Fix DestructArray simplification logic

Change the loop condition to compare the iteration index against 'indices.count - 1' instead of 'indices.last!'.

Also added regression test testDestructuringSimplificationWithRest, which reproduces the original bug using sparse indices with 'lastIsRest' set to true, ensuring that DestructArray is simplified into GetElement and a residual DestructArray for the rest elements.

Change-Id: Ic630615bb85231d703046be4dc669e4314927db2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9027276
Reviewed-by: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Dominik Klemba <tacet@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>

Author: Dominik Klemba

Sources/Fuzzilli/Minimization/InstructionSimplifier.swift

@@ -143,7 +143,7 @@ struct InstructionSimplifier: Reducer {
 
                 let outputs = Array(instr.outputs)
                 for (i, idx) in op.indices.enumerated() {
-                    if i == op.indices.last! && op.lastIsRest {
+                    if i == op.indices.count - 1 && op.lastIsRest {
                         newCode.append(Instruction(DestructArray(indices: [idx], lastIsRest: true), output: outputs.last!, inputs: [instr.input(0)]))
                     } else {
                         newCode.append(Instruction(GetElement(index: idx, isGuarded: false), output: outputs[i], inputs: [instr.input(0)]))

Tests/FuzzilliTests/MinimizerTest.swift

@@ -1434,6 +1434,39 @@ class MinimizerTests: XCTestCase {
         XCTAssertEqual(expectedProgram, actualProgram)
     }
 
+    func testDestructuringSimplificationWithRest() {
+        let evaluator = EvaluatorForMinimizationTests()
+        let fuzzer = makeMockFuzzer(evaluator: evaluator)
+        let b = fuzzer.makeBuilder()
+
+        // Build input program to be minimized.
+        var o = b.createNamedVariable(forBuiltin: "TheArray")
+        let vars = b.destruct(o, selecting: [0, 2], lastIsRest: true)
+
+        var print = b.createNamedVariable(forBuiltin: "print")
+        evaluator.nextInstructionIsImportant(in: b)
+        b.callFunction(print, withArgs: [vars[0], vars[1]])
+
+        let originalProgram = b.finalize()
+
+        // Build expected output program.
+        o = b.createNamedVariable(forBuiltin: "TheArray")
+        let e0 = b.getElement(0, of: o)
+        let restVars = b.destruct(o, selecting: [2], lastIsRest: true)
+
+        print = b.createNamedVariable(forBuiltin: "print")
+        b.callFunction(print, withArgs: [e0, restVars[0]])
+
+        let expectedProgram = b.finalize()
+
+        // See testDestructuringSimplification2 for why these are marked important.
+        evaluator.operationIsImportant(DestructArray.self)
+        evaluator.operationIsImportant(GetElement.self)
+
+        let actualProgram = minimize(originalProgram, with: fuzzer)
+        XCTAssertEqual(actualProgram, expectedProgram)
+    }
+
     func testVariableDeduplication() {
         let evaluator = EvaluatorForMinimizationTests()
         let fuzzer = makeMockFuzzer(evaluator: evaluator)