[wasm] Introduce WasmDefineAdHocModuleSignatureType

Similar to commit 72dd5d7 but on a wasm
module level instead of inside a wasm function.
This is a conservative workaround to ensure that we don't lose any
chances of emitting operations that previously used static ILTypes but
will depend on a signature input for the migration to wasm-gc.

Bug: 448860865
Change-Id: Ife60126cabb8c49a0493736603611b9b2dd3e67b
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8938986
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -4615,6 +4615,29 @@ public class ProgramBuilder {
         return params => returnTypes
     }
 
+    public func randomWasmGcSignature() -> (signature: WasmSignature, indexTypes: [Variable]) {
+        let typeCount = Int.random(in: 0...10)
+        let returnCount = Int.random(in: 0...typeCount)
+        let parameterCount = typeCount - returnCount
+
+        var indexTypes: [Variable] = []
+        let chooseType = {
+            if let elementType = self.randomVariable(ofType: .wasmTypeDef()), probability(0.25) {
+                let nullability =
+                    self.type(of: elementType).wasmTypeDefinition!.description == .selfReference
+                    || probability(0.5)
+                indexTypes.append(elementType)
+                return ILType.wasmRef(.Index(), nullability: nullability)
+            } else {
+                // TODO(mliedtke): Extend list with abstract heap types.
+                return chooseUniform(from: [.wasmi32, .wasmi64, .wasmf32, .wasmf64, .wasmSimd128])
+            }
+        }
+        let signature = (0..<parameterCount).map {_ in chooseType()}
+                        => (0..<returnCount).map {_ in chooseType()}
+        return (signature, indexTypes)
+    }
+
     public func randomWasmBlockOutputTypes(upTo n: Int) -> [ILType] {
         // TODO(mliedtke): This should allow more types as well as non-nullable references for all
         // abstract heap types. To be able to emit them, generateRandomWasmVar() needs to be able
@@ -4694,12 +4717,12 @@ public class ProgramBuilder {
     }
 
     /// Like wasmDefineSignatureType but instead of within a type group this defines a signature
-    /// type directly inside a wasm function.
+    /// type directly inside a wasm function or wasm module.
     /// This takes a signature with resolved index types for ease-of-use (meaning it accepts full
     /// index reference types directly inside the signature).
     @discardableResult
-    func wasmDefineAdHocSignatureType(signature: WasmSignature) -> Variable {
-        let indexTypes = (signature.parameterTypes + signature.outputTypes)
+    func wasmDefineAdHocSignatureType(signature: WasmSignature, indexTypes: [Variable]? = nil) -> Variable {
+        let indexTypes = indexTypes ?? (signature.parameterTypes + signature.outputTypes)
                 .filter {$0.Is(.anyIndexRef)}
                 .map(getWasmTypeDef)
         let cleanIndexTypes = {(type: ILType) -> ILType in
@@ -4709,7 +4732,12 @@ public class ProgramBuilder {
         }
         let signature = signature.parameterTypes.map(cleanIndexTypes)
             => signature.outputTypes.map(cleanIndexTypes)
-        return emit(WasmDefineAdHocSignatureType(signature: signature), withInputs: indexTypes).output
+        if context.contains(.wasmFunction) {
+            return emit(WasmDefineAdHocSignatureType(signature: signature), withInputs: indexTypes).output
+        } else {
+            assert(context.contains(.wasm))
+            return emit(WasmDefineAdHocModuleSignatureType(signature: signature), withInputs: indexTypes).output
+        }
     }
 
     @discardableResult
@@ -4930,6 +4958,8 @@ public class ProgramBuilder {
              .wasmEndTryDelegate(_),
              .wasmEndTryTable(_):
             activeWasmModule!.blockSignatures.pop()
+        case .wasmDefineAdHocModuleSignatureType(_):
+            break
 
         default:
             assert(!instr.op.requiredContext.contains(.objectLiteral))

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -263,6 +263,7 @@ public let codeGeneratorWeights = [
     "WasmGlobalLoadGenerator":                  2,
     "WasmReassignmentGenerator":                2,
     "WasmDefineTagGenerator":                   4,
+    "WasmAdHocModuleSignature":                 2,
 
     // Primitive Value Generators
     "WasmLoadi32Generator":                     4,

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -1601,6 +1601,15 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         function.wasmBuildThrowRef(exception: exception)
     },
 
+    CodeGenerator(
+        "WasmAdHocModuleSignature",
+        inContext: .single(.wasm),
+        producesComplex: [.init(.wasmTypeDef(), .IsWasmFunction)]
+    ) { b in
+        let (signature, indexTypes) = b.randomWasmGcSignature()
+        b.wasmDefineAdHocSignatureType(signature: signature, indexTypes: indexTypes)
+    },
+
     CodeGenerator(
         "WasmDefineTagGenerator", inContext: .single(.wasm),
         produces: [.object(ofGroup: "WasmTag")]

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1553,6 +1553,11 @@ extension Instruction: ProtobufConvertible {
                     $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
                     $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
                 }
+            case .wasmDefineAdHocModuleSignatureType(let op):
+                $0.wasmDefineAdHocModuleSignatureType = Fuzzilli_Protobuf_WasmDefineAdHocModuleSignatureType.with {
+                    $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
+                    $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
+                }
             case .wasmDefineSignatureType(let op):
                 $0.wasmDefineSignatureType = Fuzzilli_Protobuf_WasmDefineSignatureType.with {
                     $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
@@ -2565,6 +2570,8 @@ extension Instruction: ProtobufConvertible {
             op = WasmDefineSignatureType(signature: p.parameterTypes.map(WasmTypeEnumToILType) => p.outputTypes.map(WasmTypeEnumToILType))
         case .wasmDefineAdHocSignatureType(let p):
             op = WasmDefineAdHocSignatureType(signature: p.parameterTypes.map(WasmTypeEnumToILType) => p.outputTypes.map(WasmTypeEnumToILType))
+        case .wasmDefineAdHocModuleSignatureType(let p):
+            op = WasmDefineAdHocModuleSignatureType(signature: p.parameterTypes.map(WasmTypeEnumToILType) => p.outputTypes.map(WasmTypeEnumToILType))
         case .wasmDefineStructType(let p):
             op = WasmDefineStructType(fields: p.fields.map { field in
                 return WasmDefineStructType.Field(type: WasmTypeEnumToILType(field.type), mutability: field.mutability)

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -939,6 +939,11 @@ public struct JSTyper: Analyzer {
                 addSignatureType(def: instr.output, signature: op.signature, inputs: instr.inputs)
                 finishTypeGroup()
                 registerWasmTypeDef(instr.output)
+            case .wasmDefineAdHocModuleSignatureType(let op):
+                startTypeGroup()
+                addSignatureType(def: instr.output, signature: op.signature, inputs: instr.inputs)
+                finishTypeGroup()
+                registerWasmTypeDef(instr.output)
             default:
                 if instr.numInnerOutputs + instr.numOutputs != 0 {
                     fatalError("Missing typing of outputs for \(instr.op.opcode)")

Sources/Fuzzilli/FuzzIL/Opcodes.swift

@@ -367,4 +367,5 @@ enum Opcode {
     case wasmStructNew(WasmStructNew)
     case wasmRefEq(WasmRefEq)
     case wasmRefTest(WasmRefTest)
+    case wasmDefineAdHocModuleSignatureType(WasmDefineAdHocModuleSignatureType)
 }

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -2433,3 +2433,20 @@ final class WasmDefineAdHocSignatureType: WasmOperation {
         super.init(numInputs: numInputs, numOutputs: 1, requiredContext: [.wasmFunction])
     }
 }
+
+// Same as WasmDefineAdHocSignatureType but not on the .wasmFunction context but .wasm (module).
+// This is needed in cases where we aren't in the JS context any more but need a Wasm signature.
+// TODO(mliedtke): We should explore alternative options. Right now this is a much better compromise
+// than failing often to generate operations that require a signature, e.g. something simple like a
+// Wasm function.
+final class WasmDefineAdHocModuleSignatureType: WasmOperation {
+    override var opcode: Opcode { .wasmDefineAdHocModuleSignatureType(self) }
+    let signature: WasmSignature
+
+    init(signature: WasmSignature) {
+        self.signature = signature
+        let numInputs = (signature.outputTypes + signature.parameterTypes).map {
+            $0.requiredInputCount() }.reduce(0) { $0 + $1 }
+        super.init(numInputs: numInputs, numOutputs: 1, requiredContext: [.wasm])
+    }
+}

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -1367,6 +1367,10 @@ public class FuzzILLifter: Lifter {
             let inputs = instr.inputs.map(lift).joined(separator: ", ")
             w.emit("\(output()) <- WasmDefineAdHocSignatureType(\(op.signature)) [\(inputs)]")
 
+        case .wasmDefineAdHocModuleSignatureType(let op):
+            let inputs = instr.inputs.map(lift).joined(separator: ", ")
+            w.emit("\(output()) <- WasmDefineAdHocModuleSignatureType(\(op.signature)) [\(inputs)]")
+
         case .wasmDefineArrayType(let op):
             let typeInput = op.elementType.requiredInputCount() == 1 ? " \(input(0))" : ""
             w.emit("\(output()) <- WasmDefineArrayType \(op.elementType) mutability=\(op.mutability)\(typeInput)")

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -1774,6 +1774,7 @@ public class JavaScriptLifter: Lifter {
                  .wasmEndTypeGroup(_),
                  .wasmDefineSignatureType(_),
                  .wasmDefineAdHocSignatureType(_),
+                 .wasmDefineAdHocModuleSignatureType(_),
                  .wasmDefineArrayType(_),
                  .wasmDefineStructType(_),
                  .wasmDefineForwardOrSelfReference(_),

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -1224,7 +1224,12 @@ public class WasmLifter {
         }
     }
 
-    /// This function updates the internal state of the lifter before actually emitting code to the wasm module. This should be invoked before we try to get the corresponding bytes for the Instruction
+    /// This function updates the internal state of the lifter before actually emitting code to the
+    /// wasm module. This should be invoked before we try to get the corresponding bytes for the
+    /// Instruction.
+    /// Returns true if the instruction requires emitting code into the module's code section (which
+    /// means it is true for almost all instructions appearing inside a wasm function and false for
+    /// all instructions outside of a wasm function like a Wasm memory definition).
     private func updateLifterState(wasmInstruction instr: Instruction) -> Bool {
         // Make sure that we actually have a Wasm operation here.
         assert(instr.op is WasmOperation)
@@ -1321,6 +1326,8 @@ public class WasmLifter {
             assert(self.exports.contains(where: {
                 $0.isTag && $0.getDefInstr()!.output == instr.output
             }))
+        case .wasmDefineAdHocModuleSignatureType(_):
+            break
         default:
             return true
         }