Implement Minimization Post-Processing

The new MinimizationPostProcessor runs at the end of minimization and
attempts to add certain features - which are deemed useful for future
code mutations - back to the program as long as they don't alter the
interesting behaviour. For example, it attempts to add return statements
at the end of functions and add arguments to function calls.

Author: Samuel Groß

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -77,6 +77,11 @@ public struct Instruction {
         return op.firstVariadicInput
     }
 
+    /// Whether this instruction has any variadic inputs.
+    public var hasAnyVariadicInputs: Bool {
+        return firstVariadicInput < numInputs
+    }
+
     /// Whether this instruction has any outputs.
     public var hasOutputs: Bool {
         return numOutputs + numInnerOutputs > 0

Sources/Fuzzilli/Minimization/BlockReducer.swift

@@ -14,7 +14,7 @@
 
 /// Reducer to remove unecessary block groups.
 struct BlockReducer: Reducer {
-    func reduce(_ code: inout Code, with tester: ReductionTester) {
+    func reduce(_ code: inout Code, with helper: MinimizationHelper) {
         for group in Blocks.findAllBlockGroups(in: code) {
             switch group.begin.op {
             case is BeginWhileLoop,
@@ -24,37 +24,37 @@ struct BlockReducer: Reducer {
                  is BeginForOfLoop,
                  is BeginForOfWithDestructLoop:
                 assert(group.numBlocks == 1)
-                reduceLoop(loop: group.block(0), in: &code, with: tester)
+                reduceLoop(loop: group.block(0), in: &code, with: helper)
 
             case is BeginTry:
-                reduceTryCatchFinally(tryCatch: group, in: &code, with: tester)
+                reduceTryCatchFinally(tryCatch: group, in: &code, with: helper)
 
             case is BeginIf:
                 // We reduce ifs simply by removing the whole block group.
                 // This works OK since minimization is a fixpoint iteration,
                 // so if only one branch is required, the other one will
                 // eventually be empty.
-                reduceGenericBlockGroup(group, in: &code, with: tester)
+                reduceGenericBlockGroup(group, in: &code, with: helper)
 
             case is BeginSwitch:
-                reduceBeginSwitch(group, in: &code, with: tester)
+                reduceBeginSwitch(group, in: &code, with: helper)
 
             case is BeginSwitchCase,
                  is BeginSwitchDefaultCase:
                  // These instructions are handled in reduceBeginSwitch.
                  continue
 
             case is BeginWith:
-                reduceGenericBlockGroup(group, in: &code, with: tester)
+                reduceGenericBlockGroup(group, in: &code, with: helper)
 
             case is BeginAnyFunction:
-                reduceFunction(group, in: &code, with: tester)
+                reduceFunction(group, in: &code, with: helper)
 
             case is BeginCodeString:
-                reduceCodeString(group, in: &code, with: tester)
+                reduceCodeString(group, in: &code, with: helper)
 
             case is BeginBlockStatement:
-                reduceGenericBlockGroup(group, in: &code, with: tester)
+                reduceGenericBlockGroup(group, in: &code, with: helper)
 
             case is BeginClass:
                 // TODO we need a custom reduceClass here that will also attempt to replace the class output variable
@@ -65,15 +65,15 @@ struct BlockReducer: Reducer {
                 //        ...
                 //     EndClass
                 //     v42 <- Construct v0
-                reduceGenericBlockGroup(group, in: &code, with: tester)
+                reduceGenericBlockGroup(group, in: &code, with: helper)
 
             default:
                 fatalError("Unknown block group: \(group.begin.op.name)")
             }
         }
     }
 
-    private func reduceLoop(loop: Block, in code: inout Code, with tester: ReductionTester) {
+    private func reduceLoop(loop: Block, in code: inout Code, with helper: MinimizationHelper) {
         assert(loop.begin.isLoop)
         assert(loop.end.isLoop)
 
@@ -93,12 +93,12 @@ struct BlockReducer: Reducer {
             }
         }
 
-        tester.tryNopping(candidates, in: &code)
+        helper.tryNopping(candidates, in: &code)
     }
 
-    private func reduceGenericBlockGroup(_ group: BlockGroup, in code: inout Code, with tester: ReductionTester) {
+    private func reduceGenericBlockGroup(_ group: BlockGroup, in code: inout Code, with helper: MinimizationHelper) {
         var candidates = group.excludingContent().map({ $0.index })
-        if tester.tryNopping(candidates, in: &code) {
+        if helper.tryNopping(candidates, in: &code) {
             // Success!
             return
         }
@@ -121,19 +121,19 @@ struct BlockReducer: Reducer {
         // can be removed independently, since they have data dependencies on each other. As such,
         // the only option is to remove the entire block, including its content.
         candidates = group.includingContent().map { $0.index }
-        tester.tryNopping(candidates, in: &code)
+        helper.tryNopping(candidates, in: &code)
     }
 
     /// Try to reduce a BeginSwitch/EndSwitch Block.
     /// (1) reduce it by aggressively trying to remove the whole thing.
     /// (2) reduce it by removing the BeginSwitch(Default)Case/EndSwitchCase instructions but keeping the content.
     /// (3) reduce it by removing individual BeginSwitchCase/EndSwitchCase blocks.
-    private func reduceBeginSwitch(_ group: BlockGroup, in code: inout Code, with tester: ReductionTester) {
+    private func reduceBeginSwitch(_ group: BlockGroup, in code: inout Code, with helper: MinimizationHelper) {
         assert(group.begin.op is BeginSwitch)
 
         var candidates = group.includingContent().map { $0.index }
 
-        if tester.tryNopping(candidates, in: &code) {
+        if helper.tryNopping(candidates, in: &code) {
             // (1)
             // We successfully removed the whole switch statement.
             return
@@ -159,7 +159,7 @@ struct BlockReducer: Reducer {
             instructionIdx += 1
         }
 
-        if tester.tryNopping(candidates, in: &code) {
+        if helper.tryNopping(candidates, in: &code) {
             // (2)
             // We successfully removed the switch case while keeping the
             // content inside.
@@ -171,11 +171,11 @@ struct BlockReducer: Reducer {
             // currently do not have a way of generating them.
             if block.begin.op is BeginSwitchDefaultCase { continue }
             // (3) Try to remove the cases here.
-            tester.tryNopping(Array(block.head...block.tail), in: &code)
+            helper.tryNopping(Array(block.head...block.tail), in: &code)
         }
     }
 
-    private func reduceFunction(_ function: BlockGroup, in code: inout Code, with tester: ReductionTester) {
+    private func reduceFunction(_ function: BlockGroup, in code: inout Code, with helper: MinimizationHelper) {
         assert(function.begin.op is BeginAnyFunction)
         assert(function.end.op is EndAnyFunction)
 
@@ -194,10 +194,10 @@ struct BlockReducer: Reducer {
         //
         // So that the calls to the function can be removed by a subsequent reducer if only the body is important.
         // But its likely not worth the effort as the InliningReducer will do a better job at solving this.
-        reduceGenericBlockGroup(function, in: &code, with: tester)
+        reduceGenericBlockGroup(function, in: &code, with: helper)
     }
 
-    private func reduceCodeString(_ codestring: BlockGroup, in code: inout Code, with tester: ReductionTester) {
+    private func reduceCodeString(_ codestring: BlockGroup, in code: inout Code, with helper: MinimizationHelper) {
         assert(codestring.begin.op is BeginCodeString)
         assert(codestring.end.op is EndCodeString)
 
@@ -208,16 +208,16 @@ struct BlockReducer: Reducer {
         var replacements = [(Int, Instruction)]()
         replacements.append((codestring.head, Instruction(LoadString(value: ""), output: codestring.begin.output)))
         replacements.append((codestring.tail, Instruction(Nop())))
-        if tester.tryReplacements(replacements, in: &code) {
+        if helper.tryReplacements(replacements, in: &code) {
             // Success!
             return
         }
 
         // If unsuccessful, default to generic block reduction
-        reduceGenericBlockGroup(codestring, in: &code, with: tester)
+        reduceGenericBlockGroup(codestring, in: &code, with: helper)
     }
 
-    private func reduceTryCatchFinally(tryCatch: BlockGroup, in code: inout Code, with tester: ReductionTester) {
+    private func reduceTryCatchFinally(tryCatch: BlockGroup, in code: inout Code, with helper: MinimizationHelper) {
         assert(tryCatch.begin.op is BeginTry)
         assert(tryCatch.end.op is EndTryCatchFinally)
 
@@ -228,7 +228,7 @@ struct BlockReducer: Reducer {
             candidates.append(tryCatch[i].index)
         }
 
-        if tester.tryNopping(candidates, in: &code) {
+        if helper.tryNopping(candidates, in: &code) {
             return
         }
 
@@ -266,7 +266,7 @@ struct BlockReducer: Reducer {
             }
         }
 
-        if removedLastTryBlockInstruction && tester.tryNopping(candidates, in: &code) {
+        if removedLastTryBlockInstruction && helper.tryNopping(candidates, in: &code) {
             return
         }
 
@@ -293,10 +293,10 @@ struct BlockReducer: Reducer {
             }
         }
 
-        tester.tryNopping(candidates, in: &code)
+        helper.tryNopping(candidates, in: &code)
 
         // Finally, fall back to generic block group reduction, which will attempt to remove the
         // entire try-catch block including its content
-        reduceGenericBlockGroup(tryCatch, in: &code, with: tester)
+        reduceGenericBlockGroup(tryCatch, in: &code, with: helper)
     }
 }

Sources/Fuzzilli/Minimization/GenericInstructionReducer.swift

@@ -14,13 +14,13 @@
 
 /// Removes simple instructions from a program if they are not required.
 struct GenericInstructionReducer: Reducer {
-    func reduce(_ code: inout Code, with tester: ReductionTester) {
+    func reduce(_ code: inout Code, with helper: MinimizationHelper) {
         for instr in code.reversed() {
             if !instr.isSimple || instr.op is Nop {
                 continue
             }
 
-            tester.tryNopping(instructionAt: instr.index, in: &code)
+            helper.tryNopping(instructionAt: instr.index, in: &code)
         }
     }
 }

Sources/Fuzzilli/Minimization/InliningReducer.swift

@@ -14,12 +14,12 @@
 
 /// Attempts to inline functions at their callsite. This reducer is necessary to prevent deep nesting of functions.
 struct InliningReducer: Reducer {
-    func reduce(_ code: inout Code, with tester: ReductionTester) {
+    func reduce(_ code: inout Code, with helper: MinimizationHelper) {
         var candidates = identifyInlineableFunctions(in: code)
         while !candidates.isEmpty {
             let funcIndex = candidates.removeLast()
             let newCode = inline(functionAt: funcIndex, in: code)
-            if tester.test(newCode) {
+            if helper.test(newCode) {
                 code = newCode
                 // Inlining changes the program so we need to redo our analysis.
                 // In particular, instruction are reordered and variables are renamed. Further, there may now also be new inlining candidates, for example

Sources/Fuzzilli/Minimization/ReductionTester.swift renamed to Sources/Fuzzilli/Minimization/MinimizationHelper.swift

@@ -12,23 +12,23 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-/// A ReductionTester tests whether a reducton is valid and doesn't alter the important aspects of a program.
-class ReductionTester {
+/// The MinimizationHelper provides functions for testing whether a code change alters the programs interesting behaviour. It also provides access to the fuzzer instance for executing programs or other tasks.
+class MinimizationHelper {
     var totalReductions = 0
     var failedReductions = 0
     var didReduce = false
 
+    /// Fuzzer instance to schedule execution of programs on.
+    let fuzzer: Fuzzer
+
     /// The aspects of the program to preserve during minimization.
     private let aspects: ProgramAspects
 
-    /// Fuzzer instance to schedule execution of programs on.
-    private let fuzzer: Fuzzer
-
     /// Whether we are running on the fuzzer queue (synchronous minimization) or not (asynchronous minimization).
     private let runningOnFuzzerQueue: Bool
 
     /// The minimizer can select instructions that should be kept regardless of whether they are important or not. This set tracks those instructions.
-    private let instructionsToKeep: Set<Int>
+    private var instructionsToKeep: Set<Int>
 
     init(for aspects: ProgramAspects, of fuzzer: Fuzzer, keeping instructionsToKeep: Set<Int>, runningOnFuzzerQueue: Bool) {
         self.aspects = aspects
@@ -37,6 +37,18 @@ class ReductionTester {
         self.runningOnFuzzerQueue = runningOnFuzzerQueue
     }
 
+    func performOnFuzzerQueue(_ task: () -> Void) {
+        if runningOnFuzzerQueue {
+            return task()
+        } else {
+            return fuzzer.sync(do: task)
+        }
+    }
+
+    func clearInstructionsToKeep() {
+        instructionsToKeep.removeAll()
+    }
+
     /// Test a reduction and return true if the reduction was Ok, false otherwise.
     func test(_ code: Code) -> Bool {
         // Reducers are allowed to nop instructions without verifying whether their outputs are used.
@@ -49,15 +61,10 @@ class ReductionTester {
 
         // Run the modified program and see if the patch changed its behaviour
         var stillHasAspects = false
-        func executeAndEvaluate() {
+        performOnFuzzerQueue {
             let execution = fuzzer.execute(Program(with: code), withTimeout: fuzzer.config.timeout * 2)
             stillHasAspects = fuzzer.evaluator.hasAspects(execution, aspects)
         }
-        if runningOnFuzzerQueue {
-            executeAndEvaluate()
-        } else {
-            fuzzer.sync(do: executeAndEvaluate)
-        }
 
         if stillHasAspects {
             didReduce = true
@@ -78,7 +85,6 @@ class ReductionTester {
         }
 
         let origInstr = code[index]
-        assert(!(origInstr.op is Nop))
         code[index] = newInstr
 
         let result = test(code)
@@ -91,6 +97,29 @@ class ReductionTester {
         return result
     }
 
+    @discardableResult
+    func tryInserting(_ newInstr: Instruction, at index: Int, in code: inout Code) -> Bool {
+        // Inserting instructions will invalidate the instructionsToKeep list, so that list must be empty here.
+        assert(instructionsToKeep.isEmpty)
+
+        // For simplicity, just build a copy of the input code here. This logic is not particularly performance sensitive.
+        var newCode = Code()
+        for instr in code {
+            if instr.index == index {
+                newCode.append(newInstr)
+            }
+            newCode.append(instr)
+        }
+
+        let result = test(newCode)
+
+        if result {
+            code = newCode
+        }
+
+        return result
+    }
+
     /// Remove the instruction at the given index if it does not negatively influence the programs previous behaviour.
     @discardableResult
     func tryNopping(instructionAt index: Int, in code: inout Code) -> Bool {
@@ -149,5 +178,5 @@ protocol Reducer {
     /// Attempt to reduce the given program in some way and return the result.
     ///
     /// The returned program can have non-contiguous variable names but must otherwise be valid.
-    func reduce(_ code: inout Code, with tester: ReductionTester)
+    func reduce(_ code: inout Code, with tester: MinimizationHelper)
 }