Add type information for prototype properties of most builtins

Bug: 408162715
Change-Id: Ie31469d93273f83c7b60ecc79549a2262f1ddf4b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8432039
Reviewed-by: Carl Smith <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

Author: Liedtke

Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift

@@ -330,19 +330,24 @@ public class JavaScriptEnvironment: ComponentBase {
 
         registerObjectGroup(.jsObjectConstructor)
         registerObjectGroup(.jsPromiseConstructor)
+        registerObjectGroup(.jsPromisePrototype)
         registerObjectGroup(.jsArrayConstructor)
         registerObjectGroup(.jsStringConstructor)
+        registerObjectGroup(.jsStringPrototype)
         registerObjectGroup(.jsSymbolConstructor)
         registerObjectGroup(.jsBigIntConstructor)
         registerObjectGroup(.jsBooleanConstructor)
         registerObjectGroup(.jsNumberConstructor)
         registerObjectGroup(.jsMathObject)
         registerObjectGroup(.jsDate)
         registerObjectGroup(.jsDateConstructor)
+        registerObjectGroup(.jsDatePrototype)
         registerObjectGroup(.jsJSONObject)
         registerObjectGroup(.jsReflectObject)
         registerObjectGroup(.jsArrayBufferConstructor)
+        registerObjectGroup(.jsArrayBufferPrototype)
         registerObjectGroup(.jsSharedArrayBufferConstructor)
+        registerObjectGroup(.jsSharedArrayBufferPrototype)
         for variant in ["Error", "EvalError", "RangeError", "ReferenceError", "SyntaxError", "TypeError", "AggregateError", "URIError", "SuppressedError"] {
             registerObjectGroup(.jsError(variant))
         }
@@ -885,6 +890,28 @@ public extension ILType {
     static let wasmTable = ILType.object(ofGroup: "WasmTable", withProperties: ["length"], withMethods: ["get", "grow", "set"])
 }
 
+public extension ObjectGroup {
+    // Creates an object group representing a "prototype" object on a built-in, like Date.prototype.
+    // These objects are somewhat special in JavaScript as they describe an object which has
+    // methods on them for which you shall not call them with the bound this as a receiver, e.g.
+    // `Date.prototype.getTime()` fails as `Date.prototype` is not a `Date`.
+    // Therefore the methods are registered as properties, so Fuzzilli doesn't generate calls for
+    // them. Instead Fuzzilli generates GetProperty operations for them which will then be typed as
+    // an `ILType.unboundFunction` which knows the required receiver type (in the example `Date`),
+    // so Fuzzilli can generate sequences like `Date.prototype.getTime.call(new Date())`.
+    static func createPrototypeObjectGroup(_ receiver: ObjectGroup) -> ObjectGroup {
+        let name = receiver.name + ".prototype"
+        let properties = Dictionary(uniqueKeysWithValues: receiver.methods.map {
+            ($0.0, ILType.unboundFunction($0.1.first, receiver: receiver.instanceType)) })
+        return ObjectGroup(
+            name: name,
+            instanceType: .object(ofGroup: name, withProperties: properties.map {$0.0}, withMethods: []),
+            properties: properties,
+            methods: [:]
+        )
+    }
+}
+
 // Type information for the object groups that we use to model the JavaScript runtime environment.
 // The general rules here are:
 //  * "output" type information (properties and return values) should be as precise as possible
@@ -1259,12 +1286,14 @@ public extension ObjectGroup {
         ]
     )
 
+    static let jsPromisePrototype = createPrototypeObjectGroup(jsPromises)
+
     /// ObjectGroup modelling the JavaScript Promise constructor builtin
     static let jsPromiseConstructor = ObjectGroup(
         name: "PromiseConstructor",
         instanceType: .jsPromiseConstructor,
         properties: [
-            "prototype" : .object()
+            "prototype" : jsPromisePrototype.instanceType
         ],
         methods: [
             "resolve"    : [.jsAnything] => .jsPromise,
@@ -1330,12 +1359,14 @@ public extension ObjectGroup {
         ]
     )
 
+    static let jsDatePrototype = createPrototypeObjectGroup(jsDate)
+
     /// ObjectGroup modelling the JavaScript Date constructor
     static let jsDateConstructor = ObjectGroup(
         name: "DateConstructor",
         instanceType: .jsDateConstructor,
         properties: [
-            "prototype" : .object()
+            "prototype" : jsDatePrototype.instanceType
         ],
         methods: [
             "UTC"   : [.number, .opt(.number), .opt(.number), .opt(.number), .opt(.number), .opt(.number), .opt(.number)] => .jsDate,
@@ -1391,32 +1422,38 @@ public extension ObjectGroup {
         ]
     )
 
+    static let jsArrayBufferPrototype = createPrototypeObjectGroup(jsArrayBuffers)
+
     static let jsArrayBufferConstructor = ObjectGroup(
         name: "ArrayBufferConstructor",
         instanceType: .jsArrayBufferConstructor,
         properties: [
-            "prototype" : .object()
+            "prototype" : jsArrayBufferPrototype.instanceType
         ],
         methods: [
             "isView" : [.jsAnything] => .boolean
         ]
     )
 
+    static let jsSharedArrayBufferPrototype = createPrototypeObjectGroup(jsSharedArrayBuffers)
+
     static let jsSharedArrayBufferConstructor = ObjectGroup(
         name: "SharedArrayBufferConstructor",
         instanceType: .jsSharedArrayBufferConstructor,
         properties: [
-            "prototype" : .object()
+            "prototype" : jsSharedArrayBufferPrototype.instanceType
         ],
         methods: [:]
     )
 
+    static let jsStringPrototype = createPrototypeObjectGroup(jsStrings)
+
     /// Object group modelling the JavaScript String constructor builtin
     static let jsStringConstructor = ObjectGroup(
         name: "StringConstructor",
         instanceType: .jsStringConstructor,
         properties: [
-            "prototype" : .object()
+            "prototype" : jsStringPrototype.instanceType
         ],
         methods: [
             "fromCharCode"  : [.jsAnything...] => .jsString,

Tests/FuzzilliTests/JSTyperTests.swift

@@ -1626,17 +1626,50 @@ class JSTyperTests: XCTestCase {
         XCTAssertEqual(b.type(of: reexportedJsTag), b.type(of: jsTag))
     }
 
-    func testArrayBuiltinPrototype() {
+    func testBuiltinPrototypes() {
         let fuzzer = makeMockFuzzer()
         let b = fuzzer.makeBuilder()
 
+        // Array.prototype
         let arrayBuiltin = b.createNamedVariable(forBuiltin: "Array")
         XCTAssert(b.type(of: arrayBuiltin).Is(.object(ofGroup: "ArrayConstructor")))
         let arrayProto = b.getProperty("prototype", of: arrayBuiltin)
         XCTAssert(b.type(of: arrayProto).Is(.object(ofGroup: "Array")))
         let signatures = b.methodSignatures(of: "indexOf", on: arrayProto)
         XCTAssertEqual([[.jsAnything, .opt(.integer)] => .integer], signatures)
         let indexOf = b.getProperty("indexOf", of: arrayProto)
-        XCTAssert(b.type(of: indexOf).Is(.unboundFunction([.jsAnything, .opt(.integer)] => .integer, receiver: .jsArray)))
+        XCTAssertEqual(b.type(of: indexOf), .unboundFunction([.jsAnything, .opt(.integer)] => .integer, receiver: .jsArray))
+
+        // Date.prototype
+        let dateBuiltin = b.createNamedVariable(forBuiltin: "Date")
+        XCTAssert(b.type(of: dateBuiltin).Is(.object(ofGroup: "DateConstructor")))
+        let dateProto = b.getProperty("prototype", of: dateBuiltin)
+        XCTAssert(b.type(of: dateProto).Is(.object(ofGroup: "Date.prototype")))
+        let getTime = b.getProperty("getTime", of: dateProto)
+        XCTAssertEqual(b.type(of: getTime), .unboundFunction([] => .number, receiver: .jsDate))
+
+        // Promise.prototype
+        let promiseBuiltin = b.createNamedVariable(forBuiltin: "Promise")
+        XCTAssert(b.type(of: promiseBuiltin).Is(.object(ofGroup: "PromiseConstructor")))
+        let promiseProto = b.getProperty("prototype", of: promiseBuiltin)
+        XCTAssert(b.type(of: dateProto).Is(.object(ofGroup: "Date.prototype")))
+        let then = b.getProperty("then", of: promiseProto)
+        XCTAssertEqual(b.type(of: then), .unboundFunction([.function()] => .jsPromise, receiver: .jsPromise))
+
+        // ArrayBuffer.prototype
+        let arrayBufferBuiltin = b.createNamedVariable(forBuiltin: "ArrayBuffer")
+        XCTAssert(b.type(of: arrayBufferBuiltin).Is(.object(ofGroup: "ArrayBufferConstructor")))
+        let arrayBufferProto = b.getProperty("prototype", of: arrayBufferBuiltin)
+        XCTAssert(b.type(of: arrayBufferProto).Is(.object(ofGroup: "ArrayBuffer.prototype")))
+        let resize = b.getProperty("resize", of: arrayBufferProto)
+        XCTAssertEqual(b.type(of: resize), .unboundFunction([.integer] => .undefined, receiver: .jsArrayBuffer))
+
+        // ArrayBuffer.prototype
+        let sharedArrayBufferBuiltin = b.createNamedVariable(forBuiltin: "SharedArrayBuffer")
+        XCTAssert(b.type(of: sharedArrayBufferBuiltin).Is(.object(ofGroup: "SharedArrayBufferConstructor")))
+        let sharedArrayBufferProto = b.getProperty("prototype", of: sharedArrayBufferBuiltin)
+        XCTAssert(b.type(of: sharedArrayBufferProto).Is(.object(ofGroup: "SharedArrayBuffer.prototype")))
+        let grow = b.getProperty("grow", of: sharedArrayBufferProto)
+        XCTAssertEqual(b.type(of: grow), .unboundFunction([.number] => .undefined, receiver: .jsSharedArrayBuffer))
     }
 }

Tests/FuzzilliTests/LifterTest.swift

@@ -3233,4 +3233,30 @@ class LifterTests: XCTestCase {
         let js = lifter.lift(mutatedProg)
         XCTAssertTrue(js.contains("Wasmlifting failed"))
     }
+
+    func testBuiltinPrototypeCall() {
+        let fuzzer = makeMockFuzzer()
+        let b = fuzzer.makeBuilder()
+
+        let dateBuiltin = b.createNamedVariable(forBuiltin: "Date")
+        XCTAssert(b.type(of: dateBuiltin).Is(.object(ofGroup: "DateConstructor")))
+        let dateProto = b.getProperty("prototype", of: dateBuiltin)
+        XCTAssert(b.type(of: dateProto).Is(.object(ofGroup: "Date.prototype")))
+        let getTime = b.getProperty("getTime", of: dateProto)
+        XCTAssertEqual(b.type(of: getTime), .unboundFunction([] => .number, receiver: .jsDate))
+        let date = b.construct(dateBuiltin)
+        XCTAssertEqual(b.type(of: date), .jsDate)
+        b.callMethod("call", on: getTime, withArgs: [date])
+
+        let program = b.finalize()
+        let actual = fuzzer.lifter.lift(program)
+
+        let expected = """
+        const v2 = Date.prototype.getTime;
+        const v3 = new Date();
+        v2.call(v3);
+
+        """
+        XCTAssertEqual(actual, expected)
+    }
 }