Add very simple pre-processing of programs that will be mutated

Samuel Groß · Samuel Groß · commit 3daf9c2fb112 · 2022-11-02T11:35:22.000+01:00
Now we insert a few trivial values (ints, floats, strings) at the start
of every program that we want to mutate in order to increase the number
of available variables and avoid code patterns like
    const v1 = {"foo": RegExp, "bar": RegExp, "baz": RegExp}
diff --git a/Sources/Fuzzilli/Core/MutationEngine.swift b/Sources/Fuzzilli/Core/MutationEngine.swift
@@ -46,7 +46,7 @@ public class MutationEngine: ComponentBase, FuzzEngine {
     /// as the intermediate results do not cause a runtime exception.
     public func fuzzOne(_ group: DispatchGroup) {
         var parent = fuzzer.corpus.randomElementForMutating()
-        var program = parent
+        var program = prepareForMutating(parent)
         for _ in 0..<numConsecutiveMutations {
             var mutator = fuzzer.mutators.randomElement()
             var mutated = false
@@ -75,4 +75,16 @@ public class MutationEngine: ComponentBase, FuzzEngine {
             }
         }
     }
+
+    /// Pre-processing of programs to facilitate mutations on them.
+    /// Currently, this only adds a few trivial instructions at the start of the program to increase the number of available values.
+    private func prepareForMutating(_ program: Program) -> Program {
+        let b = fuzzer.makeBuilder()
+        let valuesToGenerate = Int.random(in: 1...3)
+        for _ in 0..<valuesToGenerate {
+            b.run(chooseUniform(from: fuzzer.trivialCodeGenerators))
+        }
+        b.append(program)
+        return b.finalize()
+    }
 }
diff --git a/Sources/Fuzzilli/Core/ProgramBuilder.swift b/Sources/Fuzzilli/Core/ProgramBuilder.swift
@@ -1024,7 +1024,10 @@ public class ProgramBuilder {
             case .runningGenerators:
                 if !hasVisibleVariables {
                     // Can't run code generators if there are no visible variables, so generate some.
-                    run(chooseUniform(from: fuzzer.trivialCodeGenerators))
+                    let valuesToGenerate = Int.random(in: 1...3)
+                    for _ in 0..<valuesToGenerate {
+                        run(chooseUniform(from: fuzzer.trivialCodeGenerators))
+                    }
                     assert(hasVisibleVariables)
                 }
 
@@ -1051,7 +1054,7 @@ public class ProgramBuilder {
     }
 
     /// Runs a code generator in the current context.
-    private func run(_ generator: CodeGenerator) {
+    public func run(_ generator: CodeGenerator) {
         assert(generator.requiredContext.isSubset(of: context))
 
         var inputs: [Variable] = []
diff --git a/Sources/Fuzzilli/Fuzzer.swift b/Sources/Fuzzilli/Fuzzer.swift
@@ -105,18 +105,11 @@ public class Fuzzer {
     /// Fuzzer instances can be looked up from a dispatch queue through this key. See below.
     private static let dispatchQueueKey = DispatchSpecificKey<Fuzzer>()
 
-    /// List of CodeGenerators that don't require inputs and generate simple objects/values that can subsequently be used.
+    /// List of trivial CodeGenerators that don't require inputs and generate simple values that can subsequently be used.
     public let trivialCodeGenerators: [CodeGenerator] = [
             CodeGenerators.get("IntegerGenerator"),
             CodeGenerators.get("StringGenerator"),
-            CodeGenerators.get("BuiltinGenerator"),
-            CodeGenerators.get("RegExpGenerator"),
-            CodeGenerators.get("BigIntGenerator"),
             CodeGenerators.get("FloatGenerator"),
-            CodeGenerators.get("FloatArrayGenerator"),
-            CodeGenerators.get("IntArrayGenerator"),
-            CodeGenerators.get("TypedArrayGenerator"),
-            CodeGenerators.get("ObjectArrayGenerator"),
         ]
 
     /// Constructs a new fuzzer instance with the provided components.
