diff --git a/Sources/FuzzilliCli/Profiles/DuktapeProfile.swift b/Sources/FuzzilliCli/Profiles/DuktapeProfile.swift
index bfa7f0d2b..3be97d3b8 100644
--- a/Sources/FuzzilliCli/Profiles/DuktapeProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/DuktapeProfile.swift
@@ -61,5 +61,7 @@ let duktapeProfile = Profile(
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/JSCProfile.swift b/Sources/FuzzilliCli/Profiles/JSCProfile.swift
index c629f2a3d..3f5aab062 100644
--- a/Sources/FuzzilliCli/Profiles/JSCProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/JSCProfile.swift
@@ -125,5 +125,7 @@ let jscProfile = Profile(
 "ensureArrayStorage" : .function([] => .anything),
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/JerryscriptProfile.swift b/Sources/FuzzilliCli/Profiles/JerryscriptProfile.swift
index 2fdcab293..b000043f9 100644
--- a/Sources/FuzzilliCli/Profiles/JerryscriptProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/JerryscriptProfile.swift
@@ -57,5 +57,7 @@ let jerryscriptProfile = Profile(
 "placeholder" : .function([] => .undefined),
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/Profile.swift b/Sources/FuzzilliCli/Profiles/Profile.swift
index 8b370c93b..5041f0f6e 100644
--- a/Sources/FuzzilliCli/Profiles/Profile.swift
+++ b/Sources/FuzzilliCli/Profiles/Profile.swift
@@ -34,6 +34,7 @@ struct Profile {
 let disabledMutators: [String]
 let additionalBuiltins: [String: ILType]
+ let additionalObjectGroups: [ObjectGroup]
 // An optional post-processor that is executed for every sample generated for fuzzing and can modify it.
 let optionalPostProcessor: FuzzingPostProcessor?
diff --git a/Sources/FuzzilliCli/Profiles/QjsProfile.swift b/Sources/FuzzilliCli/Profiles/QjsProfile.swift
index 1b8f038ef..6bd8e60ec 100644
--- a/Sources/FuzzilliCli/Profiles/QjsProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/QjsProfile.swift
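Review bot: In the Profile.swift hunk the new stored property `let additionalObjectGroups: [ObjectGroup]` is the only field in view without a comment, while the neighbouring `optionalPostProcessor` carries one explaining what it is for. A reader of the struct cannot tell where these groups end up or what constraint the profile author must respect; the main.swift hunk shows they are handed straight to `JavaScriptEnvironment(additionalBuiltins:additionalObjectGroups:)` and the README hunk calls them "unique". Suggest a matching one-line comment above the field: `// Additional, uniquely named ObjectGroups for this engine; merged into the JavaScriptEnvironment alongside the built-in groups.` The `struct Profile` declaration itself begins before this hunk, so any type-level documentation would sit outside the visible lines.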
@@ -55,5 +55,7 @@ let qjsProfile = Profile(
 "placeholder" : .function([] => .undefined)
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/QtjsProfile.swift b/Sources/FuzzilliCli/Profiles/QtjsProfile.swift
index 09c795bbd..d77968663 100644
--- a/Sources/FuzzilliCli/Profiles/QtjsProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/QtjsProfile.swift
@@ -63,5 +63,7 @@ let qtjsProfile = Profile(
 "gc" : .function([] => .undefined),
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/Serenity.swift b/Sources/FuzzilliCli/Profiles/Serenity.swift
index 32ccef2fa..ac6f25e3a 100644
--- a/Sources/FuzzilliCli/Profiles/Serenity.swift
+++ b/Sources/FuzzilliCli/Profiles/Serenity.swift
@@ -50,5 +50,7 @@ let serenityProfile = Profile(
 "gc": .function([] => .undefined)
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/SpidermonkeyProfile.swift b/Sources/FuzzilliCli/Profiles/SpidermonkeyProfile.swift
index fa1f01866..65f94f412 100644
--- a/Sources/FuzzilliCli/Profiles/SpidermonkeyProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/SpidermonkeyProfile.swift
@@ -116,5 +116,7 @@ let spidermonkeyProfile = Profile(
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/V8HoleFuzzingProfile.swift b/Sources/FuzzilliCli/Profiles/V8HoleFuzzingProfile.swift
index 3548d387c..29c41234a 100644
--- a/Sources/FuzzilliCli/Profiles/V8HoleFuzzingProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/V8HoleFuzzingProfile.swift
@@ -115,5 +115,6 @@ let v8HoleFuzzingProfile = Profile(
 "d8" : .object(),
 "Worker" : .constructor([.anything, .object()] => .object(withMethods: ["postMessage","getMessage"])),
 ],
+ additionalObjectGroups: [],
 optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/V8Profile.swift b/Sources/FuzzilliCli/Profiles/V8Profile.swift
index 14f409017..402d728c4 100644
--- a/Sources/FuzzilliCli/Profiles/V8Profile.swift
+++ b/Sources/FuzzilliCli/Profiles/V8Profile.swift
@@ -614,5 +614,7 @@ let v8Profile = Profile(
 "Worker" : .constructor([.anything, .object()] => .object(withMethods: ["postMessage","getMessage"])),
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/XSProfile.swift b/Sources/FuzzilliCli/Profiles/XSProfile.swift
index 779942bd9..cab43046b 100644
--- a/Sources/FuzzilliCli/Profiles/XSProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/XSProfile.swift
@@ -58,5 +58,7 @@ let xsProfile = Profile(
 "placeholder" : .function([] => .undefined),
 ],
+ additionalObjectGroups: [],
+ optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/main.swift b/Sources/FuzzilliCli/main.swift
index ac9880c66..69d47daa3 100644
--- a/Sources/FuzzilliCli/main.swift
+++ b/Sources/FuzzilliCli/main.swift
@@ -438,7 +438,13 @@ func makeFuzzer(with configuration: Configuration) -> Fuzzer {
 }
 // The environment containing available builtins, property names, and method names.
- let environment = JavaScriptEnvironment(additionalBuiltins: profile.additionalBuiltins, additionalObjectGroups: [])
+ let environment = JavaScriptEnvironment(additionalBuiltins: profile.additionalBuiltins, additionalObjectGroups: profile.additionalObjectGroups)
+ if !profile.additionalBuiltins.isEmpty {
+ logger.verbose("Loaded additional builtins from profile: \(profile.additionalBuiltins.map { $0.key })")
+ }
+ if !profile.additionalObjectGroups.isEmpty {
+ logger.verbose("Loaded additional ObjectGroups from profile: \(profile.additionalObjectGroups.map { $0.name })")
+ }
 // A lifter to translate FuzzIL programs to JavaScript.
 let lifter = JavaScriptLifter(prefix: profile.codePrefix,
diff --git a/Targets/README.md b/Targets/README.md
index 0b683de99..53a2b28c1 100644
--- a/Targets/README.md
+++ b/Targets/README.md
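Review bot: In the main.swift hunk the builtins log line iterates a `[String: ILType]` dictionary via `.map { $0.key }`, so the printed name list comes out in hash order and differs from run to run, which makes log diffs between fuzzing sessions noisy; `profile.additionalBuiltins.keys.sorted()` gives a stable, idiomatic listing. Both `if !... .isEmpty` blocks also run only after `JavaScriptEnvironment(...)` has already been constructed, so if that initializer rejects a malformed profile group or a name that collides with a built-in group, the names that would explain the failure are never logged; placing the two logging blocks above the `let environment` line costs nothing and keeps the diagnostics useful. Nothing in this hunk checks profile-supplied group or builtin names against the environment's own, so if `JavaScriptEnvironment.init` does not enforce the "unique" requirement stated in the README hunk, a profile could silently shadow built-in type information — worth confirming where that check lives. The enclosing `makeFuzzer(with:)` begins and ends outside the hunk.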
@@ -71,4 +71,5 @@ Once a profile has been made, it also needs to be added to the list in [Profile.
 - `additionalProgramTemplates`: Additional [program templates](../Docs/HowFuzzilliWorks.md#program-templates) for the fuzzer to generate programs from. Examples for ProgramTemplates can be found in [ProgramTemplates.swift](../Sources/Fuzzilli/CodeGen/ProgramTemplates.swift)
 - `disabledCodeGenerators`: List of code generators to disable. The current list of code generators is in [CodeGenerators.swift](../Sources/Fuzzilli/CodeGen/CodeGenerators.swift) with their respective weights in [CodeGeneratorWeights.swift](../Sources/Fuzzilli/CodeGen/CodeGeneratorsWeights.swift).
 - `disabledMutators`: List of mutators to disable, in other words, the mutators in this list will not be selected to mutate input during the fuzzing loop. The current list of enabled mutators is in [FuzzilliCli/main.swift](../Sources/FuzzilliCli/main.swift)
-- `additionalBuiltins`: Additional unique builtins for the JS engine. The list does not have to be exhaustive, but should include functionality likely to cause bugs. An example would be a function that triggers garbage collection.
\ No newline at end of file
+- `additionalBuiltins`: Additional unique builtins for the JS engine. The list does not have to be exhaustive, but should include functionality likely to cause bugs. An example would be a function that triggers garbage collection.
+- `additionalObjectGroups`: Additional unique [ObjectGroup](../Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift)s for the JS engine. Examples for ObjectGroups can be found in [JavaScriptEnvironment.swift](../Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift)
\ No newline at end of file