[wasm] Use wasm-gc signatures for wasm functions

While this changes the IL to emit wasm-gc signatures for the functions,
it doesn't yet actually allow using wasm-gc types in them.
A few places (WasmDefineTable and WasmCallIndirect /
WasmReturnCallIndirect) still need to be adapted to allow wasm-gc types
before we can actually allow indexed wasm-gc types in function
signatures.

Bug: 445356784
Change-Id: I5715f584cfa5ee664f957a28e28bf80b6f3cdd9e
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9115296
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -3495,11 +3495,14 @@ public class ProgramBuilder {
         private let b: ProgramBuilder
         let signature: WasmSignature
         let jsSignature: Signature
+        let signatureDef: Variable
 
-        public init(forBuilder b: ProgramBuilder, withSignature signature: WasmSignature) {
+        public init(forBuilder b: ProgramBuilder, signatureDef: Variable) {
+            assert(b.type(of: signatureDef).Is(.wasmTypeDef()))
             self.b = b
-            self.signature = signature
+            self.signature = b.type(of: signatureDef).wasmFunctionSignatureDefSignature
             self.jsSignature = convertWasmSignatureToJsSignature(signature)
+            self.signatureDef = signatureDef
         }
 
         // Wasm Instructions
@@ -4500,9 +4503,16 @@ public class ProgramBuilder {
         // TODO: distinguish between exported and non-exported functions
         @discardableResult
         public func addWasmFunction(with signature: WasmSignature, _ body: (WasmFunction, Variable, [Variable]) -> [Variable]) -> Variable {
-            let instr = b.emit(BeginWasmFunction(signature: signature))
+            let signatureDef = b.wasmDefineAdHocSignatureType(signature: signature)
+            return addWasmFunction(signature: signatureDef, body)
+        }
+
+        @discardableResult
+        public func addWasmFunction(signature: Variable, _ body: (WasmFunction, Variable, [Variable]) -> [Variable]) -> Variable {
+            let signatureType = b.type(of: signature).wasmFunctionSignatureDefSignature
+            let instr = b.emit(BeginWasmFunction(parameterCount: signatureType.parameterTypes.count), withInputs: [signature])
             let results = body(currentWasmFunction, instr.innerOutput(0), Array(instr.innerOutputs(1...)))
-            return b.emit(EndWasmFunction(signature: signature), withInputs: results).output
+            return b.emit(EndWasmFunction(outputCount: signatureType.outputTypes.count), withInputs: [signature] + results, types: [.wasmTypeDef()] + signatureType.outputTypes).output
         }
 
         @discardableResult
@@ -5022,8 +5032,8 @@ public class ProgramBuilder {
             break
         case .wasmDefineTag(_):
             break
-        case .beginWasmFunction(let op):
-            activeWasmModule!.functions.append(WasmFunction(forBuilder: self, withSignature: op.signature))
+        case .beginWasmFunction(_):
+            activeWasmModule!.functions.append(WasmFunction(forBuilder: self, signatureDef: instr.input(0)))
         case .wasmBeginTry(_),
              .wasmEndTryDelegate(_),
              .wasmBeginTryDelegate(_),

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -1276,23 +1276,25 @@ public let WasmCodeGenerators: [CodeGenerator] = [
                 provides: [.wasmFunction]
             ) { b in
                 let module = b.currentWasmModule
+                // TODO(mliedtke): Support index wasm-gc types in the signature. This requires the
+                // WasmDefineTable operation to track their types in a way that is compatible with
+                // wasm-gc types. Similarly, WasmCallIndirect and WasmReturnCallIndirect need to be
+                // adapted to use wasm-gc signatures.
                 let functionSignature = b.randomWasmSignature()
-                b.emit(BeginWasmFunction(signature: functionSignature))
+                let signatureDef = b.wasmDefineAdHocSignatureType(signature: functionSignature)
+                b.emit(BeginWasmFunction(parameterCount: functionSignature.parameterTypes.count), withInputs: [signatureDef])
             },
             GeneratorStub(
                 "WasmFunctionEndGenerator",
                 inContext: .single(.wasmFunction),
                 produces: [.wasmFunctionDef()]
             ) { b in
                 let function = b.currentWasmFunction
-                let results = function.signature.outputTypes.map {
-                    b.randomVariable(ofType: $0) ?? b.currentWasmFunction
-                        .generateRandomWasmVar(ofType: $0)!
-                }
+                let results = function.signature.outputTypes.map(function.findOrGenerateWasmVar)
 
                 b.emit(
-                    EndWasmFunction(signature: function.signature),
-                    withInputs: results)
+                    EndWasmFunction(outputCount: results.count),
+                    withInputs: [function.signatureDef] + results)
             },
         ]),
 

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1373,13 +1373,11 @@ extension Instruction: ProtobufConvertible {
                 $0.wasmDropDataSegment = Fuzzilli_Protobuf_WasmDropDataSegment()
             case .beginWasmFunction(let op):
                 $0.beginWasmFunction = Fuzzilli_Protobuf_BeginWasmFunction.with {
-                    $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
-                    $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.parameterCount = Int32(op.parameterCount)
                 }
             case .endWasmFunction(let op):
                 $0.endWasmFunction = Fuzzilli_Protobuf_EndWasmFunction.with {
-                    $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
-                    $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.outputCount = Int32(op.outputCount)
                 }
             case .wasmBeginBlock(let op):
                 $0.wasmBeginBlock = Fuzzilli_Protobuf_WasmBeginBlock.with {
@@ -2441,13 +2439,9 @@ extension Instruction: ProtobufConvertible {
         case .wasmDropDataSegment(_):
             op = WasmDropDataSegment()
         case .beginWasmFunction(let p):
-            let parameters = p.parameterTypes.map(WasmTypeEnumToILType)
-            let outputs = p.outputTypes.map(WasmTypeEnumToILType)
-            op = BeginWasmFunction(signature: parameters => outputs)
+            op = BeginWasmFunction(parameterCount: Int(p.parameterCount))
         case .endWasmFunction(let p):
-            let parameters = p.parameterTypes.map(WasmTypeEnumToILType)
-            let outputs = p.outputTypes.map(WasmTypeEnumToILType)
-            op = EndWasmFunction(signature: parameters => outputs)
+            op = EndWasmFunction(outputCount: Int(p.outputCount))
         case .wasmBeginBlock(let p):
             op = WasmBeginBlock(parameterCount: Int(p.parameterCount))
         case .wasmEndBlock(let p):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -812,11 +812,13 @@ public struct JSTyper: Analyzer {
                 let definingInstruction = defUseAnalyzer.definition(of: instr.input(1))
                 // Here we query the typer for the signature of the instruction as that is the correct "JS" Signature instead of taking the call-site specific converted wasm signature.
                 dynamicObjectGroupManager.addWasmFunction(withSignature: type(of: instr.input(1)).signature ?? Signature.forUnknownFunction, forDefinition: definingInstruction, forVariable: instr.input(1))
-            case .beginWasmFunction(let op):
-                wasmTypeBeginBlock(instr, op.signature)
-            case .endWasmFunction(let op):
-                setType(of: instr.output, to: .wasmFunctionDef(op.signature))
-                dynamicObjectGroupManager.addWasmFunction(withSignature: ProgramBuilder.convertWasmSignatureToJsSignature(op.signature), forDefinition: instr, forVariable: instr.output)
+            case .beginWasmFunction(_):
+                let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                wasmTypeBeginBlock(instr, signature)
+            case .endWasmFunction(_):
+                let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                setType(of: instr.output, to: .wasmFunctionDef(signature))
+                dynamicObjectGroupManager.addWasmFunction(withSignature: ProgramBuilder.convertWasmSignatureToJsSignature(signature), forDefinition: instr, forVariable: instr.output)
             case .wasmSelect(_):
                 setType(of: instr.output, to: type(of: instr.input(0)))
             case .wasmBeginBlock(_):

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -1552,22 +1552,22 @@ final class WasmReassign: WasmOperation {
 
 final class BeginWasmFunction: WasmOperation {
     override var opcode: Opcode { .beginWasmFunction(self) }
-    public let signature: WasmSignature
 
-    init(signature: WasmSignature) {
-        self.signature = signature
-        super.init(numInnerOutputs: 1 + signature.parameterTypes.count, attributes: [.isBlockStart], requiredContext: [.wasm], contextOpened: [.wasmFunction])
+    init(parameterCount: Int) {
+        super.init(numInputs: 1, numInnerOutputs: 1 + parameterCount, attributes: [.isBlockStart], requiredContext: [.wasm], contextOpened: [.wasmFunction])
     }
+
+    var parameterCount: Int { numInnerOutputs - 1 }
 }
 
 final class EndWasmFunction: WasmOperation {
     override var opcode: Opcode { .endWasmFunction(self) }
-    let signature: WasmSignature
 
-    init(signature: WasmSignature) {
-        self.signature = signature
-        super.init(numInputs: signature.outputTypes.count, numOutputs: 1, attributes: [.isBlockEnd], requiredContext: [.wasmFunction])
+    init(outputCount: Int) {
+        super.init(numInputs: 1 + outputCount, numOutputs: 1, attributes: [.isBlockEnd], requiredContext: [.wasmFunction])
     }
+
+    var outputCount: Int { numInputs - 1 }
 }
 
 /// This class is used to indicate nops in the wasm world, this makes handling of minimization much easier.

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -830,9 +830,9 @@ public class FuzzILLifter: Lifter {
 
         // Wasm Instructions
 
-        case .beginWasmFunction(let op):
+        case .beginWasmFunction(_):
             // TODO(cffsmith): do this properly?
-            w.emit("BeginWasmFunction (\(op.signature)) -> L:\(instr.innerOutput(0)) [\(liftCallArguments(instr.innerOutputs(1...)))]")
+            w.emit("BeginWasmFunction \(input(0)) -> L:\(instr.innerOutput(0)) [\(liftCallArguments(instr.innerOutputs(1...)))]")
             w.increaseIndentionLevel()
 
         case .endWasmFunction:

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -1287,8 +1287,9 @@ public class WasmLifter {
             // Just analyze the instruction but do nothing else here.
             // This lets the typer know that we can skip this instruction without breaking any analysis.
             break
-        case .beginWasmFunction(let op):
-            let functionInfo = FunctionInfo(op.signature, Data(), for: self, withArguments: Array(instr.innerOutputs))
+        case .beginWasmFunction(_):
+            let signature = typer.type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+            let functionInfo = FunctionInfo(signature, Data(), for: self, withArguments: Array(instr.innerOutputs))
             self.exports.append(.function(functionInfo))
             // Set the current active function as we are *actively* in it.
             currentFunction = functionInfo

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -4180,9 +4180,7 @@ public struct Fuzzilli_Protobuf_BeginWasmFunction: Sendable {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
-  public var parameterTypes: [Fuzzilli_Protobuf_WasmILType] = []
-
-  public var outputTypes: [Fuzzilli_Protobuf_WasmILType] = []
+  public var parameterCount: Int32 = 0
 
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
@@ -4194,9 +4192,7 @@ public struct Fuzzilli_Protobuf_EndWasmFunction: Sendable {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
-  public var parameterTypes: [Fuzzilli_Protobuf_WasmILType] = []
-
-  public var outputTypes: [Fuzzilli_Protobuf_WasmILType] = []
+  public var outputCount: Int32 = 0
 
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
@@ -11689,69 +11685,59 @@ extension Fuzzilli_Protobuf_WasmILType: SwiftProtobuf.Message, SwiftProtobuf._Me
 
 extension Fuzzilli_Protobuf_BeginWasmFunction: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".BeginWasmFunction"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterTypes\0\u{1}outputTypes\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterCount\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
       // The use of inline closures is to circumvent an issue where the compiler
       // allocates stack space for every case branch when no optimizations are
       // enabled. https://github.com/apple/swift-protobuf/issues/1034
       switch fieldNumber {
-      case 1: try { try decoder.decodeRepeatedMessageField(value: &self.parameterTypes) }()
-      case 2: try { try decoder.decodeRepeatedMessageField(value: &self.outputTypes) }()
+      case 1: try { try decoder.decodeSingularInt32Field(value: &self.parameterCount) }()
       default: break
       }
     }
   }
 
   public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
-    if !self.parameterTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.parameterTypes, fieldNumber: 1)
-    }
-    if !self.outputTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.outputTypes, fieldNumber: 2)
+    if self.parameterCount != 0 {
+      try visitor.visitSingularInt32Field(value: self.parameterCount, fieldNumber: 1)
     }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_BeginWasmFunction, rhs: Fuzzilli_Protobuf_BeginWasmFunction) -> Bool {
-    if lhs.parameterTypes != rhs.parameterTypes {return false}
-    if lhs.outputTypes != rhs.outputTypes {return false}
+    if lhs.parameterCount != rhs.parameterCount {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }
 }
 
 extension Fuzzilli_Protobuf_EndWasmFunction: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".EndWasmFunction"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterTypes\0\u{1}outputTypes\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}outputCount\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
       // The use of inline closures is to circumvent an issue where the compiler
       // allocates stack space for every case branch when no optimizations are
       // enabled. https://github.com/apple/swift-protobuf/issues/1034
       switch fieldNumber {
-      case 1: try { try decoder.decodeRepeatedMessageField(value: &self.parameterTypes) }()
-      case 2: try { try decoder.decodeRepeatedMessageField(value: &self.outputTypes) }()
+      case 1: try { try decoder.decodeSingularInt32Field(value: &self.outputCount) }()
       default: break
       }
     }
   }
 
   public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
-    if !self.parameterTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.parameterTypes, fieldNumber: 1)
-    }
-    if !self.outputTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.outputTypes, fieldNumber: 2)
+    if self.outputCount != 0 {
+      try visitor.visitSingularInt32Field(value: self.outputCount, fieldNumber: 1)
     }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_EndWasmFunction, rhs: Fuzzilli_Protobuf_EndWasmFunction) -> Bool {
-    if lhs.parameterTypes != rhs.parameterTypes {return false}
-    if lhs.outputTypes != rhs.outputTypes {return false}
+    if lhs.outputCount != rhs.outputCount {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }

Sources/Fuzzilli/Protobuf/operations.proto

@@ -929,13 +929,11 @@ message WasmILType {
 }
 
 message BeginWasmFunction {
-  repeated WasmILType parameterTypes = 1;
-  repeated WasmILType outputTypes = 2;
+  int32 parameterCount = 1;
 }
 
 message EndWasmFunction {
-  repeated WasmILType parameterTypes = 1;
-  repeated WasmILType outputTypes = 2;
+  int32 outputCount = 1;
 }
 
 message WasmJsCall {

Tests/FuzzilliTests/MinimizerTest.swift

@@ -1592,7 +1592,7 @@ class MinimizerTests: XCTestCase {
                     } catchAllBody: { label in
                         function.wasmReturn(function.consti64(-1))
                     }
-                    return [function.consti32(-1)]
+                    return [function.consti64(-1)]
                 }
             }
 
@@ -1602,7 +1602,7 @@ class MinimizerTests: XCTestCase {
                     function.wasmBuildLegacyTryVoid { label in
                         function.wasmReturn(function.consti64(42))
                     }
-                    return [function.consti32(-1)]
+                    return [function.consti64(-1)]
                 }
             }
         }
@@ -1628,7 +1628,7 @@ class MinimizerTests: XCTestCase {
                                 function.wasmReturn(val)
                             }),
                             (tag: irrelevantTag, body: { _, _, _ in })])
-                    return [function.consti32(-1)]
+                    return [function.consti64(-1)]
                 }
             }
 
@@ -1642,7 +1642,7 @@ class MinimizerTests: XCTestCase {
                         }, catchClauses: [(tag: tag, body: { _, _, _ in
                             function.wasmReturn(function.consti64(42))
                         })])
-                    return [function.consti32(-1)]
+                    return [function.consti64(-1)]
                 }
             }
         }
@@ -1659,15 +1659,15 @@ class MinimizerTests: XCTestCase {
                                 evaluator.nextInstructionIsImportant(in: b)
                                 function.wasmReturn(val)
                         }, catchClauses: [(tag: tag, body: { _, _, _ in function.wasmUnreachable() })])
-                    return [function.consti32(-1)]
+                    return [function.consti64(-1)]
                 }
             }
 
         } minified: { b in
             return b.buildWasmModule { wasmModule in
                 wasmModule.addWasmFunction(with: [] => [.wasmi64]) { function, _, _ in
                         function.wasmReturn(function.consti64(42))
-                        return [function.consti32(-1)]
+                        return [function.consti64(-1)]
                 }
             }
         }