Refactoring - helper for Symbol properties

Also canonically hide the intermediate variable used for "Symbol" as
done in some of the existing use cases.

Bug: 446634535
Change-Id: I00794d4120057ef7e096ca913f827f8872d6ce41
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8646836
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>

Author: mi-ac

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -3131,6 +3131,15 @@ public class ProgramBuilder {
         return emit(CreateNamedAsyncDisposableVariable(name), withInputs: [initialValue]).output
     }
 
+    @discardableResult
+    public func createSymbolProperty(_ name: String) -> Variable {
+        let Symbol = createNamedVariable(forBuiltin: "Symbol")
+        // The Symbol constructor is just a "side effect" and probably
+        // shouldn't be used by following generators.
+        hide(Symbol)
+        return getProperty(name, of: Symbol)
+    }
+
     @discardableResult
     public func eval(_ string: String, with arguments: [Variable] = [], hasOutput: Bool = false) -> Variable? {
         let instr = emit(Eval(string, numArguments: arguments.count, hasOutput: hasOutput), withInputs: arguments)

Sources/Fuzzilli/CodeGen/CodeGenerators.swift

@@ -426,8 +426,7 @@ public let CodeGenerators: [CodeGenerator] = [
         "DisposableVariableGenerator", inContext: .single(.subroutine), inputs: .one
     ) { b, val in
         assert(b.context.contains(.subroutine))
-        let dispose = b.getProperty(
-            "dispose", of: b.createNamedVariable(forBuiltin: "Symbol"))
+        let dispose = b.createSymbolProperty("dispose")
         let disposableVariable = b.buildObjectLiteral { obj in
             obj.addProperty("value", as: val)
             obj.addComputedMethod(dispose, with: .parameters(n: 0)) { args in
@@ -442,8 +441,7 @@ public let CodeGenerators: [CodeGenerator] = [
         inputs: .one
     ) { b, val in
         assert(b.context.contains(.asyncFunction))
-        let asyncDispose = b.getProperty(
-            "asyncDispose", of: b.createNamedVariable(forBuiltin: "Symbol"))
+        let asyncDispose = b.createSymbolProperty("asyncDispose")
         let asyncDisposableVariable = b.buildObjectLiteral { obj in
             obj.addProperty("value", as: val)
             obj.addComputedMethod(asyncDispose, with: .parameters(n: 0)) {
@@ -2672,22 +2670,17 @@ public let CodeGenerators: [CodeGenerator] = [
     CodeGenerator(
         "WellKnownPropertyLoadGenerator", inputs: .preferred(.object())
     ) { b, obj in
-        let Symbol = b.createNamedVariable(forBuiltin: "Symbol")
-        // The Symbol constructor is just a "side effect" of this generator and probably shouldn't be used by following generators.
-        b.hide(Symbol)
-        let name = chooseUniform(from: JavaScriptEnvironment.wellKnownSymbols)
-        let propertyName = b.getProperty(name, of: Symbol)
+        let propertyName = b.createSymbolProperty(
+            chooseUniform(from: JavaScriptEnvironment.wellKnownSymbols))
         let needGuard = b.type(of: obj).MayBe(.nullish)
         b.getComputedProperty(propertyName, of: obj, guard: needGuard)
     },
 
     CodeGenerator(
         "WellKnownPropertyStoreGenerator", inputs: .preferred(.object())
     ) { b, obj in
-        let Symbol = b.createNamedVariable(forBuiltin: "Symbol")
-        b.hide(Symbol)
-        let name = chooseUniform(from: JavaScriptEnvironment.wellKnownSymbols)
-        let propertyName = b.getProperty(name, of: Symbol)
+        let propertyName = b.createSymbolProperty(
+            chooseUniform(from: JavaScriptEnvironment.wellKnownSymbols))
         let val = b.randomJsVariable()
         b.setComputedProperty(propertyName, of: obj, to: val)
     },
@@ -2937,9 +2930,7 @@ public let CodeGenerators: [CodeGenerator] = [
                     }
                 }
             } else {
-                let toPrimitive = b.getProperty(
-                    "toPrimitive",
-                    of: b.createNamedVariable(forBuiltin: "Symbol"))
+                let toPrimitive = b.createSymbolProperty("toPrimitive")
                 imitation = b.buildObjectLiteral { obj in
                     obj.addComputedMethod(toPrimitive, with: .parameters(n: 0))
                     { _ in
@@ -3081,9 +3072,7 @@ public let CodeGenerators: [CodeGenerator] = [
     },
 
     CodeGenerator("IteratorGenerator", produces: [.iterable]) { b in
-        let Symbol = b.createNamedVariable(forBuiltin: "Symbol")
-        b.hide(Symbol)
-        let iteratorSymbol = b.getProperty("iterator", of: Symbol)
+        let iteratorSymbol = b.createSymbolProperty("iterator")
         b.hide(iteratorSymbol)
         let iterableObject = b.buildObjectLiteral { obj in
             obj.addComputedMethod(iteratorSymbol, with: .parameters(n: 0)) {

Tests/FuzzilliTests/LifterTest.swift

@@ -518,7 +518,7 @@ class LifterTests: XCTestCase {
         let null = b.loadNull()
         let v4 = b.binary(v3, v1, with: .Add)
         let otherObject = b.createNamedVariable(forBuiltin: "SomeObject")
-        let toPrimitive = b.getProperty("toPrimitive", of: b.createNamedVariable(forBuiltin: "Symbol"))
+        let toPrimitive = b.createSymbolProperty("toPrimitive")
         b.buildObjectLiteral { obj in
             obj.addProperty("p1", as: v1)
             obj.addProperty("__proto__", as: null)
@@ -653,9 +653,7 @@ class LifterTests: XCTestCase {
         let two = b.loadInt(2)
         let baz = b.loadString("baz")
         let baz42 = b.binary(baz, i, with: .Add)
-        let toPrimitive = b.getProperty(
-            "toPrimitive",
-            of: b.createNamedVariable(forBuiltin: "Symbol"))
+        let toPrimitive = b.createSymbolProperty("toPrimitive")
         let sm = b.loadString("sm")
         let C = b.buildClassDefinition() { cls in
             cls.addInstanceProperty("foo")
@@ -1827,8 +1825,7 @@ class LifterTests: XCTestCase {
         let b = fuzzer.makeBuilder()
 
         let s = b.loadString("Hello World")
-        let Symbol = b.createNamedVariable(forBuiltin: "Symbol")
-        let iterator = b.getProperty("iterator", of: Symbol)
+        let iterator = b.createSymbolProperty("iterator")
         let r = b.callComputedMethod(iterator, on: s)
         b.callMethod("next", on: r)
 
@@ -3168,7 +3165,10 @@ class LifterTests: XCTestCase {
         let f = b.buildPlainFunction(with: .parameters(n: 0)) { args in
             let v1 = b.loadInt(1)
             let v2 = b.loadInt(42)
-            let dispose = b.getProperty("dispose", of: b.createNamedVariable(forBuiltin: "Symbol"));
+            let numVariables = b.numberOfVisibleVariables
+            let dispose = b.createSymbolProperty("dispose");
+            // Test that the intermediate variable for "Symbol" stays hidden.
+            XCTAssertEqual(b.numberOfVisibleVariables, numVariables + 1)
             let disposableVariable = b.buildObjectLiteral { obj in
                 obj.addProperty("value", as: v1)
                 obj.addComputedMethod(dispose, with: .parameters(n:0)) { args in
@@ -3220,7 +3220,7 @@ class LifterTests: XCTestCase {
         let f = b.buildAsyncFunction(with: .parameters(n: 0)) { args in
             let v1 = b.loadInt(1)
             let v2 = b.loadInt(42)
-            let asyncDispose = b.getProperty("asyncDispose", of: b.createNamedVariable(forBuiltin: "Symbol"))
+            let asyncDispose = b.createSymbolProperty("asyncDispose")
             let asyncDisposableVariable = b.buildObjectLiteral { obj in
                 obj.addProperty("value", as: v1)
                 obj.addComputedMethod(asyncDispose, with: .parameters(n:0)) { args in