Merge Upstream

.github/workflows/swift.yml

@@ -10,44 +10,78 @@ jobs:
   build_test:
     timeout-minutes: 30
     strategy:
-      # If macos-latest fails, we still don't want to cancel ubuntu-latest or the other way around.
       fail-fast: false
       matrix:
         os: [macos-latest, ubuntu-latest]
         kind: [debug]
         include:
-          # On linux also build and test release.
           - os: ubuntu-latest
             kind: release
 
     runs-on: ${{ matrix.os }}
 
     env:
       SWIFT_VERSION: 6.1
+      DATABASE_URL: postgresql://postgres:postgres@localhost:5432/fuzzilli
+
+    services:
+      postgres:
+        image: postgres:16
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: fuzzilli
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd="pg_isready -U postgres"
+          --health-interval=5s
+          --health-timeout=5s
+          --health-retries=10
 
     steps:
+      - uses: actions/checkout@v4
+
       - uses: actions/setup-node@v4
         with:
-          node-version: 25-nightly
+          node-version: 20
 
-      # Is it failing to run tests b/c we're overriding
-      # what swift binary to use?
-      - name: Setup Swift for Ubuntu
+      - name: Setup Swift (Linux only)
         if: runner.os == 'Linux'
         run: |
+          sudo apt-get update -q
+          sudo apt-get install -y libicu-dev libxml2 libsqlite3-dev libblocksruntime-dev tzdata
           wget -q https://download.swift.org/swift-${SWIFT_VERSION}-release/ubuntu2204/swift-${SWIFT_VERSION}-RELEASE/swift-${SWIFT_VERSION}-RELEASE-ubuntu22.04.tar.gz
           tar xzf swift-${SWIFT_VERSION}-RELEASE-ubuntu22.04.tar.gz
-          mv swift-${SWIFT_VERSION}-RELEASE-ubuntu22.04 /opt/swift
-          rm swift-${SWIFT_VERSION}-RELEASE-ubuntu22.04.tar.gz
-          export PATH="/opt/swift/usr/bin:${PATH}"
-      - uses: actions/checkout@v2
+          sudo mv swift-${SWIFT_VERSION}-RELEASE-ubuntu22.04 /opt/swift
+          echo "/opt/swift/usr/bin" | sudo tee -a /etc/environment
+          echo "/opt/swift/usr/bin" >> $GITHUB_PATH
+
+      - name: Wait for PostgreSQL
+        run: |
+          echo "Waiting for PostgreSQL to become ready..."
+          for i in {1..20}; do
+            pg_isready -h localhost -p 5432 -U postgres && break
+            sleep 2
+          done
+          psql $DATABASE_URL -c 'SELECT version();'
+
       - name: Build
         run: swift build -c ${{ matrix.kind }} -v
-      - name: Run tests with Node.js
+
+      - name: Run tests
+        env:
+          DATABASE_URL: ${{ env.DATABASE_URL }}
         run: swift test -c ${{ matrix.kind }} -v
+
       - name: Install jsvu
         run: npm install jsvu -g
+
       - name: Install d8
         run: jsvu --os=default --engines=v8
+
       - name: Run tests with d8
-        run: FUZZILLI_TEST_SHELL=~/.jsvu/engines/v8/v8 swift test -c ${{ matrix.kind }} -v
+        env:
+          FUZZILLI_TEST_SHELL: ~/.jsvu/engines/v8/v8
+          DATABASE_URL: ${{ env.DATABASE_URL }}
+        run: swift test -c ${{ matrix.kind }} -v

OWNERS

@@ -1,5 +1,9 @@
 cffsmith@google.com
+machenbach@google.com
+mdanylo@google.com
 mliedtke@google.com
+pawkra@google.com
 saelo@google.com
+tacet@google.com
 
 per-file WHITESPACE=*

README.md

@@ -2,10 +2,6 @@
 
 A (coverage-)guided fuzzer for dynamic language interpreters based on a custom intermediate language ("FuzzIL") which can be mutated and translated to JavaScript.
 
-Fuzzilli is developed and maintained by:
-- Samuel Groß, <saelo@google.com>
-- Carl Smith, <cffsmith@google.com>
-
 ## Usage
 
 The basic steps to use this fuzzer are:

Sources/FuzzILTool/main.swift

@@ -95,7 +95,7 @@ func loadProgramOrExit(from path: String) -> Program {
 
 let args = Arguments.parse(from: CommandLine.arguments)
 
-if args["-h"] != nil || args["--help"] != nil || args.numPositionalArguments != 1 || args.numOptionalArguments > 2 {
+if args["-h"] != nil || args["--help"] != nil || args.numPositionalArguments != 1 {
     print("""
           Usage:
           \(args.programName) options path
@@ -108,6 +108,7 @@ if args["-h"] != nil || args["--help"] != nil || args.numPositionalArguments !=
               --dumpProgram            : Dumps the internal representation of the program stored in the given protobuf file
               --checkCorpus            : Attempts to load all .fzil files in a directory and checks if they are statically valid
               --compile                : Compile the given JavaScript program to a FuzzIL program. Requires node.js
+              --outputPathJS           : If given, --compile will write the lifted JS file to the given path after compilation.
               --generate               : Generate a random program using Fuzzilli's code generators and save it to the specified path.
               --forDifferentialFuzzing : Enable additional features for better support of external differential fuzzing.
           """)
@@ -186,17 +187,27 @@ else if args.has("--compile") {
         exit(-1)
     }
 
-    print(fuzzILLifter.lift(program))
-    print()
-    print(jsLifter.lift(program))
+    if let js_path = args["--outputPathJS"] {
+        let content = jsLifter.lift(program)
+        do {
+            try content.write(to: URL(fileURLWithPath: js_path), atomically: false, encoding: String.Encoding.utf8)
+        } catch {
+            print("Failed to write file \(js_path): \(error)")
+            exit(-1)
+        }
+    } else {
+        print(fuzzILLifter.lift(program))
+        print()
+        print(jsLifter.lift(program))
 
-    do {
-        let outputPath = URL(fileURLWithPath: path).deletingPathExtension().appendingPathExtension("fzil")
-        try program.asProtobuf().serializedData().write(to: outputPath)
-        print("FuzzIL program written to \(outputPath.relativePath)")
-    } catch {
-        print("Failed to store output program to disk: \(error)")
-        exit(-1)
+        do {
+            let outputPath = URL(fileURLWithPath: path).deletingPathExtension().appendingPathExtension("fzil")
+            try program.asProtobuf().serializedData().write(to: outputPath)
+            print("FuzzIL program written to \(outputPath.relativePath)")
+        } catch {
+            print("Failed to store output program to disk: \(error)")
+            exit(-1)
+        }
     }
 }
 

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -483,6 +483,36 @@ public class ProgramBuilder {
         return probability(0.5) ? randomBuiltinMethodName() : randomCustomMethodName()
     }
 
+    private static func generateConstrained<T: Equatable>(
+            _ generator: () -> T,
+            notIn: any Collection<T>,
+            fallback: () -> T) -> T {
+        var result: T
+        var attempts = 0
+        repeat {
+            if attempts >= 10 {
+                return fallback()
+            }
+            result = generator()
+            attempts += 1
+        } while notIn.contains(result)
+        return result
+    }
+
+    // Generate a string not already contained in `notIn` using the provided `generator`. If it fails
+    // repeatedly, return a random string instead.
+    public func generateString(_ generator: () -> String, notIn: any Collection<String>) -> String {
+        Self.generateConstrained(generator, notIn: notIn,
+            fallback: {String.random(ofLength: Int.random(in: 1...5))})
+    }
+
+    // Find a random variable to use as a string that isn't contained in `notIn`. If it fails
+    // repeatedly, create a random string literal instead.
+    public func findOrGenerateStringLikeVariable(notIn: any Collection<Variable>) -> Variable {
+        return Self.generateConstrained(randomJsVariable, notIn: notIn,
+            fallback: {loadString(String.random(ofLength: Int.random(in: 1...5)))})
+    }
+
     // Settings and constants controlling the behavior of randomParameters() below.
     // This determines how many variables of a given type need to be visible before
     // that type is considered a candidate for a parameter type. For example, if this
@@ -686,6 +716,13 @@ public class ProgramBuilder {
                     // Note that builtin constructors are handled above in the maybeGenerateConstructorAsPath call.
                     return self.randomVariable(forUseAs: .function())
                 }),
+            (.unboundFunction(), {
+                // TODO: We have the same issue as above for functions.
+                // First try to find an existing unbound function. if not present, try to find any
+                // function. Using any function as an unbound function is fine, it just misses the
+                // information about the receiver type (which for many functions doesn't matter).
+                return self.randomVariable(ofType: .unboundFunction()) ?? self.randomVariable(forUseAs: .function())
+            }),
             (.undefined, { return self.loadUndefined() }),
             (.constructor(), {
                     // TODO: We have the same issue as above for functions.
@@ -3823,17 +3860,20 @@ public class ProgramBuilder {
         }
 
         public func wasmTableInit(elementSegment: Variable, table: Variable, tableOffset: Variable, elementSegmentOffset: Variable, nrOfElementsToUpdate: Variable) {
-            // TODO: b/427115604 - assert that table.elemType IS_SUBTYPE_OF elementSegment.elemType (depending on refactor outcome).
+            let elementSegmentType = ILType.wasmFuncRef
+            let tableElemType = b.type(of: table).wasmTableType!.elementType
+            assert(elementSegmentType.Is(tableElemType))
+
             let addrType = b.type(of: table).wasmTableType!.isTable64 ? ILType.wasmi64 : ILType.wasmi32
             b.emit(WasmTableInit(), withInputs: [elementSegment, table, tableOffset, elementSegmentOffset, nrOfElementsToUpdate],
-                types: [.wasmElementSegment(), .object(ofGroup: "WasmTable"), addrType, addrType, addrType])
+                types: [.wasmElementSegment(), .object(ofGroup: "WasmTable"), addrType, .wasmi32, .wasmi32])
         }
 
         public func wasmTableCopy(dstTable: Variable, srcTable: Variable, dstOffset: Variable, srcOffset: Variable, count: Variable) {
-            // TODO: b/427115604 - assert that srcTable.elemType IS_SUBTYPE_OF dstTable.elemType (depending on refactor outcome).
             let dstTableType = b.type(of: dstTable).wasmTableType!
             let srcTableType = b.type(of: srcTable).wasmTableType!
             assert(dstTableType.isTable64 == srcTableType.isTable64)
+            assert(srcTableType.elementType.Is(dstTableType.elementType))
 
             let addrType = dstTableType.isTable64 ? ILType.wasmi64 : ILType.wasmi32
             b.emit(WasmTableCopy(), withInputs: [dstTable, srcTable, dstOffset, srcOffset, count],
@@ -4354,21 +4394,27 @@ public class ProgramBuilder {
 
         @discardableResult
         public func addTable(elementType: ILType, minSize: Int, maxSize: Int? = nil, definedEntries: [WasmTableType.IndexInTableAndWasmSignature] = [], definedEntryValues: [Variable] = [], isTable64: Bool) -> Variable {
-            let inputTypes = if elementType == .wasmFuncRef {
-                Array(repeating: .wasmFunctionDef() | .function(), count: definedEntries.count)
-            } else {
-                [ILType]()
-            }
+            let inputTypes = Array(repeating: getEntryTypeForTable(elementType: elementType), count: definedEntries.count)
             return b.emit(WasmDefineTable(elementType: elementType, limits: Limits(min: minSize, max: maxSize), definedEntries: definedEntries, isTable64: isTable64),
                 withInputs: definedEntryValues, types: inputTypes).output
         }
 
         @discardableResult
-        public func addElementSegment(elementsType: ILType,  elements: [Variable]) -> Variable {
-            let inputTypes = Array(repeating: elementsType, count: elements.count)
+        public func addElementSegment(elements: [Variable]) -> Variable {
+            let inputTypes = Array(repeating: getEntryTypeForTable(elementType: ILType.wasmFuncRef), count: elements.count)
             return b.emit(WasmDefineElementSegment(size: UInt32(elements.count)), withInputs: elements, types: inputTypes).output
         }
 
+        public func getEntryTypeForTable(elementType: ILType) -> ILType {
+            switch elementType {
+                case .wasmFuncRef:
+                    return .wasmFunctionDef() | .function()
+                default:
+                    return .object()
+            }
+        }
+
+
         // This result can be ignored right now, as we can only define one memory per module
         // Also this should be tracked like a global / table.
         @discardableResult