Implements robust break context identification and tests
TobiasWienand committed Aug 23, 2024
1 parent aeed429 commit 1a1d3ed
Showing 2 changed files with 51 additions and 0 deletions.
8 changes: 8 additions & 0 deletions Sources/Fuzzilli/FuzzIL/Analyzer.swift
Expand Up @@ -168,6 +168,14 @@ struct ContextAnalyzer: Analyzer {

newContext.formUnion(contextStack.secondToTop)
}

// If we are in a loop, we don't want to propagate the switch context and vice versa.
if (instr.op.contextOpened.contains(.switchBlock) || instr.op.contextOpened.contains(.switchCase)) {
newContext.remove(.loop)
} else if (instr.op.contextOpened.contains(.loop)) {
newContext.remove(.switchBlock)
newContext.remove(.switchCase)
}
contextStack.push(newContext)
}
}
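Review bot: Removing `.loop` whenever the opened context is `.switchBlock` or `.switchCase` (L22–L23) also hides the loop from everything emitted inside a case of a switch that sits in a loop; JavaScript permits `continue` there, so if `.loop` is what gates loop-continue as well as loop-break, the analyzer is now stricter than the language and the fuzzer will stop producing a valid construct — worth confirming against the operations that require `.loop`. The comment on L21 reads as if it tested the current context, while the branches test which context the instruction itself opens; I would reword it to `// A switch block/case never inherits the enclosing .loop context, and a loop never inherits .switchBlock/.switchCase: only the innermost of the two is visible to the instructions it contains.` Since the context type already supports `formUnion` (L18), the two branches can use set operations instead of repeated `contains`/`remove` calls and drop the non-idiomatic parentheses around the conditions, e.g. `if !instr.op.contextOpened.isDisjoint(with: [.switchBlock, .switchCase]) { newContext.remove(.loop) } else if instr.op.contextOpened.contains(.loop) { newContext.subtract([.switchBlock, .switchCase]) }`. The enclosing method begins before this hunk.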
43 changes: 43 additions & 0 deletions Tests/FuzzilliTests/AnalyzerTest.swift
Expand Up @@ -304,4 +304,47 @@ class AnalyzerTests: XCTestCase {

let _ = b.finalize()
}

func testBreakContext() {
let fuzzer = makeMockFuzzer()
let b = fuzzer.makeBuilder()

let case1 = b.loadInt(1337)
let case2 = b.loadInt(9001)

// Test case 1: switch -> loop -> switch
b.buildSwitch(on: case1) { outer_switch in
XCTAssertEqual(b.context, .switchBlock)
outer_switch.addCase(case1) {
XCTAssertEqual(b.context, [.javascript, .switchCase])
b.buildWhileLoop({ b.loadBool(true) }) {
XCTAssertEqual(b.context, [.javascript, .loop])
b.buildSwitch(on: case2) { inner_switch in
XCTAssertEqual(b.context, .switchBlock)
inner_switch.addCase(case2) {
XCTAssertEqual(b.context, [.javascript, .switchCase])
}
}
}
}
}
XCTAssertEqual(b.context, .javascript)

// Test case 2: loop -> switch -> loop
b.buildWhileLoop({ b.loadBool(true) }) {
XCTAssertEqual(b.context, [.javascript, .loop])
b.buildSwitch(on: case1) { swtch in
XCTAssertEqual(b.context, .switchBlock)
swtch.addCase(case1) {
XCTAssertEqual(b.context, [.javascript, .switchCase])
b.buildWhileLoop({ b.loadBool(true) }) {
XCTAssertEqual(b.context, [.javascript, .loop])
}
}
}
}
XCTAssertEqual(b.context, .javascript)

let _ = b.finalize()
}
}
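Review bot: The assertions only check the context on entry to each nested block; nothing verifies that the stripped context is restored once the inner block closes, so an analyzer that fails to pop correctly (for instance leaving `.switchCase` absent after the inner loop at L71–L73 ends) would still pass. I would add `XCTAssertEqual(b.context, [.javascript, .switchCase])` right after the inner `buildWhileLoop` closure in case 2 (after L73) and `XCTAssertEqual(b.context, [.javascript, .loop])` after the inner `buildSwitch` closure in case 1 (after L58). The two scenarios also share one builder inside a single test named `testBreakContext` although no break is ever built; splitting them into two tests, or building a break in the innermost block and asserting on the context it sees, would make a failure point at the scenario that actually broke. `let _ = b.finalize()` on L79 is conventionally written `_ = b.finalize()`. The enclosing `AnalyzerTests` class begins before this hunk.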
