Work around the f.arguments problem in dumpling mode

This works around false positives in connection with code referring
to `f.arguments` in differential fuzzing. We now suppress any access
to the `arguments` property and instead reject such samples.

This has only an effect in differential fuzzing and is a no-op
otherwise.

We don't really care if the receiver actually is a function,
and instead over-approximate this slightly. This might cover
weird other ways of transferring the arguments to another object
with `o.__proto__ = f`.

Bug: 490382714
Change-Id: Ia7e78a6708f4d0db4c1ba671cfd279db8f57b70e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9102176
Commit-Queue: Michael Achenbach <machenbach@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>

Author: mi-ac

Sources/Fuzzilli/Engines/FuzzEngine.swift

@@ -32,8 +32,17 @@ public class FuzzEngine: ComponentBase {
         fatalError("Must be implemented by child classes")
     }
 
-    final func execute(_ program: Program, withTimeout timeout: UInt32? = nil) -> ExecutionOutcome {
-        let program = postProcessor?.process(program, for: fuzzer) ?? program
+    final func execute(_ rawProgram: Program, withTimeout timeout: UInt32? = nil) -> ExecutionOutcome {
+        let program : Program
+        do {
+            // An optional post processor can reject a sample right away with
+            // the postProcessRejectionError.
+            program = try postProcessor?.process(rawProgram, for: fuzzer) ?? rawProgram
+        } catch InternalError.postProcessRejection {
+            return ExecutionOutcome.failed(1)
+        } catch {
+            fatalError("Unexpected error in post processor.")
+        }
 
         fuzzer.dispatchEvent(fuzzer.events.ProgramGenerated, data: program)
 

Sources/Fuzzilli/Engines/FuzzingPostProcessor.swift

@@ -16,5 +16,5 @@ import Foundation
 
 // A post-processor can be used to modify samples generated during fuzzing before executing them.
 public protocol FuzzingPostProcessor {
-    func process(_ program: Program, for fuzzer: Fuzzer) -> Program
+    func process(_ program: Program, for fuzzer: Fuzzer) throws -> Program
 }

Sources/Fuzzilli/Profiles/V8DumplingProfile.swift

@@ -154,5 +154,34 @@ let v8DumplingProfile = Profile(
 
     additionalEnumerations: [.gcTypeEnum, .gcExecutionEnum],
 
-    optionalPostProcessor: nil
+    optionalPostProcessor: DumplingFuzzingPostProcessor()
 )
+
+/// A post-processor for the Dumpling profile.
+///
+/// Work-around for differential fuzzing to avoid f.arguments.
+/// Or any access to "arguments" with a computed property. We just
+/// overapproximate this by checking for any string occurence of
+/// "arguments" and reject the sample.
+public struct DumplingFuzzingPostProcessor: FuzzingPostProcessor {
+    public func process(_ program: Program, for fuzzer: Fuzzer) throws -> Program {
+        for instr in program.code {
+            switch instr.op.opcode {
+            case .loadString(let op) where op.value == "arguments":
+                throw InternalError.postProcessRejection("\"arguments\" string")
+            case .getProperty(let op) where op.propertyName == "arguments":
+                throw InternalError.postProcessRejection("f.arguments access")
+            case .setProperty(let op) where op.propertyName == "arguments":
+                throw InternalError.postProcessRejection("f.arguments assignment")
+            case .updateProperty(let op) where op.propertyName == "arguments":
+                throw InternalError.postProcessRejection("f.arguments update")
+            case .deleteProperty(let op) where op.propertyName == "arguments":
+                throw InternalError.postProcessRejection("f.arguments deletion")
+            default:
+                break
+            }
+        }
+
+        return program
+    }
+}

Sources/Fuzzilli/Profiles/V8SandboxProfile.swift

@@ -15,7 +15,7 @@
 
 // A post-processor that inserts calls to the sandbox corruption functions (defined in the codeSuffix below) into the generated samples.
 fileprivate struct SandboxFuzzingPostProcessor: FuzzingPostProcessor {
-    func process(_ program: Fuzzilli.Program, for fuzzer: Fuzzer) -> Fuzzilli.Program {
+    func process(_ program: Program, for fuzzer: Fuzzer) throws -> Program {
         // We don't instrument every generated program since we still want the fuzzer to make progress towards
         // discovering more interestesting programs and adding them to the corpus. Corrupting objects in every
         // generated program might hamper that.

Sources/Fuzzilli/Util/Error.swift

@@ -23,3 +23,8 @@ public enum FuzzilliError: Error {
     case evaluatorStateImportError(String)
     case codeVerificationError(String)
 }
+
+// Simple error enum for internally handled errors, not displayed to the user.
+public enum InternalError: Error {
+    case postProcessRejection(String)
+}

Tests/FuzzilliTests/EngineTests.swift

@@ -48,4 +48,62 @@ class EngineTests: XCTestCase {
         XCTAssertEqual(mockPostProcessor.callCount, 3)
         XCTAssert(fuzzer.isStopped)
     }
+
+    // Test that certain usages of "arguments" are rejected by the Dumpling
+    // post processor.
+    func testDumplingPostProcessor() {
+        let fuzzer = makeMockFuzzer()
+        let processor = DumplingFuzzingPostProcessor()
+
+        let rejectedCases: [(ProgramBuilder) -> ()] = [
+            { b in
+                let f = b.buildPlainFunction(with: .parameters(n: 0)) { _ in }
+                b.getProperty("arguments", of: f)
+            },
+            { b in
+                let f = b.buildPlainFunction(with: .parameters(n: 0)) { _ in }
+                let i = b.loadInt(0)
+                b.setProperty("arguments", of: f, to: i)
+            },
+            { b in
+                let f = b.buildPlainFunction(with: .parameters(n: 0)) { _ in }
+                let i = b.loadInt(0)
+                b.updateProperty("arguments", of: f, with: i, using: BinaryOperator.Add)
+            },
+            { b in
+                let f = b.buildPlainFunction(with: .parameters(n: 0)) { _ in }
+                b.deleteProperty("arguments", of: f)
+            },
+            { b in
+                let f = b.buildPlainFunction(with: .parameters(n: 0)) { _ in }
+                let a = b.loadString("arguments")
+                b.getComputedProperty(a, of: f)
+            },
+        ]
+
+        for (i, rejectedCase) in rejectedCases.enumerated() {
+            let b = fuzzer.makeBuilder()
+            rejectedCase(b)
+            let program = b.finalize()
+            XCTAssertThrowsError(try processor.process(program, for: fuzzer), "test case \(i)")
+        }
+
+        for acceptedCase: (ProgramBuilder) -> () in [
+            { b in
+                let f = b.buildPlainFunction(with: .parameters(n: 0)) { _ in }
+                b.getProperty("not_arguments", of: f)
+            },
+            { b in
+                let f = b.buildPlainFunction(with: .parameters(n: 0)) { _ in }
+                let a = b.loadString("not_arguments")
+                b.getComputedProperty(a, of: f)
+            },
+        ] {
+
+            let b = fuzzer.makeBuilder()
+            acceptedCase(b)
+            let program = b.finalize()
+            _ = try! processor.process(program, for: fuzzer)
+        }
+    }
 }