A new type system for Fuzzilli
This commit consists of three different parts:

1. A new type system (see FuzzIL/TypeSystem.swift). The goal of this type system is to be as simple as possible while still being able to express all (relevant) operations that can be performed on a JS value. As such, the type system e.g. has to be able to express that a value can be called as a function or constructed with the 'new' keyword, or that it is an object with a set of properties and methods. It also has to express that something is e.g. both an object with methods and properties and a function that can be called. Finally, it has to be able to express that a variable can be one of several types (e.g. because the variable is written to again, or because different properties are assigned in conditionally executing branches). The type system is based on union types, with a notion of "merged" types to express that a value is two or more types at the same time.

2. A static model of the JS environment (see Core/JavaScriptEnvironment.swift). This model stores the types of all (relevant) entities that are available in a default JS environment: builtin objects, constructors, functions etc. as well as property types and method signatures.

3. An abstract interpreter that can perform lightweight interpretation of FuzzIL code to compute static type information. For that purpose it interacts with the environment to obtain type information for various builtins.

This change should allow code generators to generate better code as they now have more information about e.g. available methods or properties at hand. On the other hand, the new features can be disabled by setting Configuration.useAbstractInterpretation to false and thus turning off most of the new logic of the abstract interpreter. This will leave most variable types at .unknown, thus "emulating" the old behaviour.
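As an added illustration, not code from the Fuzzilli commit or its TypeSystem.swift (every name here is hypothetical and the environment table is constructed), a toy Python model of the three parts the message describes: merged types versus union types, a static environment of builtin types and method return types, and an abstract interpreter that joins variable types at the end of conditionally executed branches.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Merged:
    """A value that is ALL of these traits at once, e.g. an object with methods AND callable."""
    traits: frozenset  # e.g. "object", "function", "constructor", "prop:length", "method:max"

@dataclass(frozen=True)
class Union:
    """A value that is ONE of several merged types (reassignment, or assignment in branches)."""
    alts: frozenset
    def join(self, other: "Union") -> "Union":      # may be either: union of the alternatives
        return Union(self.alts | other.alts)
    def merge(self, other: "Union") -> "Union":     # is both: merge every pair of alternatives
        return Union(frozenset(Merged(a.traits | b.traits) for a in self.alts for b in other.alts))
    def definitely(self, trait: str) -> bool:       # holds for every alternative: safe to rely on
        return bool(self.alts) and all(trait in a.traits for a in self.alts)
    def possibly(self, trait: str) -> bool:         # holds for at least one alternative
        return any(trait in a.traits for a in self.alts)

UNKNOWN = Union(frozenset())  # no information: where variables stay with interpretation off
def ty(*traits: str) -> Union:
    return Union(frozenset({Merged(frozenset(traits))}))

# Constructed stand-in for the static environment model: builtin types and method return types.
BUILTINS = {"Math": ty("object", "method:max"), "Array": ty("object", "function", "constructor")}
METHODS = {"method:max": ty("number")}  # method trait -> return type (hypothetical signature table)

def interpret(program, builtins=BUILTINS, methods=METHODS):
    """Abstract interpretation of a tiny FuzzIL-like instruction list; returns final variable types."""
    types, stack = {}, []  # stack of (state before the if, then-branch state or None)
    for op, *args in program:
        if op == "LoadBuiltin":        # v = <builtin>
            types[args[0]] = builtins.get(args[1], UNKNOWN)
        elif op == "CallMethod":       # v = obj.m(): only typed when every alternative has m
            src, name = types[args[1]], "method:" + args[2]
            types[args[0]] = methods[name] if src.definitely(name) else UNKNOWN
        elif op == "StoreProperty":    # obj.p = ...: obj is now also "has p" (merge; UNKNOWN stays)
            types[args[0]] = types[args[0]].merge(ty("prop:" + args[1]))
        elif op == "Reassign":         # v = w: flow-sensitive, the join happens at EndIf
            types[args[0]] = types[args[1]]
        elif op == "BeginIf":
            stack.append((dict(types), None))
        elif op == "BeginElse":        # keep the then-state, restart the else from the pre-if state
            pre, _ = stack.pop()
            stack.append((pre, types))
            types = dict(pre)
        elif op == "EndIf":            # a variable may hold either branch's type afterwards
            pre, then = stack.pop()
            then, other = (types, pre) if then is None else (then, types)
            types = {v: then[v].join(other[v]) for v in then if v in other}
    return types
```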
Showing with 3,964 additions and 319 deletions.
- +15 −2 Sources/Fuzzilli/Configuration.swift
- +54 −58 Sources/Fuzzilli/Core/CodeGenerators.swift
- +74 −0 Sources/Fuzzilli/Core/Environment.swift
- +832 −32 Sources/Fuzzilli/Core/JavaScriptEnvironment.swift
- +83 −19 Sources/Fuzzilli/Core/ProgramBuilder.swift
- +358 −0 Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift
- +0 −82 Sources/Fuzzilli/FuzzIL/Analyzer.swift
- +5 −3 Sources/Fuzzilli/FuzzIL/Instruction.swift
- +9 −6 Sources/Fuzzilli/FuzzIL/Operations.swift
- +6 −2 Sources/Fuzzilli/FuzzIL/Program.swift
- +845 −24 Sources/Fuzzilli/FuzzIL/TypeSystem.swift
- +3 −3 Sources/Fuzzilli/Fuzzer.swift
- +14 −4 Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
- +17 −1 Sources/Fuzzilli/Lifting/Lifter.swift
- +13 −6 Sources/Fuzzilli/Lifting/ScriptWriter.swift
- +1 −1 Sources/Fuzzilli/Modules/NetworkSync.swift
- +5 −6 Sources/Fuzzilli/Modules/Storage.swift
- +1 −1 Sources/Fuzzilli/Mutators/InputMutator.swift
- +1 −1 Sources/Fuzzilli/Mutators/InsertionMutator.swift
- +3 −3 Sources/Fuzzilli/Mutators/JITStressMutator.swift
- +7 −7 Sources/Fuzzilli/Mutators/OperationMutator.swift
- +34 −7 Sources/Fuzzilli/Util/VariableMap.swift
- +11 −7 Sources/FuzzilliCli/Profiles/JSCProfile.swift
- +1 −3 Sources/FuzzilliCli/Profiles/Profile.swift
- +8 −5 Sources/FuzzilliCli/Profiles/SpidermonkeyProfile.swift
- +5 −5 Sources/FuzzilliCli/Profiles/V8Profile.swift
- +7 −15 Sources/FuzzilliCli/Settings.swift
- +13 −0 Sources/FuzzilliCli/TerminalUI.swift
- +12 −3 Sources/FuzzilliCli/main.swift
- +1 −1 Tests/FuzzilliTests/InliningTest.swift
- +417 −0 Tests/FuzzilliTests/InterpreterTest.swift
- +81 −6 Tests/FuzzilliTests/MockFuzzer.swift
- +2 −1 Tests/FuzzilliTests/ProgramSerializationTest.swift
- +937 −0 Tests/FuzzilliTests/TypeSystemTest.swift
- +17 −1 Tests/FuzzilliTests/VariableMapTest.swift
- +72 −4 Tests/FuzzilliTests/XCTestManifests.swift
0 comments on commit 01da262