Added support for async arrow functions (googleprojectzero#96)

Author: amarekano

Sources/Fuzzilli/Core/CodeGenerators.swift

@@ -140,6 +140,14 @@ public let CodeGenerators: [CodeGenerator] = [
         }
     },
 
+    CodeGenerator("AsyncArrowFunctionGenerator") { b in
+        b.defineAsyncArrowFunction(withSignature: FunctionSignature(withParameterCount: Int.random(in: 2...5), hasRestParam: probability(0.1))) { _ in
+            b.generateRecursive()
+            b.await(value: b.randVar())
+            b.doReturn(value: b.randVar())
+        }
+    },
+
     CodeGenerator("PropertyRetrievalGenerator", input: .object()) { b, obj in
         let propertyName = b.type(of: obj).randomProperty() ?? b.genPropertyNameForRead()
         b.loadProperty(propertyName, of: obj)

Sources/Fuzzilli/Core/ProgramBuilder.swift

@@ -706,6 +706,14 @@ public class ProgramBuilder {
         perform(EndAsyncFunctionDefinition())
         return instruction.output
     }
+
+    @discardableResult
+    public func defineAsyncArrowFunction(withSignature signature: FunctionSignature, _ body: ([Variable]) -> ()) -> Variable {
+        let instruction = perform(BeginAsyncArrowFunctionDefinition(signature: signature))
+        body(Array(instruction.innerOutputs))
+        perform(EndAsyncArrowFunctionDefinition())
+        return instruction.output
+    }
 
     public func doReturn(value: Variable) {
         perform(Return(), withInputs: [value])

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -329,6 +329,10 @@ extension Instruction: ProtobufConvertible {
                 $0.beginAsyncFunctionDefinition = Fuzzilli_Protobuf_BeginAsyncFunctionDefinition.with { $0.signature = op.signature.asProtobuf() }
             case is EndAsyncFunctionDefinition:
                 $0.endAsyncFunctionDefinition = Fuzzilli_Protobuf_EndAsyncFunctionDefinition()
+            case let op as BeginAsyncArrowFunctionDefinition:
+                $0.beginAsyncArrowFunctionDefinition = Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition.with { $0.signature = op.signature.asProtobuf() }
+            case is EndAsyncArrowFunctionDefinition:
+                $0.endAsyncArrowFunctionDefinition = Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition()
             case is Return:
                 $0.return = Fuzzilli_Protobuf_Return()
             case is Yield:
@@ -516,6 +520,10 @@ extension Instruction: ProtobufConvertible {
             op = BeginAsyncFunctionDefinition(signature: try FunctionSignature(from: p.signature))
         case .endAsyncFunctionDefinition(_):
             op = EndAsyncFunctionDefinition()
+        case .beginAsyncArrowFunctionDefinition(let p):
+            op = BeginAsyncArrowFunctionDefinition(signature: try FunctionSignature(from: p.signature))
+        case .endAsyncArrowFunctionDefinition(_):
+            op = EndAsyncArrowFunctionDefinition()
         case .return(_):
             op = Return()
         case .yield(_):

Sources/Fuzzilli/FuzzIL/Operations.swift

@@ -371,6 +371,10 @@ class EndGeneratorFunctionDefinition: EndAnyFunctionDefinition {}
 class BeginAsyncFunctionDefinition: BeginAnyFunctionDefinition {}
 class EndAsyncFunctionDefinition: EndAnyFunctionDefinition {}
 
+// A ES6 async arrow function
+class BeginAsyncArrowFunctionDefinition: BeginAnyFunctionDefinition {}
+class EndAsyncArrowFunctionDefinition: EndAnyFunctionDefinition {}
+
 class Return: Operation {
     init() {
         super.init(numInputs: 1, numOutputs: 0, attributes: [.isJump])

Sources/Fuzzilli/FuzzIL/Semantics.swift

@@ -76,6 +76,8 @@ extension Operation {
             return endOp is EndGeneratorFunctionDefinition
         case is BeginAsyncFunctionDefinition:
             return endOp is EndAsyncFunctionDefinition
+        case is BeginAsyncArrowFunctionDefinition:
+            return endOp is EndAsyncArrowFunctionDefinition
         case is BeginWith:
             return endOp is EndWith
         case is BeginIf:

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -253,8 +253,13 @@ public class JavaScriptLifter: ComponentBase, Lifter {
 
             case let op as BeginAsyncFunctionDefinition:
                 liftFunctionDefinitionBegin(op, "async function")
+
+            case let op as BeginAsyncArrowFunctionDefinition:
+                let params = liftFunctionDefinitionParameters(op)
+                w.emit("\(constDecl) \(instr.output) = async (\(params)) => {")
+                w.increaseIndentionLevel()
 
-            case is EndArrowFunctionDefinition:
+            case is EndArrowFunctionDefinition, is EndAsyncArrowFunctionDefinition:
                 w.decreaseIndentionLevel()
                 w.emit("};")
 

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -673,6 +673,37 @@ public struct Fuzzilli_Protobuf_EndAsyncFunctionDefinition {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var signature: Fuzzilli_Protobuf_FunctionSignature {
+    get {return _signature ?? Fuzzilli_Protobuf_FunctionSignature()}
+    set {_signature = newValue}
+  }
+  /// Returns true if `signature` has been explicitly set.
+  public var hasSignature: Bool {return self._signature != nil}
+  /// Clears the value of `signature`. Subsequent reads from it will return its default value.
+  public mutating func clearSignature() {self._signature = nil}
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+
+  fileprivate var _signature: Fuzzilli_Protobuf_FunctionSignature? = nil
+}
+
+public struct Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 public struct Fuzzilli_Protobuf_Return {
   // SwiftProtobuf.Message conformance is added in an extension below. See the
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
@@ -2015,6 +2046,54 @@ extension Fuzzilli_Protobuf_EndAsyncFunctionDefinition: SwiftProtobuf.Message, S
   }
 }
 
+extension Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".BeginAsyncArrowFunctionDefinition"
+  public static let _protobuf_nameMap: SwiftProtobuf._NameMap = [
+    1: .same(proto: "signature"),
+  ]
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let fieldNumber = try decoder.nextFieldNumber() {
+      switch fieldNumber {
+      case 1: try decoder.decodeSingularMessageField(value: &self._signature)
+      default: break
+      }
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    if let v = self._signature {
+      try visitor.visitSingularMessageField(value: v, fieldNumber: 1)
+    }
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition, rhs: Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition) -> Bool {
+    if lhs._signature != rhs._signature {return false}
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
+extension Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".EndAsyncArrowFunctionDefinition"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let _ = try decoder.nextFieldNumber() {
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition, rhs: Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
 extension Fuzzilli_Protobuf_Return: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".Return"
   public static let _protobuf_nameMap = SwiftProtobuf._NameMap()

Sources/Fuzzilli/Protobuf/operations.proto

@@ -144,6 +144,13 @@ message BeginAsyncFunctionDefinition {
 message EndAsyncFunctionDefinition {
 }
 
+message BeginAsyncArrowFunctionDefinition {
+    FunctionSignature signature = 1;
+}
+
+message EndAsyncArrowFunctionDefinition {
+}
+
 message Return {
 }
 

Sources/Fuzzilli/Protobuf/program.pb.swift

@@ -341,6 +341,22 @@ public struct Fuzzilli_Protobuf_Instruction {
     set {_uniqueStorage()._operation = .endAsyncFunctionDefinition(newValue)}
   }
 
+  public var beginAsyncArrowFunctionDefinition: Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition {
+    get {
+      if case .beginAsyncArrowFunctionDefinition(let v)? = _storage._operation {return v}
+      return Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition()
+    }
+    set {_uniqueStorage()._operation = .beginAsyncArrowFunctionDefinition(newValue)}
+  }
+
+  public var endAsyncArrowFunctionDefinition: Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition {
+    get {
+      if case .endAsyncArrowFunctionDefinition(let v)? = _storage._operation {return v}
+      return Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition()
+    }
+    set {_uniqueStorage()._operation = .endAsyncArrowFunctionDefinition(newValue)}
+  }
+
   public var `return`: Fuzzilli_Protobuf_Return {
     get {
       if case .return(let v)? = _storage._operation {return v}
@@ -693,6 +709,8 @@ public struct Fuzzilli_Protobuf_Instruction {
     case endGeneratorFunctionDefinition(Fuzzilli_Protobuf_EndGeneratorFunctionDefinition)
     case beginAsyncFunctionDefinition(Fuzzilli_Protobuf_BeginAsyncFunctionDefinition)
     case endAsyncFunctionDefinition(Fuzzilli_Protobuf_EndAsyncFunctionDefinition)
+    case beginAsyncArrowFunctionDefinition(Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition)
+    case endAsyncArrowFunctionDefinition(Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition)
     case `return`(Fuzzilli_Protobuf_Return)
     case yield(Fuzzilli_Protobuf_Yield)
     case yieldEach(Fuzzilli_Protobuf_YieldEach)
@@ -772,6 +790,8 @@ public struct Fuzzilli_Protobuf_Instruction {
       case (.endGeneratorFunctionDefinition(let l), .endGeneratorFunctionDefinition(let r)): return l == r
       case (.beginAsyncFunctionDefinition(let l), .beginAsyncFunctionDefinition(let r)): return l == r
       case (.endAsyncFunctionDefinition(let l), .endAsyncFunctionDefinition(let r)): return l == r
+      case (.beginAsyncArrowFunctionDefinition(let l), .beginAsyncArrowFunctionDefinition(let r)): return l == r
+      case (.endAsyncArrowFunctionDefinition(let l), .endAsyncArrowFunctionDefinition(let r)): return l == r
       case (.return(let l), .return(let r)): return l == r
       case (.yield(let l), .yield(let r)): return l == r
       case (.yieldEach(let l), .yieldEach(let r)): return l == r
@@ -878,6 +898,8 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
     70: .same(proto: "endGeneratorFunctionDefinition"),
     71: .same(proto: "beginAsyncFunctionDefinition"),
     72: .same(proto: "endAsyncFunctionDefinition"),
+    79: .same(proto: "beginAsyncArrowFunctionDefinition"),
+    80: .same(proto: "endAsyncArrowFunctionDefinition"),
     29: .same(proto: "return"),
     73: .same(proto: "yield"),
     74: .same(proto: "yieldEach"),
@@ -1543,6 +1565,22 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
           }
           try decoder.decodeSingularMessageField(value: &v)
           if let v = v {_storage._operation = .comment(v)}
+        case 79:
+          var v: Fuzzilli_Protobuf_BeginAsyncArrowFunctionDefinition?
+          if let current = _storage._operation {
+            try decoder.handleConflictingOneOf()
+            if case .beginAsyncArrowFunctionDefinition(let m) = current {v = m}
+          }
+          try decoder.decodeSingularMessageField(value: &v)
+          if let v = v {_storage._operation = .beginAsyncArrowFunctionDefinition(v)}
+        case 80:
+          var v: Fuzzilli_Protobuf_EndAsyncArrowFunctionDefinition?
+          if let current = _storage._operation {
+            try decoder.handleConflictingOneOf()
+            if case .endAsyncArrowFunctionDefinition(let m) = current {v = m}
+          }
+          try decoder.decodeSingularMessageField(value: &v)
+          if let v = v {_storage._operation = .endAsyncArrowFunctionDefinition(v)}
         default: break
         }
       }
@@ -1705,6 +1743,10 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
         try visitor.visitSingularMessageField(value: v, fieldNumber: 77)
       case .comment(let v)?:
         try visitor.visitSingularMessageField(value: v, fieldNumber: 78)
+      case .beginAsyncArrowFunctionDefinition(let v)?:
+        try visitor.visitSingularMessageField(value: v, fieldNumber: 79)
+      case .endAsyncArrowFunctionDefinition(let v)?:
+        try visitor.visitSingularMessageField(value: v, fieldNumber: 80)
       case nil: break
       }
     }

Sources/Fuzzilli/Protobuf/program.proto

@@ -60,6 +60,8 @@ message Instruction {
         EndGeneratorFunctionDefinition endGeneratorFunctionDefinition = 70;
         BeginAsyncFunctionDefinition beginAsyncFunctionDefinition = 71;
         EndAsyncFunctionDefinition endAsyncFunctionDefinition = 72;
+        BeginAsyncArrowFunctionDefinition beginAsyncArrowFunctionDefinition= 79;
+        EndAsyncArrowFunctionDefinition endAsyncArrowFunctionDefinition = 80;
         Return return = 29;
         Yield yield = 73;
         YieldEach yieldEach = 74;