Added support for finally blocks (googleprojectzero#196)

Author: amarekano

Sources/Fuzzilli/Core/CodeGenerators.swift

@@ -444,9 +444,25 @@ public let CodeGenerators: [CodeGenerator] = [
         b.beginTry() {
             b.generateRecursive()
         }
-        b.beginCatch() { _ in
-            b.generateRecursive()
-        }
+        withEqualProbability({
+            // try-catch-finally
+            b.beginCatch() { _ in
+                b.generateRecursive()
+            }
+            b.beginFinally() {
+                b.generateRecursive()
+            }
+        }, {
+            // try-catch
+            b.beginCatch() { _ in
+                b.generateRecursive()
+            }
+        }, {
+            // try-finally
+            b.beginFinally() {
+                b.generateRecursive()
+            }
+        })
         b.endTryCatch()
     },
 

Sources/Fuzzilli/Core/ProgramBuilder.swift

@@ -1261,6 +1261,11 @@ public class ProgramBuilder {
         body(exception)
     }
 
+    public func beginFinally(_ body: () -> Void) {
+        perform(BeginFinally())
+        body()
+    }
+
     public func endTryCatch() {
         perform(EndTryCatch())
     }

Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift

@@ -70,6 +70,7 @@ public struct AbstractInterpreter {
             state.mergeStates(typeChanges: &typeChanges)
         case is BeginTry,
              is BeginCatch,
+             is BeginFinally,
              is EndTryCatch:
             break
         case is BeginWith,

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -450,6 +450,8 @@ extension Instruction: ProtobufConvertible {
                 $0.beginTry = Fuzzilli_Protobuf_BeginTry()
             case is BeginCatch:
                 $0.beginCatch = Fuzzilli_Protobuf_BeginCatch()
+            case is BeginFinally:
+                $0.beginFinally = Fuzzilli_Protobuf_BeginFinally()
             case is EndTryCatch:
                 $0.endTryCatch = Fuzzilli_Protobuf_EndTryCatch()
             case is ThrowException:
@@ -665,6 +667,8 @@ extension Instruction: ProtobufConvertible {
             op = BeginTry()
         case .beginCatch(_):
             op = BeginCatch()
+        case .beginFinally(_):
+            op = BeginFinally()
         case .endTryCatch(_):
             op = EndTryCatch()
         case .throwException(_):

Sources/Fuzzilli/FuzzIL/Operations.swift

@@ -840,6 +840,12 @@ class BeginCatch: ControlFlowOperation {
     }
 }
 
+class BeginFinally: ControlFlowOperation {
+    init() {
+        super.init(numInputs: 0, attributes: [.isBlockBegin, .isBlockEnd])
+    }
+}
+
 class EndTryCatch: ControlFlowOperation {
     init() {
         super.init(numInputs: 0, attributes: [.isBlockEnd])

Sources/Fuzzilli/FuzzIL/Semantics.swift

@@ -125,8 +125,10 @@ extension Operation {
         case is BeginForOf:
             return endOp is EndForOf
         case is BeginTry:
-            return endOp is BeginCatch
+            return endOp is BeginCatch || endOp is BeginFinally
         case is BeginCatch:
+            return endOp is BeginFinally || endOp is EndTryCatch
+        case is BeginFinally:
             return endOp is EndTryCatch
         case is BeginCodeString:
             return endOp is EndCodeString

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -311,6 +311,11 @@ public class FuzzILLifter: Lifter {
             w.emit("BeginCatch -> \(instr.innerOutput)")
             w.increaseIndentionLevel()
 
+        case is BeginFinally:
+            w.decreaseIndentionLevel()
+            w.emit("BeginFinally")
+            w.increaseIndentionLevel()
+
         case is EndTryCatch:
             w.decreaseIndentionLevel()
             w.emit("EndTryCatch")

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -520,6 +520,11 @@ public class JavaScriptLifter: Lifter {
                 w.emit("} catch(\(instr.innerOutput)) {")
                 w.increaseIndentionLevel()
 
+            case is BeginFinally:
+                w.decreaseIndentionLevel()
+                w.emit("} finally {")
+                w.increaseIndentionLevel()
+
             case is EndTryCatch:
                 w.decreaseIndentionLevel()
                 w.emit("}")

Sources/Fuzzilli/Minimization/BlockReducer.swift

@@ -26,7 +26,7 @@ struct BlockReducer: Reducer {
                 reduceLoop(loop: group.block(0), in: &code, with: verifier)
 
             case is BeginTry:
-                reduceTryCatch(tryCatch: group, in: &code, with: verifier)
+                reduceTryCatchFinally(tryCatch: group, in: &code, with: verifier)
 
             case is BeginIf:
                 // We reduce ifs simply by removing the whole block group.
@@ -115,10 +115,10 @@ struct BlockReducer: Reducer {
         reduceGenericBlockGroup(codestring, in: &code, with: verifier)
     }
 
-    private func reduceTryCatch(tryCatch: BlockGroup, in code: inout Code, with verifier: ReductionVerifier) {
-        // We first try to remove only the try-catch block instructions.
+    private func reduceTryCatchFinally(tryCatch: BlockGroup, in code: inout Code, with verifier: ReductionVerifier) {
+        // We first try to remove only the try-catch-finally block instructions.
         // If that doesn't work, then we try to remove the try block including
-        // its last instruction but keepp the body of the catch block.
+        // its last instruction but keep the body of the catch and/or finally block.
         // If the body isn't required, it will be removed by the
         // other reducers. On the other hand, this successfully
         // reduces code like
@@ -128,35 +128,40 @@ struct BlockReducer: Reducer {
         //         throw 42;
         //     } catch {
         //         do_something_important2();
+        //     } finally {
+        //         do_something_important3();
         //     }
         //
         // to
         //
         //     do_something_important1();
         //     do_something_important2();
+        //     do_something_important3();
         //
 
         var candidates = [Int]()
 
-        candidates.append(tryCatch[0].index)
-        candidates.append(tryCatch[1].index)
-        candidates.append(tryCatch[2].index)
+        for i in 0...tryCatch.numBlocks {
+            candidates.append(tryCatch[i].index)
+        }
 
         if verifier.tryNopping(candidates, in: &code) {
             return
         }
 
+        var removedLastTryBlockInstruction = false
         // Find the last instruction in try block and try removing that as well.
         for i in stride(from: tryCatch[1].index - 1, to: tryCatch[0].index, by: -1) {
             if !(code[i].op is Nop) {
                 if !code[i].isBlock {
                     candidates.append(i)
+                    removedLastTryBlockInstruction = true
                 }
                 break
             }
         }
 
-        if candidates.count == 4 && verifier.tryNopping(candidates, in: &code) {
+        if removedLastTryBlockInstruction && verifier.tryNopping(candidates, in: &code) {
             return
         }
 
@@ -168,15 +173,16 @@ struct BlockReducer: Reducer {
         //             const v17 = Math(v16,v16);
         //         }
         //      } catch {
+        //      } finally {
         //      }
         //
-        if candidates.count == 4 {
+        if removedLastTryBlockInstruction {
             candidates.removeLast()
         }
 
-        // Find last instruction in try block
+        // Remove all instructions in the body of the try block
         for i in stride(from: tryCatch[1].index - 1, to: tryCatch[0].index, by: -1) {
-            if !(tryCatch.code[i].op is Nop) {
+            if !(code[i].op is Nop) {
                 candidates.append(i)
             }
         }

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -1213,6 +1213,16 @@ public struct Fuzzilli_Protobuf_BeginCatch {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_BeginFinally {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 public struct Fuzzilli_Protobuf_EndTryCatch {
   // SwiftProtobuf.Message conformance is added in an extension below. See the
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
@@ -3414,6 +3424,25 @@ extension Fuzzilli_Protobuf_BeginCatch: SwiftProtobuf.Message, SwiftProtobuf._Me
   }
 }
 
+extension Fuzzilli_Protobuf_BeginFinally: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".BeginFinally"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let _ = try decoder.nextFieldNumber() {
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_BeginFinally, rhs: Fuzzilli_Protobuf_BeginFinally) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
 extension Fuzzilli_Protobuf_EndTryCatch: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".EndTryCatch"
   public static let _protobuf_nameMap = SwiftProtobuf._NameMap()