Samuel Groß
In https://github.com/googleprojectzero/fuzzilli/commit/c1a3848b0cdc713b40a326bb76f791066128837e we had to change `FunctionSignature` literals to look like this:

```swift
let sig = [.plain(.integer), .opt(.string), .rest(.anything)] => .integer
```

since they now contain a `Parameter` struct instead...
Currently we have both `.anything` (a "proper" union type of all available types) and `.unknown` (a pseudo basic type expressing that we don't know the actual type). This causes lots...
FuzzIL's representation of loops is oversimplified and cannot express the fact that more or less arbitrary computations can be performed in the loop header. This might, however, be interesting for...
There should be a more generic version of `LoadFromScope` and `StoreToScope` to be able to represent code such as the one shown in https://github.com/googleprojectzero/fuzzilli/issues/221 or in general any code where...
As noted [here](https://github.com/googleprojectzero/fuzzilli/issues/235#issuecomment-888965906), a lot of test cases generated by Fuzzilli contain empty blocks. This probably happens for a number of reasons, but in any case it's likely detrimental to...
Since commit 1408aab353b3a7f54b5a4e1b4471e054d615adcf, Fuzzilli computes and displays the "fuzzer overhead", i.e. the fraction of time that is *not* spent executing JavaScript code in the target engine. Normal values seem to...
It would be great to have a way to write tests for the [Minimizer](https://github.com/googleprojectzero/fuzzilli/tree/main/Sources/Fuzzilli/Minimization) to catch issues such as the one fixed with https://github.com/googleprojectzero/fuzzilli/commit/555021d1b9f73d0201ca1629b8be482d0422cd2d earlier.
The AbstractInterpreter currently assumes that the [result of binary logical operators is a .boolean](https://github.com/googleprojectzero/fuzzilli/blob/87e9142747dd76387ca9d0c8d02acf3a78c5196c/Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift#L430). While that probably seems intuitive, that's not how JavaScript works: ```JavaScript let a = 0 ||...
After commit https://github.com/googleprojectzero/fuzzilli/commit/87ee22bad2ac3bafbc8db13d5bfb7ea3c25fc39c we are now [able to determine whether an instruction can be replaced (folded) with an existing one](https://github.com/googleprojectzero/fuzzilli/blob/87ee22bad2ac3bafbc8db13d5bfb7ea3c25fc39c/Sources/Fuzzilli/FuzzIL/Semantics.swift#L92). This would allow implementing a simple minimization pass which...
The [HowFuzzilliWorks](https://github.com/googleprojectzero/fuzzilli/blob/master/Docs/HowFuzzilliWorks.md) document describes how I currently believe the HybridEngine should eventually work (feedback on that very welcome!). The current implementation already supports some of these features, but not everything...