[wasm] Migrate try-table to use wasm-gc signatures

Bug: 448860865
Change-Id: I01de000a5ae5fae47634ca64edad7dfd9d028695
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956318
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Doga Yüksel <dyuksel@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -4067,9 +4067,13 @@ public class ProgramBuilder {
                     }
                 }
             #endif
-            let instr = b.emit(WasmBeginTryTable(with: signature, catches: catches), withInputs: args)
+            let signatureDef = b.wasmDefineAdHocSignatureType(signature: signature)
+            let instr = b.emit(
+                WasmBeginTryTable(parameterCount: signature.parameterTypes.count, catches: catches),
+                withInputs: [signatureDef] + args)
             let results = body(instr.innerOutput(0), Array(instr.innerOutputs(1...)))
-            return Array(b.emit(WasmEndTryTable(outputTypes: signature.outputTypes), withInputs: results).outputs)
+            return Array(b.emit(WasmEndTryTable(outputCount: signature.outputTypes.count),
+                withInputs: [signatureDef] + results).outputs)
         }
 
         // Create a legacy try-catch with a void block signature. Mostly a convenience helper for
@@ -4977,13 +4981,10 @@ public class ProgramBuilder {
             activeWasmModule!.functions.append(WasmFunction(forBuilder: self, withSignature: op.signature))
         case .wasmBeginTry(_),
              .wasmEndTryDelegate(_),
-             .wasmBeginTryDelegate(_):
-            break
-        case .wasmBeginTryTable(let op):
-            activeWasmModule!.blockSignatures.push(op.signature)
-        case .wasmEndTryTable(_):
-            activeWasmModule!.blockSignatures.pop()
-        case .wasmDefineAdHocModuleSignatureType(_):
+             .wasmBeginTryDelegate(_),
+             .wasmBeginTryTable(_),
+             .wasmEndTryTable(_),
+             .wasmDefineAdHocModuleSignatureType(_):
             break
 
         default:

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -1695,7 +1695,7 @@ public let WasmCodeGenerators: [CodeGenerator] = [
                         : (withExnRef ? .Ref : .NoRef)
                 }
 
-                var tryArgs = b.randomWasmBlockArguments(upTo: 5)
+                var tryArgs = b.randomWasmBlockArguments(upTo: 5, allowingGcTypes: true)
                 let tryParameters = tryArgs.map { b.type(of: $0) }
                 let tryOutputTypes = b.randomWasmBlockOutputTypes(upTo: 5)
                 tryArgs += zip(tags, labels).map { tag, label in

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1400,13 +1400,12 @@ extension Instruction: ProtobufConvertible {
                 }
             case .wasmBeginTryTable(let op):
                 $0.wasmBeginTryTable = Fuzzilli_Protobuf_WasmBeginTryTable.with {
-                    $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
-                    $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.parameterCount = Int32(op.parameterCount)
                     $0.catches = op.catches.map(convertWasmCatch)
                 }
             case .wasmEndTryTable(let op):
                 $0.wasmEndTryTable = Fuzzilli_Protobuf_WasmEndTryTable.with {
-                    $0.outputTypes = op.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.outputCount = Int32(op.numOutputs)
                 }
             case .wasmBeginTry(let op):
                 $0.wasmBeginTry = Fuzzilli_Protobuf_WasmBeginTry.with {
@@ -2461,12 +2460,10 @@ extension Instruction: ProtobufConvertible {
         case .wasmEndLoop(let p):
             op = WasmEndLoop(outputCount: Int(p.outputCount))
         case .wasmBeginTryTable(let p):
-            let parameters = p.parameterTypes.map(WasmTypeEnumToILType)
-            let outputs = p.outputTypes.map(WasmTypeEnumToILType)
             let catches = p.catches.map(convertProtoWasmCatchKind)
-            op = WasmBeginTryTable(with: parameters => outputs, catches: catches)
+            op = WasmBeginTryTable(parameterCount: Int(p.parameterCount), catches: catches)
         case .wasmEndTryTable(let p):
-            op = WasmEndTryTable(outputTypes: p.outputTypes.map(WasmTypeEnumToILType))
+            op = WasmEndTryTable(outputCount: Int(p.outputCount))
         case .wasmBeginTry(let p):
             op = WasmBeginTry(parameterCount: Int(p.parameterCount))
         case .wasmBeginCatchAll(let p):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -846,16 +846,18 @@ public struct JSTyper: Analyzer {
             case .wasmEndLoop(_):
                 let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
                 wasmTypeEndBlock(instr, signature.outputTypes)
-            case .wasmBeginTryTable(let op):
-                wasmTypeBeginBlock(instr, op.signature)
+            case .wasmBeginTryTable(_):
+                let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                wasmTypeBeginBlock(instr, signature)
                 instr.inputs.forEach { input in
                     if type(of: input).isWasmTagType {
                         let definingInstruction = defUseAnalyzer.definition(of: input)
                         dynamicObjectGroupManager.addWasmTag(withType: type(of: input), forDefinition: definingInstruction, forVariable: input)
                     }
                 }
-            case .wasmEndTryTable(let op):
-                wasmTypeEndBlock(instr, op.outputTypes)
+            case .wasmEndTryTable(_):
+                let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                wasmTypeEndBlock(instr, signature.outputTypes)
             case .wasmBeginTry(_):
             let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
                 wasmTypeBeginBlock(instr, signature)

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -1351,25 +1351,27 @@ final class WasmBeginTryTable: WasmOperation {
     }
 
     override var opcode: Opcode { .wasmBeginTryTable(self) }
-    let signature: WasmSignature
     let catches: [CatchKind]
 
-    init(with signature: WasmSignature, catches: [CatchKind]) {
-        self.signature = signature
+    init(parameterCount: Int, catches: [CatchKind]) {
         self.catches = catches
         let inputTagCount = catches.count {$0 == .Ref || $0 == .NoRef}
         let inputLabelCount = catches.count
-        super.init(numInputs: signature.parameterTypes.count + inputLabelCount + inputTagCount , numInnerOutputs: signature.parameterTypes.count + 1, attributes: [.isBlockStart, .propagatesSurroundingContext], requiredContext: [.wasmFunction])
+        super.init(numInputs: 1 + parameterCount + inputLabelCount + inputTagCount,
+            numInnerOutputs: parameterCount + 1,
+            attributes: [.isBlockStart, .propagatesSurroundingContext],
+            requiredContext: [.wasmFunction])
     }
+
+    var parameterCount: Int {numInnerOutputs - 1}
 }
 
 final class WasmEndTryTable: WasmOperation {
     override var opcode: Opcode { .wasmEndTryTable(self) }
-    let outputTypes: [ILType]
 
-    init(outputTypes: [ILType]) {
-        self.outputTypes = outputTypes
-        super.init(numInputs: outputTypes.count, numOutputs: outputTypes.count, attributes: [.isBlockEnd, .resumesSurroundingContext], requiredContext: [.wasmFunction])
+    init(outputCount: Int) {
+        super.init(numInputs: 1 + outputCount, numOutputs: outputCount,
+            attributes: [.isBlockEnd, .resumesSurroundingContext], requiredContext: [.wasmFunction])
     }
 }
 

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -1114,10 +1114,10 @@ public class FuzzILLifter: Lifter {
 
         case .wasmBeginTryTable(let op):
             let args = instr.inputs.map(lift)
-            let blockArgs = args.prefix(op.signature.parameterTypes.count).joined(separator: ", ")
-            w.emit("WasmBeginTryTable (\(op.signature)) [\(blockArgs)] -> L:\(instr.innerOutput(0)) [\(liftCallArguments(instr.innerOutputs(1...)))]")
+            let blockArgs = args.prefix(1 + op.parameterCount).joined(separator: ", ")
+            w.emit("WasmBeginTryTable [\(blockArgs)] -> L:\(instr.innerOutput(0)) [\(liftCallArguments(instr.innerOutputs(1...)))]")
             w.increaseIndentionLevel(by: 2)
-            var inputIndex =  op.signature.parameterTypes.count
+            var inputIndex =  1 + op.parameterCount
             op.catches.forEach { kind in
                 if kind == .Ref || kind == .NoRef {
                     w.emit("catching \(kind) \(args[inputIndex]) to \(args[inputIndex + 1])")

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -1248,8 +1248,7 @@ public class WasmLifter {
             self.currentFunction!.labelBranchDepthMapping[instr.innerOutput(0)] = self.currentFunction!.variableAnalyzer.wasmBranchDepth - 1
             // Needs typer analysis
             return true
-        case .wasmBeginTryTable(let op):
-            registerSignature(op.signature)
+        case .wasmBeginTryTable(_):
             self.currentFunction!.labelBranchDepthMapping[instr.innerOutput(0)] = self.currentFunction!.variableAnalyzer.wasmBranchDepth
             // Needs typer analysis
             return true
@@ -1912,7 +1911,8 @@ public class WasmLifter {
             let signatureDesc = typer.getTypeDescription(of: wasmInstruction.input(0))
             return Data([0x03] + Leb128.unsignedEncode(typeDescToIndex[signatureDesc]!))
         case .wasmBeginTryTable(let op):
-            var inputIndex = op.signature.parameterTypes.count
+            let signatureDesc = typer.getTypeDescription(of: wasmInstruction.input(0))
+            var inputIndex = 1 + op.parameterCount
             let catchTable: Data = try op.catches.map {
                     switch $0 {
                     case .Ref, .NoRef:
@@ -1928,7 +1928,7 @@ public class WasmLifter {
                     }
                 }.reduce(Data(), +)
             return [0x1F]
-                + Leb128.unsignedEncode(signatureIndexMap[op.signature]!)
+                + Leb128.unsignedEncode(typeDescToIndex[signatureDesc]!)
                 + Leb128.unsignedEncode(op.catches.count)
                 + catchTable
         case .wasmBeginTry(_):

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -5193,9 +5193,7 @@ public struct Fuzzilli_Protobuf_WasmBeginTryTable: Sendable {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
-  public var parameterTypes: [Fuzzilli_Protobuf_WasmILType] = []
-
-  public var outputTypes: [Fuzzilli_Protobuf_WasmILType] = []
+  public var parameterCount: Int32 = 0
 
   public var catches: [Fuzzilli_Protobuf_WasmCatchKind] = []
 
@@ -5209,7 +5207,7 @@ public struct Fuzzilli_Protobuf_WasmEndTryTable: Sendable {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
-  public var outputTypes: [Fuzzilli_Protobuf_WasmILType] = []
+  public var outputCount: Int32 = 0
 
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
@@ -13788,38 +13786,33 @@ extension Fuzzilli_Protobuf_WasmEndLoop: SwiftProtobuf.Message, SwiftProtobuf._M
 
 extension Fuzzilli_Protobuf_WasmBeginTryTable: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".WasmBeginTryTable"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterTypes\0\u{1}outputTypes\0\u{1}catches\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterCount\0\u{1}catches\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
       // The use of inline closures is to circumvent an issue where the compiler
       // allocates stack space for every case branch when no optimizations are
       // enabled. https://github.com/apple/swift-protobuf/issues/1034
       switch fieldNumber {
-      case 1: try { try decoder.decodeRepeatedMessageField(value: &self.parameterTypes) }()
-      case 2: try { try decoder.decodeRepeatedMessageField(value: &self.outputTypes) }()
-      case 3: try { try decoder.decodeRepeatedEnumField(value: &self.catches) }()
+      case 1: try { try decoder.decodeSingularInt32Field(value: &self.parameterCount) }()
+      case 2: try { try decoder.decodeRepeatedEnumField(value: &self.catches) }()
       default: break
       }
     }
   }
 
   public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
-    if !self.parameterTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.parameterTypes, fieldNumber: 1)
-    }
-    if !self.outputTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.outputTypes, fieldNumber: 2)
+    if self.parameterCount != 0 {
+      try visitor.visitSingularInt32Field(value: self.parameterCount, fieldNumber: 1)
     }
     if !self.catches.isEmpty {
-      try visitor.visitPackedEnumField(value: self.catches, fieldNumber: 3)
+      try visitor.visitPackedEnumField(value: self.catches, fieldNumber: 2)
     }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_WasmBeginTryTable, rhs: Fuzzilli_Protobuf_WasmBeginTryTable) -> Bool {
-    if lhs.parameterTypes != rhs.parameterTypes {return false}
-    if lhs.outputTypes != rhs.outputTypes {return false}
+    if lhs.parameterCount != rhs.parameterCount {return false}
     if lhs.catches != rhs.catches {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
@@ -13828,29 +13821,29 @@ extension Fuzzilli_Protobuf_WasmBeginTryTable: SwiftProtobuf.Message, SwiftProto
 
 extension Fuzzilli_Protobuf_WasmEndTryTable: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".WasmEndTryTable"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}outputTypes\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}outputCount\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
       // The use of inline closures is to circumvent an issue where the compiler
       // allocates stack space for every case branch when no optimizations are
       // enabled. https://github.com/apple/swift-protobuf/issues/1034
       switch fieldNumber {
-      case 1: try { try decoder.decodeRepeatedMessageField(value: &self.outputTypes) }()
+      case 1: try { try decoder.decodeSingularInt32Field(value: &self.outputCount) }()
       default: break
       }
     }
   }
 
   public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
-    if !self.outputTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.outputTypes, fieldNumber: 1)
+    if self.outputCount != 0 {
+      try visitor.visitSingularInt32Field(value: self.outputCount, fieldNumber: 1)
     }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_WasmEndTryTable, rhs: Fuzzilli_Protobuf_WasmEndTryTable) -> Bool {
-    if lhs.outputTypes != rhs.outputTypes {return false}
+    if lhs.outputCount != rhs.outputCount {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }

Sources/Fuzzilli/Protobuf/operations.proto

@@ -1260,13 +1260,12 @@ enum WasmCatchKind {
 }
 
 message WasmBeginTryTable {
-  repeated WasmILType parameterTypes = 1;
-  repeated WasmILType outputTypes = 2;
-  repeated WasmCatchKind catches = 3;
+  int32 parameterCount = 1;
+  repeated WasmCatchKind catches = 2;
 }
 
 message WasmEndTryTable {
-  repeated WasmILType outputTypes = 1;
+  int32 outputCount = 1;
 }
 
 message WasmBeginTry {