support generation of array with holes (googleprojectzero#197)

amarekano · web-flow · commit 2bd387dc907c · 2021-05-31T09:10:38.000+02:00
diff --git a/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift b/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -187,7 +187,8 @@ public class JavaScriptLifter: Lifter {
                 output = ObjectLiteral.new("{" + properties.joined(separator: ",") + "}")
 
             case is CreateArray:
-                let elems = instr.inputs.map({ expr(for: $0).text }).joined(separator: ",")
+                // When creating arrays, treat undefined elements as holes. This also relies on literals always being inlined.
+                let elems = instr.inputs.map({ let text = expr(for: $0).text; return text == "undefined" ? "" : text }).joined(separator: ",")
                 output = ArrayLiteral.new("[" + elems + "]")
 
             case let op as CreateObjectWithSpread:
diff --git a/Tests/FuzzilliTests/LifterTest.swift b/Tests/FuzzilliTests/LifterTest.swift
@@ -363,6 +363,36 @@ class LifterTests: XCTestCase {
 
         XCTAssertEqual(lifted_program,expected_program)
     }
+
+    func testHoleyArrayLifting(){
+        let fuzzer = makeMockFuzzer()
+        let b = fuzzer.makeBuilder()
+
+        var initialValues = [Variable]()
+        initialValues.append(b.loadInt(1))
+        initialValues.append(b.loadInt(2))
+        initialValues.append(b.loadUndefined())
+        initialValues.append(b.loadInt(4))
+        initialValues.append(b.loadUndefined())
+        initialValues.append(b.loadInt(6))
+        let v = b.loadString("foobar")
+        b.reassign(v, to: b.loadUndefined())
+        initialValues.append(v)
+        b.createArray(with: initialValues)
+
+        let program = b.finalize()
+
+        let lifted_program = fuzzer.lifter.lift(program)
+
+        let expected_program = """
+        let v6 = "foobar";
+        v6 = undefined;
+        const v8 = [1,2,,4,,6,v6];
+
+        """
+
+        XCTAssertEqual(lifted_program,expected_program)
+    }
 }
 
 extension LifterTests {
@@ -376,6 +406,7 @@ extension LifterTests {
             ("testDoWhileLifting", testDoWhileLifting),
             ("testBlockStatements", testBlockStatements),
             ("testAsyncGeneratorLifting", testAsyncGeneratorLifting),
+            ("testHoleyArray", testHoleyArrayLifting),
         ]
     }
 }
diff --git a/Tests/FuzzilliTests/XCTestManifests.swift b/Tests/FuzzilliTests/XCTestManifests.swift
@@ -59,6 +59,7 @@ extension LifterTests {
         ("testFuzzILLifter", testFuzzILLifter),
         ("testLiftingOptions", testLiftingOptions),
         ("testNestedCodeStrings", testNestedCodeStrings),
+        ("testHoleyArray", testHoleyArrayLifting),
     ]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,7 @@ extension LifterTests {`
`59`	`59`	`("testFuzzILLifter", testFuzzILLifter),`
`60`	`60`	`("testLiftingOptions", testLiftingOptions),`
`61`	`61`	`("testNestedCodeStrings", testNestedCodeStrings),`
	`62`	`+ ("testHoleyArray", testHoleyArrayLifting),`
`62`	`63`	`]`
`63`	`64`	`}`
`64`	`65`