shapesecurity / shift-fuzzer-js

generate random valid Shift format ASTs
http://shift-ast.org/fuzzer.html
Apache License 2.0

Fuzzer generates (and exports) duplicate bindings #2

Open bakkot opened 8 years ago

bakkot commented 8 years ago

Fixing this will involve tracking state in a more complex way

mightyiam commented 6 years ago

Search the output below for the identifier `interface`:

// Sample program emitted by the fuzzer, quoted in the issue as a reproducer.
// The duplicate binding is in the parameter list of the function expression
// inside the `with` statement further down: the parameter `interface` is
// declared twice. (NOTE(review): the generator named `interface` below carries a
// "use strict" directive in its prologue, which presumably makes that reserved
// word as a function name an early error as well — confirm against the parser.)
"";
"ÇM";
do while (xjssresbmfgrw >>>= +2e308(false.return, .../us\,/muy, .../[\=-{{-\xf7-]+/u)) try {
  for (let yield in null) for (var m of true) debugger;
  while (typeof public) ;
  // reserved word `interface` used as a function name with a strict-mode body
  function* interface(mjuotsrsmm, stdh) {
    "lh";
    "use strict";
    "žÕ";
    "use strict";
    "0T";
    {}
  }
  n();
  while (93720752936264 && /(?:\*$)/imuy) with (x) debugger;
} catch ([]) {
  switch ("Ã") {
    default:
  }
  continue;
  try {} catch (yield) {}
} while (false);
class xtcrfpkksdgl {}
switch (function* (fumrcnukrlafjurp) {
  "";
  "6";
  "use strict";
  "!";
  if ({}) {
    try {} catch (t) {}
    try {} finally {}
    for (var d in 2e308) ;
    return;
  } else for (tci in typeof "6ví") throw new.target;
  -{o, n, "¿5ÎÛ": this, eval, eval};
}) {
  case false["ãú"] *= 2e308:
    for (this.if of class pfoekroxekyxymly extends `«ç+` {}) for (var arguments of 2e308) while (0) break;
    break;
    throw implements--;
  case true:
    let {} = [];
    function* a() {
      "";
      "";
      "´Eûl";
      "9";
      "";
      "use strict";
    }
    true;
    while (1969.89) for ([, , , , ...{}] of 2e308) (class {});
  case 2e308:
    try {
      try {} catch (f) {} finally {}
    } catch ([, ]) {}
    // Duplicate binding: the parameter `interface` is declared twice
    // (`interface = ""` and `interface = null`) in one parameter list.
    with ((null + .44)[/(?:[-\a-m-])/imu] = function (g = "q", interface = "", interface = null, package = "ÏñÄ", j = false) {
      "cšÎQ";
      "9{";
    }) debugger;
}
for (var static of (++ncn)(...void function bduxcjdqlicpbc(nyq, cndbbxrmmrkrodpm, wruxjugw) {
  "þeRÒk";
  "use strict";
  switch (true) {}
})) debugger;

This is causing a runtime error in shift-parser.

mightyiam commented 6 years ago

I had to handle this in my code:

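/**
 * Generates a random program with the fuzzer and parses it, retrying with a
 * fresh program until the parser accepts one.
 *
 * The fuzzer can emit programs the parser rejects (duplicate bindings, see the
 * linked issue), so every parse failure is logged and another program is
 * generated. The loop has no upper bound: it ends only when a parse succeeds.
 *
 * @returns the accepted source text, the parsed `tree` as `ast`, and the
 *   parser's `locations` result (presumably position data — confirm against
 *   sourceCodeToAst).
 */
export const getRandomAstThings = (): any => {
  let sourceCode: string = ''
  let timesFailed = 0
  let ast: any = null
  let locations: any
  while (ast === null) {
    try {
      sourceCode = getRandomSourceCode()
      const result = sourceCodeToAst(sourceCode) // https://github.com/shapesecurity/shift-fuzzer-js/issues/2
      ast = result.tree
      locations = result.locations
    } catch (error: unknown) {
      timesFailed++
      // Log the parser's reason alongside the count: the original message only
      // said how often parsing failed, which hides which generated construct
      // (e.g. a duplicate binding) the parser rejected.
      const reason = error instanceof Error ? error.message : String(error)
      console.error(`source code parsing failed ${timesFailed} times: ${reason}`)
    }
  }
  return { sourceCode, ast, locations }
}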
bakkot commented 6 years ago

@mightyiam, yeah, the website has a similar hack. Though just the validator should be sufficient (or possibly validator + early error checker), and faster than reparsing if that's not something you're doing anyway.