Add simple mechanism to share data between stubs in a code generator

Bug: 445356784
Change-Id: I4a8f93b9a65f0df23c028287c908d38e7f23befc
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8707582
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Michael Achenbach <machenbach@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -19,6 +19,38 @@ import Foundation
 /// This provides methods for constructing and appending random
 /// instances of the different kinds of operations in a program.
 public class ProgramBuilder {
+
+    /// Runtime data used by code generators to share data between different stubs inside the same
+    /// code generator. It is strictly required that all pushed values are also popped again in the
+    /// same code generator.
+    public class GeneratorRuntimeData {
+        private var data = [String : Stack<Variable>]()
+
+        public func push(_ key: String, _ value: Variable) {
+            data[key, default: .init()].push(value)
+        }
+
+        public func pop(_ key: String) -> Variable {
+            assert(data[key] != nil)
+            return data[key]!.pop()
+        }
+
+        // Fetch the most recent value for this key and push it back.
+        public func popAndPush(_ key: String) -> Variable {
+            assert(data[key] != nil)
+            return data[key]!.top
+        }
+
+        func reset() {
+            #if DEBUG
+            for (key, value) in data {
+                assert(value.isEmpty, "Stale entries for runtime data '\(key)'")
+            }
+            #endif
+            data.removeAll(keepingCapacity: false)
+        }
+    }
+
     /// The fuzzer instance for which this builder is active.
     public let fuzzer: Fuzzer
 
@@ -147,6 +179,9 @@ public class ProgramBuilder {
     /// The remaining CodeGenerators to call as part of a building / CodeGen step, these will "clean up" the state and fix the contexts.
     public var scheduled: Stack<GeneratorStub> = Stack()
 
+    // Runtime data that can be shared between different stubs within a CodeGenerator.
+    var runtimeData = GeneratorRuntimeData()
+
     /// Stack of active switch blocks.
     private var activeSwitchBlocks = Stack<SwitchBlock>()
 
@@ -214,6 +249,7 @@ public class ProgramBuilder {
         activeObjectLiterals.removeAll()
         activeClassDefinitions.removeAll()
         buildLog?.reset()
+        runtimeData.reset()
     }
 
     /// Finalizes and returns the constructed program, then resets this builder so it can be reused for building another program.
@@ -2075,7 +2111,7 @@ public class ProgramBuilder {
 
         var numberOfGeneratedInstructions = 0
 
-        // calculate all input requirements of this CodeGenerator.
+        // Calculate all input requirements of this CodeGenerator.
         let inputTypes = Set(generator.parts.reduce([]) { res, gen in
             return res + gen.inputs.types
         })

Sources/Fuzzilli/CodeGen/CodeGenerator.swift

@@ -381,4 +381,4 @@ extension CodeGenerator: CustomStringConvertible {
         let names = self.parts.map { $0.name }
         return names.joined(separator: ",")
     }
-}
+}

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -1277,25 +1277,34 @@ public let WasmCodeGenerators: [CodeGenerator] = [
             },
         ]),
 
-    // TODO: think about how we can turn this into a mulit-part Generator
-    CodeGenerator("WasmLoopGenerator", inContext: .single(.wasmFunction)) { b in
-        let function = b.currentWasmModule.currentWasmFunction
-        let loopCtr = function.consti32(10)
-
-        function.wasmBuildLoop(with: [] => []) { label, args in
-            let result = function.wasmi32BinOp(
+    CodeGenerator(
+        "WasmLoopGenerator",
+        [
+            GeneratorStub(
+                "WasmBeginLoopGenerator",
+                inContext: .single(.wasmFunction),
+                provides: [.wasmFunction]
+            ) { b in
+                let function = b.currentWasmModule.currentWasmFunction
+                let loopCtr = function.consti32(10)
+                b.runtimeData.push("loopCounter", loopCtr)
+                b.emit(WasmBeginLoop(with: [] => []))
+                // Increase loop counter.
+                let result = function.wasmi32BinOp(
                 loopCtr, function.consti32(1), binOpKind: .Sub)
-            function.wasmReassign(variable: loopCtr, to: result)
-
-            b.buildRecursive(n: defaultCodeGenerationAmount)
-
-            // Backedge of loop, we continue if it is not equal to zero.
-            let isNotZero = function.wasmi32CompareOp(
-                loopCtr, function.consti32(0), using: .Ne)
-            function.wasmBranchIf(
-                isNotZero, to: label, hint: b.randomWasmBranchHint())
-        }
-    },
+                function.wasmReassign(variable: loopCtr, to: result)
+            },
+            GeneratorStub(
+                "WasmEndLoopGenerator",
+                inContext: .single(.wasmFunction)
+            ) { b in
+                let function = b.currentWasmModule.currentWasmFunction
+                let loopCtr = b.runtimeData.pop("loopCounter")
+                // Backedge of loop, we continue if it is not equal to zero.
+                let isNotZero = function.wasmi32CompareOp(loopCtr, function.consti32(0), using: .Ne)
+                b.emit(WasmEndLoop(outputTypes: []))
+            },
+        ]),
 
     CodeGenerator("WasmLoopWithSignatureGenerator", inContext: .single(.wasmFunction)) {
         b in

Sources/Fuzzilli/Util/MockFuzzer.swift

@@ -82,7 +82,7 @@ class MockEvaluator: ProgramEvaluator {
 }
 
 /// Create a fuzzer instance usable for testing.
-public func makeMockFuzzer(config maybeConfiguration: Configuration? = nil, engine maybeEngine: FuzzEngine? = nil, runner maybeRunner: ScriptRunner? = nil, environment maybeEnvironment: JavaScriptEnvironment? = nil, evaluator maybeEvaluator: ProgramEvaluator? = nil, corpus maybeCorpus: Corpus? = nil, codeGenerators additionalCodeGenerators : [(CodeGenerator, Int)] = [], queue: DispatchQueue? = nil) -> Fuzzer {
+public func makeMockFuzzer(config maybeConfiguration: Configuration? = nil, engine maybeEngine: FuzzEngine? = nil, runner maybeRunner: ScriptRunner? = nil, environment maybeEnvironment: JavaScriptEnvironment? = nil, evaluator maybeEvaluator: ProgramEvaluator? = nil, corpus maybeCorpus: Corpus? = nil, codeGenerators additionalCodeGenerators : [(CodeGenerator, Int)] = [], queue: DispatchQueue? = nil, overwriteGenerators: WeightedList<CodeGenerator>? = nil) -> Fuzzer {
     // The configuration of this fuzzer.
     let configuration = maybeConfiguration ?? Configuration(logLevel: .warning)
 
@@ -115,7 +115,7 @@ public func makeMockFuzzer(config maybeConfiguration: Configuration? = nil, engi
     let minimizer = Minimizer()
 
     // Use all builtin CodeGenerators
-    let codeGenerators = WeightedList<CodeGenerator>(
+    let codeGenerators = overwriteGenerators ?? WeightedList<CodeGenerator>(
         (CodeGenerators + WasmCodeGenerators).map {
             guard let weight = codeGeneratorWeights[$0.name] else {
                 fatalError("Missing weight for CodeGenerator \($0.name) in CodeGeneratorWeights.swift")

Sources/FuzzilliCli/main.swift

@@ -172,8 +172,8 @@ if let raw_timeout = args.string(for: "--timeout") {
         guard let upper = UInt32(parts[1]) else {
             configError("The upper bound for --timeout must be an integer")
         }
-        guard lower < upper else {
-            configError("The --timeout=lower,upper boundaries must adhere to lower < upper")
+        guard lower <= upper else {
+            configError("The --timeout=lower,upper boundaries must adhere to lower <= upper")
         }
         timeout = Timeout.interval(lower, upper)
     } else {

Tests/FuzzilliTests/ProgramBuilderTest.swift

@@ -3049,3 +3049,110 @@ class ProgramBuilderTests: XCTestCase {
         }
     }
 }
+
+class ProgramBuilderRuntimeDataTests: XCTestCase {
+    func runFuzzerWithGenerator(_ generator: CodeGenerator) -> String {
+        let fuzzer = makeMockFuzzer(overwriteGenerators: WeightedList([(generator, 1)]))
+        let b = fuzzer.makeBuilder()
+
+        let syntheticGenerator = b.assembleSyntheticGenerator(for: generator)
+        XCTAssertNotNil(syntheticGenerator)
+        let numInstructions = b.complete(generator: syntheticGenerator!, withBudget: 3)
+        XCTAssertGreaterThan(numInstructions, 0)
+
+        let program = b.finalize()
+        return fuzzer.lifter.lift(program)
+    }
+
+    func testNested() {
+        let loopGenerator = CodeGenerator("TestDoWhileLoop", [
+            GeneratorStub("BeginLoop") { b in
+                let loopVar = b.loadInt(0)
+                b.runtimeData.push("loopVar", loopVar)
+                b.emit(BeginDoWhileLoopBody())
+            },
+            GeneratorStub("EndLoop") { b in
+                let loopVar = b.runtimeData.pop("loopVar")
+                b.unary(.PreInc, loopVar)
+                b.emit(BeginDoWhileLoopHeader())
+                let cond = b.compare(loopVar, with: b.loadInt(3), using: .lessThan)
+                b.emit(EndDoWhileLoop(), withInputs: [cond])
+            }
+        ])
+        XCTAssertEqual(
+            runFuzzerWithGenerator(loopGenerator),
+            """
+            let v0 = 0;
+            do {
+                let v1 = 0;
+                do {
+                    ++v1;
+                } while (v1 < 3)
+                ++v0;
+            } while (v0 < 3)
+
+            """)
+    }
+
+    func testMultiLabel() {
+        var counter: Int64 = 0
+        let defineAndAddGenerator = CodeGenerator("TestMultiLabel", [
+            GeneratorStub("Define") { b in
+                b.runtimeData.push("first", b.loadInt(counter))
+                counter += 1
+                b.runtimeData.push("second", b.loadInt(counter))
+                counter += 1
+                b.runtimeData.push("third", b.loadInt(counter))
+                counter += 1
+            },
+            GeneratorStub("Add") { b in
+                // The order in which the different lables are popped doesn't matter.
+                let third = b.runtimeData.pop("third")
+                let first = b.runtimeData.pop("first")
+                let second = b.runtimeData.pop("second")
+                b.binary(b.binary(first, second, with: .Add), third, with: .Add)
+            }
+        ])
+        XCTAssertEqual(
+            runFuzzerWithGenerator(defineAndAddGenerator),
+            """
+            (3 + 4) + 5;
+            (0 + 1) + 2;
+
+            """)
+    }
+
+    func testPassOn() {
+        var counter: Int64 = 10
+        let defineAndAddGenerator = CodeGenerator("TestPassOn", [
+            GeneratorStub("Define") { b in
+                let value = b.loadInt(counter)
+                b.runtimeData.push("value", value)
+                b.binary(value, b.loadInt(0), with: .Add)
+                counter += 1
+            },
+            GeneratorStub("AddOne") { b in
+                let value = b.runtimeData.popAndPush("value")
+                b.binary(value, b.loadInt(1), with: .Add)
+            },
+            GeneratorStub("SubOne") { b in
+                let value = b.runtimeData.pop("value")
+                b.binary(value, b.loadInt(1), with: .Sub)
+            },
+        ])
+        XCTAssertEqual(
+            runFuzzerWithGenerator(defineAndAddGenerator),
+            """
+            10 + 0;
+            11 + 0;
+            11 + 1;
+            11 - 1;
+            10 + 1;
+            12 + 0;
+            12 + 1;
+            12 - 1;
+            10 - 1;
+
+            """)
+    }
+}