Add guards for possible invalid function calls

This patch adds an easy way for callers of randomVariable and randomArguments to know when the returned variables may not fulfill the given constraints. It also adds guards to various function calls if this is the case.

Bug: 40272934
Change-Id: Id5dbc944ea23a0fb6486b0abdb65f5b1a5d358d7
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8543123
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Hendrik Wüthrich <whendrik@google.com>

Author: whendrik-cmd

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -804,12 +804,15 @@ public class ProgramBuilder {
     /// It's the caller's responsibility to check the type of the returned variable to avoid runtime exceptions if necessary. For example, if performing a
     /// property access, the returned variable should be checked if it `MayBe(.nullish)` in which case a property access would result in a
     /// runtime exception and so should be appropriately guarded against that.
+    /// This function also returns a boolean, `matches`. If matches is not true, it means that value being returned either `MayBe` the type requested, or
+    /// is a random JsVariable.
     ///
     /// If the variable must be of the specified type, use `randomVariable(ofType:)` instead.
-    public func randomVariable(forUseAs type: ILType) -> Variable {
+    public func randomVariable(forUseAsGuarded type: ILType) -> (variable: Variable, matches: Bool) {
         assert(type != .nothing)
 
         var result: Variable? = nil
+        var matches = true
 
         // Prefer variables that are known to have the requested type if there's a sufficient number of them.
         if probability(probabilityOfVariableSelectionTryingToFindAnExactMatch) {
@@ -820,13 +823,24 @@ public class ProgramBuilder {
         // In particular, this query will include all variable for which we don't know the type as they'll
         // be typed as .jsAnything. We usually expect to have a lot of candidates available for this query,
         // so we don't check the number of them upfront as we do for the above query.
+        // If findVariable(satisfying: { self.type(of: $0).Is(type) }) returned nil, we cannot be sure that
+        // the result matches the requested type, so we set matches to be false.
         if result == nil {
+            matches = false
             result = findVariable(satisfying: { self.type(of: $0).MayBe(type) })
         }
 
         // Worst case fall back to completely random variables. This should happen rarely, as we'll usually have
         // at least some variables of type .jsAnything.
-        return result ?? randomJsVariable()
+        return (result ?? randomJsVariable(), matches)
+    }
+
+    /// This function is a wrapper around `randomVariable(forUseAsGuarded type:)' which ignores the `matches`
+    /// value that it returns.
+    /// See the comment above the other function for details.
+    public func randomVariable(forUseAs type: ILType) -> Variable {
+        assert(type != .nothing)
+        return randomVariable(forUseAsGuarded: type).variable
     }
 
     /// Returns a random variable that is known to have the given type.
@@ -941,6 +955,29 @@ public class ProgramBuilder {
         return parameterTypes.map({ randomVariable(forUseAs: $0) })
     }
 
+    /// Find random variables to use as arguments for calling a function with the given parameters.
+    ///
+    /// If any of the arguments returned does not match the type of its corresponding parameter,
+    /// the boolean this function returns will be true. If everything matches, it will be false.
+    public func randomArguments(forCallingGuardableFunction function: Variable) -> (arguments: [Variable], allArgsMatch: Bool) {
+        let signature = type(of: function).signature ?? Signature.forUnknownFunction
+        let params = signature.parameters
+        assert(params.count == 0 || hasVisibleVariables)
+
+        let parameterTypes = ProgramBuilder.prepareArgumentTypes(forParameters: params)
+
+        var variables: [Variable] = []
+        var allArgsMatch = true
+        for type in parameterTypes {
+            let (variable, matches) = randomVariable(forUseAsGuarded: type)
+            variables.append(variable)
+            allArgsMatch = allArgsMatch && matches
+        }
+
+        return (variables, allArgsMatch)
+    }
+
+
     /// Converts the JS world signature into a Wasm world signature.
     /// In practice this means that we will try to map JS types to corresponding Wasm types.
     /// E.g. .number becomes .wasmf32, .bigint will become .wasmi64, etc.

Sources/Fuzzilli/CodeGen/CodeGenerators.swift

@@ -125,12 +125,12 @@ public let CodeGenerators: [CodeGenerator] = [
         let fctName = (useProperty ? prototypeType.properties : prototypeType.methods).randomElement()!
         let fct = b.getProperty(fctName, of: prototype)
         let fctType = b.type(of: fct)
-        let arguments = b.randomArguments(forCalling: fct)
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: fct)
         let receiverType = fctType.receiver ?? prototypeType
         let desiredReceiverType = fctType.receiver ?? prototypeType
         let receiver = b.randomVariable(forUseAs: desiredReceiverType)
         let needGuard = (!fctType.Is(.function()) && !fctType.Is(.unboundFunction()))
-            || !b.type(of: receiver).Is(receiverType)
+            || !b.type(of: receiver).Is(receiverType) || !matches
         if Bool.random() {
             b.callMethod("call", on: fct, withArgs: [receiver] + arguments, guard: needGuard)
         } else {
@@ -918,7 +918,8 @@ public let CodeGenerators: [CodeGenerator] = [
             b.buildRecursive()
             b.doReturn(b.randomJsVariable())
         }
-        b.callFunction(f, withArgs: b.randomArguments(forCalling: f))
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+        b.callFunction(f, withArgs: arguments, guard: !matches)
     },
 
     RecursiveCodeGenerator("StrictModeFunctionGenerator") { b in
@@ -929,7 +930,8 @@ public let CodeGenerators: [CodeGenerator] = [
             b.buildRecursive()
             b.doReturn(b.randomJsVariable())
         }
-        b.callFunction(f, withArgs: b.randomArguments(forCalling: f))
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+        b.callFunction(f, withArgs: arguments, guard: !matches)
     },
 
     RecursiveCodeGenerator("ArrowFunctionGenerator") { b in
@@ -952,7 +954,8 @@ public let CodeGenerators: [CodeGenerator] = [
             }
             b.doReturn(b.randomJsVariable())
         }
-        b.callFunction(f, withArgs: b.randomArguments(forCalling: f))
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+        b.callFunction(f, withArgs: arguments, guard: !matches)
     },
 
     RecursiveCodeGenerator("AsyncFunctionGenerator") { b in
@@ -961,7 +964,8 @@ public let CodeGenerators: [CodeGenerator] = [
             b.await(b.randomJsVariable())
             b.doReturn(b.randomJsVariable())
         }
-        b.callFunction(f, withArgs: b.randomArguments(forCalling: f))
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+        b.callFunction(f, withArgs: arguments, guard: !matches)
     },
 
     RecursiveCodeGenerator("AsyncArrowFunctionGenerator") { b in
@@ -986,7 +990,8 @@ public let CodeGenerators: [CodeGenerator] = [
             }
             b.doReturn(b.randomJsVariable())
         }
-        b.callFunction(f, withArgs: b.randomArguments(forCalling: f))
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+        b.callFunction(f, withArgs: arguments, guard: !matches)
     },
 
     CodeGenerator("PropertyRetrievalGenerator", inputs: .preferred(.object())) { b, obj in
@@ -1227,16 +1232,13 @@ public let CodeGenerators: [CodeGenerator] = [
     },
 
     CodeGenerator("FunctionCallGenerator", inputs: .preferred(.function())) { b, f in
-        let arguments = b.randomArguments(forCalling: f)
-        // TODO: we may also need guarding if the arguments aren't compatible with the expected ones
-        let needGuard = b.type(of: f).MayNotBe(.function())
-        b.callFunction(f, withArgs: arguments, guard: needGuard)
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+        b.callFunction(f, withArgs: arguments, guard: !matches)
     },
 
     CodeGenerator("ConstructorCallGenerator", inputs: .preferred(.constructor())) { b, c in
-        let arguments = b.randomArguments(forCalling: c)
-        // TODO: we may also need guarding if the arguments aren't compatible with the expected ones
-        let needGuard = b.type(of: c).MayNotBe(.constructor())
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: c)
+        let needGuard = b.type(of: c).MayNotBe(.constructor()) || !matches
         b.construct(c, withArgs: arguments, guard: needGuard)
     },
 
@@ -1261,22 +1263,20 @@ public let CodeGenerators: [CodeGenerator] = [
     },
 
     CodeGenerator("UnboundFunctionCallGenerator", inputs: .preferred(.unboundFunction())) { b, f in
-        let arguments = b.randomArguments(forCalling: f)
+        let (arguments, argsMatch) = b.randomArguments(forCallingGuardableFunction: f)
         let fctType = b.type(of: f)
-        // TODO: we may also need guarding if the arguments aren't compatible with the expected ones
-        let needGuard = fctType.MayNotBe(.unboundFunction())
-        let receiver = b.randomVariable(forUseAs: fctType.receiver ?? .object())
+        let (receiver, recMatches) = b.randomVariable(forUseAsGuarded: fctType.receiver ?? .object())
+        let needGuard = fctType.MayNotBe(.unboundFunction()) || !argsMatch || !recMatches
         // For simplicity we just hard-code the call function. If this was a separate IL
         // instruction, the JSTyper could infer the result type.
         b.callMethod("call", on: f, withArgs: [receiver] + arguments, guard: needGuard)
     },
 
     CodeGenerator("UnboundFunctionApplyGenerator", inputs: .preferred(.unboundFunction())) { b, f in
-        let arguments = b.randomArguments(forCalling: f)
+        let (arguments, argsMatch) = b.randomArguments(forCallingGuardableFunction: f)
         let fctType = b.type(of: f)
-        // TODO: we may also need guarding if the arguments aren't compatible with the expected ones
-        let needGuard = fctType.MayNotBe(.unboundFunction())
-        let receiver = b.randomVariable(forUseAs: fctType.receiver ?? .object())
+        let (receiver, recMatches) = b.randomVariable(forUseAsGuarded: fctType.receiver ?? .object())
+        let needGuard = fctType.MayNotBe(.unboundFunction()) || !argsMatch || !recMatches
         // For simplicity we just hard-code the apply function. If this was a separate IL
         // instruction, the JSTyper could infer the result type.
         b.callMethod("apply", on: f, withArgs: [receiver, b.createArray(with: arguments)], guard: needGuard)

Sources/FuzzilliCli/Profiles/V8CommonProfile.swift

@@ -254,22 +254,26 @@ public let MapTransitionFuzzer = ProgramTemplate("MapTransitionFuzzer") { b in
         }
 
         for _ in 0..<3 {
-            b.callFunction(f, withArgs: b.randomArguments(forCalling: f))
+            let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+            b.callFunction(f, withArgs: arguments, guard: !matches)
         }
     }
     let functionCallGenerator = CodeGenerator("FunctionCall", inputs: .required(.function())) { b, f in
         assert(b.type(of: f).Is(.function()))
-        let rval = b.callFunction(f, withArgs: b.randomArguments(forCalling: f))
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+        let rval = b.callFunction(f, withArgs: arguments, guard: !matches)
     }
     let constructorCallGenerator = CodeGenerator("ConstructorCall", inputs: .required(.constructor())) { b, c in
         assert(b.type(of: c).Is(.constructor()))
-        let rval = b.construct(c, withArgs: b.randomArguments(forCalling: c))
+        let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: c)
+        let rval = b.construct(c, withArgs: arguments, guard: !matches)
      }
     let functionJitCallGenerator = CodeGenerator("FunctionJitCall", inputs: .required(.function())) { b, f in
         assert(b.type(of: f).Is(.function()))
         let args = b.randomArguments(forCalling: f)
         b.buildRepeatLoop(n: 100) { _ in
-            b.callFunction(f, withArgs: args)
+            let (arguments, matches) = b.randomArguments(forCallingGuardableFunction: f)
+            b.callFunction(f, withArgs: arguments, guard: !matches)
         }
     }
 

Tests/FuzzilliTests/ProgramBuilderTest.swift

@@ -260,6 +260,46 @@ class ProgramBuilderTests: XCTestCase {
         XCTAssertEqual(b.randomVariable(preferablyNotOfType: .jsAnything), nil)
     }
 
+    func testVariableRetrieval4() {
+        // This testcase demonstrates the behavior of `b.randomVariable(forUseAsGuarded:)`
+        // This API behaves in the following way:
+        //  - If a variable that matches or subsumes the requested type was found, it
+        //    returns the variable, along with a boolean that is true.
+        //  - If no matching variable was found, it will return one whose type intersects
+        //    with the requested one, or a random variable. In either of these cases, the
+        //    returned boolean will be false.
+
+        let fuzzer = makeMockFuzzer()
+        let b = fuzzer.makeBuilder()
+
+        let obj = b.createObject(with: ["x": b.loadInt(1), "y": b.loadInt(2)])
+
+        // We created three visible variables before; obj and its two properties.
+        XCTAssertEqual(b.numberOfVisibleVariables, 3)
+
+        b.probabilityOfVariableSelectionTryingToFindAnExactMatch = 1.0
+
+        do { // Search with exact match.
+            let (foundVar, matches) = b.randomVariable(forUseAsGuarded: b.type(of: obj))
+            XCTAssertEqual(obj, foundVar)
+            XCTAssert(matches)
+        }
+        do { // Search for supertype.
+            let (foundVar, matches) = b.randomVariable(forUseAsGuarded: .object(withProperties: ["x"]))
+            XCTAssertEqual(obj, foundVar)
+            XCTAssert(matches)
+        }
+        do { // Search for subtype.
+            let (foundVar, matches) = b.randomVariable(forUseAsGuarded: .object(withProperties: ["x", "y", "z"]))
+            XCTAssertEqual(obj, foundVar)
+            XCTAssertFalse(matches)
+        }
+        do { // Search for unrelated type. We ignore the variable, since it's completely random.
+            let (_, matches) = b.randomVariable(forUseAsGuarded: .string)
+            XCTAssertFalse(matches)
+        }
+    }
+
     func testRandomVarableInternal() {
         let fuzzer = makeMockFuzzer()
         let b = fuzzer.makeBuilder()