Refactor of for-in and for-of loops. Makes each type of loop a seperate instruction in FuzzIL

Author: TobiasWienand

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -2488,19 +2488,31 @@ public class ProgramBuilder {
         emit(EndForLoop())
     }
 
-    public func buildForInLoop(_ obj: Variable, _ body: (Variable) -> ()) {
-        let i = emit(BeginForInLoop(), withInputs: [obj]).innerOutput
+    public func buildPlainForInLoop(_ obj: Variable, _ body: (Variable) -> ()) {
+        let i = emit(BeginPlainForInLoop(), withInputs: [obj]).innerOutput
         body(i)
         emit(EndForInLoop())
     }
 
-    public func buildForOfLoop(_ obj: Variable, _ body: (Variable) -> ()) {
-        let i = emit(BeginForOfLoop(), withInputs: [obj]).innerOutput
+    public func buildForInLoopWithReassignment(_ obj: Variable, _ existingVar: Variable, _ body: () -> ()) {
+        emit(BeginForInLoopWithReassignment(), withInputs: [obj, existingVar])
+        body()
+        emit(EndForInLoop())
+    }
+
+    public func buildPlainForOfLoop(_ obj: Variable, _ body: (Variable) -> ()) {
+        let i = emit(BeginPlainForOfLoop(), withInputs: [obj]).innerOutput
         body(i)
         emit(EndForOfLoop())
     }
 
-    public func buildForOfLoop(_ obj: Variable, selecting indices: [Int64], hasRestElement: Bool = false, _ body: ([Variable]) -> ()) {
+    public func buildForOfLoopWithReassignment(_ obj: Variable, _ existingVar: Variable, _ body: () -> ()) {
+        emit(BeginForOfLoopWithReassignment(), withInputs: [obj, existingVar])
+        body()
+        emit(EndForOfLoop())
+    }
+
+    public func buildForOfLoopWithDestruct(_ obj: Variable, selecting indices: [Int64], hasRestElement: Bool = false, _ body: ([Variable]) -> ()) {
         let instr = emit(BeginForOfLoopWithDestruct(indices: indices, hasRestElement: hasRestElement), withInputs: [obj])
         body(Array(instr.innerOutputs))
         emit(EndForOfLoop())

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -158,8 +158,10 @@ public let codeGeneratorWeights = [
     "DoWhileLoopGenerator":                     15,
     "SimpleForLoopGenerator":                   10,
     "ComplexForLoopGenerator":                  10,
-    "ForInLoopGenerator":                       10,
-    "ForOfLoopGenerator":                       10,
+    "PlainForInLoopGenerator":                  8,
+    "ForInLoopWithReassignmentGenerator":       2,
+    "PlainForOfLoopGenerator":                  8,
+    "ForOfLoopWithReassignmentGenerator":       2,
     "ForOfWithDestructLoopGenerator":           3,
     "RepeatLoopGenerator":                      10,
     "SwitchCaseBreakGenerator":                 5,

Sources/Fuzzilli/CodeGen/CodeGenerators.swift

@@ -1366,14 +1366,29 @@ public let CodeGenerators: [CodeGenerator] = [
         }
     },
 
-    RecursiveCodeGenerator("ForInLoopGenerator", inputs: .preferred(.object())) { b, obj in
-        b.buildForInLoop(obj) { _ in
+    RecursiveCodeGenerator("PlainForInLoopGenerator", inputs: .preferred(.object())) { b, obj in
+        b.buildPlainForInLoop(obj) { _ in
             b.buildRecursive()
         }
     },
 
-    RecursiveCodeGenerator("ForOfLoopGenerator", inputs: .preferred(.iterable)) { b, obj in
-        b.buildForOfLoop(obj) { _ in
+    RecursiveCodeGenerator("ForInLoopWithReassignmentGenerator", inputs: .preferred(.object())) { b, obj in
+        // use a pre-declared variable as the iterator variable (i.e., reassign it)
+        let existing = b.randomVariable()
+        b.buildForInLoopWithReassignment(obj, existing) {
+            b.buildRecursive()
+        }
+    },
+
+    RecursiveCodeGenerator("PlainForOfLoopGenerator", inputs: .preferred(.iterable)) { b, obj in
+        b.buildPlainForOfLoop(obj) { _ in
+            b.buildRecursive()
+        }
+    },
+
+    RecursiveCodeGenerator("ForOfLoopWithReassignmentGenerator", inputs: .preferred(.iterable)) { b, obj in
+        let existing = b.randomVariable()
+        b.buildForOfLoopWithReassignment(obj, existing) {
             b.buildRecursive()
         }
     },
@@ -1390,7 +1405,7 @@ public let CodeGenerators: [CodeGenerator] = [
             indices = [0]
         }
 
-        b.buildForOfLoop(obj, selecting: indices, hasRestElement: probability(0.2)) { _ in
+        b.buildForOfLoopWithDestruct(obj, selecting: indices, hasRestElement: probability(0.2)) { _ in
             b.buildRecursive()
         }
     },

Sources/Fuzzilli/Compiler/Compiler.swift

@@ -423,7 +423,7 @@ public class JavaScriptCompiler {
                 guard !variableDeclarator.hasValue else {
                     throw CompilerError.invalidNodeError("Expected no initial value for the variable declared in a for-in loop")
                 } 
-                let loopVar = emit(BeginForInLoop(), withInputs: [obj]).innerOutput
+                let loopVar = emit(BeginPlainForInLoop(), withInputs: [obj]).innerOutput
                 try enterNewScope {
                     map(variableDeclarator.name, to: loopVar)
                     try compileBody(forInLoop.body)
@@ -435,7 +435,7 @@ public class JavaScriptCompiler {
                     // TODO instead of throwing an error, we should create a global property with the identifier name
                     throw CompilerError.unsupportedFeatureError("Identifier '\(identifier.name)' not found for for-in loop.")
                 }
-                emit(BeginForInLoop(usesPredeclaredIterator: true), withInputs: [obj, loopVar])
+                emit(BeginForInLoopWithReassignment(), withInputs: [obj, loopVar])
                 try enterNewScope {
                     try compileBody(forInLoop.body)
                 }
@@ -451,7 +451,7 @@ public class JavaScriptCompiler {
                 guard !variableDeclarator.hasValue else {
                     throw CompilerError.invalidNodeError("Expected no initial value for the variable declared in a for-of loop")
                 } 
-                let loopVar = emit(BeginForOfLoop(), withInputs: [obj]).innerOutput
+                let loopVar = emit(BeginPlainForOfLoop(), withInputs: [obj]).innerOutput
                 try enterNewScope {
                     map(variableDeclarator.name, to: loopVar)
                     try compileBody(forOfLoop.body)
@@ -463,7 +463,7 @@ public class JavaScriptCompiler {
                     // TODO instead of throwing an error, we should create a global property with the identifier name
                     throw CompilerError.unsupportedFeatureError("Identifier '\(identifier.name)' not found for for-of loop.")
                 }
-                emit(BeginForOfLoop(usesPredeclaredIterator: true), withInputs: [obj, loopVar])
+                emit(BeginForOfLoopWithReassignment(), withInputs: [obj, loopVar])
                 try enterNewScope {
                     try compileBody(forOfLoop.body)
                 }

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -790,16 +790,16 @@ extension Instruction: ProtobufConvertible {
                 $0.beginForLoopBody = Fuzzilli_Protobuf_BeginForLoopBody()
             case .endForLoop:
                 $0.endForLoop = Fuzzilli_Protobuf_EndForLoop()
-            case .beginForInLoop(let op):
-                $0.beginForInLoop = Fuzzilli_Protobuf_BeginForInLoop.with { protobufOp in
-                    protobufOp.usesPredeclaredIterator = op.usesPredeclaredIterator
-                }
+            case .beginPlainForInLoop:
+                $0.beginPlainForInLoop = Fuzzilli_Protobuf_BeginPlainForInLoop()
+            case .beginForInLoopWithReassignment:
+                $0.beginForInLoopWithReassignment = Fuzzilli_Protobuf_BeginForInLoopWithReassignment()
             case .endForInLoop:
                 $0.endForInLoop = Fuzzilli_Protobuf_EndForInLoop()
-            case .beginForOfLoop(let op):
-                $0.beginForOfLoop = Fuzzilli_Protobuf_BeginForOfLoop.with { protobufOp in
-                    protobufOp.usesPredeclaredIterator = op.usesPredeclaredIterator
-                }
+            case .beginPlainForOfLoop:
+                $0.beginPlainForOfLoop = Fuzzilli_Protobuf_BeginPlainForOfLoop()
+            case .beginForOfLoopWithReassignment:
+                $0.beginForOfLoopWithReassignment = Fuzzilli_Protobuf_BeginForOfLoopWithReassignment()
             case .beginForOfLoopWithDestruct(let op):
                 $0.beginForOfLoopWithDestruct = Fuzzilli_Protobuf_BeginForOfLoopWithDestruct.with {
                     $0.indices = op.indices.map({ Int32($0) })
@@ -1216,14 +1216,21 @@ extension Instruction: ProtobufConvertible {
             op = BeginForLoopBody(numLoopVariables: inouts.count)
         case .endForLoop:
             op = EndForLoop()
-        case .beginForInLoop(let p):
-            op = BeginForInLoop(usesPredeclaredIterator: p.usesPredeclaredIterator)
+        case .beginPlainForInLoop:
+            op = BeginPlainForInLoop()
+        case .beginForInLoopWithReassignment:
+            op = BeginForInLoopWithReassignment()
         case .endForInLoop:
             op = EndForInLoop()
-        case .beginForOfLoop(let p):
-            op = BeginForOfLoop(usesPredeclaredIterator: p.usesPredeclaredIterator)
+        case .beginPlainForOfLoop:
+            op = BeginPlainForOfLoop()
+        case .beginForOfLoopWithReassignment:
+            op = BeginForOfLoopWithReassignment()
         case .beginForOfLoopWithDestruct(let p):
-            op = BeginForOfLoopWithDestruct(indices: p.indices.map({ Int64($0) }), hasRestElement: p.hasRestElement_p)
+            op = BeginForOfLoopWithDestruct(
+                indices: p.indices.map({ Int64($0) }),
+                hasRestElement: p.hasRestElement_p
+            )
         case .endForOfLoop:
             op = EndForOfLoop()
         case .beginRepeatLoop(let p):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -283,8 +283,10 @@ public struct JSTyper: Analyzer {
         case .endForLoop:
             state.endGroupOfConditionallyExecutingBlocks(typeChanges: &typeChanges)
         case .beginWhileLoopBody,
-             .beginForInLoop,
-             .beginForOfLoop,
+             .beginPlainForInLoop,
+             .beginForInLoopWithReassignment,
+             .beginPlainForOfLoop,
+             .beginForOfLoopWithReassignment,
              .beginForOfLoopWithDestruct,
              .beginRepeatLoop,
              .beginCodeString:
@@ -793,19 +795,17 @@ public struct JSTyper: Analyzer {
             assert(inputTypes.count == instr.numInnerOutputs)
             zip(instr.innerOutputs, inputTypes).forEach({ set($0, $1) })
 
-        case .beginForInLoop:
-            if instr.numInputs == 2 {
-                set(instr.input(1), .string) // Iterator is declared beforehand
-            } else {
-                set(instr.innerOutput, .string) // Iterator is declared in the function header
-            }
+        case .beginPlainForInLoop:
+            set(instr.innerOutput, .string)
 
-        case .beginForOfLoop:
-            if instr.numInputs == 2 {
-                set(instr.input(1), .anything)
-            } else {
-                set(instr.innerOutput, .anything)
-            }
+        case .beginForInLoopWithReassignment:
+            set(instr.input(1), .string)
+
+        case .beginPlainForOfLoop:
+            set(instr.innerOutput, .anything)
+
+        case .beginForOfLoopWithReassignment:
+            set(instr.input(1), .anything)
 
         case .beginForOfLoopWithDestruct:
             for v in instr.innerOutputs {

Sources/Fuzzilli/FuzzIL/JsOperations.swift

@@ -1964,19 +1964,17 @@ final class EndForLoop: JsOperation {
     }
 }
 
-final class BeginForInLoop: JsOperation {
-    override var opcode: Opcode { .beginForInLoop(self) }
-
-    let usesPredeclaredIterator: Bool
+final class BeginPlainForInLoop: JsOperation {
+    override var opcode: Opcode { .beginPlainForInLoop(self) }
+    init() {
+        super.init(numInputs: 1, numInnerOutputs: 1, attributes: [.isBlockStart, .propagatesSurroundingContext], contextOpened: [.javascript, .loop])
+    }
+}
 
-    init(usesPredeclaredIterator: Bool = false) {
-        self.usesPredeclaredIterator = usesPredeclaredIterator
-        super.init(
-            numInputs: usesPredeclaredIterator ? 2 : 1,
-            numInnerOutputs: usesPredeclaredIterator ? 0 : 1,
-            attributes: [.isBlockStart, .propagatesSurroundingContext],
-            contextOpened: [.javascript, .loop]
-        )
+final class BeginForInLoopWithReassignment: JsOperation {
+    override var opcode: Opcode { .beginForInLoopWithReassignment(self) }
+    init() {
+        super.init(numInputs: 2, numInnerOutputs: 0, attributes: [.isBlockStart, .propagatesSurroundingContext], contextOpened: [.javascript, .loop])
     }
 }
 
@@ -1988,20 +1986,17 @@ final class EndForInLoop: JsOperation {
     }
 }
 
-final class BeginForOfLoop: JsOperation {
-    override var opcode: Opcode { .beginForOfLoop(self) }
-
-
-    let usesPredeclaredIterator: Bool
+final class BeginPlainForOfLoop: JsOperation {
+    override var opcode: Opcode { .beginPlainForOfLoop(self) }
+    init() {
+        super.init(numInputs: 1, numInnerOutputs: 1, attributes: [.isBlockStart, .propagatesSurroundingContext], contextOpened: [.javascript, .loop])
+    }
+}
 
-    init(usesPredeclaredIterator: Bool = false) {
-        self.usesPredeclaredIterator = usesPredeclaredIterator
-        super.init(
-            numInputs: usesPredeclaredIterator ? 2 : 1,
-            numInnerOutputs: usesPredeclaredIterator ? 0 : 1,
-            attributes: [.isBlockStart, .propagatesSurroundingContext],
-            contextOpened: [.javascript, .loop]
-        )
+final class BeginForOfLoopWithReassignment: JsOperation {
+    override var opcode: Opcode { .beginForOfLoopWithReassignment(self) }
+    init() {
+        super.init(numInputs: 2, numInnerOutputs: 0, attributes: [.isBlockStart, .propagatesSurroundingContext], contextOpened: [.javascript, .loop])
     }
 }
 

Sources/Fuzzilli/FuzzIL/Opcodes.swift

@@ -176,9 +176,11 @@ enum Opcode {
     case beginForLoopAfterthought(BeginForLoopAfterthought)
     case beginForLoopBody(BeginForLoopBody)
     case endForLoop(EndForLoop)
-    case beginForInLoop(BeginForInLoop)
+    case beginPlainForInLoop(BeginPlainForInLoop)
+    case beginForInLoopWithReassignment(BeginForInLoopWithReassignment)
     case endForInLoop(EndForInLoop)
-    case beginForOfLoop(BeginForOfLoop)
+    case beginPlainForOfLoop(BeginPlainForOfLoop)
+    case beginForOfLoopWithReassignment(BeginForOfLoopWithReassignment)
     case beginForOfLoopWithDestruct(BeginForOfLoopWithDestruct)
     case endForOfLoop(EndForOfLoop)
     case beginRepeatLoop(BeginRepeatLoop)

Sources/Fuzzilli/FuzzIL/Semantics.swift

@@ -54,10 +54,10 @@ extension Operation {
         case .destructArrayAndReassign,
              .destructObjectAndReassign:
             return inputIdx != 0
-        case .beginForInLoop(let op):
-            return op.usesPredeclaredIterator && inputIdx == 1
-        case .beginForOfLoop(let op):
-            return op.usesPredeclaredIterator && inputIdx == 1
+        case .beginForInLoopWithReassignment:
+            return inputIdx == 1
+        case .beginForOfLoopWithReassignment:
+            return inputIdx == 1
         default:
             return false
         }
@@ -210,9 +210,11 @@ extension Operation {
             return endOp is BeginForLoopBody
         case .beginForLoopBody:
             return endOp is EndForLoop
-        case .beginForInLoop:
+        case .beginPlainForInLoop,
+             .beginForInLoopWithReassignment:
             return endOp is EndForInLoop
-        case .beginForOfLoop,
+        case .beginPlainForOfLoop,
+             .beginForOfLoopWithReassignment,
              .beginForOfLoopWithDestruct:
             return endOp is EndForOfLoop
         case .beginRepeatLoop:

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -666,24 +666,24 @@ public class FuzzILLifter: Lifter {
             w.decreaseIndentionLevel()
             w.emit("EndForLoop")
 
-        case .beginForInLoop:
-            if instr.numInputs == 2 {
-                w.emit("BeginForInLoop \(input(0)) -> \(input(1))")  // Iterator is declared beforehand
-            } else {
-                w.emit("BeginForInLoop \(input(0)) -> \(innerOutput())")  // Iterator is declared in the function header
-            }
+        case .beginPlainForInLoop:
+            w.emit("BeginPlainForInLoop \(input(0)) -> \(innerOutput())")
+            w.increaseIndentionLevel()
+
+        case .beginForInLoopWithReassignment:
+            w.emit("BeginForInLoopWithReassignment \(input(0)) -> \(input(1))")
             w.increaseIndentionLevel()
 
         case .endForInLoop:
             w.decreaseIndentionLevel()
             w.emit("EndForInLoop")
 
-        case .beginForOfLoop:
-            if instr.numInputs == 2 {
-                w.emit("BeginForOfLoop \(input(0)) -> \(input(1))")
-            } else {
-                w.emit("BeginForOfLoop \(input(0)) -> \(innerOutput())")
-            }
+        case .beginPlainForOfLoop:
+            w.emit("BeginPlainForOfLoop \(input(0)) -> \(innerOutput())")
+            w.increaseIndentionLevel()
+
+        case .beginForOfLoopWithReassignment:
+            w.emit("BeginForOfLoopWithReassignment \(input(0)) -> \(input(1))")
             w.increaseIndentionLevel()
 
         case .beginForOfLoopWithDestruct(let op):