Add Array.prototype.at to JS environment model

Samuel Groß · Samuel Groß · commit ff8f8c90da5e · 2022-10-27T16:03:19.000+02:00
Drive-by: make an assertion in PostProcessor.swift more specific
diff --git a/Sources/Fuzzilli/Core/JavaScriptEnvironment.swift b/Sources/Fuzzilli/Core/JavaScriptEnvironment.swift
@@ -314,7 +314,7 @@ public extension JSType {
     static let jsPlainObject = JSType.object(ofGroup: "Object", withProperties: ["__proto__"])
 
     /// Type of a JavaScript array.
-    static let jsArray = JSType.iterable + JSType.object(ofGroup: "Array", withProperties: ["__proto__", "length", "constructor"], withMethods: ["concat", "copyWithin", "fill", "find", "findIndex", "pop", "push", "reverse", "shift", "unshift", "slice", "sort", "splice", "includes", "indexOf", "keys", "entries", "forEach", "filter", "map", "every", "some", "reduce", "reduceRight", "toString", "toLocaleString", "join", "lastIndexOf", "values", "flat", "flatMap"])
+    static let jsArray = JSType.iterable + JSType.object(ofGroup: "Array", withProperties: ["__proto__", "length", "constructor"], withMethods: ["at", "concat", "copyWithin", "fill", "find", "findIndex", "pop", "push", "reverse", "shift", "unshift", "slice", "sort", "splice", "includes", "indexOf", "keys", "entries", "forEach", "filter", "map", "every", "some", "reduce", "reduceRight", "toString", "toLocaleString", "join", "lastIndexOf", "values", "flat", "flatMap"])
 
     /// Type of a JavaScript Map object.
     static let jsMap = JSType.iterable + JSType.object(ofGroup: "Map", withProperties: ["__proto__", "size"], withMethods: ["clear", "delete", "entries", "forEach", "get", "has", "keys", "set", "values"])
@@ -579,6 +579,7 @@ public extension ObjectGroup {
             "constructor" : .jsFunction([.integer] => .jsArray),
         ],
         methods: [
+            "at"             : [.integer] => .unknown,
             "copyWithin"     : [.integer, .integer, .opt(.integer)] => .jsArray,
             "entries"        : [] => .jsArray,
             "every"          : [.function(), .opt(.object())] => .boolean,
diff --git a/Sources/Fuzzilli/Minimization/PostProcessor.swift b/Sources/Fuzzilli/Minimization/PostProcessor.swift
@@ -84,7 +84,7 @@ struct MinimizationPostProcessor {
         for change in changes {
             // Either we're adding a new instruction (in which case we're replacing a nop inserted in step 1), or changing the number of inputs of an existing instruction.
             assert((code[change.index].op is Nop && !(change.newInstruction.op is Nop)) ||
-                   (code[change.index].op.name == change.newInstruction.op.name && code[change.index].numInputs != change.newInstruction.numInputs))
+                   (code[change.index].op.name == change.newInstruction.op.name && code[change.index].numInputs < change.newInstruction.numInputs))
             helper.tryReplacing(instructionAt: change.index, with: change.newInstruction, in: &code)
         }
 

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ struct MinimizationPostProcessor {`
`84`	`84`	`for change in changes {`
`85`	`85`	`// Either we're adding a new instruction (in which case we're replacing a nop inserted in step 1), or changing the number of inputs of an existing instruction.`
`86`	`86`	`assert((code[change.index].op is Nop && !(change.newInstruction.op is Nop)) \|\|`
`87`		`- (code[change.index].op.name == change.newInstruction.op.name && code[change.index].numInputs != change.newInstruction.numInputs))`
	`87`	`+ (code[change.index].op.name == change.newInstruction.op.name && code[change.index].numInputs < change.newInstruction.numInputs))`
`88`	`88`	`helper.tryReplacing(instructionAt: change.index, with: change.newInstruction, in: &code)`
`89`	`89`	`}`
`90`	`90`