
Collect runtime types only on variable definition (googleprojectzero#128
)
samo98 authored Aug 31, 2020
1 parent c03daa9 commit 359bc34
Showing 3 changed files with 22 additions and 26 deletions.
37 changes: 21 additions & 16 deletions Sources/Fuzzilli/Core/ProgramBuilder.swift
@@ -245,12 +245,7 @@ public class ProgramBuilder {

/// Type information access.
public func type(of v: Variable) -> Type {
let runtimeType = program.runtimeType(of: v)
if runtimeType == .unknown {
return interpreter?.type(of: v) ?? .unknown
} else {
return runtimeType
}
return interpreter?.type(of: v) ?? .unknown
}

public func methodSignature(of methodName: String, on object: Variable) -> FunctionSignature {
@@ -335,27 +330,37 @@ public class ProgramBuilder {
}

/// Maps a variable from the program that is currently configured for adoption into the program being constructed.
public func adopt(_ variable: Variable, keepType: Bool) -> Variable {
public func adopt(_ variable: Variable) -> Variable {
if !varMaps.last!.contains(variable) {
varMaps[varMaps.count - 1][variable] = nextVariable()
}
let currentVariable = varMaps.last![variable]!

if keepType, let currentType = typeMaps.last![variable] {
program.setRuntimeType(of: currentVariable, to: currentType)
}
return currentVariable
return varMaps.last![variable]!
}

/// Maps a list of variables from the program that is currently configured for adoption into the program being constructed.
public func adopt(_ variables: [Variable], keepTypes: Bool) -> [Variable] {
return variables.map{ adopt($0, keepType: keepTypes) }
public func adopt(_ variables: [Variable]) -> [Variable] {
return variables.map(adopt)
}

private func adoptTypes(from origInstr: Instruction, to newInstr: Instruction) {
for (originalVariable, adoptedVariable) in zip(origInstr.allOutputs, newInstr.allOutputs) {
if let type = typeMaps.last![originalVariable], type != .unknown {
program.setRuntimeType(of: adoptedVariable, to: type)

interpreter?.setType(of: adoptedVariable, to: type)
}
}
}

/// Adopts an instruction from the program that is currently configured for adoption into the program being constructed.
public func adopt(_ instruction: Instruction, keepTypes: Bool) {
let newInouts = adopt(Array(instruction.inputs), keepTypes: false) + adopt(Array(instruction.allOutputs), keepTypes: keepTypes)
internalAppend(Instruction(operation: instruction.operation, inouts: newInouts))
let newInouts = adopt(Array(instruction.inputs)) + adopt(Array(instruction.allOutputs))
let adoptedInstruction = Instruction(operation: instruction.operation, inouts: newInouts)
internalAppend(adoptedInstruction)
if keepTypes {
adoptTypes(from: instruction, to: adoptedInstruction)
}
}


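Review bot: The new private adoptTypes(from:to:) carries no doc comment, although it is the piece of adopt(_:keepTypes:) a reader has to reason about: it writes the recorded type of each output into both the program's runtime-type store and the interpreter, and it is called only after internalAppend, so any type the interpreter may have derived for the freshly appended instruction is overwritten (whether internalAppend runs the interpreter is outside this hunk). A header such as `/// Copies the recorded (non-.unknown) types of origInstr's outputs onto the matching outputs of newInstr, updating both the program's runtime types and the interpreter.` plus a one-line why-comment at the call site explaining why it runs after internalAppend would make that explicit. The zip over allOutputs silently truncates if the two instructions ever disagree in output count; that holds today because newInstr is built from the same operation, but `assert(origInstr.allOutputs.count == newInstr.allOutputs.count)` before the loop would pin the invariant. The doc comment on type(of:) still reads "Type information access." although the function now returns only the interpreter's view, falling back to .unknown when no interpreter is configured, which is worth stating there.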
9 changes: 0 additions & 9 deletions Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -219,13 +219,11 @@ public class JavaScriptLifter: ComponentBase, Lifter {
let dest = MemberExpression.new() <> input(0) <> "." <> op.propertyName
let expr = AssignmentExpression.new() <> dest <> " = " <> input(1)
w.emit(expr)
maybeUpdateType(instr.input(0))

case let op as DeleteProperty:
let target = MemberExpression.new() <> input(0) <> "." <> op.propertyName
let expr = UnaryExpression.new() <> "delete " <> target
w.emit(expr)
maybeUpdateType(instr.input(0))

case let op as LoadElement:
output = MemberExpression.new() <> input(0) <> "[" <> op.index <> "]"
@@ -234,13 +232,11 @@ public class JavaScriptLifter: ComponentBase, Lifter {
let dest = MemberExpression.new() <> input(0) <> "[" <> op.index <> "]"
let expr = AssignmentExpression.new() <> dest <> " = " <> input(1)
w.emit(expr)
maybeUpdateType(instr.input(0))

case let op as DeleteElement:
let target = MemberExpression.new() <> input(0) <> "[" <> op.index <> "]"
let expr = UnaryExpression.new() <> "delete " <> target
w.emit(expr)
maybeUpdateType(instr.input(0))

case is LoadComputedProperty:
output = MemberExpression.new() <> input(0) <> "[" <> input(1).text <> "]"
@@ -249,13 +245,11 @@ public class JavaScriptLifter: ComponentBase, Lifter {
let dest = MemberExpression.new() <> input(0) <> "[" <> input(1).text <> "]"
let expr = AssignmentExpression.new() <> dest <> " = " <> input(2)
w.emit(expr)
maybeUpdateType(instr.input(0))

case is DeleteComputedProperty:
let target = MemberExpression.new() <> input(0) <> "[" <> input(1).text <> "]"
let expr = UnaryExpression.new() <> "delete " <> target
w.emit(expr)
maybeUpdateType(instr.input(0))

case is TypeOf:
output = UnaryExpression.new() <> "typeof " <> input(0)
@@ -348,11 +342,9 @@ public class JavaScriptLifter: ComponentBase, Lifter {

case is Dup:
w.emit("\(decl(instr.output)) = \(input(0));")
maybeUpdateType(instr.output)

case is Reassign:
w.emit("\(instr.input(0)) = \(input(1));")
maybeUpdateType(instr.input(0))

case let op as Compare:
output = BinaryExpression.new() <> input(0) <> " " <> op.op.token <> " " <> input(1)
@@ -438,7 +430,6 @@ public class JavaScriptLifter: ComponentBase, Lifter {
case is BeginForIn:
w.emit("for (\(decl(instr.innerOutput)) in \(input(0))) {")
w.increaseIndentionLevel()
maybeUpdateType(instr.innerOutput)

case is EndForIn:
w.decreaseIndentionLevel()
2 changes: 1 addition & 1 deletion Sources/Fuzzilli/Mutators/InputMutator.swift
@@ -23,7 +23,7 @@ public class InputMutator: BaseInstructionMutator {
}

public override func mutate(_ instr: Instruction, _ b: ProgramBuilder) {
var inouts = b.adopt(instr.inouts, keepTypes: false)
var inouts = b.adopt(instr.inouts)

// Replace one input
let selectedInput = Int.random(in: 0..<instr.numInputs)
