Skip to content

Commit 2ec7c0d

Browse files
LiedtkeV8-internal LUCI CQ
Liedtke
authored and
V8-internal LUCI CQ
committed
[environment] Add some more builtins
- Proxy.revocabale - Promise.withResolvers - Number.parseFloat - Number.parseInt - Object.groupBy - Object.hasOwn Bug: 487347678 Change-Id: I67c3c1c0b0d517dc61cc8a26c69031b81cf9eccc Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9058838 Reviewed-by: Danylo Mocherniuk <mdanylo@google.com> Commit-Queue: Danylo Mocherniuk <mdanylo@google.com>
1 parent 31a2df5 commit 2ec7c0d

1 file changed

Lines changed: 20 additions & 4 deletions

File tree

Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift

Lines changed: 20 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -405,6 +405,7 @@ public class JavaScriptEnvironment: ComponentBase {
405405
registerObjectGroup(.jsObjectConstructor)
406406
registerObjectGroup(.jsPromiseConstructor)
407407
registerObjectGroup(.jsPromisePrototype)
408+
registerObjectGroup(.jsProxyConstructor)
408409
registerObjectGroup(.jsArrayConstructor)
409410
registerObjectGroup(.jsStringConstructor)
410411
registerObjectGroup(.jsStringPrototype)
@@ -1165,7 +1166,7 @@ public extension ILType {
11651166
}
11661167

11671168
/// Type of the JavaScript Object constructor builtin.
1168-
static let jsObjectConstructor = .functionAndConstructor([.jsAnything...] => .object()) + .object(ofGroup: "ObjectConstructor", withProperties: ["prototype"], withMethods: ["assign", "fromEntries", "getOwnPropertyDescriptor", "getOwnPropertyDescriptors", "getOwnPropertyNames", "getOwnPropertySymbols", "is", "preventExtensions", "seal", "create", "defineProperties", "defineProperty", "freeze", "getPrototypeOf", "setPrototypeOf", "isExtensible", "isFrozen", "isSealed", "keys", "entries", "values"])
1169+
static let jsObjectConstructor = .functionAndConstructor([.jsAnything...] => .object()) + .object(ofGroup: "ObjectConstructor", withProperties: ["prototype"], withMethods: ["assign", "fromEntries", "getOwnPropertyDescriptor", "getOwnPropertyDescriptors", "getOwnPropertyNames", "getOwnPropertySymbols", "is", "preventExtensions", "seal", "create", "defineProperties", "defineProperty", "freeze", "getPrototypeOf", "setPrototypeOf", "isExtensible", "isFrozen", "isSealed", "keys", "entries", "values", "groupBy", "hasOwn"])
11691170

11701171
/// Type of the JavaScript Array constructor builtin.
11711172
static let jsArrayConstructor = .functionAndConstructor([.integer] => .jsArray) + .object(ofGroup: "ArrayConstructor", withProperties: ["prototype"], withMethods: ["from", "fromAsync", "of", "isArray"])
@@ -1180,7 +1181,7 @@ public extension ILType {
11801181
static let jsBooleanConstructor = ILType.functionAndConstructor([.jsAnything] => .boolean) + .object(ofGroup: "BooleanConstructor", withProperties: ["prototype"], withMethods: [])
11811182

11821183
/// Type of the JavaScript Number constructor builtin.
1183-
static let jsNumberConstructor = ILType.functionAndConstructor([.jsAnything] => .number) + .object(ofGroup: "NumberConstructor", withProperties: ["prototype", "EPSILON", "MAX_SAFE_INTEGER", "MAX_VALUE", "MIN_SAFE_INTEGER", "MIN_VALUE", "NaN", "NEGATIVE_INFINITY", "POSITIVE_INFINITY"], withMethods: ["isNaN", "isFinite", "isInteger", "isSafeInteger"])
1184+
static let jsNumberConstructor = ILType.functionAndConstructor([.jsAnything] => .number) + .object(ofGroup: "NumberConstructor", withProperties: ["prototype", "EPSILON", "MAX_SAFE_INTEGER", "MAX_VALUE", "MIN_SAFE_INTEGER", "MIN_VALUE", "NaN", "NEGATIVE_INFINITY", "POSITIVE_INFINITY"], withMethods: ["isNaN", "isFinite", "isInteger", "isSafeInteger", "parseFloat", "parseInt"])
11841185

11851186
/// Type of the JavaScript Symbol constructor builtin.
11861187
static let jsSymbolConstructor = ILType.function([.string] => .jsSymbol) + .object(ofGroup: "SymbolConstructor", withProperties: JavaScriptEnvironment.wellKnownSymbols, withMethods: ["for", "keyFor"])
@@ -1231,10 +1232,10 @@ public extension ILType {
12311232
static let jsDataViewConstructor = ILType.constructor([.plain(.jsArrayBuffer), .opt(.integer), .opt(.integer)] => .jsDataView) + .object(ofGroup: "DataViewConstructor", withProperties: ["prototype"])
12321233

12331234
/// Type of the JavaScript Promise constructor builtin.
1234-
static let jsPromiseConstructor = ILType.constructor([.function()] => .jsPromise) + .object(ofGroup: "PromiseConstructor", withProperties: ["prototype"], withMethods: ["resolve", "reject", "all", "any", "race", "allSettled", "try"])
1235+
static let jsPromiseConstructor = ILType.constructor([.function()] => .jsPromise) + .object(ofGroup: "PromiseConstructor", withProperties: ["prototype"], withMethods: ["resolve", "reject", "all", "any", "race", "allSettled", "try", "withResolvers"])
12351236

12361237
/// Type of the JavaScript Proxy constructor builtin.
1237-
static let jsProxyConstructor = ILType.constructor([.object(), .object()] => .jsAnything)
1238+
static let jsProxyConstructor = ILType.constructor([.object(), .object()] => .jsAnything) + .object(ofGroup: "ProxyConstructor", withProperties: [], withMethods: ["revocable"])
12381239

12391240
/// Type of the JavaScript Map constructor builtin.
12401241
static let jsMapConstructor = ILType.constructor([.object()] => .jsMap) + .object(ofGroup: "MapConstructor", withProperties: ["prototype"], withMethods: ["groupBy"])
@@ -1700,6 +1701,16 @@ public extension ObjectGroup {
17001701
]
17011702
)
17021703

1704+
static let jsProxyConstructor = ObjectGroup(
1705+
name: "ProxyConstructor",
1706+
constructorPath: "Proxy",
1707+
instanceType: .jsProxyConstructor,
1708+
properties: [:],
1709+
methods: [
1710+
"revocable": [.object(), .object()] => .object(withProperties: ["proxy", "revoke"])
1711+
]
1712+
)
1713+
17031714
static let jsMapPrototype = createPrototypeObjectGroup(jsMaps,
17041715
constructor: .jsMapConstructor)
17051716

@@ -2095,6 +2106,7 @@ public extension ObjectGroup {
20952106
"race" : [.jsPromise...] => .jsPromise,
20962107
"allSettled" : [.jsPromise...] => .jsPromise,
20972108
"try" : [.function(), .jsAnything...] => .jsPromise,
2109+
"withResolvers": [] => .object(withProperties: ["promise", "resolve", "reject"]),
20982110
]
20992111
)
21002112

@@ -2199,6 +2211,8 @@ public extension ObjectGroup {
21992211
"seal" : [.object()] => .object(),
22002212
"setPrototypeOf" : [.object(), .object()] => .object(),
22012213
"values" : [.object()] => .jsArray,
2214+
"groupBy" : [.iterable, .function()] => .object(),
2215+
"hasOwn" : [.object(), .oneof(.jsString, .jsSymbol)] => .boolean,
22022216
]
22032217
)
22042218

@@ -2369,6 +2383,8 @@ public extension ObjectGroup {
23692383
"isFinite" : [.jsAnything] => .boolean,
23702384
"isInteger" : [.jsAnything] => .boolean,
23712385
"isSafeInteger" : [.jsAnything] => .boolean,
2386+
"parseFloat" : [.string] => .float,
2387+
"parseInt" : [.string] => .integer,
23722388
]
23732389
)
23742390

0 commit comments

Comments
 (0)