Fix invalid code gen in configuration generators

This patch adds checks to prevent the writable property flag or value
property from being set at the same time that there are getters or
setters.
Currently, the configureProperty and configureElement generators often
generate invalid programs which raise the following exception:

TypeError: Invalid property descriptor. Cannot both specify accessors
and a value or writable attribute

This happens usually because the property flags, which include the
writable property bit (bit 0), are set to a random 8 bit integer.

Bug: 40272934
Change-Id: I3e9ce83a12c6e384064a4f430230f504d177b159
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8543776
Commit-Queue: Hendrik Wüthrich <whendrik@google.com>
Reviewed-by: Hendrik Wüthrich <whendrik@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>

Author: whendrik-cmd

Sources/Fuzzilli/CodeGen/CodeGenerators.swift

@@ -1014,14 +1014,14 @@ public let CodeGenerators: [CodeGenerator] = [
             b.configureProperty(propertyName, of: obj, usingFlags: PropertyFlags.random(), as: .value(b.randomJsVariable()))
         }, {
             guard let getterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureProperty(propertyName, of: obj, usingFlags: PropertyFlags.random(), as: .getter(getterFunc))
+            b.configureProperty(propertyName, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .getter(getterFunc))
         }, {
             guard let setterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureProperty(propertyName, of: obj, usingFlags: PropertyFlags.random(), as: .setter(setterFunc))
+            b.configureProperty(propertyName, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .setter(setterFunc))
         }, {
             guard let getterFunc = b.randomVariable(ofType: .function()) else { return }
             guard let setterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureProperty(propertyName, of: obj, usingFlags: PropertyFlags.random(), as: .getterSetter(getterFunc, setterFunc))
+            b.configureProperty(propertyName, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .getterSetter(getterFunc, setterFunc))
         })
     },
 
@@ -1056,14 +1056,14 @@ public let CodeGenerators: [CodeGenerator] = [
             b.configureElement(index, of: obj, usingFlags: PropertyFlags.random(), as: .value(b.randomJsVariable()))
         }, {
             guard let getterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureElement(index, of: obj, usingFlags: PropertyFlags.random(), as: .getter(getterFunc))
+            b.configureElement(index, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .getter(getterFunc))
         }, {
             guard let setterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureElement(index, of: obj, usingFlags: PropertyFlags.random(), as: .setter(setterFunc))
+            b.configureElement(index, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .setter(setterFunc))
         }, {
             guard let getterFunc = b.randomVariable(ofType: .function()) else { return }
             guard let setterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureElement(index, of: obj, usingFlags: PropertyFlags.random(), as: .getterSetter(getterFunc, setterFunc))
+            b.configureElement(index, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .getterSetter(getterFunc, setterFunc))
         })
     },
 
@@ -1098,14 +1098,14 @@ public let CodeGenerators: [CodeGenerator] = [
             b.configureComputedProperty(propertyName, of: obj, usingFlags: PropertyFlags.random(), as: .value(b.randomJsVariable()))
         }, {
             guard let getterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureComputedProperty(propertyName, of: obj, usingFlags: PropertyFlags.random(), as: .getter(getterFunc))
+            b.configureComputedProperty(propertyName, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .getter(getterFunc))
         }, {
             guard let setterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureComputedProperty(propertyName, of: obj, usingFlags: PropertyFlags.random(), as: .setter(setterFunc))
+            b.configureComputedProperty(propertyName, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .setter(setterFunc))
         }, {
             guard let getterFunc = b.randomVariable(ofType: .function()) else { return }
             guard let setterFunc = b.randomVariable(ofType: .function()) else { return }
-            b.configureComputedProperty(propertyName, of: obj, usingFlags: PropertyFlags.random(), as: .getterSetter(getterFunc, setterFunc))
+            b.configureComputedProperty(propertyName, of: obj, usingFlags: PropertyFlags.randomWithoutWritable(), as: .getterSetter(getterFunc, setterFunc))
         })
     },
 

Sources/Fuzzilli/FuzzIL/JsOperations.swift

@@ -1061,6 +1061,10 @@ public struct PropertyFlags: OptionSet {
     public static func random() -> PropertyFlags {
         return PropertyFlags(rawValue: UInt8.random(in: 0..<8))
     }
+
+    public static func randomWithoutWritable() -> PropertyFlags {
+        return PropertyFlags(rawValue: UInt8.random(in: 0..<8) & 0b1111_1110)
+    }
 }
 
 enum PropertyType: CaseIterable {