ExpoSEJS / ExpoSE

A Dynamic Symbolic Execution (DSE) engine for JavaScript. ExpoSE is highly scalable, compatible with recent JavaScript standards, and supports symbolic modelling of strings and regular expressions.
MIT License

Infinite Call Loop #90

Open cl0udz opened 4 years ago

cl0udz commented 4 years ago

Recently I have been trying to analyze some modules with ExpoSE. Since ExpoSE is based on jalangi2, I have to use babel to downgrade modules that are not compatible with jalangi2. Then I found the bug: some test scripts cannot work correctly with ExpoSE.

Take consono as an example. It will infinitely call the following functions when running with ExpoSE.

[?] Entering anonymous near (/home/james/nodejs/ExpoSE/node_modules/core-js/internals/fix-regexp-well-known-symbol-logic.js:116:7:116:75)
[?] TODO: IsNative Uncached
[?] Entering anonymous near (/home/james/nodejs/ExpoSE/node_modules/core-js/modules/es.string.replace.js:38:3:98:4)
[?] TODO: IsNative Uncached
[?] Entering anonymous near (/home/james/nodejs/ExpoSE/node_modules/core-js/internals/fix-regexp-well-known-symbol-logic.js:94:41:105

The command I executed is EXPOSE_PRINT_PATHS=1 EXPOSE_LOG_LEVEL=3 ./expoSE target/TestConsono/TestConsono.js.

In case you need the testcase, I've uploaded it to the following repo. https://github.com/cl0udz/bug-poc

jawline commented 4 years ago

Thanks for the report.

It looks like the method used to concretize calls to native methods is getting stuck in a loop (https://github.com/ExpoSEJS/ExpoSE/blob/master/Analyser/src/Utilities/IsNative.js). Unfortunately, there is no great way we've found of handling concretization in these cases for JS.

I'll take a look and see if there's anything I can do for this case.

(One thing to note - we maintain a modified version of Jalangi with Babel built-in. You shouldn't need to manually transpile it.)

jawline commented 4 years ago

Hi @cl0udz,

I'm taking another look at this bug now (it's been forever, sorry!). I can't seem to reproduce the same error on my system; instead I'm getting a parser failure due to a missing corejs library. Could you tell me which git commit of ExpoSE you used to get this issue?

cl0udz commented 4 years ago

Sorry for the late reply. I was busy with another project, but I've finally fixed the bug now. Actually, the problem is that babel may modify some native functions used by ExpoSE (e.g. JSON.stringify). This will cause infinite recursive calls when analyzing the module. I'll send a pull request in several days.
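As an added illustration of the failure mode described above (this is not code from ExpoSE or its IsNative.js): a native-function check that snapshots the built-ins it depends on before a transpiler polyfill can replace them, so the check never calls into patched code, and that classifies a core-js-style wrapper as non-native. All function names here are assumed for the example.

```javascript
// Added illustration, not ExpoSE's own IsNative.js: a native-function check
// that captures the built-ins it relies on at load time, before any polyfill
// (e.g. core-js pulled in by Babel) can overwrite them.

// Originals captured before polyfills run.
const nativeToString = Function.prototype.toString;
const nativeStringify = JSON.stringify;
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// True iff the engine reports fn as native. The snapshotted toString is
// invoked via .call, so a function that overrides its own .toString cannot
// spoof the result, and a patched Function.prototype.toString is never used.
function isNative(fn) {
  if (typeof fn !== 'function') return false;
  return NATIVE_RE.test(nativeToString.call(fn));
}

// Constructed stand-in for a core-js style shim: a plain JS wrapper around
// the real String.prototype.replace, which is what an analyser sees after
// Babel has rewritten the target module.
function shimReplace(original) {
  return function replace(search, replacement) {
    return original.call(this, search, replacement);
  };
}

// Simulates a polyfill overwriting JSON.stringify after the snapshot was
// taken. Returns [globalIsNative, snapshotIsNative] and restores the global.
function classifyUnderPolyfill() {
  const real = JSON.stringify;
  JSON.stringify = function stringify(v) { return real(v); };
  try {
    return [isNative(JSON.stringify), isNative(nativeStringify)];
  } finally {
    JSON.stringify = real;
  }
}

// A function that fakes its own source text; the snapshotted toString
// ignores the instance-level override and reports it as non-native.
function spoofed() {}
spoofed.toString = () => 'function spoofed() { [native code] }';
```

One caveat the check cannot resolve on its own: functions produced by Function.prototype.bind also print as `[native code]`, so a bound user function is reported as native.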

jawline commented 4 years ago

Oh awesome, that's great. Thanks!