Proto commits in RUB-SysSec/JIT-Picker

These 48 commits are when the Protocol Buffers files have changed:

2022-10-10

Add differential testing

The documentation is generated from this commit.

2022-10-05

Remove runtime type collection support This feature is essentially replaced by the ExplorationMutator which also uses runtime type information but instead of forwarding it to Fuzzilli (which then later on selects actions to perform based on the type), it directly selects a "useful" action to perform. This is a lot simpler and easier to maintain as the complexity is contained in a single mutator instead of being spread throughout the codebase.

2022-10-03

Implement ExplorationMutator Quoting from the documentation: This mutator does the following: 1. it inserts Explore operations for random existing variables in the program to be mutated 2. It executes the resulting (temporary) program. The Explore operations will be lifted to a sequence of code that inspects the variable at runtime (using features like 'typeof' and 'Object.getOwnPropertyNames' in JavaScript) and selects a "useful" operation to perform on it (e.g. load a property, call a method, ...), then reports back what it did 3. the mutator processes the output of step 2 and replaces some of the Explore mutations with the concrete action that was selected at runtime. All other Explore operations are discarded. The result is a program that performs useful actions on some of the existing variables even without statically knowing their type. The resulting program is also deterministic and "JIT friendly" as it no longer relies on any kind of runtime object inspection.

2022-08-03

Make operation names and ProgramBuilder methods more consistent Now, for a simple operation OperationXYZ, the ProgramBuilder will generally have a method opXYZ(...), while for block operations BeginBlockXYZ and EndBlockXYZ, it will have a buildBlockXYZ(...) method with ensures that the begin and end operations always match.

2022-07-27

Compute correctness and timeout rate over last 1000 samples Now that we do initial corpus generation with a different fuzzing engine, these statistics are somewhat skewed, at least during early fuzzing. Computing them over the last 1000 samples mitigates that.

Split call/construct operations into plain and spreading variants Spreading operations are not very "mutation friendly" since spreading rarely causes new interesting behaviour and will frequently cause invalid programs as only iterable objects can be spread. Therefore we now split up the CallFunction, Construct, CallMethod, and CallComputedMethod into "plain" versions and spreading versions which have the "WithSpread" suffix.

2022-07-26

Implement minimization and mutation of variadic instructions With this change, the Minimizer is now able to remove variadic inputs from instructions and the OperationMutations is able to add variadic inputs to them. To measure the impact of this, the average size of programs added to the corpus is now inlcluded in the statistics.

2022-02-15

Replace Types with Parameters in Function Signatures (#314)

2022-01-05

Add DestructObject and DestructObjectAndReassign operations (#309)

2022-01-04

simplify switch statement generation (#216)

2021-12-17

CallSuperConstructor now supports spread arguments (#302)

2021-12-16

Add array destruct support to ForOf (#303)

2021-11-21

Add DestructArray and DestructArrayAndReassign operations (#300)

2021-11-19

Add binary operation variants for StoreProperty, StoreElement, StoreComputedProperty and StoreSuperProperty (#296)

2021-09-10

Implement LoadThis and LoadArguments operations (#262)

CallMethod, CallComputedMethod and Construct now support Spread Elements (#238)

2021-09-09

Implements a strict-mode toggle for Function operations (#242)

2021-06-24

add support for template literals (#208)

2021-06-23

Add support for switch statements (#207)

Add assignment operators (#204)

2021-06-21

Add support for conditional operator (#205)

2021-06-09

Add CallComputedMethod operation (#200)

2021-06-02

Added support for finally blocks (#196)

2020-12-03

Added "fuzzer overhead" to statistics This represents the fraction of the total time that is not spent executing code in the target engine. It includes the time spent for things such as worker synchronization, restarting the target process after crashes or timeouts, lifting FuzzIL to the target language, performing mutations etc.

2020-11-30

Improved shutdown logic

2020-11-09

Implemented JavaScript Classes

2020-09-18

Added inspection capabilities Currently, there are two inspection modes: History: When enabled, Fuzzilli will store the history of all programs that are added to the corpus in .fuzzil.history files. The history includes detailed information about every mutations performed on the sample and includes the program's code after every intermediate step (e.g. every execution of a mutator). Types: When enabled, Fuzzilli will output type all available type information for the programs that it writes to disk in the form of comments.

Cache duplicate types in the protobuf format

2020-09-17

Cache program types (#147)

2020-09-09

Collect runtime types per instruction (#133)

2020-08-26

Added unary pre and post increment and decrement operators

Remove Phis Now, every variable can be reassigned by a Reassign operation, without having to be explicitly marked as a "reassignable" variable. Also, the new Dup instruction can now be used to duplicate a variable.

2020-08-21

Add support for Async Generators (#118)

2020-08-20

Support Block Statement generation (#116)

Do-While loops now have the header inputs in BeginDoWhileLoop instead of EndDoWhileLoop This removes the somewhat arbitrary restriction that inputs to block ends have to come from the outer scope, which then allowed removal of various bits of code. Also, this cleans up block and block group related code a bit by moving the algorithms into the Blocks class as static methods while making them accessible via the Program class.

2020-08-19

Unary ops (#114)

2020-08-18

Eval generator (#97)

2020-08-17

Save runtime type collection statistics (#110)

2020-07-29

Collect basic runtime types and send them to Fuzzilli (#99)

2020-07-27

Added support for async arrow functions (#96)

2020-07-23

Removes optional from type protobuf

2020-07-03

Fuzzilli now appends the content of stderr to crashing programs as comment

implemented RegExp literals

2020-06-30

implemented bigint support

2020-06-29

Added new function types to FuzzIL Generators and async functions are now supported.

implemented support for arrow functions

Added Exponentiation and Unsigned RightShift operator

2020-06-26

FuzzIL now uses Protobufs as serialization format This seems to roughly speed up encoding + decoding of Programs by a factor of 8, while reducing the size of the encoded data roughly by a factor of 4.