[types] Add enum type

Enums (called enumerations, to avoid a conflict with the swift keyword
"enum") are implemented as strings with a TypeExtension. The list of all
possible values of the enum are encoded in the "properties" field of the
TypeExtension.

Additionally, ProgramBuilder.findOrGenerateType is extended to only pick
the allowed values in case the requested type is an enumeration.

Change-Id: Ic9021314b9b884daffb6f47468032051755369fd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/7970028
Reviewed-by: Carl Smith <[email protected]>
Commit-Queue: Andreas Haas <[email protected]>

Author: gahaas

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -562,7 +562,7 @@ public class ProgramBuilder {
     }
 
     private func generateTypeInternal(_ type: ILType) -> Variable {
-        if probability(0.9) {
+        if probability(0.9) && !type.isEnumeration {
             if let existingVariable = randomVariable(ofTypeOrSubtype: type) {
                 return existingVariable
             }
@@ -581,7 +581,11 @@ public class ProgramBuilder {
         // TODO: Not sure how we should handle merge types, e.g. .string + .object(...).
         let typeGenerators: [(ILType, () -> Variable)] = [
             (.integer, { return self.loadInt(self.randomInt()) }),
-            (.string, { return self.loadString(self.randomString()) }),
+            (.string, {
+                if type.isEnumeration {
+                    return self.loadString(type.enumValues.randomElement()!)
+                }
+                return self.loadString(self.randomString()) }),
             (.boolean, { return self.loadBool(probability(0.5)) }),
             (.bigint, { return self.loadBigInt(self.randomInt()) }),
             (.float, { return self.loadFloat(self.randomFloat()) }),

Sources/Fuzzilli/FuzzIL/TypeSystem.swift

@@ -151,6 +151,12 @@ public struct ILType: Hashable {
         return ILType(definiteType: .object, ext: ext)
     }
 
+    /// Constructs an enum type, which is a string with a limited set of allowed values.
+    public static func enumeration(ofName name: String, withValues values: [String]) -> ILType {
+        let ext = TypeExtension(group: name, properties: Set(values), methods: Set(), signature: nil, wasmExt: nil)
+        return ILType(definiteType: .string, ext: ext)
+    }
+
     /// An object for which it is not known what properties or methods it has, if any.
     public static let unknownObject: ILType = .object()
 
@@ -369,6 +375,10 @@ public struct ILType: Hashable {
         return Is(.constructor()) ? ext?.signature : nil
     }
 
+    public var isEnumeration : Bool {
+        return Is(.string) && ext != nil
+    }
+
     public var group: String? {
         return ext?.group
     }
@@ -425,6 +435,10 @@ public struct ILType: Hashable {
         return ext?.properties ?? Set()
     }
 
+    public var enumValues: Set<String> {
+        return properties
+    }
+
     public var methods: Set<String> {
         return ext?.methods ?? Set()
     }

Sources/FuzzilliCli/Profiles/V8Profile.swift

@@ -94,16 +94,12 @@ fileprivate let WorkerGenerator = RecursiveCodeGenerator("WorkerGenerator") { b
 fileprivate let GcGenerator = CodeGenerator("GcGenerator") { b in
     let gc = b.createNamedVariable(forBuiltin: "gc")
 
-    // Do minor GCs more frequently.
-    let type = b.loadString(probability(0.25) ? "major" : "minor")
-    // If the execution type is 'async', gc() returns a Promise, we currently
-    // do not really handle other than typing the return of gc to .undefined |
-    // .jsPromise. One could either chain a .then or create two wrapper
-    // functions that are differently typed such that fuzzilli always knows
-    // what the type of the return value is.
-    let execution = b.loadString(probability(0.5) ? "sync" : "async")
-    b.callFunction(gc, withArgs: [b.createObject(with: ["type": type, "execution": execution])])
-}
+    // `gc()` takes a `type` parameter. If the value is 'async', gc() returns a
+    // Promise. We currently do not really handle this other than typing the
+    // return of gc to .undefined | .jsPromise. One could either chain a .then
+    // or create two wrapper functions that are differently typed such that
+    // fuzzilli always knows what the type of the return value is.
+    b.callFunction(gc, withArgs: b.findOrGenerateArguments(forSignature: b.fuzzer.environment.type(ofBuiltin: "gc").signature!)) }
 
 fileprivate let WasmStructGenerator = CodeGenerator("WasmStructGenerator") { b in
     b.eval("%WasmStruct()", hasOutput: true);
@@ -427,6 +423,9 @@ public extension ILType {
     static let jsD8FastCAPI = ILType.object(ofGroup: "D8FastCAPI", withProperties: [], withMethods: ["throw_no_fallback", "add_32bit_int"])
 
     static let jsD8FastCAPIConstructor = ILType.constructor(Signature(expects: [], returns: ILType.jsD8FastCAPI))
+
+    static let gcTypeEnum = ILType.enumeration(ofName: "gcType", withValues: ["minor", "major"])
+    static let gcExecutionEnum = ILType.enumeration(ofName: "gcExecution", withValues: ["async", "sync"])
 }
 
 let jsD8 = ObjectGroup(name: "D8", instanceType: .jsD8, properties: ["test" : .jsD8Test], methods: [:])
@@ -438,6 +437,13 @@ let jsD8FastCAPI = ObjectGroup(name: "D8FastCAPI", instanceType: .jsD8FastCAPI,
                  "add_32bit_int": Signature(expects: [Parameter.plain(ILType.integer), Parameter.plain(ILType.integer)], returns: ILType.integer)
     ])
 
+let gcOptions = ObjectGroup(
+    name: "GCOptions",
+    instanceType: .object(ofGroup: "GCOptions", withProperties: ["type", "execution"], withMethods: []),
+    properties: ["type": .gcTypeEnum,
+                 "execution": .gcExecutionEnum],
+    methods: [:])
+
 let fastCallables : [(group: ILType, method: String)] = [
     (group: .jsD8FastCAPI, method: "throw_no_fallback"),
     (group: .jsD8FastCAPI, method: "add_32bit_int"),
@@ -733,12 +739,12 @@ let v8Profile = Profile(
     disabledMutators: [],
 
     additionalBuiltins: [
-        "gc"                                            : .function([] => (.undefined | .jsPromise)),
+        "gc"                                            : .function([.opt(gcOptions.instanceType)] => (.undefined | .jsPromise)),
         "d8"                                            : .jsD8,
         "Worker"                                        : .constructor([.anything, .object()] => .object(withMethods: ["postMessage","getMessage"])),
     ],
 
-    additionalObjectGroups: [jsD8, jsD8Test, jsD8FastCAPI],
+    additionalObjectGroups: [jsD8, jsD8Test, jsD8FastCAPI, gcOptions],
 
     optionalPostProcessor: nil
 )

Tests/FuzzilliTests/ProgramBuilderTest.swift

@@ -2605,4 +2605,28 @@ class ProgramBuilderTests: XCTestCase {
     XCTAssert(b.type(of: obj).Is(type3))
     }
 
+    func testFindOrGenerateTypeEnum() {
+        let allowedValues = ["hello", "world", "foo", "bar"]
+
+        let enumType = ILType.enumeration(ofName: "myEnum", withValues: allowedValues)
+        let env = JavaScriptEnvironment()
+        let config = Configuration(logLevel: .error)
+        let fuzzer = makeMockFuzzer(config: config, environment: env)
+        let b = fuzzer.makeBuilder()
+        b.buildPrefix()
+        // Get a random variable and then change the type
+
+        let obj = b.findOrGenerateType(enumType)
+        XCTAssert(b.type(of: obj).Is(.string))
+        let program = b.finalize()
+        var analyzer = DefUseAnalyzer(for: program)
+        analyzer.analyze()
+        let instruction = analyzer.definition(of: obj)
+        switch instruction.op.opcode {
+            case .loadString(let value):
+              XCTAssert(allowedValues.contains(value.value))
+            default:
+              XCTAssert(false)
+        }
+    }
 }