Add support for conditional operator (googleprojectzero#205)

Author: amarekano

Sources/Fuzzilli/Core/CodeGenerators.swift

@@ -321,6 +321,11 @@ public let CodeGenerators: [CodeGenerator] = [
         b.compare(lhs, rhs, with: chooseUniform(from: allComparators))
     },
 
+    CodeGenerator("ConditionalOperationGenerator", inputs: (.anything, .anything)) { b, lhs, rhs in
+        let condition = b.compare(lhs, rhs, with: chooseUniform(from: allComparators))
+        b.conditional(condition, lhs, rhs)
+    },
+
     CodeGenerator("ClassGenerator") { b in
         // Possibly pick a superclass
         var superclass: Variable? = nil

Sources/Fuzzilli/Core/ProgramBuilder.swift

@@ -1115,6 +1115,11 @@ public class ProgramBuilder {
         return perform(Compare(comparator), withInputs: [lhs, rhs]).output
     }
 
+    @discardableResult
+    public func conditional(_ condition: Variable, _ lhs: Variable, _ rhs: Variable) -> Variable {
+        return perform(ConditionalOperation(), withInputs: [condition, lhs, rhs]).output
+    }
+
     public func eval(_ string: String, with arguments: [Variable] = []) {
         perform(Eval(string, numArguments: arguments.count), withInputs: arguments)
     }

Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift

@@ -349,6 +349,10 @@ public struct AbstractInterpreter {
              is CallComputedMethod:
             set(instr.output, .unknown)
 
+        case is ConditionalOperation:
+            let outputType = state.type(of: instr.input(1)) | state.type(of: instr.input(2))
+            set(instr.output, outputType)
+
         case is CallFunction,
              is CallFunctionWithSpread:
             set(instr.output, inferCallResultType(of: instr.input(0)))

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -387,6 +387,8 @@ extension Instruction: ProtobufConvertible {
                 $0.reassign = Fuzzilli_Protobuf_Reassign()
             case let op as Compare:
                 $0.compare = Fuzzilli_Protobuf_Compare.with { $0.op = convertEnum(op.op, allComparators) }
+            case is ConditionalOperation:
+                $0.conditionalOperation = Fuzzilli_Protobuf_ConditionalOperation()
             case let op as Eval:
                 $0.eval = Fuzzilli_Protobuf_Eval.with { $0.code = op.code }
             case let op as BeginClassDefinition:
@@ -613,6 +615,8 @@ extension Instruction: ProtobufConvertible {
             op = Reassign()
         case .compare(let p):
             op = Compare(try convertEnum(p.op, allComparators))
+        case .conditionalOperation(_):
+            op = ConditionalOperation()
         case .eval(let p):
             op = Eval(p.code, numArguments: inouts.count)
         case .beginClassDefinition(let p):

Sources/Fuzzilli/FuzzIL/Operations.swift

@@ -572,6 +572,13 @@ class Compare: Operation {
     }
 }
 
+/// Allows generation of conditional (i.e. condition ? exprIfTrue : exprIfFalse) statements
+class ConditionalOperation: Operation {
+    init() {
+        super.init(numInputs: 3, numOutputs: 1)
+    }
+}
+
 /// An operation that will be lifted to a given string. The string can use %@ placeholders which
 /// will be replaced by the input variables during lowering. Eval operations will also never be mutated.
 class Eval: Operation {

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -188,6 +188,9 @@ public class FuzzILLifter: Lifter {
         case let op as Compare:
             w.emit("\(instr.output) <- Compare \(input(0)), '\(op.op.token)', \(input(1))")
 
+        case let op as ConditionalOperation:
+            w.emit("\(instr.output) <- \(input(0)), \(input(1)), \(input(2))")
+
         case let op as Eval:
             let args = instr.inputs.map({ $0.identifier }).joined(separator: ", ")
             w.emit("Eval '\(op.code)', [\(args)]")

Sources/Fuzzilli/Lifting/JSExpressions.swift

@@ -25,6 +25,7 @@ public let ArrayLiteral         = ExpressionType(precedence: 17,
 public let PostfixExpression    = ExpressionType(precedence: 16,                        inline: .singleUseOnly)
 public let UnaryExpression      = ExpressionType(precedence: 15, associativity: .right, inline: .singleUseOnly)
 public let BinaryExpression     = ExpressionType(precedence: 14, associativity: .none,  inline: .singleUseOnly)
+public let TernaryExpression    = ExpressionType(precedence: 4,  associativity: .none,  inline: .singleUseOnly)
 public let AssignmentExpression = ExpressionType(precedence: 3,                         inline: .never)
 public let ListExpression       = ExpressionType(precedence: 1,  associativity: .left,  inline: .never)
 

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -358,6 +358,9 @@ public class JavaScriptLifter: Lifter {
             case let op as Compare:
                 output = BinaryExpression.new() <> input(0) <> " " <> op.op.token <> " " <> input(1)
 
+            case is ConditionalOperation:
+                output = TernaryExpression.new() <> input(0) <> " ? " <> input(1) <> " : " <> input(2)
+
             case let op as Eval:
                 // Woraround until Strings implement the CVarArg protocol in the linux Foundation library...
                 // TODO can make this permanent, but then use different placeholder pattern

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -901,6 +901,16 @@ public struct Fuzzilli_Protobuf_Compare {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_ConditionalOperation {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 public struct Fuzzilli_Protobuf_Eval {
   // SwiftProtobuf.Message conformance is added in an extension below. See the
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
@@ -2729,6 +2739,25 @@ extension Fuzzilli_Protobuf_Compare: SwiftProtobuf.Message, SwiftProtobuf._Messa
   }
 }
 
+extension Fuzzilli_Protobuf_ConditionalOperation: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".ConditionalOperation"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let _ = try decoder.nextFieldNumber() {
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_ConditionalOperation, rhs: Fuzzilli_Protobuf_ConditionalOperation) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
 extension Fuzzilli_Protobuf_Eval: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".Eval"
   public static let _protobuf_nameMap: SwiftProtobuf._NameMap = [

Sources/Fuzzilli/Protobuf/operations.proto

@@ -244,6 +244,9 @@ message Compare {
     Comparator op = 1;
 }
 
+message ConditionalOperation {
+}
+
 message Eval {
     string code = 1;
 }