[wasm] Migrate legacy try-catch to use wasm-gc signatures

Bug: 448860865
Change-Id: Ifd01ae66b862e844bfbdb781dac36b3a8ba2d0bd
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956316
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Doga Yüksel <dyuksel@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -4072,49 +4072,70 @@ public class ProgramBuilder {
             return Array(b.emit(WasmEndTryTable(outputTypes: signature.outputTypes), withInputs: results).outputs)
         }
 
-        public func wasmBuildLegacyTry(with signature: WasmSignature, args: [Variable], body: (Variable, [Variable]) -> Void, catchAllBody: ((Variable) -> Void)? = nil) {
-            let instr = b.emit(WasmBeginTry(with: signature), withInputs: args, types: signature.parameterTypes)
-            body(instr.innerOutput(0), Array(instr.innerOutputs(1...)))
-            if let catchAllBody = catchAllBody {
-                let instr = b.emit(WasmBeginCatchAll(inputTypes: signature.outputTypes))
+        // Create a legacy try-catch with a void block signature. Mostly a convenience helper for
+        // test cases.
+        public func wasmBuildLegacyTryVoid(
+                body: (Variable) -> Void,
+                catchClauses: [(tag: Variable, body: (Variable, Variable, [Variable]) -> Void)] = [],
+                catchAllBody: ((Variable) -> Void)? = nil) {
+            let signature = [] => []
+            let signatureDef = b.wasmDefineAdHocSignatureType(signature: signature)
+            let instr = b.emit(WasmBeginTry(
+                parameterCount: 0), withInputs: [signatureDef], types: [.wasmTypeDef()])
+            assert(instr.innerOutputs.count == 1)
+            body(instr.innerOutput(0))
+            for (tag, generator) in catchClauses {
+                b.reportErrorIf(!b.type(of: tag).isWasmTagType,
+                    "Expected tag misses the WasmTagType extension for variable \(tag), typed \(b.type(of: tag)).")
+                let instr = b.emit(WasmBeginCatch(
+                        blockOutputCount: signature.outputTypes.count,
+                        labelParameterCount:  b.type(of: tag).wasmTagType!.parameters.count),
+                    withInputs: [signatureDef, tag],
+                    types: [.wasmTypeDef(), .object(ofGroup: "WasmTag")] + signature.outputTypes)
+                generator(instr.innerOutput(0), instr.innerOutput(1), Array(instr.innerOutputs(2...)))
+            }
+            if let catchAllBody {
+                let instr = b.emit(WasmBeginCatchAll(blockOutputCount: 0), withInputs: [signatureDef])
                 catchAllBody(instr.innerOutput(0))
             }
-            b.emit(WasmEndTry())
+            b.emit(WasmEndTry(blockOutputCount: 0), withInputs: [signatureDef])
         }
 
         // The catchClauses expect a list of (tag, block-generator lambda).
         // The lambda's inputs are the block label, the exception label (for rethrowing) and the
         // tag arguments.
         @discardableResult
-        public func wasmBuildLegacyTryWithResult(with signature: WasmSignature, args: [Variable],
+        public func wasmBuildLegacyTryWithResult(
+                signature: WasmSignature,
+                signatureDef: Variable,
+                args: [Variable],
                 body: (Variable, [Variable]) -> [Variable],
-                catchClauses: [(tag: Variable, body: (Variable, Variable, [Variable]) -> [Variable])],
+                catchClauses: [(tag: Variable, body: (Variable, Variable, [Variable]) -> [Variable])] = [],
                 catchAllBody: ((Variable) -> [Variable])? = nil) -> [Variable] {
-            let instr = b.emit(WasmBeginTry(with: signature), withInputs: args, types: signature.parameterTypes)
+            let parameterCount = signature.parameterTypes.count
+            let instr = b.emit(WasmBeginTry(parameterCount: parameterCount),
+                withInputs: [signatureDef] + args,
+                types: [.wasmTypeDef()] + signature.parameterTypes)
             var result = body(instr.innerOutput(0), Array(instr.innerOutputs(1...)))
             for (tag, generator) in catchClauses {
                 b.reportErrorIf(!b.type(of: tag).isWasmTagType,
                     "Expected tag misses the WasmTagType extension for variable \(tag), typed \(b.type(of: tag)).")
-                let instr = b.emit(WasmBeginCatch(with: b.type(of: tag).wasmTagType!.parameters => signature.outputTypes),
-                    withInputs: [tag] + result,
-                    types: [.object(ofGroup: "WasmTag")] + signature.outputTypes)
+                let instr = b.emit(WasmBeginCatch(
+                        blockOutputCount: signature.outputTypes.count,
+                        labelParameterCount:  b.type(of: tag).wasmTagType!.parameters.count),
+                    withInputs: [signatureDef, tag] + result,
+                    types: [.wasmTypeDef(), .object(ofGroup: "WasmTag")] + signature.outputTypes)
                 result = generator(instr.innerOutput(0), instr.innerOutput(1), Array(instr.innerOutputs(2...)))
             }
             if let catchAllBody = catchAllBody {
-                let instr = b.emit(WasmBeginCatchAll(inputTypes: signature.outputTypes), withInputs: result, types: signature.outputTypes)
+                let instr = b.emit(WasmBeginCatchAll(blockOutputCount: signature.outputTypes.count),
+                    withInputs: [signatureDef] + result,
+                    types: [.wasmTypeDef()] + signature.outputTypes)
                 result = catchAllBody(instr.innerOutput(0))
             }
-            return Array(b.emit(WasmEndTry(outputTypes: signature.outputTypes), withInputs: result, types: signature.outputTypes).outputs)
-        }
-
-        // Build a legacy catch block without a result type. Note that this may only be placed into
-        // try blocks that also don't have a result type. (Use wasmBuildLegacyTryWithResult to
-        // create a catch block with a result value.)
-        public func WasmBuildLegacyCatch(tag: Variable, body: ((Variable, Variable, [Variable]) -> Void)) {
-            b.reportErrorIf(!b.type(of: tag).isWasmTagType,
-                "Expected tag misses the WasmTagType extension for variable \(tag), typed \(b.type(of: tag)).")
-            let instr = b.emit(WasmBeginCatch(with: b.type(of: tag).wasmTagType!.parameters => []), withInputs: [tag], types: [.object(ofGroup: "WasmTag")])
-            body(instr.innerOutput(0), instr.innerOutput(1), Array(instr.innerOutputs(2...)))
+            return Array(b.emit(WasmEndTry(blockOutputCount: signature.outputTypes.count),
+                withInputs: [signatureDef] + result,
+                types: [.wasmTypeDef()] + signature.outputTypes).outputs)
         }
 
         public func WasmBuildThrow(tag: Variable, inputs: [Variable]) {
@@ -4948,14 +4969,13 @@ public class ProgramBuilder {
             break
         case .beginWasmFunction(let op):
             activeWasmModule!.functions.append(WasmFunction(forBuilder: self, withSignature: op.signature))
-        case .wasmBeginTry(let op):
-            activeWasmModule!.blockSignatures.push(op.signature)
+        case .wasmBeginTry(_):
+            break
         case .wasmBeginTryDelegate(let op):
             activeWasmModule!.blockSignatures.push(op.signature)
         case .wasmBeginTryTable(let op):
             activeWasmModule!.blockSignatures.push(op.signature)
-        case .wasmEndTry(_),
-             .wasmEndTryDelegate(_),
+        case .wasmEndTryDelegate(_),
              .wasmEndTryTable(_):
             activeWasmModule!.blockSignatures.pop()
         case .wasmDefineAdHocModuleSignatureType(_):

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -321,7 +321,6 @@ public let codeGeneratorWeights = [
     "WasmLoopGenerator":                        8,
     "WasmLoopWithSignatureGenerator":           8,
     "WasmLegacyTryCatchGenerator":              8,
-    "WasmLegacyTryCatchWithResultGenerator":    8,
     "WasmLegacyTryDelegateGenerator":           8,
     "WasmThrowGenerator":                       2,
     "WasmLegacyRethrowGenerator":               10,

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -1404,46 +1404,21 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         },
     ]),
 
-    // TODO Turn this into a multi-part Generator
-    CodeGenerator("WasmLegacyTryCatchGenerator", inContext: .single(.wasmFunction)) {
-        b in
-        let function = b.currentWasmModule.currentWasmFunction
-        // Choose a few random wasm values as arguments if available.
-        let args = b.randomWasmBlockArguments(upTo: 5)
-        let parameters = args.map(b.type)
-        let tags = (0..<Int.random(in: 0...5)).map { _ in
-            b.findVariable { b.type(of: $0).isWasmTagType }
-        }.filter { $0 != nil }.map { $0! }
-        let recursiveCallCount = 2 + tags.count
-        function.wasmBuildLegacyTry(with: parameters => [], args: args) {
-            label, args in
-            b.buildRecursive(n: 4)
-            for (i, tag) in tags.enumerated() {
-                function.WasmBuildLegacyCatch(tag: tag) { _, _, _ in
-                    b.buildRecursive(n: 4)
-                }
-            }
-        } catchAllBody: { label in
-            b.buildRecursive(n: 4)
-        }
-    },
-
     // TODO split this into a multi-part Generator.
-    CodeGenerator(
-        "WasmLegacyTryCatchWithResultGenerator", inContext: .single(.wasmFunction)
-    ) { b in
+    CodeGenerator("WasmLegacyTryCatchGenerator", inContext: .single(.wasmFunction)) { b in
         let function = b.currentWasmModule.currentWasmFunction
         // Choose a few random wasm values as arguments if available.
-        let args = b.randomWasmBlockArguments(upTo: 5)
+        let args = b.randomWasmBlockArguments(upTo: 5, allowingGcTypes: true)
         let parameters = args.map(b.type)
         let tags = (0..<Int.random(in: 0...5)).map { _ in
             b.findVariable { b.type(of: $0).isWasmTagType }
         }.filter { $0 != nil }.map { $0! }
         let outputTypes = b.randomWasmBlockOutputTypes(upTo: 3)
         let signature = parameters => outputTypes
+        let signatureDef = b.wasmDefineAdHocSignatureType(signature: signature)
         let recursiveCallCount = 2 + tags.count
         function.wasmBuildLegacyTryWithResult(
-            with: signature, args: args,
+            signature: signature, signatureDef: signatureDef, args: args,
             body: { label, args in
                 b.buildRecursive(n: 4)
                 return outputTypes.map(function.findOrGenerateWasmVar)

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1410,21 +1410,20 @@ extension Instruction: ProtobufConvertible {
                 }
             case .wasmBeginTry(let op):
                 $0.wasmBeginTry = Fuzzilli_Protobuf_WasmBeginTry.with {
-                    $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
-                    $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.parameterCount = Int32(op.numInputs - 1)
                 }
             case .wasmBeginCatchAll(let op):
                 $0.wasmBeginCatchAll = Fuzzilli_Protobuf_WasmBeginCatchAll.with {
-                    $0.inputTypes = op.inputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.blockOutputCount = Int32(op.numInputs - 1)
                 }
             case .wasmBeginCatch(let op):
                 $0.wasmBeginCatch = Fuzzilli_Protobuf_WasmBeginCatch.with {
-                    $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
-                    $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.blockOutputCount = Int32(op.blockOutputCount)
+                    $0.labelParameterCount = Int32(op.labelParameterCount)
                 }
             case .wasmEndTry(let op):
                 $0.wasmEndTry = Fuzzilli_Protobuf_WasmEndTry.with {
-                    $0.outputTypes = op.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.blockOutputCount = Int32(op.numOutputs)
                 }
             case .wasmBeginTryDelegate(let op):
                 $0.wasmBeginTryDelegate = Fuzzilli_Protobuf_WasmBeginTryDelegate.with {
@@ -2470,17 +2469,14 @@ extension Instruction: ProtobufConvertible {
         case .wasmEndTryTable(let p):
             op = WasmEndTryTable(outputTypes: p.outputTypes.map(WasmTypeEnumToILType))
         case .wasmBeginTry(let p):
-            let parameters = p.parameterTypes.map(WasmTypeEnumToILType)
-            let outputs = p.outputTypes.map(WasmTypeEnumToILType)
-            op = WasmBeginTry(with: parameters => outputs)
+            op = WasmBeginTry(parameterCount: Int(p.parameterCount))
         case .wasmBeginCatchAll(let p):
-            op = WasmBeginCatchAll(inputTypes: p.inputTypes.map(WasmTypeEnumToILType))
+            op = WasmBeginCatchAll(blockOutputCount: Int(p.blockOutputCount))
         case .wasmBeginCatch(let p):
-            let parameters = p.parameterTypes.map(WasmTypeEnumToILType)
-            let outputs = p.outputTypes.map(WasmTypeEnumToILType)
-            op = WasmBeginCatch(with: parameters => outputs)
+            op = WasmBeginCatch(blockOutputCount: Int(p.blockOutputCount),
+                                labelParameterCount: Int(p.labelParameterCount))
         case .wasmEndTry(let p):
-            op = WasmEndTry(outputTypes: p.outputTypes.map(WasmTypeEnumToILType))
+            op = WasmEndTry(blockOutputCount: Int(p.blockOutputCount))
         case .wasmBeginTryDelegate(let p):
             let parameters = p.parameterTypes.map(WasmTypeEnumToILType)
             let outputs = p.outputTypes.map(WasmTypeEnumToILType)

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -856,24 +856,44 @@ public struct JSTyper: Analyzer {
                 }
             case .wasmEndTryTable(let op):
                 wasmTypeEndBlock(instr, op.outputTypes)
-            case .wasmBeginTry(let op):
-                wasmTypeBeginBlock(instr, op.signature)
-            case .wasmBeginCatchAll(let op):
-                setType(of: instr.innerOutputs.first!, to: .label(op.inputTypes))
-            case .wasmBeginCatch(let op):
-                let tagType = ILType.label(op.signature.outputTypes)
-                setType(of: instr.innerOutput(0), to: tagType)
-                let definingInstruction = defUseAnalyzer.definition(of: instr.input(0))
-                dynamicObjectGroupManager.addWasmTag(withType: type(of: instr.input(0)), forDefinition: definingInstruction, forVariable: instr.input(0))
+            case .wasmBeginTry(_):
+            let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                wasmTypeBeginBlock(instr, signature)
+            case .wasmBeginCatchAll(_):
+                let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                setType(of: instr.innerOutputs.first!, to: .label(signature.outputTypes))
+            case .wasmBeginCatch(_):
+                let blockSignature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                // Type the label (used for branch instructions).
+                setType(of: instr.innerOutput(0), to: .label(blockSignature.outputTypes))
+                // Register the tag (Wasm exception) in the dynamicObjectGroupManager as being used
+                // by this Wasm module.
+                let tag = instr.input(1)
+                let definingInstruction = defUseAnalyzer.definition(of: tag)
+                dynamicObjectGroupManager.addWasmTag(withType: type(of: tag),
+                    forDefinition: definingInstruction, forVariable: tag)
+                // The second inner output is the exception label which is used for rethrowing the
+                // exception with the legacy exception handling proposal. (This is similar to the
+                // exnref in the standard exception handling spec.)
                 setType(of: instr.innerOutput(1), to: .exceptionLabel)
-                for (innerOutput, paramType) in zip(instr.innerOutputs.dropFirst(2), op.signature.parameterTypes) {
+                // Type the tag parameters.
+                guard let labelParameters = type(of: instr.input(1)).wasmTagType?.parameters else {
+                    // TODO(mliedtke): I believe that sooner or later we will run into this fatal
+                    // error. A tag can be defined in JavaScript and then be used in Wasm. Later on
+                    // the varaible defining the tag can be reassigned to with a different type,
+                    // loosening the inferred type information suddenly not being a tag any more.
+                    fatalError("Input into WasmBeginCatch not a tag type, actual "
+                        + "\(type(of: instr.input(1))), defined in \(definingInstruction)")
+                }
+                for (innerOutput, paramType) in zip(instr.innerOutputs.dropFirst(2), labelParameters) {
                     setType(of: innerOutput, to: paramType)
                 }
-                for (output, outputType) in zip(instr.outputs, op.signature.outputTypes) {
+                for (output, outputType) in zip(instr.outputs, blockSignature.outputTypes) {
                     setType(of: output, to: outputType)
                 }
-            case .wasmEndTry(let op):
-                wasmTypeEndBlock(instr, op.outputTypes)
+            case .wasmEndTry(_):
+                let blockSignature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                wasmTypeEndBlock(instr, blockSignature.outputTypes)
             case .wasmBeginTryDelegate(let op):
                 wasmTypeBeginBlock(instr, op.signature)
             case .wasmEndTryDelegate(let op):