Improve class-definition generation

Previously there were two code generators for classes, the
ClassDefinitionGenerator and the WeirdClassGenerator.

The former was still an old-style generator, so it could not be
scheduled for any of the ~20 generators that require the
classDefinition context.

So all such generators scheduled the WeirdClassGenerator, which
forced a simple method as superclass, which in return doesn't contain
any interesting code as in e.g. the ObjectConstructorGenerator.

This change unifies the two class generators as one new-style
generator. The generator provides the classDefinition context, so it
can be scheduled for parts of classes. It also produces a
constructor() (unlike the WeirdClassGenerator), so it can be
scheduled for generators that require constructor()-type input.

Bug: 446632644
Change-Id: I7313dae3998cdd0ff488779debeca7c6ab333fc9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8705459
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>

Author: mi-ac

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -192,7 +192,6 @@ public let codeGeneratorWeights = [
     "PrototypeOverwriteGenerator":              10,
     "CallbackPropertyGenerator":                10,
     "MethodCallWithDifferentThisGenerator":     5,
-    "WeirdClassGenerator":                      10,
     "ProxyGenerator":                           10,
     "LengthChangeGenerator":                    5,
     "ElementKindChangeGenerator":               5,

Sources/Fuzzilli/CodeGen/CodeGenerators.swift

@@ -367,39 +367,46 @@ public let CodeGenerators: [CodeGenerator] = [
         }
     },
 
-    CodeGenerator("ClassDefinitionGenerator", produces: [.constructor()]) { b in
-        // Possibly pick a superclass. The superclass must be a constructor (or null), otherwise a type error will be raised at runtime.
-        var superclass: Variable? = nil
-        if probability(0.5) && b.hasVisibleVariables {
-            superclass = b.randomVariable(ofType: .constructor())
-        }
-
-        // If there are no visible variables, create some random number- or string values first, so they can be used for example as property values.
-        if !b.hasVisibleVariables {
-            for _ in 0..<3 {
-                withEqualProbability(
-                    {
-                        b.loadInt(b.randomInt())
-                    },
-                    {
-                        b.loadFloat(b.randomFloat())
-                    },
-                    {
-                        b.loadString(b.randomString())
-                    })
-            }
-        }
-
-        // Create the class.
-        let c = b.buildClassDefinition(withSuperclass: superclass, isExpression: probability(0.3)) { cls in
-            b.buildRecursive(n: defaultCodeGenerationAmount)
-        }
+    CodeGenerator(
+        "ClassDefinitionGenerator",
+        [
+            GeneratorStub(
+                "ClassDefinitionBeginGenerator",
+                produces: [.constructor()],
+                provides: [.classDefinition]
+            ) { b in
+                // Possibly pick a superclass.
+                // The superclass must be a constructor (or null).
+                var superclass: Variable? = nil
+                if probability(0.4) && b.hasVisibleVariables {
+                    superclass = b.randomVariable(ofType: .constructor())
+                } else if probability(0.2) {
+                    superclass = b.buildPlainFunction(with: .parameters(n: 1)) {
+                        args in
+                        b.doReturn(b.randomJsVariable())
+                    }
+                }
+                let inputs = superclass != nil ? [superclass!] : []
+                let cls = b.emit(BeginClassDefinition(
+                        hasSuperclass: superclass != nil,
+                        isExpression: probability(0.3)),
+                    withInputs: inputs).output
+                b.runtimeData.push("class", cls)
+            },
+            GeneratorStub(
+                "ClassDefinitionEndGenerator",
+                inContext: .single(.classDefinition)
+            ) { b in
+                b.emit(EndClassDefinition())
 
-        // And construct a few instances of it.
-        for _ in 0..<Int.random(in: 1...4) {
-            b.construct(c, withArgs: b.randomArguments(forCalling: c))
-        }
-    },
+                // Construct a few instances of the class.
+                let cls = b.runtimeData.pop("class")
+                for _ in 0..<Int.random(in: 0...4) {
+                    b.construct(cls, withArgs: b.randomArguments(forCalling: cls))
+                }
+            },
+        ]
+    ),
 
     CodeGenerator("TrivialFunctionGenerator", produces: [.function()]) { b in
         // Generating more than one function has a fairly high probability of generating
@@ -2485,31 +2492,6 @@ public let CodeGenerators: [CodeGenerator] = [
         b.callMethod("construct", on: reflect, withArgs: arguments)
     },
 
-    CodeGenerator(
-        "WeirdClassGenerator",
-        [
-            GeneratorStub(
-                "WeirdClassBeginGenerator",
-                provides: [.classDefinition]
-            ) { b in
-                // See basically https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Classes/Private_class_fields#examples
-                let base = b.buildPlainFunction(with: .parameters(n: 1)) {
-                    args in
-                    b.doReturn(b.randomJsVariable())
-                }
-                b.emit(
-                    BeginClassDefinition(hasSuperclass: true, isExpression: probability(0.3)),
-                    withInputs: [base])
-            },
-            GeneratorStub(
-                "WeirdClassGenerator",
-                inContext: .single(.classDefinition)
-            ) { b in
-                b.emit(EndClassDefinition())
-            },
-        ]
-    ),
-
     CodeGenerator("ProxyGenerator", inputs: .preferred(.object())) {
         b, target in
         var candidates = Set([

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -1118,7 +1118,11 @@ public struct JSTyper: Analyzer {
 
             dynamicObjectGroupManager.createNewClass(withSuperType: superType, propertyMap: propertySuperTypeMap, methodMap: methodSuperTypeMap, superConstructorType: superConstructorType, forOutput: instr.output)
 
-            set(instr.output, .jsAnything)         // Treat the class variable as unknown until we have fully analyzed the class definition
+            // We only know here that this is going to be a constructor() type.
+            // On endClassDefinition below, the exact type is refined. But we
+            // need to already set this broader type here, so that begin-
+            // generator stubs can claim they produce a constructor().
+            set(instr.output, .constructor())
         case .endClassDefinition:
             let (instanceType, classDefinition) = dynamicObjectGroupManager.finalizeClass()
             set(classDefinition.output, classDefinition.objectGroup.instanceType + .constructor(classDefinition.constructorParameters => instanceType))