profile

Author: mschwarzl

README.md

@@ -248,6 +248,12 @@ Special thanks to all users of Fuzzilli who have reported bugs found by it!
 - [CVE-2020-1912](https://www.facebook.com/security/advisories/cve-2020-1912): Memory corruption when executing lazily compiled inner generator functions
 - [CVE-2020-1914](https://www.facebook.com/security/advisories/cve-2020-1914): Bytecode corruption when handling the SaveGeneratorLong instruction
 
+#### [Workerd](https://github.com/cloudflare/workerd)
+- [PR 4793](https://github.com/cloudflare/workerd/pull/4793): OOB write in writeSync due to missing bounds check
+- [PR 4845](https://github.com/cloudflare/workerd/pull/4845): UAF in VFS file clone handling
+- [PR 4828](https://github.com/cloudflare/workerd/pull/4828): Segmentation fault on undefined keys in DH crypto API.
+- [PR 4853](https://github.com/cloudflare/workerd/pull/4853): Workerd hits illegal instruction due to missing branch in FileSystemModule::setLastModified.
+
 ## Disclaimer
 
 This is not an officially supported Google product.

Sources/Fuzzilli/Compiler/Compiler.swift

@@ -1161,10 +1161,9 @@ public class JavaScriptCompiler {
 
         case .awaitExpression(let awaitExpression):
                 // TODO await is also allowed at the top level of a module
-                /*if !contextAnalyzer.context.contains(.asyncFunction) {
+                if !contextAnalyzer.context.contains(.asyncFunction) {
                     throw CompilerError.invalidNodeError("`await` is currently only supported in async functions")
                 }
-                */
                 let argument = try compileExpression(awaitExpression.argument)
                 return emit(Await(), withInputs: [argument]).output
 

Sources/Fuzzilli/Compiler/JavaScriptParser.swift

@@ -43,7 +43,6 @@ public class JavaScriptParser {
         do {
             try runParserScript(withArguments: [])
         } catch {
-
             return nil
         }
     }

Sources/Fuzzilli/Compiler/Parser/parser.js

@@ -34,7 +34,7 @@ function tryReadFile(path) {
 
 // Parse the given JavaScript script and return an AST compatible with Fuzzilli's protobuf-based AST format.
 function parse(script, proto) {
-    let ast = Parser.parse(script, { allowAwaitOutsideFunction: true, plugins: ["topLevelAwait","v8intrinsic"] });
+    let ast = Parser.parse(script, { plugins: ["v8intrinsic"] });
 
     function assertNoError(err) {
         if (err) throw err;

Sources/Fuzzilli/FuzzIL/Code.swift

@@ -239,21 +239,9 @@ public struct Code: Collection {
                     throw FuzzilliError.codeVerificationError("variable \(input) is not visible anymore")
                 }
             }
-            
-            if instr.op is Await {
-                // if !contextAnalyzer.context.contains(.asyncFunction)
-                // {
-                //     if contextAnalyzer.context.contains(.subroutine) {
-                //         if !contextAnalyzer.context.contains(.method) && !contextAnalyzer.context.contains(.classMethod) && !contextAnalyzer.context.contains(.javascript) {
-                //             throw FuzzilliError.codeVerificationError("operation \(instr.op.name) inside an invalid context")
-                //         }
-                //     }
-                // }
-                // fall-through allow top-level await
-            } else {
-                guard instr.op.requiredContext.isSubset(of: contextAnalyzer.context) else {
-                    throw FuzzilliError.codeVerificationError("operation \(instr.op.name) inside an invalid context")
-                }
+
+            guard instr.op.requiredContext.isSubset(of: contextAnalyzer.context) else {
+                throw FuzzilliError.codeVerificationError("operation \(instr.op.name) inside an invalid context")
             }
 
             // Ensure that the instruction exists in the right context

Sources/Fuzzilli/Fuzzer.swift

@@ -431,6 +431,7 @@ public class Fuzzer {
         }
 
         let execution = execute(program, purpose: .programImport)
+
         var wasImported = false
         switch execution.outcome {
         case .crashed(let termsig):
@@ -673,15 +674,6 @@ public class Fuzzer {
         let execution = runner.run(script, withTimeout: timeout ?? config.timeout)
         dispatchEvent(events.PostExecute, data: execution)
 
-        //Stdout
-        // if !execution.stdout.isEmpty {
-        //     print(execution.stdout)
-        // }
-
-        // if !execution.stderr.isEmpty {
-        //     print(execution.stderr)
-        // }
-
         return execution
     }
 

Sources/FuzzilliCli/Profiles/WorkerdProfile.swift

@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,9 +15,8 @@
 import Fuzzilli
 
 let workerdProfile = Profile(
-    processArgs: { randomize in
-        ["--reprl-fuzzilli"]
-    },
+    processArgs: { randomize in ["fuzzilli"] },
+
 
     processEnv: [:],
 

Sources/REPRLRun/main.swift

@@ -1,8 +1,21 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 import Foundation
 import libreprl
 
 func convertToCArray(_ array: [String]) -> UnsafeMutablePointer<UnsafePointer<Int8>?> {
-    print("Converting array to C array: \(array)")
     let buffer = UnsafeMutablePointer<UnsafePointer<Int8>?>.allocate(capacity: array.count + 1)
     for (i, str) in array.enumerated() {
         buffer[i] = UnsafePointer(str.withCString(strdup))
@@ -11,25 +24,12 @@ func convertToCArray(_ array: [String]) -> UnsafeMutablePointer<UnsafePointer<In
     return buffer
 }
 
-func printREPRLOutput(_ ctx: OpaquePointer?) {
-    let fuzzout = String(cString: reprl_fetch_fuzzout(ctx))
-    let stdout = String(cString: reprl_fetch_stdout(ctx))
-    let stderr = String(cString: reprl_fetch_stderr(ctx))
-
-    print("========== Fuzzout ==========")
-    print(fuzzout)
-    print("========== Stdout ==========")
-    print(stdout)
-    print("========== Stderr ==========")
-    print(stderr)
-}
-
 if CommandLine.arguments.count < 2 {
     print("Usage: \(CommandLine.arguments[0]) path/to/js_shell [args, ...]")
     exit(0)
 }
 
-print("Creating REPRL context...")
+
 let ctx = libreprl.reprl_create_context()
 if ctx == nil {
     print("Failed to create REPRL context??")
@@ -38,25 +38,16 @@ if ctx == nil {
 
 let argv = convertToCArray(Array(CommandLine.arguments[1...]))
 let envp = convertToCArray([])
-
-print("Initializing REPRL context with argv: \(CommandLine.arguments[1...])")
 if reprl_initialize_context(ctx, argv, envp, /* capture_stdout: */ 1, /* capture stderr: */ 1) != 0 {
     print("Failed to initialize REPRL context: \(String(cString: reprl_get_last_error(ctx)))")
-    printREPRLOutput(ctx)
-    exit(1)
-} else {
-    print("REPRL context initialized successfully.")
 }
 
 func execute(_ script: String) -> (status: Int32, exec_time: UInt64) {
     var exec_time: UInt64 = 0
     var status: Int32 = 0
-    print("Executing script: \(script)")
     script.withCString { ptr in
         status = reprl_execute(ctx, ptr, UInt64(script.utf8.count), 1_000_000, &exec_time, 0)
     }
-    print("Execution result: status = \(status), exec_time = \(exec_time)")
-    printREPRLOutput(ctx)
     return (status, exec_time)
 }
 
@@ -65,32 +56,29 @@ func runREPRLTests() {
     var numFailures = 0
 
     func expect_success(_ code: String) {
-        print("Expecting success for code: \(code)")
         if execute(code).status != 0 {
             print("Execution of \"\(code)\" failed")
             numFailures += 1
-        } else {
-            print("Success for code: \(code)")
         }
     }
 
     func expect_failure(_ code: String) {
-        print("Expecting failure for code: \(code)")
         if execute(code).status == 0 {
             print("Execution of \"\(code)\" unexpectedly succeeded")
             numFailures += 1
-        } else {
-            print("Failure as expected for code: \(code)")
         }
     }
 
     expect_success("42")
     expect_failure("throw 42")
 
+    // Verify that existing state is property reset between executions
     expect_success("globalProp = 42; Object.prototype.foo = \"bar\";")
     expect_success("if (typeof(globalProp) !== 'undefined') throw 'failure'")
     expect_success("if (typeof(({}).foo) !== 'undefined') throw 'failure'")
 
+    // Verify that rejected promises are properly reset between executions
+    // Only if async functions are available
     if execute("async function foo() {}").status == 0 {
         expect_failure("async function fail() { throw 42; }; fail()")
         expect_success("42")
@@ -101,19 +89,17 @@ func runREPRLTests() {
     if numFailures == 0 {
         print("All tests passed!")
     } else {
-        print("Not all tests passed. REPRL support may not be properly implemented.")
+        print("Not all tests passed. That means REPRL support likely isn't properly implemented in the target engine")
     }
 }
 
-print("Checking if REPRL works...")
+// Check whether REPRL works at all
 if execute("").status != 0 {
-    print("Initial script execution failed, REPRL support does not appear to be working")
-    printREPRLOutput(ctx)
+    print("Script execution failed, REPRL support does not appear to be working")
     exit(1)
-} else {
-    print("Initial REPRL check passed.")
 }
 
+// Run a couple of tests now
 runREPRLTests()
 
 print("Enter code to run, then hit enter to execute it")
@@ -124,15 +110,15 @@ while true {
         break
     }
 
-    print("Executing user input code...")
     let (status, exec_time) = execute(code)
 
     if status < 0 {
         print("Error during script execution: \(String(cString: reprl_get_last_error(ctx))). REPRL support in the target probably isn't working correctly...")
-        printREPRLOutput(ctx)
         continue
     }
 
     print("Execution finished with status \(status) (signaled: \(RIFSIGNALED(status) != 0), timed out: \(RIFTIMEDOUT(status) != 0)) and took \(exec_time / 1000)ms")
+    print("========== Fuzzout ==========\n\(String(cString: reprl_fetch_fuzzout(ctx)))")
+    print("========== Stdout ==========\n\(String(cString: reprl_fetch_stdout(ctx)))")
+    print("========== Stderr ==========\n\(String(cString: reprl_fetch_stderr(ctx)))")
 }
-

Targets/workerd/README.md

@@ -0,0 +1,8 @@
+# Target: workerd
+
+To build workerd for fuzzing:
+
+0. Clone [workerd](https://github.com/cloudflare/workerd/)
+1. Follow the instructions [here](https://github.com/cloudflare/workerd/blob/main/README.md#getting-started) 
+2. Run the fuzzbuild.sh script in the workerd root directory to build workerd with the fuzzili configuration
+

Targets/workerd/fuzzbuild.sh

@@ -0,0 +1,4 @@
+bazel --nohome_rc --nosystem_rc build --config=reprl-fuzzilli //src/workerd/server:workerd --action_env=CC=clang-19
+# test if REPRLRun works
+# swift run REPRLRun <path-to-workerd> fuzzilli <path-to-capnp-config> --experimental
+