googleprojectzero
Lifting Problem from FuzzIL to JS
This code
seed.js
try {
a = 1;
let a = 2; // ReferenceError (dynamic)
} catch (error) {
console.log("Test 1 successful");
}
get's translated from Fuzzilli to
lifted.js
try {
a = 1;
} catch(e2) {
console.log("Test 1 successful");
}
Therefore "Test 1 successful" will not be printed. Probably not a big issue but I thought it would be worth documenting
Thanks for raising this! Right, I think this is another example of where we cause miscompilation because we rename variables during compilation. In the future, if things like that bother us enough, we could expand FuzzIL's support for named variables and then have two compilation modes: (1) the regular compilation mode where we rename variables and (2) a fallback mode where we keep all the variable names and emit a lot of LoadNamedVariable, DefineNamedVariable etc. operations. We'd prefer (1) as the samples are better to mutate (because they don't have all the named variable operations that somewhat hide the data flow), but if we believe that renaming variables will alter the programs behavior, then we'd use (2). Other cases where variables names are important is when features like eval are used. There are probably many more examples...
