Add BindFunction to bind receiver and arguments

Bug: 408162715
Change-Id: I0dcce2908f87b50c578c3ac0b54122b7d6f0bb6e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8432040
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Carl Smith <[email protected]>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -2623,6 +2623,11 @@ public class ProgramBuilder {
         return emit(BindMethod(methodName: name), withInputs: [object]).output
     }
 
+    @discardableResult
+    public func bindFunction(_ fct: Variable, boundArgs arguments: [Variable]) -> Variable {
+        return emit(BindFunction(numInputs: arguments.count + 1), withInputs: [fct] + arguments).output
+    }
+
     @discardableResult
     public func callComputedMethod(_ name: Variable, on object: Variable, withArgs arguments: [Variable] = [], guard isGuarded: Bool = false) -> Variable {
         return emit(CallComputedMethod(numArguments: arguments.count, isGuarded: isGuarded), withInputs: [object, name] + arguments).output

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -139,6 +139,8 @@ public let codeGeneratorWeights = [
     "SuperMethodCallGenerator":                 20,
     "UnboundFunctionCallGenerator":             10,
     "UnboundFunctionApplyGenerator":            10,
+    "UnboundFunctionBindGenerator":             10,
+    "FunctionBindGenerator":                    10,
 
     // These will only be used inside class methods, and only if private properties were previously declared in that class.
     "PrivatePropertyRetrievalGenerator":        30,

Sources/Fuzzilli/CodeGen/CodeGenerators.swift

@@ -1149,8 +1149,6 @@ public let CodeGenerators: [CodeGenerator] = [
         b.callMethod("call", on: f, withArgs: [receiver] + arguments, guard: needGuard)
     },
 
-    // TODO(mliedtke): Add operation and type inference for a BindFunction which binds a receiver
-    // and an arbitrary amount of function arguments.
     CodeGenerator("UnboundFunctionApplyGenerator", inputs: .preferred(.unboundFunction())) { b, f in
         let arguments = b.randomArguments(forCalling: f)
         let fctType = b.type(of: f)
@@ -1162,6 +1160,22 @@ public let CodeGenerators: [CodeGenerator] = [
         b.callMethod("apply", on: f, withArgs: [receiver, b.createArray(with: arguments)], guard: needGuard)
     },
 
+    CodeGenerator("UnboundFunctionBindGenerator", inputs: .required(.unboundFunction())) { b, f in
+        let arguments = b.randomArguments(forCalling: f)
+        let fctType = b.type(of: f)
+        let receiver = b.randomVariable(forUseAs: fctType.receiver ?? .object())
+        let boundArgs = [receiver] + arguments
+        b.bindFunction(f, boundArgs: Array(boundArgs[0..<Int.random(in: 0...boundArgs.count)]))
+    },
+
+    CodeGenerator("FunctionBindGenerator", inputs: .required(.function())) { b, f in
+        let arguments = b.randomArguments(forCalling: f)
+        let fctType = b.type(of: f)
+        let receiver = b.randomVariable(forUseAs: .object())
+        let boundArgs = [receiver] + arguments
+        b.bindFunction(f, boundArgs: Array(boundArgs[0..<Int.random(in: 0...boundArgs.count)]))
+    },
+
     CodeGenerator("SubroutineReturnGenerator", inContext: .subroutine, inputs: .one) { b, val in
         assert(b.context.contains(.subroutine))
         if probability(0.9) {

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1069,6 +1069,8 @@ extension Instruction: ProtobufConvertible {
                 $0.wrapSuspending = Fuzzilli_Protobuf_WrapSuspending()
             case .bindMethod(let op):
                 $0.bindMethod = Fuzzilli_Protobuf_BindMethod.with { $0.methodName = op.methodName }
+            case .bindFunction(_):
+                $0.bindFunction = Fuzzilli_Protobuf_BindFunction()
             case .print(_):
                 fatalError("Print operations should not be serialized")
             // Wasm Operations
@@ -2115,6 +2117,8 @@ extension Instruction: ProtobufConvertible {
             op = WrapSuspending()
         case .bindMethod(let p):
             op = BindMethod(methodName: p.methodName)
+        case .bindFunction(_):
+            op = BindFunction(numInputs: inouts.count - 1)
         case .print(_):
             fatalError("Should not deserialize a Print instruction!")
 

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -1724,6 +1724,24 @@ public struct JSTyper: Analyzer {
             let newParameters = [Parameter.plain(.object())] + signature.parameters
             set(instr.output, .function(newParameters => signature.outputType))
 
+        case .bindFunction(_):
+            let inputType = type(ofInput: 0)
+            if let signature = inputType.signature {
+                if instr.inputs.count == 1 {
+                    set(instr.output, inputType)
+                } else {
+                    // We only bind any actual parameters if the BindFunction operation has more
+                    // than 2 inputs(instr.inputs.count - 2) as the first input is the function
+                    // on which we call .bind() and the second input is the receiver, so the bind
+                    // only replaces the existing receiver.
+                    let start = min(instr.inputs.count - 2, signature.parameters.count)
+                    let params = Array(signature.parameters[start..<signature.parameters.count])
+                    set(instr.output, .function(params => signature.outputType))
+                }
+            } else {
+                set(instr.output, .jsAnything)
+            }
+
         case .wasmBeginTypeGroup(_):
             startTypeGroup()
 

Sources/Fuzzilli/FuzzIL/JsOperations.swift

@@ -2466,6 +2466,14 @@ class BindMethod: JsOperation {
     }
 }
 
+class BindFunction: JsOperation {
+    override var opcode: Opcode { .bindFunction(self) }
+
+    init(numInputs: Int) {
+        super.init(numInputs: numInputs, numOutputs: 1, firstVariadicInput: 1,
+            attributes: [.isVariadic], requiredContext: .javascript)
+    }
+}
 
 // This instruction is used to create strongly typed WasmGlobals in the JS world that can be imported by a WasmModule.
 class CreateWasmGlobal: JsOperation {

Sources/Fuzzilli/FuzzIL/Opcodes.swift

@@ -216,6 +216,7 @@ enum Opcode {
     case wrapPromising(WrapPromising)
     case wrapSuspending(WrapSuspending)
     case bindMethod(BindMethod)
+    case bindFunction(BindFunction)
 
     // Wasm opcodes
     case consti64(Consti64)

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -795,6 +795,10 @@ public class FuzzILLifter: Lifter {
         case .bindMethod(_):
             w.emit("\(output()) <- BindMethod \(input(0))")
 
+        case .bindFunction(_):
+            let inputs = instr.inputs.map(lift).joined(separator: ", ")
+            w.emit("\(output()) <- BindFunction \(inputs)")
+
         // Wasm Instructions
 
         case .beginWasmFunction(let op):

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -1435,6 +1435,12 @@ public class JavaScriptLifter: Lifter {
                 let LET = w.varKeyword
                 w.emit("\(LET) \(V) = Function.prototype.call.bind(\(OBJECT).\(op.methodName));")
 
+            case .bindFunction(_):
+                let V = w.declare(instr.output)
+                let function = input(0)
+                let args = inputs.dropFirst()
+                w.emit("\(w.varKeyword) \(V) = \(function).bind(\(liftCallArguments(args)));")
+
             case .beginWasmModule:
                 wasmCodeStarts = instr.index
                 assert(wasmInstructions.isEmpty)

Sources/Fuzzilli/Minimization/VariadicInputReducer.swift

@@ -69,6 +69,8 @@ struct VariadicInputReducer: Reducer {
                     newOp = CallPrivateMethod(methodName: op.methodName, numArguments: op.numArguments - 1)
                 case .callSuperMethod(let op):
                     newOp = CallSuperMethod(methodName: op.methodName, numArguments: op.numArguments - 1)
+                case .bindFunction(let op):
+                    newOp = BindFunction(numInputs: op.numInputs - 1)
                 case .createTemplateString(let op):
                     newOp = CreateTemplateString(parts: op.parts.dropLast())
                 case .wasmEndTypeGroup(_):