Do ValueGeneration in the Splice- and CodeGenMutator.

Previously we would not do splicing or code generation if we don't have enough visible variables. With this change we can now do splicing and code generation more often, as we will now create some primitives before splicing or generation.
googleprojectzero · Mar 5, 2024 · db9aa6e · db9aa6e
1 parent 5f268e1
commit db9aa6e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 14 deletions.
diff --git a/Sources/Fuzzilli/Mutators/CodeGenMutator.swift b/Sources/Fuzzilli/Mutators/CodeGenMutator.swift
@@ -15,7 +15,6 @@
 /// A mutator that generates new code at random positions in a program.
 public class CodeGenMutator: BaseInstructionMutator {
     private var deadCodeAnalyzer = DeadCodeAnalyzer()
-    private var variableAnalyzer = VariableAnalyzer()
     private let minVisibleVariables = 3
 
     public init() {
@@ -25,20 +24,19 @@ public class CodeGenMutator: BaseInstructionMutator {
 
     public override func beginMutation(of program: Program) {
         deadCodeAnalyzer = DeadCodeAnalyzer()
-        variableAnalyzer = VariableAnalyzer()
     }
 
     public override func canMutate(_ instr: Instruction) -> Bool {
         deadCodeAnalyzer.analyze(instr)
-        variableAnalyzer.analyze(instr)
-        // We can only generate code if there are some visible variables to use, and it only
-        // makes sense to generate code if we're not currently in dead code.
-        return variableAnalyzer.visibleVariables.count >= minVisibleVariables && !deadCodeAnalyzer.currentlyInDeadCode
+        // It only makes sense to generate code if we're not currently in dead code.
+        return !deadCodeAnalyzer.currentlyInDeadCode
     }
 
     public override func mutate(_ instr: Instruction, _ b: ProgramBuilder) {
         b.adopt(instr)
-        assert(b.numberOfVisibleVariables >= minVisibleVariables)
+        if b.numberOfVisibleVariables < minVisibleVariables {
+            b.buildPrefix()
+        }
         b.build(n: defaultCodeGenerationAmount, by: .generating)
     }
 }
diff --git a/Sources/Fuzzilli/Mutators/SpliceMutator.swift b/Sources/Fuzzilli/Mutators/SpliceMutator.swift
@@ -15,7 +15,6 @@
 /// A mutator that splices programs together.
 public class SpliceMutator: BaseInstructionMutator {
     private var deadCodeAnalyzer = DeadCodeAnalyzer()
-    private var variableAnalyzer = VariableAnalyzer()
     private let minVisibleVariables = 3
 
     public init() {
@@ -24,20 +23,22 @@ public class SpliceMutator: BaseInstructionMutator {
 
     public override func beginMutation(of program: Program) {
         deadCodeAnalyzer = DeadCodeAnalyzer()
-        variableAnalyzer = VariableAnalyzer()
     }
 
     public override func canMutate(_ instr: Instruction) -> Bool {
         deadCodeAnalyzer.analyze(instr)
-        variableAnalyzer.analyze(instr)
-        // Splicing benefits from having some visible variables to use as replacements for variables in the copied code,
-        // and it only makes sense to copy code if we're not currently in dead code.
-        return variableAnalyzer.visibleVariables.count >= minVisibleVariables && !deadCodeAnalyzer.currentlyInDeadCode
+        // It only makes sense to copy code if we're not currently in dead code.
+        return !deadCodeAnalyzer.currentlyInDeadCode
     }
 
     public override func mutate(_ instr: Instruction, _ b: ProgramBuilder) {
         b.adopt(instr)
-        assert(b.numberOfVisibleVariables >= minVisibleVariables)
+        // If we currently don't have enough visible variables, we will do some value generation.
+        // This is necessary because our splice implementation requires some visible variables although this is
+        // not strictly necessary for splicing itself (it helps for rewiring inputs).
+        if b.numberOfVisibleVariables < minVisibleVariables {
+            b.buildPrefix()
+        }
         b.build(n: defaultCodeGenerationAmount, by: .splicing)
     }
 }