Allow Symbols to be constructed by generateVariable

Author: Samuel Groß

Sources/Fuzzilli/Core/Environment.swift

@@ -73,7 +73,7 @@ public protocol Environment: Component {
     /// Used e.g. for arrays created through a literal.
     var arrayType: Type { get }
 
-    /// Returns an array of constructable types
+    /// All other types exposed by the environment for which a constructor builtin exists. E.g. Uint8Array or Symbol in Javascript.
     var constructables: [String] { get }
 
     /// Retuns the type representing a function with the given signature.

Sources/Fuzzilli/Core/JavaScriptEnvironment.swift

@@ -68,7 +68,9 @@ public class JavaScriptEnvironment: ComponentBase, Environment {
     private var groups: [String: ObjectGroup] = [:]
 
     public var constructables = [String]()
-    public let nonConstructables = ["Math", "JSON", "Reflect", "Symbol"]
+    
+    // Builtin objects (ObjectGroups to be precise) that are not constructors.
+    public let nonConstructors = ["Math", "JSON", "Reflect"]
 
     public init(additionalBuiltins: [String: Type], additionalObjectGroups: [ObjectGroup]) {
         super.init(name: "JavaScriptEnvironment")
@@ -183,13 +185,15 @@ public class JavaScriptEnvironment: ComponentBase, Environment {
         for group in groups.keys where !group.contains("Constructor") {
             assert(builtins.contains(group), "We cannot call the constructor for the given group \(group)")
 
-            if !nonConstructables.contains(group) {
-                assert(type(ofBuiltin: group).constructorSignature != nil, "We don't have a constructor signature for \(group)")
-                // These are basically the groups that need to be constructable i.e. callable with the new keyword.
+            if !nonConstructors.contains(group) {
+                // These are the groups that are constructable i.e. for which a builtin exists with the name of the group
+                // that can be called as function or constructor and returns an object of that group.
+                assert(type(ofBuiltin: group).signature != nil, "We don't have a constructor signature for \(group)")
+                assert(type(ofBuiltin: group).signature!.outputType.group == group, "The constructor for \(group) returns an invalid type")
                 constructables.append(group)
             }
         }
-
+        
         customPropertyNames = ["a", "b", "c", "d", "e"]
         customMethodNames = ["m", "n", "o", "p"]
         methodNames.formUnion(customMethodNames)
@@ -346,7 +350,7 @@ public extension Type {
     }
 
     /// Type of the JavaScript Object constructor builtin.
-    static let jsObjectConstructor = .functionAndConstructor([.anything...] => .object()) + .object(ofGroup: "ObjectConstructor", withProperties: ["prototype"], withMethods: ["assign", "fromEntries", "getOwnPropertyDescriptor", "getOwnPropertyDescriptors", "getOwnPropertyNames", "getOwnPropertySymbols", "is", "preventExtensions", "seal", "create", "defineProperties", "defineProperty", "freeze", "getPrototypeOf", "setPrototypeOf", "isExtensible", "isFrozen", "isSealed", "keys", "entries", "values"])
+    static let jsObjectConstructor = .functionAndConstructor([.anything...] => .object(ofGroup: "Object")) + .object(ofGroup: "ObjectConstructor", withProperties: ["prototype"], withMethods: ["assign", "fromEntries", "getOwnPropertyDescriptor", "getOwnPropertyDescriptors", "getOwnPropertyNames", "getOwnPropertySymbols", "is", "preventExtensions", "seal", "create", "defineProperties", "defineProperty", "freeze", "getPrototypeOf", "setPrototypeOf", "isExtensible", "isFrozen", "isSealed", "keys", "entries", "values"])
 
     /// Type of the JavaScript Array constructor builtin.
     static let jsArrayConstructor = .functionAndConstructor([.integer] => .jsArray) + .object(ofGroup: "ArrayConstructor", withProperties: ["prototype"], withMethods: ["from", "of", "isArray"])

Sources/Fuzzilli/Core/ProgramBuilder.swift

@@ -477,12 +477,22 @@ public class ProgramBuilder {
         }
 
         if let group = type.group {
-            // We check this during Environment initialization, but let's keep this just in case.
-            assert(fuzzer.environment.type(ofBuiltin: group) != .unknown, "We don't know how to construct \(group)")
-            let constructionSignature = fuzzer.environment.type(ofBuiltin: group).constructorSignature!
-            let arguments = generateCallArguments(for: constructionSignature)
+            // Objects with predefined groups must be constructable through a Builtin exposed by the Environment.
+            // Normally, that builtin is a .constructor(), but we also allow just a .function() for constructing object.
+            // This is for example necessary for JavaScript Symbols, as the Symbol builtin is not a constructor.
+            let constructorType = fuzzer.environment.type(ofBuiltin: group)
+            assert(constructorType.Is(.function() | .constructor()), "We don't know how to construct \(group)")
+            assert(constructorType.signature != nil, "We don't know how to construct \(group) (missing signature for constructor)")
+            assert(constructorType.signature!.outputType.group == group, "We don't know how to construct \(group) (invalid signature for constructor)")
+            
+            let constructorSignature = constructorType.signature!
+            let arguments = generateCallArguments(for: constructorSignature)
             let constructor = loadBuiltin(group)
-            obj = construct(constructor, withArgs: arguments)
+            if !constructorType.Is(.constructor()) {
+                obj = callFunction(constructor, withArgs: arguments)
+            } else {
+                obj = construct(constructor, withArgs: arguments)
+            }
         } else {
             // Either generate a literal or use the store property stuff.
             if probability(0.8) { // Do the literal