Make setProperty a GuardableOperation

This patch makes setProperty inherit from GuardableOperation instead of
JsOperation and adds guards in CodeGenerators using setProperty to
prevent invalid programs.

Bug: 40272934
Change-Id: Ib2d54fa42da6e4d17caf039d1e489472f079e497
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8543120
Reviewed-by: Hendrik Wüthrich <whendrik@google.com>
Commit-Queue: Hendrik Wüthrich <whendrik@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Hendrik Wüthrich <whendrik@google.com>

Author: whendrik-cmd

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -2314,8 +2314,8 @@ public class ProgramBuilder {
         return emit(GetProperty(propertyName: name, isGuarded: isGuarded), withInputs: [object]).output
     }
 
-    public func setProperty(_ name: String, of object: Variable, to value: Variable) {
-        emit(SetProperty(propertyName: name), withInputs: [object, value])
+    public func setProperty(_ name: String, of object: Variable, to value: Variable, guard isGuarded: Bool = false) {
+        emit(SetProperty(propertyName: name, isGuarded: isGuarded), withInputs: [object, value])
     }
 
     public func updateProperty(_ name: String, of object: Variable, with value: Variable, using op: BinaryOperator) {

Sources/Fuzzilli/CodeGen/CodeGenerators.swift

@@ -980,8 +980,9 @@ public let CodeGenerators: [CodeGenerator] = [
         assert(propertyType == .jsAnything || b.type(of: obj).properties.contains(propertyName))
         let value = b.randomVariable(forUseAs: propertyType)
 
-        // TODO: (here and below) maybe wrap in try catch if obj may be nullish?
-        b.setProperty(propertyName, of: obj, to: value)
+        let needGuard = b.type(of: obj).MayBe(.nullish)
+
+        b.setProperty(propertyName, of: obj, to: value, guard: needGuard)
     },
 
     CodeGenerator("PropertyUpdateGenerator", inputs: .preferred(.object())) { b, obj in
@@ -1655,13 +1656,15 @@ public let CodeGenerators: [CodeGenerator] = [
     },
 
     CodeGenerator("PrototypeOverwriteGenerator", inputs: .preferred(.object(), .object())) { b, obj, proto in
-        b.setProperty("__proto__", of: obj, to: proto)
+        let needGuard = b.type(of: obj).MayBe(.nullish)
+        b.setProperty("__proto__", of: obj, to: proto, guard: needGuard)
     },
 
     CodeGenerator("CallbackPropertyGenerator", inputs: .preferred(.object(), .function())) { b, obj, callback in
         // TODO add new callbacks like Symbol.toPrimitive?
         let propertyName = chooseUniform(from: ["valueOf", "toString"])
-        b.setProperty(propertyName, of: obj, to: callback)
+        let needGuard = b.type(of: obj).MayBe(.nullish)
+        b.setProperty(propertyName, of: obj, to: callback, guard: needGuard)
     },
 
     CodeGenerator("MethodCallWithDifferentThisGenerator", inputs: .preferred(.object(), .object())) { b, obj, this in
@@ -1724,7 +1727,9 @@ public let CodeGenerators: [CodeGenerator] = [
             // (Probably) grow
             newLength = b.loadInt(b.randomIndex())
         }
-        b.setProperty("length", of: obj, to: newLength)
+
+        let needGuard = b.type(of: obj).MayBe(.nullish)
+        b.setProperty("length", of: obj, to: newLength, guard: needGuard)
     },
 
     // Tries to change the element kind of an array

Sources/Fuzzilli/Compiler/Compiler.swift

@@ -691,7 +691,7 @@ public class JavaScriptCompiler {
                     if let op = assignmentOperator {
                         emit(UpdateProperty(propertyName: name, operator: op), withInputs: [object, rhs])
                     } else {
-                        emit(SetProperty(propertyName: name), withInputs: [object, rhs])
+                        emit(SetProperty(propertyName: name, isGuarded: memberExpression.isOptional), withInputs: [object, rhs])
                     }
                 case .expression(let expr):
                     if case .numberLiteral(let literal) = expr.expression, let index = Int64(exactly: literal.value) {

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -708,7 +708,10 @@ extension Instruction: ProtobufConvertible {
                     $0.isGuarded = op.isGuarded
                 }
             case .setProperty(let op):
-                $0.setProperty = Fuzzilli_Protobuf_SetProperty.with { $0.propertyName = op.propertyName }
+                $0.setProperty = Fuzzilli_Protobuf_SetProperty.with {
+                    $0.propertyName = op.propertyName
+                    $0.isGuarded = op.isGuarded
+                }
             case .updateProperty(let op):
                 $0.updateProperty = Fuzzilli_Protobuf_UpdateProperty.with {
                     $0.propertyName = op.propertyName
@@ -1920,7 +1923,7 @@ extension Instruction: ProtobufConvertible {
         case .getProperty(let p):
             op = GetProperty(propertyName: p.propertyName, isGuarded: p.isGuarded)
         case .setProperty(let p):
-            op = SetProperty(propertyName: p.propertyName)
+            op = SetProperty(propertyName: p.propertyName, isGuarded: p.isGuarded)
         case .updateProperty(let p):
             op = UpdateProperty(propertyName: p.propertyName, operator: try convertEnum(p.op, BinaryOperator.allCases))
         case .deleteProperty(let p):

Sources/Fuzzilli/FuzzIL/JsOperations.swift

@@ -69,6 +69,8 @@ class GuardableOperation: JsOperation {
             return GetProperty(propertyName: op.propertyName, isGuarded: true)
         case .deleteProperty(let op):
             return DeleteProperty(propertyName: op.propertyName, isGuarded: true)
+        case .setProperty(let op):
+            return SetProperty(propertyName: op.propertyName, isGuarded: true)
         case .getElement(let op):
             return GetElement(index: op.index, isGuarded: true)
         case .deleteElement(let op):
@@ -111,6 +113,8 @@ class GuardableOperation: JsOperation {
             return GetProperty(propertyName: op.propertyName, isGuarded: false)
         case .deleteProperty(let op):
             return DeleteProperty(propertyName: op.propertyName, isGuarded: false)
+        case .setProperty(let op):
+            return SetProperty(propertyName: op.propertyName, isGuarded: false)
         case .getElement(let op):
             return GetElement(index: op.index, isGuarded: false)
         case .deleteElement(let op):
@@ -1012,14 +1016,14 @@ final class GetProperty: GuardableOperation {
     }
 }
 
-final class SetProperty: JsOperation {
+final class SetProperty: GuardableOperation {
     override var opcode: Opcode { .setProperty(self) }
 
     let propertyName: String
 
-    init(propertyName: String) {
+    init(propertyName: String, isGuarded: Bool) {
         self.propertyName = propertyName
-        super.init(numInputs: 2, attributes: .isMutable)
+        super.init(isGuarded: isGuarded, numInputs: 2, attributes: .isMutable)
     }
 }
 

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -328,7 +328,8 @@ public class FuzzILLifter: Lifter {
             w.emit("\(output()) <- \(opcode) \(input(0)), '\(op.propertyName)'")
 
         case .setProperty(let op):
-            w.emit("SetProperty \(input(0)), '\(op.propertyName)', \(input(1))")
+            let opcode = op.isGuarded ? "SetProperty (guarded)" : "SetProperty"
+            w.emit("\(opcode) \(input(0)), '\(op.propertyName)', \(input(1))")
 
         case .updateProperty(let op):
             w.emit("UpdateProperty \(input(0)), '\(op.op.token)', \(input(1))")

Sources/Fuzzilli/Mutators/FixupMutator.swift

@@ -147,6 +147,9 @@ public class FixupMutator: RuntimeAssistedMutator {
             case .deleteProperty(let op):
                 maybeFixup(instr, performing: .DeleteProperty, guarded: op.isGuarded, withInputs: [.argument(index: 0), .string(value: op.propertyName)], with: b)
 
+            case .setProperty(let op):
+                maybeFixup(instr, performing: .SetProperty, guarded: op.isGuarded, withInputs: [.argument(index: 0), .string(value: op.propertyName)], with: b)
+
             case .getElement(let op):
                 maybeFixup(instr, performing: .GetProperty, guarded: op.isGuarded, withInputs: [.argument(index: 0), .int(value: op.index)], with: b)
 

Sources/Fuzzilli/Mutators/OperationMutator.swift

@@ -117,8 +117,8 @@ public class OperationMutator: BaseInstructionMutator {
             newOp = CreateArrayWithSpread(spreads: spreads)
         case .getProperty(let op):
             newOp = GetProperty(propertyName: b.randomPropertyName(), isGuarded: op.isGuarded)
-        case .setProperty(_):
-            newOp = SetProperty(propertyName: b.randomPropertyName())
+        case .setProperty(let op):
+            newOp = SetProperty(propertyName: b.randomPropertyName(), isGuarded: op.isGuarded)
         case .updateProperty(_):
             newOp = UpdateProperty(propertyName: b.randomPropertyName(), operator: chooseUniform(from: BinaryOperator.allCases))
         case .deleteProperty(let op):

Sources/Fuzzilli/Mutators/RuntimeAssistedMutator.swift

@@ -335,12 +335,11 @@ extension RuntimeAssistedMutator.Action {
                 b.getComputedProperty(property, of: o, guard: isGuarded)
             }
         case .SetProperty:
-            assert(!isGuarded)
             let o = try translateInput(0)
             let v = try translateInput(2)
             switch try getInput(1) {
             case .string(let propertyName):
-                b.setProperty(propertyName, of: o, to: v)
+                b.setProperty(propertyName, of: o, to: v, guard: isGuarded)
             case .int(let index):
                 b.setElement(index, of: o, to: v)
             default:

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -2409,6 +2409,8 @@ public struct Fuzzilli_Protobuf_SetProperty: Sendable {
 
   public var propertyName: String = String()
 
+  public var isGuarded: Bool = false
+
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
   public init() {}
@@ -7744,7 +7746,7 @@ extension Fuzzilli_Protobuf_GetProperty: SwiftProtobuf.Message, SwiftProtobuf._M
 
 extension Fuzzilli_Protobuf_SetProperty: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".SetProperty"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}propertyName\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}propertyName\0\u{1}isGuarded\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
@@ -7753,6 +7755,7 @@ extension Fuzzilli_Protobuf_SetProperty: SwiftProtobuf.Message, SwiftProtobuf._M
       // enabled. https://github.com/apple/swift-protobuf/issues/1034
       switch fieldNumber {
       case 1: try { try decoder.decodeSingularStringField(value: &self.propertyName) }()
+      case 2: try { try decoder.decodeSingularBoolField(value: &self.isGuarded) }()
       default: break
       }
     }
@@ -7762,11 +7765,15 @@ extension Fuzzilli_Protobuf_SetProperty: SwiftProtobuf.Message, SwiftProtobuf._M
     if !self.propertyName.isEmpty {
       try visitor.visitSingularStringField(value: self.propertyName, fieldNumber: 1)
     }
+    if self.isGuarded != false {
+      try visitor.visitSingularBoolField(value: self.isGuarded, fieldNumber: 2)
+    }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_SetProperty, rhs: Fuzzilli_Protobuf_SetProperty) -> Bool {
     if lhs.propertyName != rhs.propertyName {return false}
+    if lhs.isGuarded != rhs.isGuarded {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }