[wasm] Add WasmRefEq operation and generator

Doga Yüksel · V8-internal LUCI CQ · commit 6faf78762621 · 2026-01-19T00:58:48.000-08:00
Adds support for ref.eq instruction to be generated Bug: 474940922 Change-Id: I7b88ceffed5252878132406da30a570be01f13ad Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8933276 Reviewed-by: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Doga Yüksel <dyuksel@google.com>
diff --git a/Sources/Fuzzilli/Base/ProgramBuilder.swift b/Sources/Fuzzilli/Base/ProgramBuilder.swift
@@ -4374,6 +4374,12 @@ public class ProgramBuilder {
             return b.emit(WasmRefIsNull(), withInputs: [ref], types: [.wasmGenericRef]).output
         }
 
+        @discardableResult
+        // TODO(pawkra): Support shared references.
+        public func wasmRefEq(_ lhs: Variable, _ rhs: Variable) -> Variable {
+            return b.emit(WasmRefEq(), withInputs: [lhs, rhs], types: [.wasmEqRef(), .wasmEqRef()]).output
+        }
+
         @discardableResult
         public func wasmRefI31(_ number: Variable, shared: Bool = false) -> Variable {
             return b.emit(WasmRefI31(isShared: shared), withInputs: [number], types: [.wasmi32]).output
diff --git a/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift b/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift
@@ -371,6 +371,7 @@ public let codeGeneratorWeights = [
     "WasmStructSetGenerator":                   5,
     "WasmRefNullGenerator":                     5,
     "WasmRefIsNullGenerator":                   5,
+    "WasmRefEqGenerator":                       5,
     "WasmRefI31Generator":                      5,
     "WasmI31GetGenerator":                      5,
     "WasmAnyConvertExternGenerator":            5,
diff --git a/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift b/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift
@@ -312,6 +312,14 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         b.currentWasmModule.currentWasmFunction.wasmRefIsNull(ref)
     },
 
+    CodeGenerator(
+        "WasmRefEqGenerator", inContext: .single(.wasmFunction),
+        inputs: .required(.wasmEqRef(), .wasmEqRef()),
+        produces: [.wasmi32]
+    ) { b, lhs, rhs in
+        b.currentWasmModule.currentWasmFunction.wasmRefEq(lhs, rhs)
+    },
+
     // TODO(pawkra): add shared variant.
     CodeGenerator("WasmRefI31Generator", inContext: .single(.wasmFunction), inputs: .required(.wasmi32)) { b, value in
         b.currentWasmModule.currentWasmFunction.wasmRefI31(value, shared: false)
diff --git a/Sources/Fuzzilli/FuzzIL/Instruction.swift b/Sources/Fuzzilli/FuzzIL/Instruction.swift
@@ -1617,6 +1617,8 @@ extension Instruction: ProtobufConvertible {
                 }
             case .wasmRefIsNull(_):
                 $0.wasmRefIsNull = Fuzzilli_Protobuf_WasmRefIsNull()
+            case .wasmRefEq(_):
+                $0.wasmRefEq = Fuzzilli_Protobuf_WasmRefEq()
             case .wasmRefI31(let op):
                 $0.wasmRefI31 = Fuzzilli_Protobuf_WasmRefI31.with {
                     $0.isShared = op.isShared
@@ -2599,6 +2601,8 @@ extension Instruction: ProtobufConvertible {
             op = p.hasType ? WasmRefNull(type: WasmTypeEnumToILType(p.type)) : WasmRefNull(type: nil)
         case .wasmRefIsNull(_):
             op = WasmRefIsNull()
+        case .wasmRefEq(_):
+            op = WasmRefEq()
         case .wasmRefI31(let p):
             op = WasmRefI31(isShared: p.isShared)
         case .wasmI31Get(let p):
diff --git a/Sources/Fuzzilli/FuzzIL/JSTyper.swift b/Sources/Fuzzilli/FuzzIL/JSTyper.swift
@@ -915,6 +915,8 @@ public struct JSTyper: Analyzer {
                 }
             case .wasmRefIsNull(_):
                 setType(of: instr.output, to: .wasmi32)
+            case .wasmRefEq(_):
+                setType(of: instr.output, to: .wasmi32)
             case .wasmRefI31(let op):
                 setType(of: instr.output, to: .wasmRefI31(shared: op.isShared))
             case .wasmI31Get(_):
diff --git a/Sources/Fuzzilli/FuzzIL/Opcodes.swift b/Sources/Fuzzilli/FuzzIL/Opcodes.swift
@@ -365,4 +365,5 @@ enum Opcode {
     case createNamedAsyncDisposableVariable(CreateNamedAsyncDisposableVariable)
     case wasmDefineAdHocSignatureType(WasmDefineAdHocSignatureType)
     case wasmStructNew(WasmStructNew)
+    case wasmRefEq(WasmRefEq)
 }
diff --git a/Sources/Fuzzilli/FuzzIL/WasmOperations.swift b/Sources/Fuzzilli/FuzzIL/WasmOperations.swift
@@ -2283,6 +2283,14 @@ class WasmRefIsNull: WasmOperation {
     }
 }
 
+class WasmRefEq: WasmOperation {
+    override var opcode: Opcode { .wasmRefEq(self) }
+
+    init() {
+        super.init(numInputs: 2, numOutputs: 1, requiredContext: [.wasmFunction])
+    }
+}
+
 class WasmRefI31: WasmOperation {
     override var opcode: Opcode { .wasmRefI31(self) }
     let isShared: Bool
diff --git a/Sources/Fuzzilli/Lifting/FuzzILLifter.swift b/Sources/Fuzzilli/Lifting/FuzzILLifter.swift
@@ -1330,6 +1330,9 @@ public class FuzzILLifter: Lifter {
         case .wasmRefIsNull(_):
             w.emit("\(output()) <- WasmRefIsNull \(input(0))")
 
+        case .wasmRefEq(_):
+            w.emit("\(output()) <- WasmRefEq \(input(0)) \(input(1))")
+
         case .wasmRefI31(_):
             w.emit("\(output()) <- WasmRefI31 \(input(0))")
 
diff --git a/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift b/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -1789,6 +1789,7 @@ public class JavaScriptLifter: Lifter {
                  .wasmStructSet(_),
                  .wasmRefNull(_),
                  .wasmRefIsNull(_),
+                 .wasmRefEq(_),
                  .wasmRefI31(_),
                  .wasmI31Get(_),
                  .wasmAnyConvertExtern(_),
diff --git a/Sources/Fuzzilli/Lifting/WasmLifter.swift b/Sources/Fuzzilli/Lifting/WasmLifter.swift
@@ -2185,6 +2185,8 @@ public class WasmLifter {
             return try Data([0xD0]) + encodeHeapType(typer.type(of: wasmInstruction.output))
         case .wasmRefIsNull(_):
             return Data([0xD1])
+        case .wasmRefEq(_):
+            return Data([0xD3])
         case .wasmRefI31(let op):
             return Data([Prefix.GC.rawValue, op.isShared ? 0x1F : 0x1C])
         case .wasmI31Get(let op):
diff --git a/Sources/Fuzzilli/Mutators/OperationMutator.swift b/Sources/Fuzzilli/Mutators/OperationMutator.swift
@@ -728,7 +728,8 @@ public class OperationMutator: BaseInstructionMutator {
              .wasmDropElementSegment(_),
              .wasmTableInit(_),
              .wasmTableCopy(_),
-             .wasmStructNew(_):
+             .wasmStructNew(_),
+             .wasmRefEq(_):
              let mutability = instr.isOperationMutable ? "mutable" : "immutable"
              fatalError("Unexpected operation \(instr.op.opcode), marked as \(mutability)")
         }
diff --git a/Sources/Fuzzilli/Protobuf/operations.pb.swift b/Sources/Fuzzilli/Protobuf/operations.pb.swift
@@ -5924,6 +5924,16 @@ public struct Fuzzilli_Protobuf_WasmRefIsNull: Sendable {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_WasmRefEq: Sendable {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 public struct Fuzzilli_Protobuf_WasmRefI31: Sendable {
   // SwiftProtobuf.Message conformance is added in an extension below. See the
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
@@ -15442,6 +15452,25 @@ extension Fuzzilli_Protobuf_WasmRefIsNull: SwiftProtobuf.Message, SwiftProtobuf.
   }
 }
 
+extension Fuzzilli_Protobuf_WasmRefEq: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".WasmRefEq"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    // Load everything into unknown fields
+    while try decoder.nextFieldNumber() != nil {}
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_WasmRefEq, rhs: Fuzzilli_Protobuf_WasmRefEq) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
 extension Fuzzilli_Protobuf_WasmRefI31: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".WasmRefI31"
   public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}isShared\0")
diff --git a/Sources/Fuzzilli/Protobuf/operations.proto b/Sources/Fuzzilli/Protobuf/operations.proto
@@ -1563,6 +1563,9 @@ message WasmRefNull {
 message WasmRefIsNull {
 }
 
+message WasmRefEq {
+}
+
 message WasmRefI31 {
     bool isShared = 1;
 }
diff --git a/Sources/Fuzzilli/Protobuf/program.pb.swift b/Sources/Fuzzilli/Protobuf/program.pb.swift
diff --git a/Sources/Fuzzilli/Protobuf/program.proto b/Sources/Fuzzilli/Protobuf/program.proto
@@ -361,6 +361,7 @@ message Instruction {
         CreateNamedAsyncDisposableVariable createNamedAsyncDisposableVariable = 335;
         WasmDefineAdHocSignatureType wasmDefineAdHocSignatureType = 336;
         WasmStructNew wasmStructNew = 337;
+        WasmRefEq wasmRefEq = 338;
     }
 }
 
diff --git a/Tests/FuzzilliTests/WasmTests.swift b/Tests/FuzzilliTests/WasmTests.swift
@@ -4851,6 +4851,44 @@ class WasmGCTests: XCTestCase {
         try refNullAbstractTypes(sharedRef: false)
     }
 
+    func testRefEq() throws {
+        let runner = try GetJavaScriptExecutorOrSkipTest()
+        let liveTestConfig = Configuration(logLevel: .error, enableInspection: true)
+        let fuzzer = makeMockFuzzer(config: liveTestConfig, environment: JavaScriptEnvironment())
+        let b = fuzzer.makeBuilder()
+
+        let arrayType = b.wasmDefineTypeGroup {b.wasmDefineArrayType(elementType: .wasmi32, mutability: true)}[0]
+
+        let module = b.buildWasmModule { wasmModule in
+            wasmModule.addWasmFunction(with: [.wasmEqRef(), .wasmEqRef()] => [.wasmi32]) { function, label, args in
+                return [function.wasmRefEq(args[0], args[1])]
+            }
+            wasmModule.addWasmFunction(with: [] => [.wasmEqRef()]) { function, label, args in
+                return [function.wasmArrayNewFixed(arrayType: arrayType, elements: [])]
+            }
+        }
+
+        let exports = module.loadExports()
+        let outputFunc = b.createNamedVariable(forBuiltin: "output")
+
+        let array = b.callMethod(module.getExportedMethod(at: 1), on: exports, withArgs: [])
+        let otherArray = b.callMethod(module.getExportedMethod(at: 1), on: exports, withArgs: [])
+
+        let wasmRefEq = module.getExportedMethod(at: 0)
+        let cases = [
+            b.callMethod(wasmRefEq, on: exports, withArgs: [b.loadInt(1), b.loadInt(1)]),
+            b.callMethod(wasmRefEq, on: exports, withArgs: [b.loadInt(0), b.loadInt(1)]),
+            b.callMethod(wasmRefEq, on: exports, withArgs: [array, array]),
+            b.callMethod(wasmRefEq, on: exports, withArgs: [array, otherArray])
+        ]
+
+        for input in cases { b.callFunction(outputFunc, withArgs: [input]) }
+
+        let prog = b.finalize()
+        let jsProg = fuzzer.lifter.lift(prog)
+        testForOutput(program: jsProg, runner: runner, outputString: "1\n0\n1\n0\n")
+    }
+
     func i31Ref(shared: Bool) throws {
         let runner = try GetJavaScriptExecutorOrSkipTest(type: .any, withArguments: ["--experimental-wasm-shared"])
         let liveTestConfig = Configuration(logLevel: .error, enableInspection: true)

Original file line number	Diff line number	Diff line change
`@@ -915,6 +915,8 @@ public struct JSTyper: Analyzer {`
`915`	`915`	`}`
`916`	`916`	`case .wasmRefIsNull(_):`
`917`	`917`	`setType(of: instr.output, to: .wasmi32)`
	`918`	`+ case .wasmRefEq(_):`
	`919`	`+ setType(of: instr.output, to: .wasmi32)`
`918`	`920`	`case .wasmRefI31(let op):`
`919`	`921`	`setType(of: instr.output, to: .wasmRefI31(shared: op.isShared))`
`920`	`922`	`case .wasmI31Get(_):`
Original file line number	Diff line number	Diff line change
`@@ -365,4 +365,5 @@ enum Opcode {`
`365`	`365`	`case createNamedAsyncDisposableVariable(CreateNamedAsyncDisposableVariable)`
`366`	`366`	`case wasmDefineAdHocSignatureType(WasmDefineAdHocSignatureType)`
`367`	`367`	`case wasmStructNew(WasmStructNew)`
	`368`	`+ case wasmRefEq(WasmRefEq)`
`368`	`369`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2283,6 +2283,14 @@ class WasmRefIsNull: WasmOperation {`
`2283`	`2283`	`}`
`2284`	`2284`	`}`
`2285`	`2285`
	`2286`	`+class WasmRefEq: WasmOperation {`
	`2287`	`+ override var opcode: Opcode { .wasmRefEq(self) }`
	`2288`	`+`
	`2289`	`+ init() {`
	`2290`	`+ super.init(numInputs: 2, numOutputs: 1, requiredContext: [.wasmFunction])`
	`2291`	`+ }`
	`2292`	`+}`
	`2293`	`+`
`2286`	`2294`	`class WasmRefI31: WasmOperation {`
`2287`	`2295`	`override var opcode: Opcode { .wasmRefI31(self) }`
`2288`	`2296`	`let isShared: Bool`