From 49a2ac6ecf46d738f060bf6e9d97b2b63ce1fbec Mon Sep 17 00:00:00 2001
From: Vadim Afanasyev
Date: Mon, 3 Jun 2024 21:04:29 +0800
Subject: [PATCH] Added OHOS Stack API support to Fuzzilli
---
 .../Environment/ArkTSEnvironment.swift | 34 ---------------
 Sources/FuzzilliCli/Profiles/ArkProfile.swift | 43 +++++++++++++++++--
 Sources/FuzzilliCli/Profiles/Profile.swift | 19 ++++++++
 Sources/FuzzilliCli/main.swift | 2 +-
 4 files changed, 59 insertions(+), 39 deletions(-)
 delete mode 100644 Sources/Fuzzilli/Environment/ArkTSEnvironment.swift
diff --git a/Sources/Fuzzilli/Environment/ArkTSEnvironment.swift b/Sources/Fuzzilli/Environment/ArkTSEnvironment.swift
deleted file mode 100644
index b3d5caa..0000000
--- a/Sources/Fuzzilli/Environment/ArkTSEnvironment.swift
+++ /dev/null
@@ -1,34 +0,0 @@
-public class ArkTSEnvironment: JavaScriptEnvironment {
- public override init(additionalBuiltins: [String: ILType] = [:], additionalObjectGroups: [ObjectGroup] = []) {
- var mutableAdditionalObjectGroups = additionalObjectGroups
- mutableAdditionalObjectGroups.append(ArkTSEnvironment.arkTSStacks)
-
- var mutableAdditionalBuiltins = additionalBuiltins
- mutableAdditionalBuiltins["Stack"] = ArkTSEnvironment.arkTSStackConstructor
-
- super.init(additionalBuiltins: mutableAdditionalBuiltins, additionalObjectGroups: mutableAdditionalObjectGroups)
- }
-
- /// Type of a ArkTS Stack object.
- static let arkTSStack = ILType.iterable + ILType.object(ofGroup: "Stack", withProperties: ["length"], withMethods: ["push", "pop", "peek", "locate", "forEach", "isEmpty"])
-
- /// Type of the ArkTS Stack constructor builtin.
- static let arkTSStackConstructor = ILType.constructor([] => arkTSStack)
-
- /// ObjectGroup modelling ArkTS Stack objects
- static let arkTSStacks = ObjectGroup(
- name: "Stack",
- instanceType: arkTSStack,
- properties: [
- "length" : .number,
- ],
- methods: [
- "push" : [.anything] => .anything,
- "pop" : [] => .anything,
- "peek" : [] => .anything,
- "locate" : [.anything] => .number,
- "forEach" : [.function([.anything, .opt(.number), .opt(arkTSStack)] => .undefined), .opt(.object())] => .undefined,
- "isEmpty" : [] => .boolean,
- ]
- )
-}
diff --git a/Sources/FuzzilliCli/Profiles/ArkProfile.swift b/Sources/FuzzilliCli/Profiles/ArkProfile.swift
index 1387cec..886a19d 100644
--- a/Sources/FuzzilliCli/Profiles/ArkProfile.swift
+++ b/Sources/FuzzilliCli/Profiles/ArkProfile.swift
@@ -25,6 +25,34 @@ fileprivate let RunNearStackLimitGenerator = CodeGenerator("RunNearStackLimitGen
 b.callFunction(fun, withArgs: [f])
 }
+fileprivate let StackGenerator = ValueGenerator("StackGenerator") { b, n in
+ let constructor = b.loadBuiltin("Stack")
+ b.construct(constructor)
+}
+
+/// Type of a ArkTS Stack object.
+fileprivate let arkTSStack = ILType.iterable + ILType.object(ofGroup: "Stack", withProperties: ["length"], withMethods: ["push", "pop", "peek", "locate", "forEach", "isEmpty"])
+
+/// Type of the ArkTS Stack constructor builtin.
+fileprivate let arkTSStackConstructor = ILType.constructor([] => arkTSStack)
+
+/// ObjectGroup modelling ArkTS Stack objects
+fileprivate let arkTSStacks = ObjectGroup(
+ name: "Stack",
+ instanceType: arkTSStack,
+ properties: [
+ "length" : .number,
+ ],
+ methods: [
+ "push" : [.anything] => .anything,
+ "pop" : [] => .anything,
+ "peek" : [] => .anything,
+ "locate" : [.anything] => .number,
+ "forEach" : [.function([.anything, .opt(.number), .opt(arkTSStack)] => .undefined), .opt(.object())] => .undefined,
+ "isEmpty" : [] => .boolean,
+ ]
+)
+
 let arkProfile = Profile(
 processArgs: { randomize in
 var args = [
@@ -38,9 +66,12 @@ let arkProfile = Profile(
 maxExecsBeforeRespawn: 10000,
- timeout: 10_000,
+ timeout: 176400,
 codePrefix: """
+ let arkPrivate = globalThis.ArkPrivate;
+ arkPrivate.Load(arkPrivate.Stack);
+
 function bgc() {
 for(let i=0; i<0x10000; i+=1) {new String();}
 let a = new Array(0x10000);
@@ -61,9 +92,10 @@ let arkProfile = Profile(
 additionalCodeGenerators: [
 (PrintGenerator, 40),
- (RunNearStackLimitGenerator, 5)
+ (RunNearStackLimitGenerator, 5),
+ (StackGenerator, 20),
 ],
-
+
 additionalProgramTemplates: WeightedList([]),
 disabledCodeGenerators: [
@@ -73,7 +105,6 @@ let arkProfile = Profile(
 disabledMutators: [
 "ExplorationMutator",
 "ProbingMutator",
-
 ],
 additionalBuiltins: [
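Review bot: StackGenerator in the first hunk ignores its `n` argument and always constructs exactly one Stack; if, as in Fuzzilli's own value generators, `n` is the number of values the generator is asked to produce, the body should loop, e.g. `for _ in 0..<n { b.construct(constructor) }` with the single `loadBuiltin("Stack")` kept above the loop, otherwise the `(StackGenerator, 20)` weight in the third hunk yields fewer Stack values than configured. The literal "Stack" is now spelled out in four places (`loadBuiltin("Stack")`, `ofGroup: "Stack"`, `name: "Stack"` and the builtin key in the last ArkProfile hunk); a single `fileprivate let stackGroupName = "Stack"` would keep the ObjectGroup, the ILType and the builtin from drifting apart when one of them is edited. Minor: the copied doc comment `/// Type of a ArkTS Stack object.` should read `an ArkTS`.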
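Review bot: The second hunk raises `timeout` from `10_000` to `176400` without a comment giving the unit or the reason; if this is the per-execution timeout in milliseconds, as the old value suggests, a hanging sample now occupies a worker for almost three minutes instead of ten seconds, which costs throughput and delays the timeout signal that hang/DoS-style findings depend on. Please add a comment such as `// ms; raised from 10_000 because <measured reason>` or lower the value to what was actually measured. The new prefix lines `let arkPrivate = globalThis.ArkPrivate; arkPrivate.Load(arkPrivate.Stack);` run before every sample and will throw on an engine build that does not expose `ArkPrivate`, so every execution would fail identically; a comment naming the required build configuration, or a startup sanity check in the profile, would make that misconfiguration visible right away. The `codePrefix` string literal continues past the hunk.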
@@ -82,7 +113,11 @@ let arkProfile = Profile(
 "arkPrint" : .function([] => .undefined),
 "sgc" : .function([] => .undefined),
 "bgc" : .function([] => .undefined),
+ "Stack" : arkTSStackConstructor,
+ ],
+ additionalObjectGroups: [
+ arkTSStacks,
 ],
 optionalPostProcessor: nil
diff --git a/Sources/FuzzilliCli/Profiles/Profile.swift b/Sources/FuzzilliCli/Profiles/Profile.swift
index 468cf48..ac81ea9 100644
--- a/Sources/FuzzilliCli/Profiles/Profile.swift
+++ b/Sources/FuzzilliCli/Profiles/Profile.swift
@@ -35,9 +35,28 @@ struct Profile {
 let disabledMutators: [String]
 let additionalBuiltins: [String: ILType]
+ let additionalObjectGroups: [ObjectGroup]
 // An optional post-processor that is executed for every sample generated for fuzzing and can modify it.
 let optionalPostProcessor: FuzzingPostProcessor?
+
+ init(processArgs: @escaping (_ randomize: Bool) -> [String], processEnv: [String : String], maxExecsBeforeRespawn: Int, timeout: Int, codePrefix: String, codeSuffix: String, ecmaVersion: ECMAScriptVersion, crashTests: [String], additionalCodeGenerators: [(CodeGenerator, Int)], additionalProgramTemplates: WeightedList, disabledCodeGenerators: [String], disabledMutators: [String], additionalBuiltins: [String: ILType], additionalObjectGroups: [ObjectGroup] = [], optionalPostProcessor: FuzzingPostProcessor? = nil) {
+ self.processArgs = processArgs
+ self.processEnv = processEnv
+ self.maxExecsBeforeRespawn = maxExecsBeforeRespawn
+ self.timeout = timeout
+ self.codePrefix = codePrefix
+ self.codeSuffix = codeSuffix
+ self.ecmaVersion = ecmaVersion
+ self.crashTests = crashTests
+ self.additionalCodeGenerators = additionalCodeGenerators
+ self.additionalProgramTemplates = additionalProgramTemplates
+ self.disabledCodeGenerators = disabledCodeGenerators
+ self.disabledMutators = disabledMutators
+ self.additionalBuiltins = additionalBuiltins
+ self.additionalObjectGroups = additionalObjectGroups
+ self.optionalPostProcessor = optionalPostProcessor
+ }
 }
 let profiles = [
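Review bot: The new stored property `additionalObjectGroups` in the Profile.swift hunk carries no comment, while the neighbouring `optionalPostProcessor` explains its purpose; suggest `// ObjectGroups describing the object types referenced by additionalBuiltins; handed to the JavaScriptEnvironment in main.swift.` so readers know the two lists must be kept in sync (a builtin typed `.object(ofGroup:)` whose group is not listed here would presumably only be noticed at runtime). The hand-written initializer packs fifteen parameters onto one line; one parameter per line plus a comment stating that it exists only to give `additionalObjectGroups` and `optionalPostProcessor` defaults so existing profiles compile unchanged would make the next field addition less error-prone, since this init now shadows the synthesized memberwise one and must be updated by hand.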
diff --git a/Sources/FuzzilliCli/main.swift b/Sources/FuzzilliCli/main.swift
index 98a9787..6e21a6a 100644
--- a/Sources/FuzzilliCli/main.swift
+++ b/Sources/FuzzilliCli/main.swift
@@ -438,7 +438,7 @@ func makeFuzzer(with configuration: Configuration) -> Fuzzer {
 }
 // The environment containing available builtins, property names, and method names.
- let environment = JavaScriptEnvironment(additionalBuiltins: profile.additionalBuiltins, additionalObjectGroups: [])
+ let environment = JavaScriptEnvironment(additionalBuiltins: profile.additionalBuiltins, additionalObjectGroups: profile.additionalObjectGroups)
 // A lifter to translate FuzzIL programs to JavaScript.
 let lifter = JavaScriptLifter(prefix: profile.codePrefix,
--
Gitee