Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow arbitrary expressions in object and class fields #490

Open
saelo opened this issue Dec 31, 2024 · 0 comments
Open

Allow arbitrary expressions in object and class fields #490

saelo opened this issue Dec 31, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@saelo
Copy link
Collaborator

saelo commented Dec 31, 2024

Currently FuzzIL's object literals and class definitions to not allow executing arbitrary expressions for property values and computed property names. Instead, these operations simply require an existing input:

BeginObjectLiteral
    ObjectLiteralAddComputedProperty v3, v27
EndObjectLiteral

As such, the values need to be computed first, and so during compilation, code such as

let o = {
  [Symbol.toPrimitive]: function () { return this.foo; },
  foo: "bar" + "baz",
};

Becomes

function f0() {
    return this.foo;
}
const v4 = Symbol.toPrimitive;
const v7 = "bar" + "baz";
const o8 = {
    [v4]: f0,
    "foo": v7,
};

While somewhat harder to read, this is semantically identical. However, there are cases where this behavior is observable, for example with a test case such as:

class X {
    static i = 0;
    static j = X.i + 1;
}
console.log(X);

Moreover, there have been bugs in the past where it was necessary to compute expressions inside class/object literals. While Fuzzilli is not the ideal fuzzer for such types of bugs, adding support for these features would still help find similar bugs in the future.

I think the proper way to support this would be by converting the single instructions into block instructions such as

BeginObjectLiteral
    BeginObjectLiteralComputedPropertyName
        v11 <- CreateNamedVariable "Symbol"
        v12 <- GetProperty v11, "toPrimitive"
    BeginObjectLiteralComputedPropertyValue v12
        v13 <- BeginPlainFunction
            ...
        EndPlainFunction
    EndObjectLiteralComputedProperty v13
EndObjectLiteral

Which would then lift to

let o = {
    [Symbol.toPrimitive]: function() { ... },
};

This is adds a bit of bloat, but on the other hand is really flexible and allows us to perform any computation in these contexts. We already support lifting into a "single-expression" context so we can reuse all of that logic in the lifter, and so this change should mostly just affect the FuzzIL operations.
@saelo saelo added the enhancement New feature or request label Dec 31, 2024
saelo pushed a commit that referenced this issue Jan 10, 2025
Allow object literals to be inlined
434e6e8 
This change adds some logic to allow object literals to be inlined if
they are "simple" (e.g. empty or just containing a few properties). This
is mostly just for aesthetical reasons. In the future, we should
consider allowing other expressions to be inlined into object literals,
but that will likely require changes to FuzzIL itself. See also
#490

Change-Id: Ic3cc8dfbcea660badb4f174739193873f0642946
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/7934466
Commit-Queue: Samuel Groß <[email protected]>
Reviewed-by: Carl Smith <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@saelo