Implement LoadThis and LoadArguments operations (googleprojectzero#262)

amarekano · web-flow · commit 60b68c51af8a · 2021-09-10T17:07:13.000+02:00
diff --git a/Sources/Fuzzilli/Core/CodeGenerators.swift b/Sources/Fuzzilli/Core/CodeGenerators.swift
@@ -50,6 +50,15 @@ public let CodeGenerators: [CodeGenerator] = [
         b.loadNull()
     },
 
+    CodeGenerator("ThisGenerator") { b in
+        b.loadThis()
+    },
+
+    CodeGenerator("ArgumentsGenerator", inContext: .function) { b in
+        assert(b.context.contains(.function))
+        b.loadArguments()
+    },
+
     CodeGenerator("ObjectGenerator") { b in
         var initialProperties = [String: Variable]()
         for _ in 0..<Int.random(in: 0...10) {
diff --git a/Sources/Fuzzilli/Core/JavaScriptEnvironment.swift b/Sources/Fuzzilli/Core/JavaScriptEnvironment.swift
@@ -169,10 +169,6 @@ public class JavaScriptEnvironment: ComponentBase, Environment {
         registerBuiltin("NaN", ofType: .jsNaN)
         registerBuiltin("Infinity", ofType: .jsInfinity)
 
-        // Register pseudo builtins
-        registerBuiltin("this", ofType: .object())
-        registerBuiltin("arguments", ofType: .object())
-
         for (builtin, type) in additionalBuiltins {
             registerBuiltin(builtin, ofType: type)
         }
diff --git a/Sources/Fuzzilli/Core/ProgramBuilder.swift b/Sources/Fuzzilli/Core/ProgramBuilder.swift
@@ -1009,6 +1009,16 @@ public class ProgramBuilder {
         return perform(LoadNull()).output
     }
 
+    @discardableResult
+    public func loadThis() -> Variable {
+        return perform(LoadThis()).output
+    }
+
+    @discardableResult
+    public func loadArguments() -> Variable {
+        return perform(LoadArguments()).output
+    }
+
     @discardableResult
     public func loadRegExp(_ value: String, _ flags: RegExpFlags) -> Variable {
         return perform(LoadRegExp(value: value, flags: flags)).output
diff --git a/Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift b/Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift
@@ -319,6 +319,12 @@ public struct AbstractInterpreter {
         case is LoadNull:
             set(instr.output, .undefined)
 
+        case is LoadThis:
+            set(instr.output, .object())
+
+        case is LoadArguments:
+            set(instr.output, .iterable)
+
         case is LoadRegExp:
             set(instr.output, environment.regExpType)
 
diff --git a/Sources/Fuzzilli/FuzzIL/Instruction.swift b/Sources/Fuzzilli/FuzzIL/Instruction.swift
@@ -280,6 +280,10 @@ extension Instruction: ProtobufConvertible {
                 $0.loadUndefined = Fuzzilli_Protobuf_LoadUndefined()
             case is LoadNull:
                 $0.loadNull = Fuzzilli_Protobuf_LoadNull()
+            case is LoadThis:
+                $0.loadThis = Fuzzilli_Protobuf_LoadThis()
+            case is LoadArguments:
+                $0.loadArguments = Fuzzilli_Protobuf_LoadArguments()
             case let op as LoadRegExp:
                 $0.loadRegExp = Fuzzilli_Protobuf_LoadRegExp.with { $0.value = op.value; $0.flags = op.flags.rawValue }
             case let op as CreateObject:
@@ -514,6 +518,10 @@ extension Instruction: ProtobufConvertible {
             op = LoadUndefined()
         case .loadNull(_):
             op = LoadNull()
+        case .loadThis(_):
+            op = LoadThis()
+        case .loadArguments(_):
+            op = LoadArguments()
         case .loadRegExp(let p):
             op = LoadRegExp(value: p.value, flags: RegExpFlags(rawValue: p.flags))
         case .createObject(let p):
diff --git a/Sources/Fuzzilli/FuzzIL/Operations.swift b/Sources/Fuzzilli/FuzzIL/Operations.swift
@@ -137,6 +137,18 @@ class LoadNull: Operation {
     }
 }
 
+class LoadThis: Operation {
+    init() {
+        super.init(numInputs: 0, numOutputs: 1, attributes: [.isPure])
+    }
+}
+
+class LoadArguments: Operation {
+    init() {
+        super.init(numInputs: 0, numOutputs: 1, attributes: [.isPure])
+    }
+}
+
 public struct RegExpFlags: OptionSet, Hashable {
     public let rawValue: UInt32
 
diff --git a/Sources/Fuzzilli/FuzzIL/Semantics.swift b/Sources/Fuzzilli/FuzzIL/Semantics.swift
@@ -111,6 +111,10 @@ extension Instruction {
             canFold = true
         case (is LoadNull, is LoadNull):
             canFold = true
+        case (is LoadThis, is LoadThis):
+            canFold = false
+        case (is LoadArguments, is LoadArguments):
+            canFold = false
         case (let op1 as LoadRegExp, let op2 as LoadRegExp):
             canFold = op1.value  == op2.value && op1.flags == op2.flags
         case (let op1 as LoadBuiltin, let op2 as LoadBuiltin):
diff --git a/Sources/Fuzzilli/Lifting/FuzzILLifter.swift b/Sources/Fuzzilli/Lifting/FuzzILLifter.swift
@@ -49,6 +49,12 @@ public class FuzzILLifter: Lifter {
         case is LoadNull:
             w.emit("\(instr.output) <- LoadNull")
 
+        case is LoadThis:
+            w.emit("\(instr.output) <- LoadThis")
+
+        case is LoadArguments:
+            w.emit("\(instr.output) <- LoadArguments")
+
         case let op as CreateObject:
             var properties = [String]()
             for (index, propertyName) in op.propertyNames.enumerated() {
diff --git a/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift b/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -182,6 +182,12 @@ public class JavaScriptLifter: Lifter {
             case is LoadNull:
                 output = Literal.new("null")
 
+            case is LoadThis:
+                output = Literal.new("this")
+
+            case is LoadArguments:
+                output = Literal.new("arguments")
+
             case let op as CreateObject:
                 var properties = [String]()
                 for (index, propertyName) in op.propertyNames.enumerated() {
diff --git a/Sources/Fuzzilli/Protobuf/operations.pb.swift b/Sources/Fuzzilli/Protobuf/operations.pb.swift
@@ -330,6 +330,26 @@ public struct Fuzzilli_Protobuf_LoadNull {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_LoadThis {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
+public struct Fuzzilli_Protobuf_LoadArguments {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 public struct Fuzzilli_Protobuf_LoadRegExp {
   // SwiftProtobuf.Message conformance is added in an extension below. See the
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
@@ -1593,6 +1613,44 @@ extension Fuzzilli_Protobuf_LoadNull: SwiftProtobuf.Message, SwiftProtobuf._Mess
   }
 }
 
+extension Fuzzilli_Protobuf_LoadThis: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".LoadThis"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let _ = try decoder.nextFieldNumber() {
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_LoadThis, rhs: Fuzzilli_Protobuf_LoadThis) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
+extension Fuzzilli_Protobuf_LoadArguments: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".LoadArguments"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let _ = try decoder.nextFieldNumber() {
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_LoadArguments, rhs: Fuzzilli_Protobuf_LoadArguments) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
 extension Fuzzilli_Protobuf_LoadRegExp: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".LoadRegExp"
   public static let _protobuf_nameMap: SwiftProtobuf._NameMap = [
diff --git a/Sources/Fuzzilli/Protobuf/operations.proto b/Sources/Fuzzilli/Protobuf/operations.proto
@@ -43,6 +43,12 @@ message LoadUndefined {
 message LoadNull {
 }
 
+message LoadThis {
+}
+
+message LoadArguments {
+}
+
 message LoadRegExp {
     string value = 1;
     uint32 flags = 2;
diff --git a/Sources/Fuzzilli/Protobuf/program.pb.swift b/Sources/Fuzzilli/Protobuf/program.pb.swift
@@ -129,6 +129,9 @@ public struct Fuzzilli_Protobuf_Instruction {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
+  /// The operation is either encoded as an index, referring to the nth operation
+  /// (so that shared operations are also only present once in the protobuf), or
+  /// as one of the many concrete Operation messages.
   public var inouts: [UInt32] = []
 
   public var operation: Fuzzilli_Protobuf_Instruction.OneOf_Operation? = nil
@@ -198,6 +201,22 @@ public struct Fuzzilli_Protobuf_Instruction {
     set {operation = .loadNull(newValue)}
   }
 
+  public var loadThis: Fuzzilli_Protobuf_LoadThis {
+    get {
+      if case .loadThis(let v)? = operation {return v}
+      return Fuzzilli_Protobuf_LoadThis()
+    }
+    set {operation = .loadThis(newValue)}
+  }
+
+  public var loadArguments: Fuzzilli_Protobuf_LoadArguments {
+    get {
+      if case .loadArguments(let v)? = operation {return v}
+      return Fuzzilli_Protobuf_LoadArguments()
+    }
+    set {operation = .loadArguments(newValue)}
+  }
+
   public var loadRegExp: Fuzzilli_Protobuf_LoadRegExp {
     get {
       if case .loadRegExp(let v)? = operation {return v}
@@ -898,6 +917,8 @@ public struct Fuzzilli_Protobuf_Instruction {
     case loadBoolean(Fuzzilli_Protobuf_LoadBoolean)
     case loadUndefined(Fuzzilli_Protobuf_LoadUndefined)
     case loadNull(Fuzzilli_Protobuf_LoadNull)
+    case loadThis(Fuzzilli_Protobuf_LoadThis)
+    case loadArguments(Fuzzilli_Protobuf_LoadArguments)
     case loadRegExp(Fuzzilli_Protobuf_LoadRegExp)
     case createObject(Fuzzilli_Protobuf_CreateObject)
     case createArray(Fuzzilli_Protobuf_CreateArray)
@@ -1023,6 +1044,14 @@ public struct Fuzzilli_Protobuf_Instruction {
         guard case .loadNull(let l) = lhs, case .loadNull(let r) = rhs else { preconditionFailure() }
         return l == r
       }()
+      case (.loadThis, .loadThis): return {
+        guard case .loadThis(let l) = lhs, case .loadThis(let r) = rhs else { preconditionFailure() }
+        return l == r
+      }()
+      case (.loadArguments, .loadArguments): return {
+        guard case .loadArguments(let l) = lhs, case .loadArguments(let r) = rhs else { preconditionFailure() }
+        return l == r
+      }()
       case (.loadRegExp, .loadRegExp): return {
         guard case .loadRegExp(let l) = lhs, case .loadRegExp(let r) = rhs else { preconditionFailure() }
         return l == r
@@ -1489,6 +1518,8 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
     8: .same(proto: "loadBoolean"),
     9: .same(proto: "loadUndefined"),
     10: .same(proto: "loadNull"),
+    65: .same(proto: "loadThis"),
+    66: .same(proto: "loadArguments"),
     77: .same(proto: "loadRegExp"),
     11: .same(proto: "createObject"),
     12: .same(proto: "createArray"),
@@ -2372,6 +2403,32 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
           self.operation = .nop(v)
         }
       }()
+      case 65: try {
+        var v: Fuzzilli_Protobuf_LoadThis?
+        var hadOneofValue = false
+        if let current = self.operation {
+          hadOneofValue = true
+          if case .loadThis(let m) = current {v = m}
+        }
+        try decoder.decodeSingularMessageField(value: &v)
+        if let v = v {
+          if hadOneofValue {try decoder.handleConflictingOneOf()}
+          self.operation = .loadThis(v)
+        }
+      }()
+      case 66: try {
+        var v: Fuzzilli_Protobuf_LoadArguments?
+        var hadOneofValue = false
+        if let current = self.operation {
+          hadOneofValue = true
+          if case .loadArguments(let m) = current {v = m}
+        }
+        try decoder.decodeSingularMessageField(value: &v)
+        if let v = v {
+          if hadOneofValue {try decoder.handleConflictingOneOf()}
+          self.operation = .loadArguments(v)
+        }
+      }()
       case 67: try {
         var v: Fuzzilli_Protobuf_BeginArrowFunctionDefinition?
         var hadOneofValue = false
@@ -3058,6 +3115,14 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
       guard case .nop(let v)? = self.operation else { preconditionFailure() }
       try visitor.visitSingularMessageField(value: v, fieldNumber: 64)
     }()
+    case .loadThis?: try {
+      guard case .loadThis(let v)? = self.operation else { preconditionFailure() }
+      try visitor.visitSingularMessageField(value: v, fieldNumber: 65)
+    }()
+    case .loadArguments?: try {
+      guard case .loadArguments(let v)? = self.operation else { preconditionFailure() }
+      try visitor.visitSingularMessageField(value: v, fieldNumber: 66)
+    }()
     case .beginArrowFunctionDefinition?: try {
       guard case .beginArrowFunctionDefinition(let v)? = self.operation else { preconditionFailure() }
       try visitor.visitSingularMessageField(value: v, fieldNumber: 67)
diff --git a/Sources/Fuzzilli/Protobuf/program.proto b/Sources/Fuzzilli/Protobuf/program.proto
@@ -22,8 +22,6 @@ message Instruction {
     // The operation is either encoded as an index, referring to the nth operation
     // (so that shared operations are also only present once in the protobuf), or
     // as one of the many concrete Operation messages.
-    // Note: fields 65 and 66 are reserved due to the removal of BeginStrictFunctionDefinition and EndStrictFunctionDefinition
-    reserved 65, 66;
     repeated uint32 inouts = 1;
     oneof operation {
         uint32 opIdx = 2;
@@ -35,6 +33,8 @@ message Instruction {
         LoadBoolean loadBoolean = 8;
         LoadUndefined loadUndefined = 9;
         LoadNull loadNull = 10;
+        LoadThis loadThis = 65;
+        LoadArguments loadArguments = 66;
         LoadRegExp loadRegExp = 77;
         CreateObject createObject = 11;
         CreateArray createArray = 12;
diff --git a/Sources/FuzzilliCli/CodeGeneratorWeights.swift b/Sources/FuzzilliCli/CodeGeneratorWeights.swift
@@ -25,6 +25,8 @@ let codeGeneratorWeights = [
     "BooleanGenerator":                      1,
     "UndefinedGenerator":                    1,
     "NullGenerator":                         1,
+    "ThisGenerator":                         1,
+    "ArgumentsGenerator":                    1,
     "BuiltinGenerator":                      5,
     "ObjectGenerator":                       10,
     "ArrayGenerator":                        10,
