Merge pull request #41 from VRIG-RITSEC/rebase-downstream-main

Rebase downstream main

Author: chase1k

.github/workflows/swift.yml

@@ -29,7 +29,8 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: 25-nightly
-
+      - name: Swift Version
+        run: swift --version
       # Is it failing to run tests b/c we're overriding
       # what swift binary to use?
       - name: Setup Swift for Ubuntu
@@ -43,6 +44,13 @@ jobs:
       - uses: actions/checkout@v2
       - name: Build
         run: swift build -c ${{ matrix.kind }} -v
+      - name: Install protobuf
+        # Install protoc so the presubmit can also validate the generated *.pb.swift files.
+        if: ${{ matrix.os == 'ubuntu-latest' && matrix.kind == 'debug' }}
+        run: sudo apt install -y protobuf-compiler
+      - name: Run presubmit checks
+        if: ${{ matrix.os == 'ubuntu-latest' && matrix.kind == 'debug' }}
+        run: python3 Tools/presubmit.py
       - name: Run tests with Node.js
         run: swift test -c ${{ matrix.kind }} -v
       - name: Install jsvu

OWNERS

@@ -1,5 +1,9 @@
 cffsmith@google.com
+machenbach@google.com
+mdanylo@google.com
 mliedtke@google.com
+pawkra@google.com
 saelo@google.com
+tacet@google.com
 
 per-file WHITESPACE=*

Package.swift

@@ -25,7 +25,7 @@ let package = Package(
         .library(name: "Fuzzilli",targets: ["Fuzzilli"]),
     ],
     dependencies: [
-        .package(url: "https://github.com/apple/swift-protobuf.git", from: "1.31.0"),
+        .package(url: "https://github.com/apple/swift-protobuf.git", from: "1.32.0"),
         .package(
           url: "https://github.com/apple/swift-collections.git",
           .upToNextMinor(from: "1.2.0")

README.md

@@ -2,10 +2,6 @@
 
 A (coverage-)guided fuzzer for dynamic language interpreters based on a custom intermediate language ("FuzzIL") which can be mutated and translated to JavaScript.
 
-Fuzzilli is developed and maintained by:
-- Samuel Groß, <saelo@google.com>
-- Carl Smith, <cffsmith@google.com>
-
 ## Usage
 
 The basic steps to use this fuzzer are:

Sources/FuzzILTool/main.swift

@@ -95,7 +95,7 @@ func loadProgramOrExit(from path: String) -> Program {
 
 let args = Arguments.parse(from: CommandLine.arguments)
 
-if args["-h"] != nil || args["--help"] != nil || args.numPositionalArguments != 1 || args.numOptionalArguments > 2 {
+if args["-h"] != nil || args["--help"] != nil || args.numPositionalArguments != 1 {
     print("""
           Usage:
           \(args.programName) options path
@@ -108,6 +108,7 @@ if args["-h"] != nil || args["--help"] != nil || args.numPositionalArguments !=
               --dumpProgram            : Dumps the internal representation of the program stored in the given protobuf file
               --checkCorpus            : Attempts to load all .fzil files in a directory and checks if they are statically valid
               --compile                : Compile the given JavaScript program to a FuzzIL program. Requires node.js
+              --outputPathJS           : If given, --compile will write the lifted JS file to the given path after compilation.
               --generate               : Generate a random program using Fuzzilli's code generators and save it to the specified path.
               --forDifferentialFuzzing : Enable additional features for better support of external differential fuzzing.
           """)
@@ -186,17 +187,27 @@ else if args.has("--compile") {
         exit(-1)
     }
 
-    print(fuzzILLifter.lift(program))
-    print()
-    print(jsLifter.lift(program))
+    if let js_path = args["--outputPathJS"] {
+        let content = jsLifter.lift(program)
+        do {
+            try content.write(to: URL(fileURLWithPath: js_path), atomically: false, encoding: String.Encoding.utf8)
+        } catch {
+            print("Failed to write file \(js_path): \(error)")
+            exit(-1)
+        }
+    } else {
+        print(fuzzILLifter.lift(program))
+        print()
+        print(jsLifter.lift(program))
 
-    do {
-        let outputPath = URL(fileURLWithPath: path).deletingPathExtension().appendingPathExtension("fzil")
-        try program.asProtobuf().serializedData().write(to: outputPath)
-        print("FuzzIL program written to \(outputPath.relativePath)")
-    } catch {
-        print("Failed to store output program to disk: \(error)")
-        exit(-1)
+        do {
+            let outputPath = URL(fileURLWithPath: path).deletingPathExtension().appendingPathExtension("fzil")
+            try program.asProtobuf().serializedData().write(to: outputPath)
+            print("FuzzIL program written to \(outputPath.relativePath)")
+        } catch {
+            print("Failed to store output program to disk: \(error)")
+            exit(-1)
+        }
     }
 }
 

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -19,6 +19,38 @@ import Foundation
 /// This provides methods for constructing and appending random
 /// instances of the different kinds of operations in a program.
 public class ProgramBuilder {
+
+    /// Runtime data used by code generators to share data between different stubs inside the same
+    /// code generator. It is strictly required that all pushed values are also popped again in the
+    /// same code generator.
+    public class GeneratorRuntimeData {
+        private var data = [String : Stack<Variable>]()
+
+        public func push(_ key: String, _ value: Variable) {
+            data[key, default: .init()].push(value)
+        }
+
+        public func pop(_ key: String) -> Variable {
+            assert(data[key] != nil)
+            return data[key]!.pop()
+        }
+
+        // Fetch the most recent value for this key and push it back.
+        public func popAndPush(_ key: String) -> Variable {
+            assert(data[key] != nil)
+            return data[key]!.top
+        }
+
+        func reset() {
+            #if DEBUG
+            for (key, value) in data {
+                assert(value.isEmpty, "Stale entries for runtime data '\(key)'")
+            }
+            #endif
+            data.removeAll(keepingCapacity: false)
+        }
+    }
+
     /// The fuzzer instance for which this builder is active.
     public let fuzzer: Fuzzer
 
@@ -147,6 +179,9 @@ public class ProgramBuilder {
     /// The remaining CodeGenerators to call as part of a building / CodeGen step, these will "clean up" the state and fix the contexts.
     public var scheduled: Stack<GeneratorStub> = Stack()
 
+    // Runtime data that can be shared between different stubs within a CodeGenerator.
+    var runtimeData = GeneratorRuntimeData()
+
     /// Stack of active switch blocks.
     private var activeSwitchBlocks = Stack<SwitchBlock>()
 
@@ -214,6 +249,7 @@ public class ProgramBuilder {
         activeObjectLiterals.removeAll()
         activeClassDefinitions.removeAll()
         buildLog?.reset()
+        runtimeData.reset()
     }
 
     /// Finalizes and returns the constructed program, then resets this builder so it can be reused for building another program.
@@ -483,6 +519,36 @@ public class ProgramBuilder {
         return probability(0.5) ? randomBuiltinMethodName() : randomCustomMethodName()
     }
 
+    private static func generateConstrained<T: Equatable>(
+            _ generator: () -> T,
+            notIn: any Collection<T>,
+            fallback: () -> T) -> T {
+        var result: T
+        var attempts = 0
+        repeat {
+            if attempts >= 10 {
+                return fallback()
+            }
+            result = generator()
+            attempts += 1
+        } while notIn.contains(result)
+        return result
+    }
+
+    // Generate a string not already contained in `notIn` using the provided `generator`. If it fails
+    // repeatedly, return a random string instead.
+    public func generateString(_ generator: () -> String, notIn: any Collection<String>) -> String {
+        Self.generateConstrained(generator, notIn: notIn,
+            fallback: {String.random(ofLength: Int.random(in: 1...5))})
+    }
+
+    // Find a random variable to use as a string that isn't contained in `notIn`. If it fails
+    // repeatedly, create a random string literal instead.
+    public func findOrGenerateStringLikeVariable(notIn: any Collection<Variable>) -> Variable {
+        return Self.generateConstrained(randomJsVariable, notIn: notIn,
+            fallback: {loadString(String.random(ofLength: Int.random(in: 1...5)))})
+    }
+
     // Settings and constants controlling the behavior of randomParameters() below.
     // This determines how many variables of a given type need to be visible before
     // that type is considered a candidate for a parameter type. For example, if this
@@ -500,15 +566,15 @@ public class ProgramBuilder {
     //
     // This will attempt to find a parameter types for which at least a few variables of a compatible types are
     // currently available to (potentially) later be used as arguments for calling the generated subroutine.
-    public func randomParameters(n wantedNumberOfParameters: Int? = nil) -> SubroutineDescriptor {
+    public func randomParameters(n wantedNumberOfParameters: Int? = nil, withRestParameterProbability restProbability: Double = 0.2) -> SubroutineDescriptor {
         assert(probabilityOfUsingAnythingAsParameterTypeIfAvoidable >= 0 && probabilityOfUsingAnythingAsParameterTypeIfAvoidable <= 1)
 
         // If the caller didn't specify how many parameters to generated, find an appropriate
         // number of parameters based on how many variables are currently visible (and can
         // therefore later be used as arguments for calling the new function).
         let n: Int
         if let requestedN = wantedNumberOfParameters {
-            assert(requestedN > 0)
+            assert(requestedN >= 0)
             n = requestedN
         } else {
             switch numberOfVisibleVariables {
@@ -537,15 +603,27 @@ public class ProgramBuilder {
         }
 
         var params = ParameterList()
-        for _ in 0..<n {
+
+        let generateRestParameter = n > 0 && probability(restProbability)
+        let numPlainParams = generateRestParameter ? n - 1 : n
+
+        func randomParamType() -> ILType {
             if probability(probabilityOfUsingAnythingAsParameterTypeIfAvoidable) {
-                params.append(.jsAnything)
+                return .jsAnything
             } else {
-                params.append(.plain(chooseUniform(from: candidates)))
+                return chooseUniform(from: candidates)
             }
         }
 
-        // TODO: also generate rest parameters and maybe even optional ones sometimes?
+        for _ in 0..<numPlainParams {
+            params.append(.plain(randomParamType()))
+        }
+
+        if generateRestParameter {
+            params.append(.rest(randomParamType()))
+        }
+
+        // TODO: also generate optional parameters sometimes?
 
         return .parameters(params)
     }
@@ -686,6 +764,13 @@ public class ProgramBuilder {
                     // Note that builtin constructors are handled above in the maybeGenerateConstructorAsPath call.
                     return self.randomVariable(forUseAs: .function())
                 }),
+            (.unboundFunction(), {
+                // TODO: We have the same issue as above for functions.
+                // First try to find an existing unbound function. if not present, try to find any
+                // function. Using any function as an unbound function is fine, it just misses the
+                // information about the receiver type (which for many functions doesn't matter).
+                return self.randomVariable(ofType: .unboundFunction()) ?? self.randomVariable(forUseAs: .function())
+            }),
             (.undefined, { return self.loadUndefined() }),
             (.constructor(), {
                     // TODO: We have the same issue as above for functions.
@@ -2038,7 +2123,7 @@ public class ProgramBuilder {
 
         var numberOfGeneratedInstructions = 0
 
-        // calculate all input requirements of this CodeGenerator.
+        // Calculate all input requirements of this CodeGenerator.
         let inputTypes = Set(generator.parts.reduce([]) { res, gen in
             return res + gen.inputs.types
         })
@@ -3823,17 +3908,20 @@ public class ProgramBuilder {
         }
 
         public func wasmTableInit(elementSegment: Variable, table: Variable, tableOffset: Variable, elementSegmentOffset: Variable, nrOfElementsToUpdate: Variable) {
-            // TODO: b/427115604 - assert that table.elemType IS_SUBTYPE_OF elementSegment.elemType (depending on refactor outcome).
+            let elementSegmentType = ILType.wasmFuncRef
+            let tableElemType = b.type(of: table).wasmTableType!.elementType
+            assert(elementSegmentType.Is(tableElemType))
+
             let addrType = b.type(of: table).wasmTableType!.isTable64 ? ILType.wasmi64 : ILType.wasmi32
             b.emit(WasmTableInit(), withInputs: [elementSegment, table, tableOffset, elementSegmentOffset, nrOfElementsToUpdate],
-                types: [.wasmElementSegment(), .object(ofGroup: "WasmTable"), addrType, addrType, addrType])
+                types: [.wasmElementSegment(), .object(ofGroup: "WasmTable"), addrType, .wasmi32, .wasmi32])
         }
 
         public func wasmTableCopy(dstTable: Variable, srcTable: Variable, dstOffset: Variable, srcOffset: Variable, count: Variable) {
-            // TODO: b/427115604 - assert that srcTable.elemType IS_SUBTYPE_OF dstTable.elemType (depending on refactor outcome).
             let dstTableType = b.type(of: dstTable).wasmTableType!
             let srcTableType = b.type(of: srcTable).wasmTableType!
             assert(dstTableType.isTable64 == srcTableType.isTable64)
+            assert(srcTableType.elementType.Is(dstTableType.elementType))
 
             let addrType = dstTableType.isTable64 ? ILType.wasmi64 : ILType.wasmi32
             b.emit(WasmTableCopy(), withInputs: [dstTable, srcTable, dstOffset, srcOffset, count],
@@ -4354,21 +4442,27 @@ public class ProgramBuilder {
 
         @discardableResult
         public func addTable(elementType: ILType, minSize: Int, maxSize: Int? = nil, definedEntries: [WasmTableType.IndexInTableAndWasmSignature] = [], definedEntryValues: [Variable] = [], isTable64: Bool) -> Variable {
-            let inputTypes = if elementType == .wasmFuncRef {
-                Array(repeating: .wasmFunctionDef() | .function(), count: definedEntries.count)
-            } else {
-                [ILType]()
-            }
+            let inputTypes = Array(repeating: getEntryTypeForTable(elementType: elementType), count: definedEntries.count)
             return b.emit(WasmDefineTable(elementType: elementType, limits: Limits(min: minSize, max: maxSize), definedEntries: definedEntries, isTable64: isTable64),
                 withInputs: definedEntryValues, types: inputTypes).output
         }
 
         @discardableResult
-        public func addElementSegment(elementsType: ILType,  elements: [Variable]) -> Variable {
-            let inputTypes = Array(repeating: elementsType, count: elements.count)
+        public func addElementSegment(elements: [Variable]) -> Variable {
+            let inputTypes = Array(repeating: getEntryTypeForTable(elementType: ILType.wasmFuncRef), count: elements.count)
             return b.emit(WasmDefineElementSegment(size: UInt32(elements.count)), withInputs: elements, types: inputTypes).output
         }
 
+        public func getEntryTypeForTable(elementType: ILType) -> ILType {
+            switch elementType {
+                case .wasmFuncRef:
+                    return .wasmFunctionDef() | .function()
+                default:
+                    return .object()
+            }
+        }
+
+
         // This result can be ignored right now, as we can only define one memory per module
         // Also this should be tracked like a global / table.
         @discardableResult

Sources/Fuzzilli/CodeGen/CodeGenerator.swift

@@ -381,4 +381,4 @@ extension CodeGenerator: CustomStringConvertible {
         let names = self.parts.map { $0.name }
         return names.joined(separator: ",")
     }
-}
+}

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -192,7 +192,6 @@ public let codeGeneratorWeights = [
     "PrototypeOverwriteGenerator":              10,
     "CallbackPropertyGenerator":                10,
     "MethodCallWithDifferentThisGenerator":     5,
-    "WeirdClassGenerator":                      10,
     "ProxyGenerator":                           10,
     "LengthChangeGenerator":                    5,
     "ElementKindChangeGenerator":               5,