
`generateVariable` unable to handle type unions

Open · amarekano opened this issue 3 years ago · 1 comment

The following test intermittently fails with the following error:

Test Case 'ProgramBuilderTests.testTypeInstantiation' started at 2021-11-03 09:00:22.498
Fuzzilli/ProgramBuilder.swift:520: Assertion failed: Unexpected type encountered .integer | .object()

What follows is saelo's analysis of this issue:

I think the issue here is that generateType might generate e.g. a TypedArray from the JavaScriptEnvironment (that's correct), then generateVariable tries to call the corresponding constructor and attempts to obtain argument variables (that's also correct), but for TypedArrays, the constructor is defined to take .integer | .object(...):

https://github.com/googleprojectzero/fuzzilli/blob/1c33ac3cefb0771978a3f8f1185ac77fca703b14/Sources/Fuzzilli/Core/JavaScriptEnvironment.swift#L390

(also correct), but generateVariable can't yet handle type unions (that is, I think, the issue).

amarekano · Nov 12 '21 13:11
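To make the failure mode concrete, here is an added Swift sketch (a hypothetical model, not Fuzzilli's own types, `generateVariable`, or the fix referenced later in this thread) of a generator that narrows a union such as `.integer | .object(...)` to one member before dispatching on it, so the TypedArray constructor argument never reaches the "unexpected type" path:

```swift
// Hypothetical model of a type lattice with unions (not Fuzzilli's code).
indirect enum JSType {
    case integer, float, string
    case object(String)            // named constructor, e.g. "ArrayBuffer"
    case union([JSType])           // e.g. .integer | .object("ArrayBuffer")
}

// Narrow a type to one concrete member. A union resolves by choosing one
// of its members (recursively, so nested unions also resolve). The chooser
// is injectable so the behaviour is deterministic under test.
func concreteType(of type: JSType, choose: (Int) -> Int) -> JSType {
    if case .union(let members) = type {
        precondition(!members.isEmpty, "empty union has no instantiable member")
        return concreteType(of: members[choose(members.count)], choose: choose)
    }
    return type
}

// Emit JavaScript defining `name` with a value of `type`. Without the
// narrowing step a union would reach the switch and trip the fatalError,
// which is the shape of the assertion in the report above.
func generateVariable(_ name: String, ofType type: JSType,
                      choose: (Int) -> Int = { Int.random(in: 0..<$0) }) -> String {
    switch concreteType(of: type, choose: choose) {
    case .integer:          return "let \(name) = 42;"
    case .float:            return "let \(name) = 13.37;"
    case .string:           return "let \(name) = \"fuzz\";"
    case .object(let ctor): return "let \(name) = new \(ctor)();"
    case .union:            fatalError("Unexpected type encountered: union not narrowed")
    }
}

// Build `new ctor(args)` after generating one variable per parameter type.
func generateConstruction(_ name: String, ctor: String, params: [JSType],
                          choose: (Int) -> Int = { Int.random(in: 0..<$0) }) -> [String] {
    var lines: [String] = []
    var args: [String] = []
    for (i, p) in params.enumerated() {
        let arg = "\(name)_arg\(i)"
        lines.append(generateVariable(arg, ofType: p, choose: choose))
        args.append(arg)
    }
    lines.append("let \(name) = new \(ctor)(\(args.joined(separator: ", ")));")
    return lines
}

// The case from the report: a TypedArray constructor whose parameter is a union.
let typedArrayParam = JSType.union([.integer, .object("ArrayBuffer")])
for line in generateConstruction("ta", ctor: "Uint8Array",
                                 params: [typedArrayParam], choose: { _ in 1 }) {
    print(line)
}
```

With `choose` fixed to index 1 the object member is selected, so the emitted program constructs an `ArrayBuffer` and passes it to `Uint8Array`; index 0 would yield the integer-length form instead.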

This issue appears to happen elsewhere, too, not just during tests. During a fuzzing session with a debug build, I got this assertion failure: Fuzzilli/ProgramBuilder.swift:520: Assertion failed: Unexpected type encountered .integer | .float | .string

saelo · Jan 06 '22 08:01

This is now fixed since we no longer use generateVariable(): https://github.com/googleprojectzero/fuzzilli/commit/e264abb403c3c63b713d20c8649f0840a59a08cd

saelo · Apr 03 '23 08:04