
GenerateCallArguments doesn't ensure diversity

Open turnerrocks1 opened this issue 3 years ago • 1 comments

As per https://github.com/googleprojectzero/fuzzilli/blob/7ac136b3ba6fccae03fe754425c7f475fcbb64c4/Sources/Fuzzilli/Core/ProgramTemplates.swift#L156

It was already a TODO to check whether they were actually different; well, it came to my attention after checking multiple corpuses that it doesn't. Such examples include the following; I've annotated in the code below where the template call corresponds.

Ex 1.

```javascript
function placeholder(){}
function main() {
    function v0(v1,v2,v3) { // <-- func definition here
        const v5 = new Object();
        const v7 = new Array(v2);
        const v8 = v7[65535];
        let v9 = 0;
        do {
            const v11 = `qx04LUYLIS${v8}-2147483647${v9}cyhbgjoaP2`;
            let v12 = 1000.0;
            let v13 = Uint16Array;
            const v14 = new Object();
            const v15 = class V15 extends v13 {
                constructor(v17) {
                    [v12,v16,v13] = v14;
                }
                setPrototypeOf(v19,v20) {
                }
            };
            const v21 = v9++;
        } while (v9 < 1);
        return v8;
    }
    const v23 = new Object();
    v23.p = v0;
    v23.o = Object;
    v23.d = v0;
    v23.b = Object;
    const v26 = new Array(1684852773);
    const v27 = v0(v23,1684852773,v26); // <--- initial args
    for (let v31 = 0; v31 < 100; v31++) {
        const v32 = v0(v23,1684852773,v26); // <---- optimo args still the same
    }
    const v33 = v0(v23,1684852773,v26); // <---- triggered args still the same
    fullGC();
}
noDFG(main);
noFTL(main);
main();
```

Ex 2.

```javascript
function placeholder(){}
function main() {
    function v0(v1,v2,v3,v4) { // <---- func definition
        const v5 = {"a":v2,"e":v4,"toString":v3};
        const v8 = new Array(2);
        const v9 = v8[263521675];
        return v0;
    }
    const v12 = new Array(263521675);
    const v15 = {"a":1073741824n,"n":Array,"o":Array};
    const v16 = v0(v12,"V9BOSJLXPm",1073741824n,v15); // <---- initial
    let v17 = 0;
    for (let v20 = v17; v20 < 100; v20++) {
        const v21 = v0(v12,"V9BOSJLXPm",1073741824n,v15); // <----- optimo args
    }
    const v22 = v0(v12,"V9BOSJLXPm",1073741824n,v15); // <------ triggered
    const v23 = {"e":263521675,"length":"V9BOSJLXPm","toString":100};
    while (v17 < 7) {
        if (7) {
            const v25 = {};
            if (v25) {
            } else {
                let v26 = 0;
                const v27 = v26++;
                const v28 = v26++;
                function v29(v30,v31) {
                }
            }
        } else {
            const v32 = null;
        }
        const v33 = v17++;
    }
    const v34 = v0(v15,"V9BOSJLXPm",1073741824n,v12); // <----- probably happened due to mutator or etc as this doesn't follow the type confusion template
    fullGC();
}
noDFG(main);
noFTL(main);
main();
```

I have plenty more corpus samples behaving in a similar fashion.

turnerrocks1 avatar Sep 18 '22 02:09 turnerrocks1
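A small corpus check for the defect described in this report, added here as an example and not part of the original issue or of Fuzzilli itself: it extracts every call to a program-defined function from a generated JavaScript sample and flags functions whose repeated calls (initial, optimisation loop, triggered) always carry the identical argument list. The two samples are constructed to mirror the template shape above; the regex is deliberately flat and assumes call arguments contain no nested parentheses.

```python
import re

# Constructed samples (not from the fuzzilli corpus): the three-call shape of
# the type-confusion template discussed in this issue, once with identical
# argument lists at every call site (the reported defect) and once with a
# different final argument list.
SAME_ARGS = """
function v0(v1,v2,v3) { return v1; }
const v23 = new Object();
const v26 = new Array(1684852773);
const v27 = v0(v23,1684852773,v26);
for (let v31 = 0; v31 < 100; v31++) {
    const v32 = v0(v23,1684852773,v26);
}
const v33 = v0(v23,1684852773,v26);
"""
VARIED_ARGS = SAME_ARGS.replace("const v33 = v0(v23,1684852773,v26);",
                                "const v33 = v0(v26,1684852773,v23);")

DEF_RE = re.compile(r"\bfunction\s+(v\d+)\s*\([^()]*\)")
CALL_RE = re.compile(r"\b(v\d+)\(([^()]*)\)")

def call_sites(program):
    """Map each program-defined function to the argument list at every call site.
    Limitation: flat regex, no JS parser, so arguments containing parentheses or
    commas inside string literals are not handled."""
    defined = set(DEF_RE.findall(program))
    body = DEF_RE.sub("", program)  # drop definitions so parameter lists are not counted as calls
    sites = {}
    for callee, args in CALL_RE.findall(body):
        if callee in defined:
            argtuple = tuple(a.strip() for a in args.split(",")) if args.strip() else ()
            sites.setdefault(callee, []).append(argtuple)
    return sites

def argument_diversity(program):
    """(distinct argument lists, total calls) for each function called at least twice."""
    return {callee: (len(set(calls)), len(calls))
            for callee, calls in call_sites(program).items() if len(calls) >= 2}

def undiversified_callees(program):
    """Functions called several times but always with exactly the same arguments."""
    return sorted(callee for callee, (distinct, _total) in argument_diversity(program).items()
                  if distinct == 1)

def corpus_report(programs):
    """(flagged programs, total programs): how much of a corpus shows the defect."""
    flagged = sum(1 for p in programs if undiversified_callees(p))
    return flagged, len(programs)
```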

Yeah I guess that makes sense, generateCallArguments will try to find values of the required type, and if there's only one of them in the program it will always use the same value. We'll probably be redesigning the type system and type instantiation code soon-ish, then we can take a stab at solving this issue as well. Thanks for the report and examples!

saelo avatar Sep 20 '22 09:09 saelo

This should now be fixed, we're now using a different approach that no longer requires generateCallArguments: https://github.com/googleprojectzero/fuzzilli/commit/2cb6bebda61ffb2c81509c5a5dfab9421c0d70a5

saelo avatar Apr 03 '23 08:04 saelo