Implement a new Splicing Algorithm

Splicing refers to the process of taking a subset of the instructions of
one program and inserting them into another program, possibly connecting
their data-flows together. Splicing must always produce a valid program.
In particular, all input variables used by the spliced instructions must
be available, and the instructions must exist in the correct context
(e.g. a BeginSwitchCase must only occur inside a BeginSwitch).

The new splicing algorithm achieves this and runs in linear time.
Its main features include:
- Computation of data-flow dependencies between instructions to
  determine which instructions to splice
- Probabilistic remapping of some variables to existing and "compatible"
  variables in the host program to connect the dataflows of the programs
- The ability to splice instructions with special context requirements.
  For example, it can (only) splice an Await instruction if there is an
  open async function in the host program
- The ability to to splice into restricted contexts. For example, it can
  splice a SwitchCase block from one program into a Switch block in
  another program

See the many tests in ProgramBuilderTest.swift for examples and the
comments in ProgramBuilder.swift for an explanation of the algorithm.

Author: Samuel Groß

Sources/Fuzzilli/Core/ProgramBuilder.swift

@@ -221,7 +221,7 @@ public struct Instruction {
     /// BeginSwitch/EndSwitch Blocks. See BeginSwitchCase.
     public var skipsSurroundingContext: Bool {
         assert(isBlockStart)
-        return op.attributes.contains(.skipsSurroundingContext)
+        return op.attributes.contains(.resumesSurroundingContext)
     }
 
     /// Whether this instruction is an internal instruction that should not "leak" into

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1162,7 +1162,7 @@ class BeginSwitch: JsOperation {
 
 class BeginSwitchCase: JsOperation {
     init() {
-        super.init(numInputs: 1, numOutputs: 0, attributes: [.isBlockStart, .skipsSurroundingContext], requiredContext: [.switchBlock], contextOpened: [.switchCase])
+        super.init(numInputs: 1, numOutputs: 0, attributes: [.isBlockStart, .resumesSurroundingContext], requiredContext: [.switchBlock], contextOpened: [.switchCase, .javascript])
     }
 }
 
@@ -1171,7 +1171,7 @@ class BeginSwitchCase: JsOperation {
 /// such that, if necessary, the BeginSwitch/EndSwitch reducer can remove the whole switch case altogether.
 class BeginSwitchDefaultCase: JsOperation {
     init() {
-        super.init(numInputs: 0, numOutputs: 0, attributes: [.isBlockStart, .skipsSurroundingContext], requiredContext: [.switchBlock], contextOpened: [.switchCase])
+        super.init(numInputs: 0, numOutputs: 0, attributes: [.isBlockStart, .resumesSurroundingContext], requiredContext: [.switchBlock], contextOpened: [.switchCase, .javascript])
     }
 }
 

Sources/Fuzzilli/FuzzIL/JsOperations.swift

@@ -100,10 +100,9 @@ public class Operation {
         static let isVariadic          = Attributes(rawValue: 1 << 9)
         // The operation propagates the surrounding context.
         static let propagatesSurroundingContext = Attributes(rawValue: 1 << 10)
-        // The instruction starts an empty context, but the surrounding context
-        // is propagated into child blocks of this instruction. This is useful
-        // for example for BeginSwitch and BeginSwitchCase.
-        static let skipsSurroundingContext = Attributes(rawValue: 1 << 11)
+        // The instruction resumes the context from before its parent context.
+        // This is useful for example for BeginSwitch and BeginSwitchCase.
+        static let resumesSurroundingContext = Attributes(rawValue: 1 << 11)
     }
 }
 

Sources/Fuzzilli/FuzzIL/Operation.swift

@@ -27,7 +27,7 @@ extension Operation {
         case is CallFunction,
              is CallMethod,
              is CallComputedMethod:
-             // We assume that a constructor doesn't modify its arguments when called
+             // We assume that a constructor doesn't modify its arguments when called.
             return true
         case is StoreProperty,
              is StoreElement,
@@ -37,6 +37,10 @@ extension Operation {
              is DeleteComputedProperty,
              is DeleteElement:
             return inputIdx == 0
+        case is BeginWhileLoop,
+             is BeginDoWhileLoop:
+            // We assume that loops mutate their run value (but, somewhat arbitrarily, not the value that it is compared against).
+            return inputIdx == 0
         default:
             return false
         }
@@ -72,7 +76,7 @@ extension Instruction {
     }
 
     /// Returns true if this operation could mutate any of the given input variables when executed.
-    func mayMutate(_ vars: VariableSet) -> Bool {
+    func mayMutate(anyOf vars: VariableSet) -> Bool {
         for (idx, input) in inputs.enumerated() {
             if vars.contains(input) {
                 if op.mayMutate(input: idx) {

Sources/Fuzzilli/FuzzIL/Semantics.swift

@@ -161,6 +161,16 @@ public struct VariableSet: Hashable, Codable {
         return result
     }
 
+    /// Returns true if this set is a subset of the provided set.
+    public func isSubset(of other: VariableSet) -> Bool {
+        for (i, w) in words.enumerated() {
+            if i >= other.words.count || w & other.words[i] != w {
+                return false
+            }
+        }
+        return true
+    }
+
     /// Returns true if this set and the provided set have no variables in common.
     public func isDisjoint(with other: VariableSet) -> Bool {
         for (i, w) in other.words.enumerated() {
@@ -171,7 +181,7 @@ public struct VariableSet: Hashable, Codable {
         return true
     }
 
-    /// Returns true if this and the provided set have no variables in common.
+    /// Returns true if this set and the provided set have no variables in common.
     public func isDisjoint<S: Sequence>(with other: S) -> Bool where S.Element == Variable {
         for v in other {
             if contains(v) {