Make it possible to import .js files that throw an exception

Samuel Groß · Samuel Groß · commit b5aeee807e14 · 2024-12-10T15:40:37.000+01:00
Previously, we wouldn't import those files as we require all samples in
the corpus to execute successfully. With this change, we simply try to
wrap all failing programs in a big try-catch block during corpus import,
then try importing them again. In the future we could improve this
mechanism to for example determine exactly which instruction causes the
exception and then either remove this instruction or wrap (only) it in a
try-catch. But for now, this simple change already allows us to import
~30% more programs from V8's regression tests.

Drive-By: add some more functions to filteredFunctionsForCompiler.
diff --git a/Sources/FuzzILTool/main.swift b/Sources/FuzzILTool/main.swift
@@ -27,10 +27,15 @@ let fuzzILLifter = FuzzILLifter()
 // Default list of functions that are filtered out during compilation. These are functions that may be used in testcases but which do not influence the test's behaviour and so should be omitted for fuzzing.
 // The functions can use the wildcard '*' character as _last_ character, in which case a prefix match will be performed.
 let filteredFunctionsForCompiler = [
+    // Functions used in V8's test suite
     "assert*",
     "print*",
+    // Functions used in Mozilla's test suite
+    "startTest",
     "enterFunc",
-    "startTest"
+    "exitFunc",
+    "report*",
+    "options*",
 ]
 
 // Loads a serialized FuzzIL program from the given file
diff --git a/Sources/Fuzzilli/Fuzzer.swift b/Sources/Fuzzilli/Fuzzer.swift
@@ -641,18 +641,36 @@ public class Fuzzer {
 
         case .corpusImport:
             assert(!currentCorpusImportJob.isFinished)
-            let program = currentCorpusImportJob.nextProgram()
+            var program = currentCorpusImportJob.nextProgram()
 
             if currentCorpusImportJob.numberOfProgramsImportedSoFar % 500 == 0 {
                 logger.info("Corpus import progress: imported \(currentCorpusImportJob.numberOfProgramsImportedSoFar) of \(currentCorpusImportJob.totalNumberOfProgramsToImport) programs")
             }
 
-            let outcome = importProgram(program, origin: .corpusImport(mode: currentCorpusImportJob.importMode))
+            var outcome = importProgram(program, origin: .corpusImport(mode: currentCorpusImportJob.importMode))
+            if case .failed = outcome {
+                // Wrap the entire program in a try-catch block and retry.
+                // TODO we could be a lot smarter here. For example, we could instrument the program to determine
+                // exactly which instruction causes the exception to be thrown, and then either delete that
+                // instruction or wrap just that instruction in try-catch.
+                let b = makeBuilder()
+                b.buildTryCatchFinally(tryBody: {
+                    b.adopting(from: program) {
+                        for instr in program.code {
+                            b.adopt(instr)
+                        }
+                    }
+                }, catchBody: { _ in })
+                program = b.finalize()
+                currentCorpusImportJob.notifyProgramNeededFixup()
+                outcome = importProgram(program, origin: .corpusImport(mode: currentCorpusImportJob.importMode))
+            }
             currentCorpusImportJob.notifyImportOutcome(outcome)
 
             if currentCorpusImportJob.isFinished {
                 logger.info("Corpus import finished:")
                 logger.info("\(currentCorpusImportJob.numberOfProgramsThatExecutedSuccessfullyDuringImport)/\(currentCorpusImportJob.totalNumberOfProgramsToImport) programs executed successfully during import")
+                logger.info("\(currentCorpusImportJob.numberOfProgramsThatNeededFixup)/\(currentCorpusImportJob.totalNumberOfProgramsToImport) programs needed fixup during import (wrapping in try-catch)")
                 logger.info("\(currentCorpusImportJob.numberOfProgramsThatTimedOutDuringImport)/\(currentCorpusImportJob.totalNumberOfProgramsToImport) programs timed out during import")
                 logger.info("\(currentCorpusImportJob.numberOfProgramsThatFailedDuringImport)/\(currentCorpusImportJob.totalNumberOfProgramsToImport) programs failed to execute during import")
                 logger.info("Corpus now contains \(corpus.size) programs")
@@ -799,6 +817,7 @@ public class Fuzzer {
         private(set) var numberOfProgramsThatFailedDuringImport = 0
         private(set) var numberOfProgramsThatTimedOutDuringImport = 0
         private(set) var numberOfProgramsThatExecutedSuccessfullyDuringImport = 0
+        private(set) var numberOfProgramsThatNeededFixup = 0
 
         init(corpus: [Program], mode: CorpusImportMode) {
             self.corpusToImport = corpus.reversed()         // Programs are taken from the end.
@@ -830,6 +849,10 @@ public class Fuzzer {
             }
         }
 
+        mutating func notifyProgramNeededFixup() {
+            numberOfProgramsThatNeededFixup += 1
+        }
+
         func progress() -> Double {
             let numberOfProgramsToImport = Double(totalNumberOfProgramsToImport)
             let numberOfProgramsAlreadyImported = Double(numberOfProgramsImportedSoFar)
