Implement Named Variables

This commit adds three new FuzzIL operations:

v3 <- LoadNamedVariable 'foo'
StoreNamedVariable 'bar' <- v1
DefineNamedVariable 'baz' <- v2

These are lifted, respectively, to:

const v3 = foo;
bar = v1;
var baz = v2;

This now makes a few things possible:

- The use of the 'var' keyword
- Triggerring variable hoisting (if a LoadNamedVariable happens before a
  DefineNamedVariable)
- Use of global variables (if a named variable is loaded/stored but
  never defined)
- Access to object properties inside a `with` statement (this previously
  required LoadFromScope/StoreToScope, which are now gone)

Author: Samuel Groß

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -1995,6 +1995,11 @@ public class ProgramBuilder {
         return emit(BinaryOperation(op), withInputs: [lhs, rhs]).output
     }
 
+    @discardableResult
+    public func ternary(_ condition: Variable, _ lhs: Variable, _ rhs: Variable) -> Variable {
+        return emit(TernaryOperation(), withInputs: [condition, lhs, rhs]).output
+    }
+
     public func reassign(_ output: Variable, to input: Variable, with op: BinaryOperator) {
         emit(Update(op), withInputs: [output, input])
     }
@@ -2034,8 +2039,16 @@ public class ProgramBuilder {
     }
 
     @discardableResult
-    public func ternary(_ condition: Variable, _ lhs: Variable, _ rhs: Variable) -> Variable {
-        return emit(TernaryOperation(), withInputs: [condition, lhs, rhs]).output
+    public func loadNamedVariable(_ name: String) -> Variable {
+        return emit(LoadNamedVariable(name)).output
+    }
+
+    public func storeNamedVariable(_ name: String, _ value: Variable) {
+        emit(StoreNamedVariable(name), withInputs: [value])
+    }
+
+    public func defineNamedVariable(_ name: String, _ value: Variable) {
+        emit(DefineNamedVariable(name), withInputs: [value])
     }
 
     public func eval(_ string: String, with arguments: [Variable] = []) {
@@ -2048,15 +2061,6 @@ public class ProgramBuilder {
         emit(EndWith())
     }
 
-    @discardableResult
-    public func loadFromScope(id: String) -> Variable {
-        return emit(LoadFromScope(id: id)).output
-    }
-
-    public func storeToScope(_ value: Variable, as id: String) {
-        emit(StoreToScope(id: id), withInputs: [value])
-    }
-
     public func nop(numOutputs: Int = 0) {
         emit(Nop(numOutputs: numOutputs), withInputs: [])
     }

Sources/Fuzzilli/CodeGen/CodeGenerators.swift

@@ -1368,25 +1368,32 @@ public let CodeGenerators: [CodeGenerator] = [
         b.buildWith(obj) {
             withProbability(0.5, do: { () -> Void in
                 let propertyName = b.type(of: obj).randomProperty() ?? b.randomCustomPropertyName()
-                b.loadFromScope(id: propertyName)
+                b.loadNamedVariable(propertyName)
             }, else: { () -> Void in
                 let propertyName = b.type(of: obj).randomProperty() ?? b.randomCustomPropertyName()
                 let value = b.randomVariable()
-                b.storeToScope(value, as: propertyName)
+                b.storeNamedVariable(propertyName, value)
             })
             b.buildRecursive()
         }
     },
 
-    CodeGenerator("LoadFromScopeGenerator", inContext: .with) { b in
-        assert(b.context.contains(.with))
-        b.loadFromScope(id: b.randomPropertyName())
+    CodeGenerator("NamedVariableLoadGenerator") { b in
+        // We're using the custom property names set from the environment for named variables.
+        // It's not clear if there's something better since that set should be relatively small
+        // (increasing the probability that named variables will be reused), and it also makes
+        // sense to use property names if we're inside a `with` statement.
+        b.loadNamedVariable(b.randomCustomPropertyName())
     },
 
-    CodeGenerator("StoreToScopeGenerator", inContext: .with) { b in
-        assert(b.context.contains(.with))
+    CodeGenerator("NamedVariableStoreGenerator") { b in
         let value = b.randomVariable()
-        b.storeToScope(value, as: b.randomPropertyName())
+        b.storeNamedVariable(b.randomCustomPropertyName(), value)
+    },
+
+    CodeGenerator("NamedVariableDefinitionGenerator") { b in
+        let value = b.randomVariable()
+        b.defineNamedVariable(b.randomCustomPropertyName(), value)
     },
 
     RecursiveCodeGenerator("EvalGenerator") { b in

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -632,6 +632,12 @@ extension Instruction: ProtobufConvertible {
                 }
             case .compare(let op):
                 $0.compare = Fuzzilli_Protobuf_Compare.with { $0.op = convertEnum(op.op, Comparator.allCases) }
+            case .loadNamedVariable(let op):
+                $0.loadNamedVariable = Fuzzilli_Protobuf_LoadNamedVariable.with { $0.variableName = op.variableName }
+            case .storeNamedVariable(let op):
+                $0.storeNamedVariable = Fuzzilli_Protobuf_StoreNamedVariable.with { $0.variableName = op.variableName }
+            case .defineNamedVariable(let op):
+                $0.defineNamedVariable = Fuzzilli_Protobuf_DefineNamedVariable.with { $0.variableName = op.variableName }
             case .eval(let op):
                 $0.eval = Fuzzilli_Protobuf_Eval.with { $0.code = op.code }
             case .callSuperConstructor:
@@ -666,10 +672,6 @@ extension Instruction: ProtobufConvertible {
                 $0.beginWith = Fuzzilli_Protobuf_BeginWith()
             case .endWith:
                 $0.endWith = Fuzzilli_Protobuf_EndWith()
-            case .loadFromScope(let op):
-                $0.loadFromScope = Fuzzilli_Protobuf_LoadFromScope.with { $0.id = op.id }
-            case .storeToScope(let op):
-                $0.storeToScope = Fuzzilli_Protobuf_StoreToScope.with { $0.id = op.id }
             case .beginIf(let op):
                 $0.beginIf = Fuzzilli_Protobuf_BeginIf.with {
                     $0.inverted = op.inverted
@@ -1033,6 +1035,12 @@ extension Instruction: ProtobufConvertible {
             op = DestructObjectAndReassign(properties: p.properties, hasRestElement: p.hasRestElement_p)
         case .compare(let p):
             op = Compare(try convertEnum(p.op, Comparator.allCases))
+        case .loadNamedVariable(let p):
+            op = LoadNamedVariable(p.variableName)
+        case .storeNamedVariable(let p):
+            op = StoreNamedVariable(p.variableName)
+        case .defineNamedVariable(let p):
+            op = DefineNamedVariable(p.variableName)
         case .eval(let p):
             op = Eval(p.code, numArguments: inouts.count)
         case .callSuperConstructor:
@@ -1061,10 +1069,6 @@ extension Instruction: ProtobufConvertible {
             op = BeginWith()
         case .endWith:
             op = EndWith()
-        case .loadFromScope(let p):
-            op = LoadFromScope(id: p.id)
-        case .storeToScope(let p):
-            op = StoreToScope(id: p.id)
         case .beginIf(let p):
             op = BeginIf(inverted: p.inverted)
         case .beginElse:

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -675,7 +675,8 @@ public struct JSTyper: Analyzer {
         case .compare:
             set(instr.output, .boolean)
 
-        case .loadFromScope:
+        case .loadNamedVariable:
+            // We don't currently track these.
             set(instr.output, .unknown)
 
         case .await:

Sources/Fuzzilli/FuzzIL/JsOperations.swift

@@ -1428,6 +1428,48 @@ final class Compare: JsOperation {
     }
 }
 
+// Named Variables.
+//
+// Named variables are used to cover global and `var` variables in JavaScript
+// as well as to support variable hoisting.
+//
+// When a named variable is defined, it becomes a `var` variable in JavaScript.
+// However, it is allowed to access (load/store) a named variable without
+// defining it first, in which case the access becomes either a global variable
+// access (if the variable isn't later defined) or a hoisted variable access.
+final class LoadNamedVariable: JsOperation {
+    override var opcode: Opcode { .loadNamedVariable(self) }
+
+    let variableName: String
+
+    init(_ name: String) {
+        self.variableName = name
+        super.init(numOutputs: 1, attributes: .isMutable)
+    }
+}
+
+final class StoreNamedVariable: JsOperation {
+    override var opcode: Opcode { .storeNamedVariable(self) }
+
+    let variableName: String
+
+    init(_ name: String) {
+        self.variableName = name
+        super.init(numInputs: 1, attributes: .isMutable)
+    }
+}
+
+final class DefineNamedVariable: JsOperation {
+    override var opcode: Opcode { .defineNamedVariable(self) }
+
+    let variableName: String
+
+    init(_ name: String) {
+        self.variableName = name
+        super.init(numInputs: 1, attributes: .isMutable)
+    }
+}
+
 /// An operation that will be lifted to a given string. The string can use %@ placeholders which
 /// will be replaced by the expressions for the input variables during lifting.
 final class Eval: JsOperation {
@@ -1457,28 +1499,6 @@ final class EndWith: JsOperation {
     }
 }
 
-final class LoadFromScope: JsOperation {
-    override var opcode: Opcode { .loadFromScope(self) }
-
-    let id: String
-
-    init(id: String) {
-        self.id = id
-        super.init(numOutputs: 1, attributes: [.isMutable], requiredContext: [.javascript, .with])
-    }
-}
-
-final class StoreToScope: JsOperation {
-    override var opcode: Opcode { .storeToScope(self) }
-
-    let id: String
-
-    init(id: String) {
-        self.id = id
-        super.init(numInputs: 1, attributes: [.isMutable], requiredContext: [.javascript, .with])
-    }
-}
-
 final class CallSuperConstructor: JsOperation {
     override var opcode: Opcode { .callSuperConstructor(self) }
 

Sources/Fuzzilli/FuzzIL/Opcodes.swift

@@ -143,11 +143,12 @@ enum Opcode {
     case destructObject(DestructObject)
     case destructObjectAndReassign(DestructObjectAndReassign)
     case compare(Compare)
+    case loadNamedVariable(LoadNamedVariable)
+    case storeNamedVariable(StoreNamedVariable)
+    case defineNamedVariable(DefineNamedVariable)
     case eval(Eval)
     case beginWith(BeginWith)
     case endWith(EndWith)
-    case loadFromScope(LoadFromScope)
-    case storeToScope(StoreToScope)
     case callSuperConstructor(CallSuperConstructor)
     case callSuperMethod(CallSuperMethod)
     case getPrivateProperty(GetPrivateProperty)

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -462,6 +462,15 @@ public class FuzzILLifter: Lifter {
         case .compare(let op):
             w.emit("\(output()) <- Compare \(input(0)), '\(op.op.token)', \(input(1))")
 
+        case .loadNamedVariable(let op):
+            w.emit("\(output()) <- LoadNamedVariable '\(op.variableName)'")
+
+        case .storeNamedVariable(let op):
+            w.emit("StoreNamedVariable '\(op.variableName)' <- \(input(0))")
+
+        case .defineNamedVariable(let op):
+            w.emit("DefineNamedVariable '\(op.variableName)' <- \(input(0))")
+
         case .eval(let op):
             let args = instr.inputs.map(lift).joined(separator: ", ")
             w.emit("Eval '\(op.code)', [\(args)]")
@@ -481,12 +490,6 @@ public class FuzzILLifter: Lifter {
             w.decreaseIndentionLevel()
             w.emit("EndWith")
 
-        case .loadFromScope(let op):
-            w.emit("\(output()) <- LoadFromScope '\(op.id)'")
-
-        case .storeToScope(let op):
-            w.emit("StoreToScope '\(op.id)', \(input(0))")
-
         case .nop:
             w.emit("Nop")
 

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -762,6 +762,19 @@ public class JavaScriptLifter: Lifter {
                 let expr = BinaryExpression.new() + lhs + " " + op.op.token + " " + rhs
                 w.assign(expr, to: instr.output)
 
+            case .loadNamedVariable(let op):
+                w.assign(Identifier.new(op.variableName), to: instr.output)
+
+            case .storeNamedVariable(let op):
+                let NAME = op.variableName
+                let VALUE = w.retrieve(expressionFor: instr.input(0))
+                w.emit("\(NAME) = \(VALUE);")
+
+            case .defineNamedVariable(let op):
+                let NAME = op.variableName
+                let VALUE = w.retrieve(expressionFor: instr.input(0))
+                w.emit("var \(NAME) = \(VALUE);")
+
             case .eval(let op):
                 // Woraround until Strings implement the CVarArg protocol in the linux Foundation library...
                 // TODO can make this permanent, but then use different placeholder pattern
@@ -794,14 +807,6 @@ public class JavaScriptLifter: Lifter {
                 w.leaveCurrentBlock()
                 w.emit("}")
 
-            case .loadFromScope(let op):
-                w.assign(Identifier.new(op.id), to: instr.output)
-
-            case .storeToScope(let op):
-                let NAME = op.id
-                let VALUE = w.retrieve(expressionFor: instr.input(0))
-                w.emit("\(NAME) = \(VALUE);")
-
             case .nop:
                 break
 

Sources/Fuzzilli/Mutators/OperationMutator.swift

@@ -198,10 +198,13 @@ public class OperationMutator: BaseInstructionMutator {
             newOp = DestructObjectAndReassign(properties: newProperties.sorted(), hasRestElement: !op.hasRestElement)
         case .compare(_):
             newOp = Compare(chooseUniform(from: Comparator.allCases))
-        case .loadFromScope(_):
-            newOp = LoadFromScope(id: b.randomPropertyName())
-        case .storeToScope(_):
-            newOp = StoreToScope(id: b.randomPropertyName())
+        case .loadNamedVariable:
+            // We just use property names as variable names here. It's not clear if there's a better alternative and this also works well with `with` statements.
+            newOp = LoadNamedVariable(b.randomPropertyName())
+        case .storeNamedVariable:
+            newOp = StoreNamedVariable(b.randomPropertyName())
+        case .defineNamedVariable:
+            newOp = DefineNamedVariable(b.randomPropertyName())
         case .callSuperMethod(let op):
             let methodName = b.currentSuperType().randomMethod() ?? b.randomMethodName()
             newOp = CallSuperMethod(methodName: methodName, numArguments: op.numArguments)