & 0 deletions
@@ -32,6 +32,7 @@ const BunBuildOptions = struct {
     /// enable debug logs in release builds
     enable_logs: bool = false,
     enable_asan: bool,
+    enable_fuzzilli: bool,
     enable_valgrind: bool,
     use_mimalloc: bool,
     tracy_callstack_depth: u16,
@@ -81,6 +82,7 @@ const BunBuildOptions = struct {
         opts.addOption(bool, "baseline", this.isBaseline());
         opts.addOption(bool, "enable_logs", this.enable_logs);
         opts.addOption(bool, "enable_asan", this.enable_asan);
+        opts.addOption(bool, "enable_fuzzilli", this.enable_fuzzilli);
         opts.addOption(bool, "enable_valgrind", this.enable_valgrind);
         opts.addOption(bool, "use_mimalloc", this.use_mimalloc);
         opts.addOption([]const u8, "reported_nodejs_version", b.fmt("{f}", .{this.reported_nodejs_version}));
@@ -255,6 +257,7 @@ pub fn build(b: *Build) !void {
         .tracy_callstack_depth = b.option(u16, "tracy_callstack_depth", "") orelse 10,
         .enable_logs = b.option(bool, "enable_logs", "Enable logs in release") orelse false,
         .enable_asan = b.option(bool, "enable_asan", "Enable asan") orelse false,
+        .enable_fuzzilli = b.option(bool, "enable_fuzzilli", "Enable fuzzilli instrumentation") orelse false,
         .enable_valgrind = b.option(bool, "enable_valgrind", "Enable valgrind") orelse false,
         .use_mimalloc = b.option(bool, "use_mimalloc", "Use mimalloc as default allocator") orelse false,
         .llvm_codegen_threads = b.option(u32, "llvm_codegen_threads", "Number of threads to use for LLVM codegen") orelse 1,
@@ -490,6 +493,7 @@ fn addMultiCheck(
                 .no_llvm = root_build_options.no_llvm,
                 .enable_asan = root_build_options.enable_asan,
                 .enable_valgrind = root_build_options.enable_valgrind,
+                .enable_fuzzilli = root_build_options.enable_fuzzilli,
                 .use_mimalloc = root_build_options.use_mimalloc,
                 .override_no_export_cpp_apis = root_build_options.override_no_export_cpp_apis,
             };
@@ -605,13 +609,20 @@ fn configureObj(b: *Build, opts: *BunBuildOptions, obj: *Compile) void {
 
     obj.no_link_obj = opts.os != .windows;
 
+
     if (opts.enable_asan and !enableFastBuild(b)) {
         if (@hasField(Build.Module, "sanitize_address")) {
+            if (opts.enable_fuzzilli) {
+                obj.sanitize_coverage_trace_pc_guard = true;
+            }
             obj.root_module.sanitize_address = true;
         } else {
             const fail_step = b.addFail("asan is not supported on this platform");
             obj.step.dependOn(&fail_step.step);
         }
+    } else if (opts.enable_fuzzilli) {
+        const fail_step = b.addFail("fuzzilli requires asan");
+        obj.step.dependOn(&fail_step.step);
     }
     obj.bundle_compiler_rt = false;
     obj.bundle_ubsan_rt = false;
 
@@ -51,6 +51,23 @@ if(ENABLE_ASAN)
   )
 endif()
 
+if(ENABLE_FUZZILLI)
+  register_compiler_flags(
+    DESCRIPTION "Enable coverage instrumentation for fuzzing"
+    -fsanitize-coverage=trace-pc-guard
+  )
+
+  register_linker_flags(
+    DESCRIPTION "Link coverage instrumentation"
+    -fsanitize-coverage=trace-pc-guard
+  )
+
+  register_compiler_flags(
+    DESCRIPTION "Enable fuzzilli-specific code"
+    -DFUZZILLI_ENABLED
+  )
+endif()
+
 # --- Optimization level ---
 if(DEBUG)
   register_compiler_flags(
 
@@ -127,6 +127,8 @@ if (NOT ENABLE_ASAN)
   set(ENABLE_ZIG_ASAN OFF)
 endif()
 
+optionx(ENABLE_FUZZILLI BOOL "If fuzzilli support should be enabled" DEFAULT OFF)
+
 if(RELEASE AND LINUX AND CI AND NOT ENABLE_ASSERTIONS AND NOT ENABLE_ASAN)
   set(DEFAULT_LTO ON)
 else()
 
@@ -695,6 +695,7 @@ register_command(
       -Dcpu=${ZIG_CPU}
       -Denable_logs=$<IF:$<BOOL:${ENABLE_LOGS}>,true,false>
       -Denable_asan=$<IF:$<BOOL:${ENABLE_ZIG_ASAN}>,true,false>
+      -Denable_fuzzilli=$<IF:$<BOOL:${ENABLE_FUZZILLI}>,true,false>
       -Denable_valgrind=$<IF:$<BOOL:${ENABLE_VALGRIND}>,true,false>
       -Duse_mimalloc=$<IF:$<BOOL:${USE_MIMALLOC_AS_DEFAULT_ALLOCATOR}>,true,false>
       -Dllvm_codegen_threads=${LLVM_ZIG_CODEGEN_THREADS}
 
@@ -33,6 +33,7 @@
     "bd:v": "(bun run --silent build:debug &> /tmp/bun.debug.build.log || (cat /tmp/bun.debug.build.log && rm -rf /tmp/bun.debug.build.log && exit 1)) && rm -f /tmp/bun.debug.build.log && ./build/debug/bun-debug",
     "bd": "BUN_DEBUG_QUIET_LOGS=1 bun --silent bd:v",
     "build:debug": "export COMSPEC=\"C:\\Windows\\System32\\cmd.exe\" && bun ./scripts/build.mjs -GNinja -DCMAKE_BUILD_TYPE=Debug -B build/debug --log-level=NOTICE",
+    "build:debug:fuzzilli": "export COMSPEC=\"C:\\Windows\\System32\\cmd.exe\" && bun ./scripts/build.mjs -GNinja -DCMAKE_BUILD_TYPE=Debug -B build/debug-fuzz  -DENABLE_FUZZILLI=ON --log-level=NOTICE",
     "build:debug:noasan": "export COMSPEC=\"C:\\Windows\\System32\\cmd.exe\" && bun ./scripts/build.mjs -GNinja -DCMAKE_BUILD_TYPE=Debug -DENABLE_ASAN=OFF -B build/debug --log-level=NOTICE",
     "build:release": "bun ./scripts/build.mjs -GNinja -DCMAKE_BUILD_TYPE=Release -B build/release",
     "build:ci": "bun ./scripts/build.mjs -GNinja -DCMAKE_BUILD_TYPE=Release -DCMAKE_VERBOSE_MAKEFILE=ON -DCI=true -B build/release-ci --verbose --fresh",
 
@@ -0,0 +1,286 @@
+#ifdef FUZZILLI_ENABLED
+#include "JavaScriptCore/CallFrame.h"
+#include "JavaScriptCore/Identifier.h"
+#include "JavaScriptCore/JSGlobalObject.h"
+#include "ZigGlobalObject.h"
+#include "root.h"
+#include "wtf/text/WTFString.h"
+#include <cerrno>
+#include <csignal>
+#include <cstdlib>
+#include <cstring>
+#include <fcntl.h>
+#include <sanitizer/asan_interface.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#define REPRL_DWFD 103
+
+extern "C" {
+
+// Signal handler to ensure output is flushed before crash
+static void fuzzilliSignalHandler(int sig)
+{
+    // Flush all output
+    fflush(stdout);
+    fflush(stderr);
+    fsync(STDOUT_FILENO);
+    fsync(STDERR_FILENO);
+
+    // Re-raise the signal with default handler
+    signal(sig, SIG_DFL);
+    raise(sig);
+}
+
+// Implementation of the global fuzzilli() function for Bun
+// This function is used by Fuzzilli to:
+// 1. Test crash detection with fuzzilli('FUZZILLI_CRASH', type)
+// 2. Print output with fuzzilli('FUZZILLI_PRINT', value)
+static JSC::EncodedJSValue JSC_HOST_CALL_ATTRIBUTES functionFuzzilli(JSC::JSGlobalObject* globalObject, JSC::CallFrame* callFrame)
+{
+    JSC::VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (callFrame->argumentCount() < 1) {
+        return JSC::JSValue::encode(JSC::jsUndefined());
+    }
+
+    JSC::JSValue arg0 = callFrame->argument(0);
+    WTF::String command = arg0.toWTFString(globalObject);
+    RETURN_IF_EXCEPTION(scope, JSC::JSValue::encode(JSC::jsUndefined()));
+
+    if (command == "FUZZILLI_CRASH"_s) {
+        // Fuzzilli uses this to test crash detection
+        // The second argument is an integer specifying the crash type
+        int crashType = 0;
+        if (callFrame->argumentCount() >= 2) {
+            JSC::JSValue arg1 = callFrame->argument(1);
+            crashType = arg1.toInt32(globalObject);
+        }
+
+        // Print the crash type for debugging
+        fprintf(stdout, "FUZZILLI_CRASH: %d\n", crashType);
+        fflush(stdout);
+
+        // Trigger different types of crashes for testing (similar to V8 implementation)
+        switch (crashType) {
+        case 0:
+            // IMMEDIATE_CRASH - Simple abort
+            std::abort();
+            break;
+
+        case 1:
+            // CHECK failure - assertion in release builds
+            // Use __builtin_trap() for a direct crash
+            __builtin_trap();
+            break;
+
+        case 2:
+            // DCHECK failure - always crash (use trap instead of assert which is disabled in release)
+            __builtin_trap();
+            break;
+
+        case 3:
+            // Wild write - heap buffer overflow (will be caught by ASAN)
+            {
+                volatile char* buffer = new char[10];
+                buffer[20] = 'x'; // Write past the end - ASAN should catch this
+                // Don't delete to make it more obvious
+            }
+            break;
+
+        case 4:
+            // Use-after-free (will be caught by ASAN)
+            {
+                volatile char* buffer = new char[10];
+                delete[] buffer;
+                buffer[0] = 'x'; // Use after free - ASAN should catch this
+            }
+            break;
+
+        case 5:
+            // Null pointer dereference
+            {
+                volatile int* ptr = nullptr;
+                *ptr = 42;
+            }
+            break;
+
+        case 6:
+            // Stack buffer overflow (will be caught by ASAN)
+            {
+                volatile char buffer[10];
+                volatile char* p = const_cast<char*>(buffer);
+                p[20] = 'x'; // Write past stack buffer
+            }
+            break;
+
+        case 7:
+            // Double free (will be caught by ASAN)
+            {
+                char* buffer = new char[10];
+                delete[] buffer;
+                delete[] buffer; // Double free - ASAN should catch this
+            }
+            break;
+
+        case 8:
+            // Verify DEBUG or ASAN is enabled
+            // Expected to be compiled with debug or ASAN, don't crash
+            fprintf(stdout, "DEBUG or ASAN is enabled\n");
+            fflush(stdout);
+            break;
+
+        default:
+            // Unknown crash type, just abort
+            std::abort();
+            break;
+        }
+    } else if (command == "FUZZILLI_PRINT"_s) {
+        // Optional: Print the second argument
+        if (callFrame->argumentCount() >= 2) {
+            JSC::JSValue arg1 = callFrame->argument(1);
+            WTF::String output = arg1.toWTFString(globalObject);
+            RETURN_IF_EXCEPTION(scope, JSC::JSValue::encode(JSC::jsUndefined()));
+
+            FILE* f = fdopen(REPRL_DWFD, "w");
+            fprintf(f, "%s\n", output.utf8().data());
+            fflush(f);
+        }
+    }
+
+    return JSC::JSValue::encode(JSC::jsUndefined());
+}
+
+// ============================================================================
+// Coverage instrumentation for Fuzzilli
+// Based on workerd implementation
+// Only enabled when ASAN is active
+// ============================================================================
+
+#define SHM_SIZE 0x200000
+#define MAX_EDGES ((SHM_SIZE - 4) * 8)
+
+struct shmem_data {
+    uint32_t num_edges;
+    unsigned char edges[];
+};
+
+// Global coverage data
+static struct shmem_data* __shmem = nullptr;
+static uint32_t* __edges_start = nullptr;
+static uint32_t* __edges_stop = nullptr;
+
+// Reset edge guards for next iteration
+static void __sanitizer_cov_reset_edgeguards()
+{
+    if (!__edges_start || !__edges_stop) return;
+    uint64_t N = 0;
+    for (uint32_t* x = __edges_start; x < __edges_stop && N < MAX_EDGES; x++) {
+        *x = ++N;
+    }
+}
+
+// Called by the compiler to initialize coverage instrumentation
+extern "C" void __sanitizer_cov_trace_pc_guard_init(uint32_t* start, uint32_t* stop)
+{
+    // Avoid duplicate initialization
+    if (start == stop || *start) return;
+
+    if (__edges_start != nullptr || __edges_stop != nullptr) {
+        fprintf(stderr, "[COV] Coverage instrumentation is only supported for a single module\n");
+        _exit(-1);
+    }
+
+    __edges_start = start;
+    __edges_stop = stop;
+
+    // Map the shared memory region
+    const char* shm_key = getenv("SHM_ID");
+    if (!shm_key) {
+        fprintf(stderr, "[COV] no shared memory bitmap available, using malloc\n");
+        __shmem = (struct shmem_data*)malloc(SHM_SIZE);
+        if (!__shmem) {
+            fprintf(stderr, "[COV] Failed to allocate coverage bitmap\n");
+            _exit(-1);
+        }
+        memset(__shmem, 0, SHM_SIZE);
+    } else {
+        int fd = shm_open(shm_key, O_RDWR, S_IREAD | S_IWRITE);
+        if (fd <= -1) {
+            fprintf(stderr, "[COV] Failed to open shared memory region: %s\n", strerror(errno));
+            _exit(-1);
+        }
+
+        __shmem = (struct shmem_data*)mmap(0, SHM_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+        if (__shmem == MAP_FAILED) {
+            fprintf(stderr, "[COV] Failed to mmap shared memory region\n");
+            _exit(-1);
+        }
+    }
+
+    __sanitizer_cov_reset_edgeguards();
+    __shmem->num_edges = stop - start;
+    fprintf(stderr, "[COV] Coverage instrumentation initialized with %u edges\n", __shmem->num_edges);
+}
+
+// Called by the compiler for each edge
+extern "C" void __sanitizer_cov_trace_pc_guard(uint32_t* guard)
+{
+    // There's a small race condition here: if this function executes in two threads for the same
+    // edge at the same time, the first thread might disable the edge (by setting the guard to zero)
+    // before the second thread fetches the guard value (and thus the index). However, our
+    // instrumentation ignores the first edge (see libcoverage.c) and so the race is unproblematic.
+    if (!__shmem) return;
+    uint32_t index = *guard;
+    // If this function is called before coverage instrumentation is properly initialized we want to return early.
+    if (!index) return;
+    __shmem->edges[index / 8] |= 1 << (index % 8);
+    *guard = 0;
+}
+
+// Function to reset coverage for next REPRL iteration
+// This should be called after each script execution
+JSC_DEFINE_HOST_FUNCTION(jsResetCoverage, (JSC::JSGlobalObject * globalObject, JSC::CallFrame*))
+{
+    __sanitizer_cov_reset_edgeguards();
+    return JSC::JSValue::encode(JSC::jsUndefined());
+}
+
+// Register the fuzzilli() function on a Bun global object
+void Bun__REPRL__registerFuzzilliFunctions(Zig::GlobalObject* globalObject)
+{
+    JSC::VM& vm = globalObject->vm();
+
+    // Install signal handlers to ensure output is flushed before crashes
+    // This is important for ASAN output to be captured
+    signal(SIGABRT, fuzzilliSignalHandler);
+    signal(SIGSEGV, fuzzilliSignalHandler);
+    signal(SIGILL, fuzzilliSignalHandler);
+    signal(SIGFPE, fuzzilliSignalHandler);
+
+    globalObject->putDirectNativeFunction(
+        vm,
+        globalObject,
+        JSC::Identifier::fromString(vm, "fuzzilli"_s),
+        2, // max 2 arguments
+        functionFuzzilli,
+        JSC::ImplementationVisibility::Public,
+        JSC::NoIntrinsic,
+        JSC::PropertyAttribute::DontEnum | JSC::PropertyAttribute::DontDelete);
+
+    globalObject->putDirectNativeFunction(
+        vm,
+        globalObject,
+        JSC::Identifier::fromString(vm, "resetCoverage"_s),
+        0,
+        jsResetCoverage,
+        JSC::ImplementationVisibility::Public,
+        JSC::NoIntrinsic,
+        JSC::PropertyAttribute::DontEnum | JSC::PropertyAttribute::DontDelete);
+}
+
+} // extern "C"
+
+#endif // FUZZILLI_ENABLED