[temporal] Add support for generating options bags

Temporal (and Intl, and some new Wasm APIs) uses a fair number of
"options bags"; objects with a bunch of optional, typically enumerated/integral
fields.

Currently the fuzzer knows when such a type has been generated, but can
only generate these types by stumbling upon them. This adds an
OptionsBag type that is optimized for representing these; and a code
generator that is capable of generating them.

Bug: 439921647
Change-Id: I6a6a6964e1f4fb9a52d975c20a9a2630d5827eb9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8532481
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Manish Goregaokar <manishearth@google.com>

Author: Manishearth

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -691,6 +691,13 @@ public class ProgramBuilder {
                     }
                 }
 
+                // If we have a producing generator, we aren't going to get this type from elsewhere
+                // so try and generate it using the generator in most cases
+                let producingGenerator = self.fuzzer.environment.getProducingGenerator(ofType: type);
+                if let producingGenerator {
+                    return producingGenerator(self)
+                }
+
                 let producingMethods = self.fuzzer.environment.getProducingMethods(ofType: type)
                 let producingProperties = self.fuzzer.environment.getProducingProperties(ofType: type)
                 let globalProperties = producingProperties.filter() {(group: String, property: String) in

Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift

@@ -289,8 +289,14 @@ public class JavaScriptEnvironment: ComponentBase {
     public private(set) var builtinProperties = Set<String>()
     public private(set) var builtinMethods = Set<String>()
 
+
+    // Something that can generate a variable
+    public typealias EnvironmentValueGenerator = (ProgramBuilder) -> Variable
+
     private var builtinTypes: [String: ILType] = [:]
     private var groups: [String: ObjectGroup] = [:]
+    // Producing generators, keyed on `type.group`
+    private var producingGenerators: [String: EnvironmentValueGenerator] = [:]
     private var producingMethods: [ILType: [(group: String, method: String)]] = [:]
     private var producingProperties: [ILType: [(group: String, property: String)]] = [:]
     private var subtypes: [ILType: [ILType]] = [:]
@@ -381,6 +387,9 @@ public class JavaScriptEnvironment: ComponentBase {
             registerObjectGroup(group)
         }
 
+        registerOptionsBag(.jsTemporalDifferenceSettingOrRoundTo)
+        registerOptionsBag(.jsTemporalToStringSettings)
+        registerOptionsBag(.jsTemporalOverflowSettings)
 
         // Register builtins that should be available for fuzzing.
         // Here it is easy to selectively disable/enable some APIs for fuzzing by
@@ -494,6 +503,14 @@ public class JavaScriptEnvironment: ComponentBase {
         return self.groups.keys.contains(name)
     }
 
+    // Add a generator that produces an object of the provided `type`.
+    //
+    // This is for groups that are never generated as return types of other objects; so we register
+    // a generator that can be called.
+    public func addProducingGenerator(forType type: ILType, with generator: @escaping EnvironmentValueGenerator) {
+        producingGenerators[type.group!] = generator
+    }
+
     private func addProducingMethod(forType type: ILType, by method: String, on group: String) {
         if producingMethods[type] == nil {
         producingMethods[type] = []
@@ -587,6 +604,11 @@ public class JavaScriptEnvironment: ComponentBase {
             }
     }
 
+    public func registerOptionsBag(_ bag: OptionsBag) {
+        registerObjectGroup(bag.group)
+        addProducingGenerator(forType: bag.group.instanceType, with: { b in b.createOptionsBag(bag) })
+    }
+
     public func type(ofBuiltin builtinName: String) -> ILType {
         if let type = builtinTypes[builtinName] {
             return type
@@ -645,6 +667,12 @@ public class JavaScriptEnvironment: ComponentBase {
         return array
     }
 
+    // For ObjectGroups, get a generator that is registered as being able to produce this
+    // ObjectGroup.
+    public func getProducingGenerator(ofType type: ILType) -> EnvironmentValueGenerator? {
+        type.group.flatMap {producingGenerators[$0]}
+    }
+
     public func getProducingProperties(ofType type: ILType) -> [(group: String, property: String)] {
         guard let array = producingProperties[type] else {
             return []
@@ -702,6 +730,27 @@ public struct ObjectGroup {
 
 }
 
+// Some APIs take an "options bag", a list of options like {foo: "something", bar: "something", baz: 1}
+//
+// It is useful to be able to represent simple options bags so that we can efficiently codegen them
+public struct OptionsBag {
+    // The type of each property, not including `| .undefined`.
+    // We may extend this once we start supporting more complex bags
+    public var properties: [String: ILType]
+    // An ObjectGroup representing this bag
+    public var group: ObjectGroup
+
+    public init(name: String, properties: [String: ILType]) {
+        self.properties = properties
+        let properties = properties.mapValues {
+            // This list can be expanded over time as long as OptionsBagGenerator supports this
+            assert($0.isEnumeration || $0.Is(.number) || $0.Is(.integer), "Found unsupported option type \($0) in options bag \(name)")
+            return $0 | .undefined;
+        }
+        self.group = ObjectGroup(name: name, instanceType: nil, properties: properties, overloads: [:])
+    }
+}
+
 // Types of builtin objects, functions, and values.
 //
 // Most objects have a number of common fields, such as .constructor or the various methods defined on the object prototype.
@@ -1886,7 +1935,7 @@ public extension ObjectGroup {
             "subtract": [jsTemporalDurationLike] => .jsTemporalInstant,
             "until": [jsTemporalInstantLike, .opt(jsTemporalDifferenceSettings)] => .jsTemporalDuration,
             "since": [jsTemporalInstantLike, .opt(jsTemporalDifferenceSettings)] => .jsTemporalDuration,
-            "round": [jsTemporalRoundTo] => .jsTemporalInstant,
+            "round": [.plain(jsTemporalRoundTo)] => .jsTemporalInstant,
             "equals": [jsTemporalInstantLike] => .boolean,
             "toString": [.opt(jsTemporalToStringSettings)] => .string,
             "toJSON": [] => .string,
@@ -1936,7 +1985,7 @@ public extension ObjectGroup {
             "abs": [] => .jsTemporalDuration,
             "add": [jsTemporalDurationLike] => .jsTemporalDuration,
             "subtract": [jsTemporalDurationLike] => .jsTemporalDuration,
-            "round": [jsTemporalRoundTo] => .jsTemporalDuration,
+            "round": [jsTemporalDurationRoundTo] => .jsTemporalDuration,
             "total": [jsTemporalDurationTotalOf] => .jsTemporalDuration,
             "toString": [.opt(jsTemporalToStringSettings)] => .string,
             "toJSON": [] => .string,
@@ -1975,7 +2024,7 @@ public extension ObjectGroup {
             "with": [.plain(jsTemporalPlainTimeLikeObject.instanceType), .opt(jsTemporalOverflowSettings)] => .jsTemporalPlainTime,
             "until": [.plain(jsTemporalPlainTimeLike), .opt(jsTemporalDifferenceSettings)] => .jsTemporalDuration,
             "since": [.plain(jsTemporalPlainTimeLike), .opt(jsTemporalDifferenceSettings)] => .jsTemporalDuration,
-            "round": [jsTemporalRoundTo] => .jsTemporalPlainTime,
+            "round": [.plain(jsTemporalRoundTo)] => .jsTemporalPlainTime,
             "equals": [.plain(jsTemporalPlainTimeLike)] => .boolean,
             "toString": [.opt(jsTemporalToStringSettings)] => .string,
             "toJSON": [] => .string,
@@ -2117,12 +2166,77 @@ public extension ObjectGroup {
     fileprivate static let jsTemporalTimeZoneLike = Parameter.string
 
     // Options objects
-    // TODO(manishearth, 439921647) fill in options objects
-    fileprivate static let jsTemporalDifferenceSettings = ILType.jsAnything
-    fileprivate static let jsTemporalRoundTo = Parameter.jsAnything
+    fileprivate static let jsTemporalDifferenceSettings = OptionsBag.jsTemporalDifferenceSettingOrRoundTo.group.instanceType
+    // roundTo accepts a subset of fields compared to differenceSettings; we merge the two bag types but retain separate
+    // variables for clarity in the signatures above.
+    fileprivate static let jsTemporalRoundTo = OptionsBag.jsTemporalDifferenceSettingOrRoundTo.group.instanceType
+    fileprivate static let jsTemporalToStringSettings = OptionsBag.jsTemporalToStringSettings.group.instanceType
+    fileprivate static let jsTemporalOverflowSettings = OptionsBag.jsTemporalOverflowSettings.group.instanceType
+    // TODO(manishearth, 439921647) These are tricky and need other Temporal types
     fileprivate static let jsTemporalDurationRoundTo = Parameter.jsAnything
     fileprivate static let jsTemporalDurationTotalOf = Parameter.jsAnything
+    // This is huge and comes from Intl, not Temporal
+    // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl/DateTimeFormat/DateTimeFormat#parameters
     fileprivate static let jsTemporalToLocaleStringSettings = ILType.jsAnything
-    fileprivate static let jsTemporalToStringSettings = ILType.jsAnything
-    fileprivate static let jsTemporalOverflowSettings = ILType.jsAnything
+}
+
+extension OptionsBag {
+    // Individual enums
+    fileprivate static let jsTemporalUnitEnum = ILType.enumeration(ofName: "temporalUnit", withValues: ["auto", "year", "month", "week", "day", "hour", "minute", "second", "millisecond", "microsecond", "nanosecond", "auto", "years", "months", "weeks", "days", "hours", "minutes", "seconds", "milliseconds", "microseconds", "nanoseconds"])
+    fileprivate static let jsTemporalRoundingModeEnum = ILType.enumeration(ofName: "temporalRoundingMode", withValues: ["ceil", "floor", "expand", "trunc", "halfCeil", "halfFloor", "halfExpand", "halfTrunc", "halfEven"])
+    fileprivate static let jsTemporalShowCalendarEnum = ILType.enumeration(ofName: "temporalShowCalendar", withValues: ["auto", "always", "never", "critical"])
+    fileprivate static let jsTemporalShowOffsetEnum = ILType.enumeration(ofName: "temporalShowOffset", withValues: ["auto", "never"])
+    fileprivate static let jsTemporalShowTimeZoneEnum = ILType.enumeration(ofName: "temporalShowOfTimeZone", withValues: ["auto", "never", "critical"])
+
+    // differenceSettings and roundTo are mostly the same, with differenceSettings accepting an additional largestUnit
+    // note that the Duration roundTo option is different
+    static let jsTemporalDifferenceSettingOrRoundTo = OptionsBag(
+        name: "TemporalDifferenceSettingsObject",
+        properties: [
+            "smallestUnit": jsTemporalUnitEnum,
+            "largestUnit": jsTemporalUnitEnum,
+            "roundingMode": jsTemporalRoundingModeEnum,
+            "roundingIncrement": .integer,
+        ])
+
+    // Technically some of these parameters are only read by ZonedDateTime; but they're
+    // otherwise largely shared
+    static let jsTemporalToStringSettings = OptionsBag(
+        name: "TemporalToStringSettingsObject",
+        properties: [
+            "calendarName": jsTemporalShowCalendarEnum,
+            "fractionalSecondDigits": .number,
+            "offset": jsTemporalShowOffsetEnum,
+            "timeZoneName": jsTemporalShowTimeZoneEnum,
+            "roundingMode": jsTemporalRoundingModeEnum,
+            "smallestUnit": jsTemporalUnitEnum,
+        ])
+
+    static let jsTemporalOverflowSettings = OptionsBag(
+        name: "jsTemporalOverflowSettingsObject",
+        properties: [
+            "overflow": ILType.enumeration(ofName: "temporalOverflow", withValues: ["constrain", "reject"]),
+        ])
+}
+
+// Some APIs accept ObjectGroups that are not produced by other APIs,
+// so we instead register a generator that allows the fuzzer a greater chance of generating
+// one when needed.
+//
+// These can be registered on the environment with addProducingGenerator()
+
+fileprivate extension ProgramBuilder {
+    @discardableResult
+    func createOptionsBag(_ bag: OptionsBag) -> Variable {
+        // We run .filter() to pick a subset of fields, but we generally want to set as many as possible
+        // and let the mutator prune things
+        let dict: [String : Variable] = bag.properties.filter {_ in probability(0.8)}.mapValues {
+            if $0.isEnumeration {
+                return loadString(chooseUniform(from: $0.enumValues))
+            } else {
+                return findOrGenerateType($0)
+            }
+        }
+        return createObject(with: dict)
+    }
 }

Tests/FuzzilliTests/JSTyperTests.swift

@@ -1718,4 +1718,41 @@ class JSTyperTests: XCTestCase {
         let wasmModule = b.construct(wasmModuleConstructor) // In theory this needs arguments.
         XCTAssert(b.type(of: wasmModule).Is(.object(ofGroup: "WebAssembly.Module")))
     }
+
+    func testProducingGenerators() {
+        // Make a simple object
+        let mockEnum = ILType.enumeration(ofName: "mockField", withValues: ["mockValue"]);
+        let mockObject = ObjectGroup(
+            name: "MockObject",
+            instanceType: nil,
+            properties: [
+                "mockField" : mockEnum
+            ],
+            methods: [:]
+        )
+
+        // Some things to keep track of how the generator was called
+        var callCount = 0
+        var returnedVar: Variable? = nil
+        // A simple generator
+        func generate(builder: ProgramBuilder) -> Variable {
+            callCount += 1
+            let val = builder.loadString("mockValue")
+            let variable = builder.createObject(with: ["mockField": val])
+            returnedVar = variable
+            return variable
+        }
+        let fuzzer = makeMockFuzzer()
+        fuzzer.environment.registerObjectGroup(mockObject)
+        fuzzer.environment.addProducingGenerator(forType: mockObject.instanceType, with: generate)
+        let b = fuzzer.makeBuilder()
+        b.buildPrefix()
+
+        // Try to get it to invoke the generator
+        let variable = b.findOrGenerateType(mockObject.instanceType)
+        // Test that the generator was invoked
+        XCTAssertEqual(callCount, 1)
+        // Test that the returned variable matches the generated one
+        XCTAssertEqual(variable, returnedVar)
+    }
 }