Improve corpus import fixup further

With the preceeding change, we can now import failing programs by
wrapping them in a big try-catch statement. This is somewhat
inefficient, however, as we may end up with samples where a lot of the
code is never executed (because an exception is thrown early on). This
change now adds additional logic to improve that and ensure that as much
code as possible will also be executed at runtime. Specifically, the
fixup algorithm when importing programs now works like this:

1. We first try to replace known test functions (such as `assertEquals`)
   with a dummy function as these test functions aren't available
   outside the testing environment. This now replaces a mechanism in the
   compiler that would also try to remove calls to these functions.

2. If the first attempt fails, we'll then attempt to insert try-catch
   blocks around individual instructions. For that, we first enable all
   guardable operations (which will cause them to be wrapped in
   try-catch), then perform one round of fixup during which all
   unecessary guards will be disabled again. As a result, only those
   try-catch block that are necessary will stay in the imported program.

3. Only if the previous attempts fail do we now insert one big try-catch
   statement around the entire program.

Author: Samuel Groß

Sources/FuzzILTool/main.swift

@@ -24,20 +24,6 @@ let jsSuffix = ""
 let jsLifter = JavaScriptLifter(prefix: jsPrefix, suffix: jsSuffix, ecmaVersion: ECMAScriptVersion.es6)
 let fuzzILLifter = FuzzILLifter()
 
-// Default list of functions that are filtered out during compilation. These are functions that may be used in testcases but which do not influence the test's behaviour and so should be omitted for fuzzing.
-// The functions can use the wildcard '*' character as _last_ character, in which case a prefix match will be performed.
-let filteredFunctionsForCompiler = [
-    // Functions used in V8's test suite
-    "assert*",
-    "print*",
-    // Functions used in Mozilla's test suite
-    "startTest",
-    "enterFunc",
-    "exitFunc",
-    "report*",
-    "options*",
-]
-
 // Loads a serialized FuzzIL program from the given file
 func loadProgram(from path: String) throws -> Program {
     let data = try Data(contentsOf: URL(fileURLWithPath: path))
@@ -188,7 +174,7 @@ else if args.has("--compile") {
         exit(-1)
     }
 
-    let compiler = JavaScriptCompiler(deletingCallTo: filteredFunctionsForCompiler)
+    let compiler = JavaScriptCompiler()
     let program: Program
     do {
         program = try compiler.compile(ast)

Sources/Fuzzilli/Compiler/Compiler.swift

@@ -27,22 +27,11 @@ public class JavaScriptCompiler {
         case unsupportedFeatureError(String)
     }
 
-    public init(deletingCallTo filteredFunctions: [String] = []) {
-        self.filteredFunctions = filteredFunctions
-    }
+    public init() {}
 
     /// The compiled code.
     private var code = Code()
 
-    /// A list of function names or prefixes (e.g. `assert*`) which should be deleted from the output program.
-    /// The function calls can in general only be removed if their return value isn't used, and so currently they are only
-    /// removed if they make up a full ExpressionStatement, in which case the entire statement is ignored.
-    /// This functionality is useful to remove calls to functions such as `assert*` or `print*` from tests
-    /// as those are not useful for fuzzing.
-    /// The function names may contain the wildcard character `*`, but _only_ as last character, in which case
-    /// a prefix match will be performed instead of a string comparison.
-    private let filteredFunctions: [String]
-
     /// The environment is used to determine if an identifier identifies a builtin object.
     /// TODO we should probably use the correct target environment, with any additional builtins etc. here. But for now, we just manually add `gc` since that's relatively common.
     private var environment = JavaScriptEnvironment(additionalBuiltins: ["gc": .function()])
@@ -82,11 +71,6 @@ public class JavaScriptCompiler {
     }
 
     private func compileStatement(_ node: StatementNode) throws {
-        let shouldIgnoreStatement = try performStatementFiltering(node)
-        guard !shouldIgnoreStatement else {
-            return
-        }
-
         guard let stmt = node.statement else {
             throw CompilerError.invalidASTError("missing concrete statement in statement node")
         }
@@ -1239,40 +1223,6 @@ public class JavaScriptCompiler {
         return (variables, spreads)
     }
 
-    /// Determine whether the given statement should be filtered out.
-    ///
-    /// Currently this function only performs function call filtering based on the `filteredFunctions` array.
-    private func performStatementFiltering(_ statement: StatementNode) throws -> Bool {
-        guard case .expressionStatement(let expressionStatement) = statement.statement else { return false }
-        guard case .callExpression(let callExpression) = expressionStatement.expression.expression else { return false }
-        guard case .identifier(let identifier) = callExpression.callee.expression else { return false }
-
-        let functionName = identifier.name
-        var shouldIgnore = false
-        for filteredFunction in filteredFunctions {
-            if filteredFunction.last == "*" {
-                if functionName.starts(with: filteredFunction.dropLast()) {
-                    shouldIgnore = true
-                }
-            } else {
-                assert(!filteredFunction.contains("*"))
-                if functionName == filteredFunction {
-                    shouldIgnore = true
-                }
-            }
-        }
-
-        if shouldIgnore {
-            // Still generate code for the arguments.
-            // For example, we may still want to emit the function call for something like `assertEq(f(), 42);`
-            for arg in callExpression.arguments {
-                try compileExpression(arg)
-            }
-        }
-
-        return shouldIgnore
-    }
-
     private func reset() {
         code = Code()
         scopes.removeAll()

Sources/Fuzzilli/Execution/Execution.swift

@@ -41,6 +41,14 @@ public enum ExecutionOutcome: CustomStringConvertible, Equatable, Hashable {
             return false
         }
     }
+
+    public func isFailure() -> Bool {
+        if case .failed = self {
+            return true
+        } else {
+            return false
+        }
+    }
 }
 
 /// The result of executing a program.

Sources/Fuzzilli/FuzzIL/JsOperations.swift

@@ -55,6 +55,90 @@ class GuardableOperation: JsOperation {
         self.isGuarded = isGuarded
         super.init(numInputs: numInputs, numOutputs: numOutputs, numInnerOutputs: numInnerOutputs, firstVariadicInput: firstVariadicInput, attributes: attributes, requiredContext: requiredContext)
     }
+
+    // Helper functions to enable guards.
+    // If the given operation already has guarding enabled, then this function does
+    // nothing and simply returns the input. Otherwise it creates a copy of the
+    // operations which has guarding enabled.
+    static func enableGuard(of operation: GuardableOperation) -> GuardableOperation {
+        if operation.isGuarded {
+            return operation
+        }
+        switch operation.opcode {
+        case .getProperty(let op):
+            return GetProperty(propertyName: op.propertyName, isGuarded: true)
+        case .deleteProperty(let op):
+            return DeleteProperty(propertyName: op.propertyName, isGuarded: true)
+        case .getElement(let op):
+            return GetElement(index: op.index, isGuarded: true)
+        case .deleteElement(let op):
+            return DeleteElement(index: op.index, isGuarded: true)
+        case .getComputedProperty:
+            return GetComputedProperty(isGuarded: true)
+        case .deleteComputedProperty:
+            return DeleteComputedProperty(isGuarded: true)
+        case .callFunction(let op):
+            return CallFunction(numArguments: op.numArguments, isGuarded: true)
+        case .callFunctionWithSpread(let op):
+            return CallFunctionWithSpread(numArguments: op.numArguments, spreads: op.spreads, isGuarded: true)
+        case .construct(let op):
+            return Construct(numArguments: op.numArguments, isGuarded: true)
+        case .constructWithSpread(let op):
+            return ConstructWithSpread(numArguments: op.numArguments, spreads: op.spreads, isGuarded: true)
+        case .callMethod(let op):
+            return CallMethod(methodName: op.methodName, numArguments: op.numArguments, isGuarded: true)
+        case .callMethodWithSpread(let op):
+            return CallMethodWithSpread(methodName: op.methodName, numArguments: op.numArguments, spreads: op.spreads, isGuarded: true)
+        case .callComputedMethod(let op):
+            return CallComputedMethod(numArguments: op.numArguments, isGuarded: true)
+        case .callComputedMethodWithSpread(let op):
+            return CallComputedMethodWithSpread(numArguments: op.numArguments, spreads: op.spreads, isGuarded: true)
+        default:
+            fatalError("All guardable operations should be handled")
+        }
+    }
+
+    // Helper functions to disable guards.
+    // If the given operation already has guarding disabled, then this function does
+    // nothing and simply returns the input. Otherwise it creates a copy of the
+    // operations which has guarding disabled.
+    static func disableGuard(of operation: GuardableOperation) -> GuardableOperation {
+        if !operation.isGuarded {
+            return operation
+        }
+        switch operation.opcode {
+        case .getProperty(let op):
+            return GetProperty(propertyName: op.propertyName, isGuarded: false)
+        case .deleteProperty(let op):
+            return DeleteProperty(propertyName: op.propertyName, isGuarded: false)
+        case .getElement(let op):
+            return GetElement(index: op.index, isGuarded: false)
+        case .deleteElement(let op):
+            return DeleteElement(index: op.index, isGuarded: false)
+        case .getComputedProperty:
+            return GetComputedProperty(isGuarded: false)
+        case .deleteComputedProperty:
+            return DeleteComputedProperty(isGuarded: false)
+        case .callFunction(let op):
+            return CallFunction(numArguments: op.numArguments, isGuarded: false)
+        case .callFunctionWithSpread(let op):
+            return CallFunctionWithSpread(numArguments: op.numArguments, spreads: op.spreads, isGuarded: false)
+        case .construct(let op):
+            return Construct(numArguments: op.numArguments, isGuarded: false)
+        case .constructWithSpread(let op):
+            return ConstructWithSpread(numArguments: op.numArguments, spreads: op.spreads, isGuarded: false)
+        case .callMethod(let op):
+            return CallMethod(methodName: op.methodName, numArguments: op.numArguments, isGuarded: false)
+        case .callMethodWithSpread(let op):
+            return CallMethodWithSpread(methodName: op.methodName, numArguments: op.numArguments, spreads: op.spreads, isGuarded: false)
+        case .callComputedMethod(let op):
+            return CallComputedMethod(numArguments: op.numArguments, isGuarded: false)
+        case .callComputedMethodWithSpread(let op):
+            return CallComputedMethodWithSpread(numArguments: op.numArguments, spreads: op.spreads, isGuarded: false)
+        default:
+            fatalError("All guardable operations should be handled")
+        }
+    }
 }
 
 final class LoadInteger: JsOperation {