Add ComputedSuperProperty instructions

Fuzzilli is now able to emit computed super property accesses. E.g.: super[foo()] = 42; or: let baz = super[bar()];
googleprojectzero · Nov 21, 2023 · 5696921 · 5696921
1 parent 4811845
commit 5696921
Show file tree

Hide file tree

Showing 14 changed files with 440 additions and 176 deletions.
diff --git a/Sources/Fuzzilli/Base/ProgramBuilder.swift b/Sources/Fuzzilli/Base/ProgramBuilder.swift
@@ -2198,6 +2198,15 @@ public class ProgramBuilder {
         emit(SetSuperProperty(propertyName: name), withInputs: [value])
     }
 
+    @discardableResult
+    public func getComputedSuperProperty(_ property: Variable) -> Variable {
+        return emit(GetComputedSuperProperty(), withInputs: [property]).output
+    }
+
+    public func setComputedSuperProperty(_ property: Variable, to value: Variable) {
+        emit(SetComputedSuperProperty(), withInputs: [property, value])
+    }
+
     public func updateSuperProperty(_ name: String, with value: Variable, using op: BinaryOperator) {
         emit(UpdateSuperProperty(propertyName: name, operator: op), withInputs: [value])
     }

diff --git a/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift b/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift
@@ -143,6 +143,8 @@ public let codeGeneratorWeights = [
     // These will only be used inside class- or object literal methods.
     "SuperPropertyRetrievalGenerator":          20,
     "SuperPropertyAssignmentGenerator":         20,
+    "ComputedSuperPropertyRetrievalGenerator":  20,
+    "ComputedSuperPropertyAssignmentGenerator": 20,
     "SuperPropertyUpdateGenerator":             10,
 
     "IfElseGenerator":                          10,

diff --git a/Sources/Fuzzilli/CodeGen/CodeGenerators.swift b/Sources/Fuzzilli/CodeGen/CodeGenerators.swift
@@ -1259,6 +1259,18 @@ public let CodeGenerators: [CodeGenerator] = [
         b.setSuperProperty(propertyName, to: b.randomVariable())
     },
 
+    CodeGenerator("ComputedSuperPropertyRetrievalGenerator", inContext: .method) { b in
+        let superType = b.currentSuperType()
+        let property = b.randomVariable()
+        b.getComputedSuperProperty(property)
+    },
+
+    CodeGenerator("ComputedSuperPropertyAssignmentGenerator", inContext: .method) { b in
+        let superType = b.currentSuperType()
+        let property = b.randomVariable()
+        b.setComputedSuperProperty(property, to: b.randomVariable())
+    },
+
     CodeGenerator("SuperPropertyUpdateGenerator", inContext: .method) { b in
         let superType = b.currentSuperType()
         let propertyName = superType.randomProperty() ?? b.randomCustomPropertyName()

diff --git a/Sources/Fuzzilli/FuzzIL/Instruction.swift b/Sources/Fuzzilli/FuzzIL/Instruction.swift
@@ -708,6 +708,10 @@ extension Instruction: ProtobufConvertible {
                 $0.getSuperProperty = Fuzzilli_Protobuf_GetSuperProperty.with { $0.propertyName = op.propertyName }
             case .setSuperProperty(let op):
                 $0.setSuperProperty = Fuzzilli_Protobuf_SetSuperProperty.with { $0.propertyName = op.propertyName }
+            case .getComputedSuperProperty(_):
+                $0.getComputedSuperProperty = Fuzzilli_Protobuf_GetComputedSuperProperty()
+            case .setComputedSuperProperty(_):
+                $0.setComputedSuperProperty = Fuzzilli_Protobuf_SetComputedSuperProperty()
             case .updateSuperProperty(let op):
                 $0.updateSuperProperty = Fuzzilli_Protobuf_UpdateSuperProperty.with {
                     $0.propertyName = op.propertyName
@@ -1137,6 +1141,10 @@ extension Instruction: ProtobufConvertible {
             op = GetSuperProperty(propertyName: p.propertyName)
         case .setSuperProperty(let p):
             op = SetSuperProperty(propertyName: p.propertyName)
+        case .getComputedSuperProperty(_):
+            op = GetComputedSuperProperty()
+        case .setComputedSuperProperty(_):
+            op = SetComputedSuperProperty()
         case .updateSuperProperty(let p):
             op = UpdateSuperProperty(propertyName: p.propertyName, operator: try convertEnum(p.op, BinaryOperator.allCases))
         case .explore(let p):

diff --git a/Sources/Fuzzilli/FuzzIL/JSTyper.swift b/Sources/Fuzzilli/FuzzIL/JSTyper.swift
@@ -626,6 +626,7 @@ public struct JSTyper: Analyzer {
             // For now we treat this as .anything
         case .getElement,
              .getComputedProperty,
+             .getComputedSuperProperty,
              .callComputedMethod,
              .callComputedMethodWithSpread:
             set(instr.output, .anything)

diff --git a/Sources/Fuzzilli/FuzzIL/JsOperations.swift b/Sources/Fuzzilli/FuzzIL/JsOperations.swift
@@ -1731,6 +1731,23 @@ final class SetSuperProperty: JsOperation {
     }
 }
 
+final class SetComputedSuperProperty: JsOperation {
+    override var opcode: Opcode { .setComputedSuperProperty(self) }
+
+    init() {
+        super.init(numInputs: 2, requiredContext: [.javascript, .method])
+    }
+}
+
+final class GetComputedSuperProperty: JsOperation {
+    override var opcode: Opcode { .getComputedSuperProperty(self) }
+
+    init() {
+        super.init(numInputs: 1, numOutputs: 1, requiredContext: [.javascript, .method])
+    }
+}
+
+
 final class UpdateSuperProperty: JsOperation {
     override var opcode: Opcode { .updateSuperProperty(self) }
 

diff --git a/Sources/Fuzzilli/FuzzIL/Opcodes.swift b/Sources/Fuzzilli/FuzzIL/Opcodes.swift
@@ -159,6 +159,8 @@ enum Opcode {
     case callPrivateMethod(CallPrivateMethod)
     case getSuperProperty(GetSuperProperty)
     case setSuperProperty(SetSuperProperty)
+    case getComputedSuperProperty(GetComputedSuperProperty)
+    case setComputedSuperProperty(SetComputedSuperProperty)
     case updateSuperProperty(UpdateSuperProperty)
     case beginIf(BeginIf)
     case beginElse(BeginElse)

diff --git a/Sources/Fuzzilli/Lifting/FuzzILLifter.swift b/Sources/Fuzzilli/Lifting/FuzzILLifter.swift
@@ -593,6 +593,12 @@ public class FuzzILLifter: Lifter {
         case .setSuperProperty(let op):
            w.emit("SetSuperProperty '\(op.propertyName)', \(input(0))")
 
+        case .getComputedSuperProperty(_):
+            w.emit("\(output()) <- GetComputedSuperProperty \(input(0))")
+
+        case .setComputedSuperProperty(_):
+            w.emit("SetComputedSuperProperty \(input(0)), \(input(1))")
+
         case .updateSuperProperty(let op):
             w.emit("UpdateSuperProperty '\(op.propertyName)', '\(op.op.token)', \(input(0))")
 

diff --git a/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift b/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -993,6 +993,15 @@ public class JavaScriptLifter: Lifter {
                 let VALUE = input(0)
                 w.emit("super.\(PROPERTY) = \(VALUE);")
 
+            case .getComputedSuperProperty(_):
+                let expr = MemberExpression.new() + "super[" + input(0).text + "]"
+                w.assign(expr, to: instr.output)
+
+            case .setComputedSuperProperty(_):
+                let PROPERTY = input(0).text
+                let VALUE = input(1)
+                w.emit("super[\(PROPERTY)] = \(VALUE);")
+
             case .updateSuperProperty(let op):
                 let PROPERTY = op.propertyName
                 let VALUE = input(0)

diff --git a/Sources/Fuzzilli/Protobuf/operations.pb.swift b/Sources/Fuzzilli/Protobuf/operations.pb.swift
@@ -1981,6 +1981,26 @@ public struct Fuzzilli_Protobuf_SetSuperProperty {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_GetComputedSuperProperty {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
+public struct Fuzzilli_Protobuf_SetComputedSuperProperty {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 public struct Fuzzilli_Protobuf_UpdateSuperProperty {
   // SwiftProtobuf.Message conformance is added in an extension below. See the
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
@@ -2625,6 +2645,8 @@ extension Fuzzilli_Protobuf_UpdatePrivateProperty: @unchecked Sendable {}
 extension Fuzzilli_Protobuf_CallPrivateMethod: @unchecked Sendable {}
 extension Fuzzilli_Protobuf_GetSuperProperty: @unchecked Sendable {}
 extension Fuzzilli_Protobuf_SetSuperProperty: @unchecked Sendable {}
+extension Fuzzilli_Protobuf_GetComputedSuperProperty: @unchecked Sendable {}
+extension Fuzzilli_Protobuf_SetComputedSuperProperty: @unchecked Sendable {}
 extension Fuzzilli_Protobuf_UpdateSuperProperty: @unchecked Sendable {}
 extension Fuzzilli_Protobuf_LoadNewTarget: @unchecked Sendable {}
 extension Fuzzilli_Protobuf_Explore: @unchecked Sendable {}
@@ -6633,6 +6655,44 @@ extension Fuzzilli_Protobuf_SetSuperProperty: SwiftProtobuf.Message, SwiftProtob
   }
 }
 
+extension Fuzzilli_Protobuf_GetComputedSuperProperty: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".GetComputedSuperProperty"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let _ = try decoder.nextFieldNumber() {
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_GetComputedSuperProperty, rhs: Fuzzilli_Protobuf_GetComputedSuperProperty) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
+extension Fuzzilli_Protobuf_SetComputedSuperProperty: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".SetComputedSuperProperty"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let _ = try decoder.nextFieldNumber() {
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_SetComputedSuperProperty, rhs: Fuzzilli_Protobuf_SetComputedSuperProperty) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
 extension Fuzzilli_Protobuf_UpdateSuperProperty: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".UpdateSuperProperty"
   public static let _protobuf_nameMap: SwiftProtobuf._NameMap = [

diff --git a/Sources/Fuzzilli/Protobuf/operations.proto b/Sources/Fuzzilli/Protobuf/operations.proto
@@ -582,6 +582,12 @@ message SetSuperProperty {
     string propertyName = 1;
 }
 
+message GetComputedSuperProperty {
+}
+
+message SetComputedSuperProperty {
+}
+
 message UpdateSuperProperty {
     string propertyName = 1;
     BinaryOperator op = 2;