XS code generators, object groups, etc #428
Conversation
This is the profile we use for XS with Fuzzilli. It includes code generators to stress unique aspects of the XS runtime. It has two ObjectGroups and several additional build-ins to fuzz Hardened JavaScript features. It also pulls in the RegExpFuzzerfrom V8.
| // swift run -c release FuzzilliCli --profile=xs --jobs=8 --storagePath=./results --resume --timeout=200 $MODDABLE/build/bin/mac/debug/xst | ||
|
|
||
| fileprivate let StressXSGC = CodeGenerator("StressXSGC", inputs: .required(.function())) { b, f in | ||
| guard b.type(of: f).Is(.function()) else { return } //@@ where did this come from?? |
There was a problem hiding this comment.
yes, I don't think you need this line here and in the other generators if you have inputs: .required(.function())
| b.callFunction(f, withArgs: arguments) | ||
| b.unary(.PostInc, index) | ||
| let result = b.callFunction(gc, withArgs: [index]) | ||
| b.buildIfElse(result, ifBody: { |
There was a problem hiding this comment.
You could build the if like we do it here:
fuzzilli/Sources/Fuzzilli/CodeGen/ProgramTemplates.swift
Lines 178 to 180 in 7c4ab31
| fileprivate let HardenGenerator = CodeGenerator("HardenGenerator", inputs: .required(.object())) { b, obj in | ||
| let harden = b.loadBuiltin("harden") | ||
|
|
||
| if (Int.random(in: 0...20) < 1) { |
There was a problem hiding this comment.
you can use probability(0.05) similar to here:
|
|
||
| if (Int.random(in: 0...20) < 1) { | ||
| let lockdown = b.loadBuiltin("lockdown") | ||
| b.callFunction(lockdown, withArgs: []) |
There was a problem hiding this comment.
No need to add the empty arguments here, we have a default argument for that. So you can call it like this:
b.callFunction(lockdown)
| options["loadNowHook"] = loadNowHook; | ||
| options["loadHook"] = loadHook; | ||
|
|
||
| if (Int.random(in: 0...100) < 50) { |
There was a problem hiding this comment.
same here, please use probability(0.5)
| } | ||
| */ | ||
|
|
||
| // This template fuzzes the RegExp engine. |
There was a problem hiding this comment.
I guess these comments are stale here / not relevant, so maybe just remove them?
| b.doReturn(resultVar) | ||
| } | ||
|
|
||
| b.eval("%SetForceSlowPath(false)"); |
There was a problem hiding this comment.
I think this should just fail to parse on XS? so maybe remove these b.eval calls (here, line 245 and line 247) that call our V8 internals?
| /// Type of a JavaScript Compartment object. | ||
| static let jsCompartment = ILType.object(ofGroup: "Compartment", withProperties: ["globalThis"], withMethods: ["evaluate", "import", "importNow" /* , "module" */]) | ||
|
|
||
| static let jsCompartmentConstructor = ILType.constructor([.function()] => .jsCompartment) + .object(ofGroup: "CompartmentConstructor", withProperties: ["prototype"], withMethods: []) |
There was a problem hiding this comment.
The signature for the constructor here does not match the signature you actually call in the CompartmentGenerator.
I think you want it to look something like this?
ILType.constructor([.object(), .object(), .object()] => .jsCompartment] ....
Where the objects are the endowmentsObject, the moduleMapObject and the OptionsObject?
|
|
||
| static let jsModuleSource = ILType.object(ofGroup: "ModuleSource", withProperties: ["bindings", "needsImport", "needsImportMeta"]) | ||
|
|
||
| static let jsModuleSourceConstructor = ILType.constructor([.function()] => .jsModuleSource) + .object(ofGroup: "ModuleSourceConstructor", withProperties: ["prototype"], withMethods: []) |
There was a problem hiding this comment.
Same here, I think you want it to be:
[.string] => .jsModuleSource
as the argument is a codestring?
| "placeholder" : .function([] => .undefined), | ||
|
|
||
| // hardened javascript | ||
| "Compartment" : .function([] => .jsCompartmentConstructor), |
There was a problem hiding this comment.
Same here as with the signatures in the object groups, please provide the types that these constructors expect.
|
@carl-smith, thanks for the thorough review. I'll try to get all that cleaned up. FWIW – XSProfile is an admittedly a bit messy. It has evolved over time while I've been learning a (little) bit about Swift and Fuzzilli APIs along the way. Despite the imperfections, it has been incredibly valuable in finding subtle issues in XS. Thanks so much for your work on this project. |
|
Closing. Replaced by #431. |
This is the profile we use for XS with Fuzzilli. It includes code generators to stress unique aspects of the XS runtime. It has two ObjectGroups and several additional build-ins to fuzz Hardened JavaScript features. It also pulls in the RegExpFuzzerfrom V8.