googleprojectzero · carl-smith · Mar 5, 2024 · Feb 22, 2024 · 0xedward · Feb 22, 2024
diff --git a/Sources/FuzzilliCli/Profiles/DuktapeProfile.swift b/Sources/FuzzilliCli/Profiles/DuktapeProfile.swift
@@ -54,5 +54,7 @@ let duktapeProfile = Profile(
 
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/JSCProfile.swift b/Sources/FuzzilliCli/Profiles/JSCProfile.swift
@@ -115,5 +115,7 @@ let jscProfile = Profile(
         "ensureArrayStorage"  : .function([] => .anything),
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/JerryscriptProfile.swift b/Sources/FuzzilliCli/Profiles/JerryscriptProfile.swift
@@ -50,5 +50,7 @@ let jerryscriptProfile = Profile(
         "placeholder"       : .function([] => .undefined),
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/Profile.swift b/Sources/FuzzilliCli/Profiles/Profile.swift
@@ -35,6 +35,7 @@ struct Profile {
     let disabledMutators: [String]
 
     let additionalBuiltins: [String: ILType]
+    let additionalObjectGroups: [ObjectGroup]
 
     // An optional post-processor that is executed for every sample generated for fuzzing and can modify it.
     let optionalPostProcessor: FuzzingPostProcessor?

diff --git a/Sources/FuzzilliCli/Profiles/QjsProfile.swift b/Sources/FuzzilliCli/Profiles/QjsProfile.swift
@@ -47,5 +47,7 @@ let qjsProfile = Profile(
         "placeholder"         : .function([] => .undefined)
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/QtjsProfile.swift b/Sources/FuzzilliCli/Profiles/QtjsProfile.swift
@@ -59,5 +59,7 @@ let qtjsProfile = Profile(
         "gc"                : .function([] => .undefined),
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/Serenity.swift b/Sources/FuzzilliCli/Profiles/Serenity.swift
@@ -43,5 +43,7 @@ let serenityProfile = Profile(
         "gc": .function([] => .undefined)
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/SpidermonkeyProfile.swift b/Sources/FuzzilliCli/Profiles/SpidermonkeyProfile.swift
@@ -106,5 +106,7 @@ let spidermonkeyProfile = Profile(
 
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/V8HoleFuzzingProfile.swift b/Sources/FuzzilliCli/Profiles/V8HoleFuzzingProfile.swift
@@ -102,5 +102,6 @@ let v8HoleFuzzingProfile = Profile(
         "d8"                                            : .object(),
         "Worker"                                        : .constructor([.anything, .object()] => .object(withMethods: ["postMessage","getMessage"])),
     ],
+    additionalObjectGroups: [],
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/V8Profile.swift b/Sources/FuzzilliCli/Profiles/V8Profile.swift
@@ -598,5 +598,7 @@ let v8Profile = Profile(
         "Worker"                                        : .constructor([.anything, .object()] => .object(withMethods: ["postMessage","getMessage"])),
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/Profiles/XSProfile.swift b/Sources/FuzzilliCli/Profiles/XSProfile.swift
@@ -50,5 +50,7 @@ let xsProfile = Profile(
         "placeholder"         : .function([] => .undefined),
     ],
 
+    additionalObjectGroups: [],
+
     optionalPostProcessor: nil
 )
diff --git a/Sources/FuzzilliCli/main.swift b/Sources/FuzzilliCli/main.swift
@@ -438,7 +438,13 @@ func makeFuzzer(with configuration: Configuration) -> Fuzzer {
     }
 
     // The environment containing available builtins, property names, and method names.
-    let environment = JavaScriptEnvironment(additionalBuiltins: profile.additionalBuiltins, additionalObjectGroups: [])
+    let environment = JavaScriptEnvironment(additionalBuiltins: profile.additionalBuiltins, additionalObjectGroups: profile.additionalObjectGroups)
+    if !profile.additionalBuiltins.isEmpty {
+        logger.verbose("Loaded additional builtins from profile: \(profile.additionalBuiltins.map { $0.key })")
+    }
+    if !profile.additionalObjectGroups.isEmpty {
+        logger.verbose("Loaded additional ObjectGroups from profile: \(profile.additionalObjectGroups.map { $0.name })")
-        logger.verbose("Loaded additional builtins from profile: \(profile.additionalBuiltins.map { $0.key })")
-    }
-    if !profile.additionalObjectGroups.isEmpty {
-        logger.verbose("Loaded additional ObjectGroups from profile: \(profile.additionalObjectGroups.map { $0.name })")
+        logger.info("Loaded additional builtins from profile: \(profile.additionalBuiltins.map { $0.key })")
+    }
+    if !profile.additionalObjectGroups.isEmpty {
+        logger.info("Loaded additional ObjectGroups from profile: \(profile.additionalObjectGroups.map { $0.name })")
-        logger.verbose("Loaded additional builtins from profile: \(profile.additionalBuiltins.map { $0.key })")
-    }
-    if !profile.additionalObjectGroups.isEmpty {
-        logger.verbose("Loaded additional ObjectGroups from profile: \(profile.additionalObjectGroups.map { $0.name })")
+        logger.info("Loaded additional builtins from profile: \(profile.additionalBuiltins.map { $0.key })")
+    }
+    if !profile.additionalObjectGroups.isEmpty {
+        logger.info("Loaded additional ObjectGroups from profile: \(profile.additionalObjectGroups.map { $0.name })")
+    }
 
     // A lifter to translate FuzzIL programs to JavaScript.
     let lifter = JavaScriptLifter(prefix: profile.codePrefix,

diff --git a/Targets/README.md b/Targets/README.md
@@ -71,4 +71,5 @@ Once a profile has been made, it also needs to be added to the list in [Profile.
 - `additionalProgramTemplates`: Additional [program templates](../Docs/HowFuzzilliWorks.md#program-templates) for the fuzzer to generate programs from. Examples for ProgramTemplates can be found in [ProgramTemplates.swift](../Sources/Fuzzilli/CodeGen/ProgramTemplates.swift)
 - `disabledCodeGenerators`: List of code generators to disable. The current list of code generators is in [CodeGenerators.swift](../Sources/Fuzzilli/CodeGen/CodeGenerators.swift) with their respective weights in [CodeGeneratorWeights.swift](../Sources/Fuzzilli/CodeGen/CodeGeneratorsWeights.swift).
 - `disabledMutators`: List of mutators to disable, in other words, the mutators in this list will not be selected to mutate input during the fuzzing loop. The current list of enabled mutators is in [FuzzilliCli/main.swift](../Sources/FuzzilliCli/main.swift)
-- `additionalBuiltins`: Additional unique builtins for the JS engine. The list does not have to be exhaustive, but should include functionality likely to cause bugs. An example would be a function that triggers garbage collection. 
+- `additionalBuiltins`: Additional unique builtins for the JS engine. The list does not have to be exhaustive, but should include functionality likely to cause bugs. An example would be a function that triggers garbage collection. 
+- `additionalObjectGroups`: Additional unique [ObjectGroup](../Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift)s for the JS engine. Examples for ObjectGroups can be found in [JavaScriptEnvironment.swift](../Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift)
-Original file line number
+Diff line change
@@ Expand Up / @@ -54,5 +54,7 @@ let duktapeProfile = Profile( @@
         ],
+        additionalObjectGroups: [],
         optionalPostProcessor: nil
     )