Added constructables function and probabilistic selection of object groups (googleprojectzero#168)

Author: carl-smith

Sources/Fuzzilli/Core/CodeTemplate.swift

@@ -72,7 +72,10 @@ public class CodeTemplate {
                 var properties: [String] = []
                 var methods: [String] = []
 
-                // TODO: add group with probability here as well?
+                var group: String? = nil
+                if probability(0.2) {
+                    group = chooseUniform(from: fuzzer.environment.constructables)
+                }
 
                 // Generate random properties.
                 // We filter the candidates to avoid cycles in our objects.
@@ -90,9 +93,8 @@ public class CodeTemplate {
                     methods.append(chooseUniform(from: fuzzer.environment.customMethodNames))
                 }
 
-                return .object(withProperties: properties, withMethods: methods)
+                return .object(ofGroup: group, withProperties: properties, withMethods: methods)
             })
-            // TODO: emit functions here as well?
     }
 
     /// Generate a random function signature.

Sources/Fuzzilli/Core/Environment.swift

@@ -72,6 +72,9 @@ public protocol Environment: Component {
     /// The type representing arrays in the target environment.
     /// Used e.g. for arrays created through a literal.
     var arrayType: Type { get }
+
+    /// Returns an array of constructable types
+    var constructables: [String] { get }
 
     /// Retuns the type representing a function with the given signature.
     func functionType(forSignature signature: FunctionSignature) -> Type