From 49449fbd812efe00dfc7583156af44cad1d66bfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuel=20Gro=C3=9F?=
Date: Tue, 15 Aug 2023 10:12:48 +0200
Subject: [PATCH] Handle invalid property names gracefully in ProbingMutator
Instead of just assert()ing that the name is valid, explicitly check for that and log an error if an invalid property name is observed.
Drive-by: exclude Protobuf/gen_programproto.py in Package.swift to fix compiler warnings.
---
 Package.swift | 3 ++-
 Sources/Fuzzilli/Mutators/ProbingMutator.swift | 18 ++++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/Package.swift b/Package.swift
index cb5825ad6..71a398d75 100644
--- a/Package.swift
+++ b/Package.swift
@@ -46,9 +46,10 @@ let package = Package(
 "libreprl",
 "libcoverage"],
 exclude: [
- "Protobuf/sync.proto",
+ "Protobuf/gen_programproto.py",
 "Protobuf/operations.proto",
 "Protobuf/program.proto",
+ "Protobuf/sync.proto",
 "Protobuf/README.md"],
 resources: [
 // The ast.proto file is required by the node.js parser
diff --git a/Sources/Fuzzilli/Mutators/ProbingMutator.swift b/Sources/Fuzzilli/Mutators/ProbingMutator.swift
index 4cefd8110..09fbccc2d 100644
--- a/Sources/Fuzzilli/Mutators/ProbingMutator.swift
+++ b/Sources/Fuzzilli/Mutators/ProbingMutator.swift
@@ -186,7 +186,7 @@ public class ProbingMutator: RuntimeAssistedMutator {
 let propertyIsStored = result.stores.keys.contains(propertyName)
 // Install the property, either as regular property or as a property accessor.
- let property = parsePropertyName(propertyName)
+ guard let property = parsePropertyName(propertyName) else { return }
 if probability(0.8) {
 installRegularProperty(property, on: obj, using: b)
 } else {
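Review bot: The early `return` in the new `guard let property = parsePropertyName(propertyName) else { return }` abandons the whole probe result with no explanation at the call site, so a reader has to open parsePropertyName to learn that the failure was already logged there. A short comment above the guard would cover it, e.g. `// parsePropertyName has already logged the invalid name; there is nothing to install for it.` The enclosing function starts and ends outside the hunk, so whether any state touched before this line needs undoing on the early exit cannot be checked from here.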
@@ -208,7 +208,7 @@ public class ProbingMutator: RuntimeAssistedMutator {
 switch property {
 case .regular(let name):
- assert(name.rangeOfCharacter(from: .whitespacesAndNewlines) == nil)
+ assert(isValidPropertyName(name))
 b.setProperty(name, of: obj, to: value)
 case .element(let index):
 b.setElement(index, of: obj, to: value)
@@ -253,7 +253,7 @@ public class ProbingMutator: RuntimeAssistedMutator {
 switch property {
 case .regular(let name):
- assert(name.rangeOfCharacter(from: .whitespacesAndNewlines) == nil)
+ assert(isValidPropertyName(name))
 b.configureProperty(name, of: obj, usingFlags: PropertyFlags.random(), as: config)
 case .element(let index):
 b.configureElement(index, of: obj, usingFlags: PropertyFlags.random(), as: config)
@@ -308,7 +308,12 @@ public class ProbingMutator: RuntimeAssistedMutator {
 }
 }
- private func parsePropertyName(_ propertyName: String) -> Property {
+ private func isValidPropertyName(_ name: String) -> Bool {
+ // Currently only property names containing whitespaces or newlines are invalid.
+ return name.rangeOfCharacter(from: .whitespacesAndNewlines) == nil
+ }
+
+ private func parsePropertyName(_ propertyName: String) -> Property? {
 // Anything that parses as an Int64 is an element index.
 if let index = Int64(propertyName) {
 return .element(index)
@@ -323,6 +328,11 @@ public class ProbingMutator: RuntimeAssistedMutator {
 }
 // Everything else is a regular property name.
+ guard isValidPropertyName(propertyName) else {
+ // Invalid property names should have been filtered out on the JavaScript side, so receiving them here is an error.
+ logger.error("Received invalid property name: \(propertyName)")
+ return nil
+ }
 return .regular(propertyName)
 }
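Review bot: isValidPropertyName in the `-308,7 +308,12` hunk rejects only whitespace and newlines, so the empty string and names that are not identifier-shaped still leave parsePropertyName as `.regular`. Whether that matters depends on how `b.setProperty` and `b.configureProperty` emit the name and on the part of parsePropertyName between the last two hunks, neither of which this diff shows. If the JavaScript side is meant to guarantee the rest, the helper's comment should state that contract, e.g. `// The JavaScript side is expected to send only non-empty names; whitespace is the one case re-checked here.`; otherwise an `!name.isEmpty` condition belongs in the helper.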
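Review bot: The new `logger.error("Received invalid property name: \(propertyName)")` in the last hunk writes the rejected name verbatim, and by the definition of isValidPropertyName that name contains whitespace or newlines. The value appears to originate from the instrumented JavaScript run, so a single bad name can split a log record across lines or make it read as several entries, and its length is unbounded. Logging an escaped, truncated form keeps the record unambiguous: `logger.error("Received invalid property name: \(String(propertyName.prefix(64)).debugDescription)")`. parsePropertyName starts outside this hunk.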