[wasm] Fix WasmTypeGroupReducer to expose all unremoved types

While the WasmTypeGroupReducer shall remove all inputs which are not
used from the WasmEndTypeGroup (so that these types can be removed in a
following iteration), it should still expose all types which are used
inside the type group, so that the JSTyper still continues to handle
them correctly.

This will hopefully fix the current crashes we are observing for types
missing the linkage from a wasm index reference type to the
corresponding type definition variable in the JSTyper.

Bug: 475996631
Change-Id: I571a44fabee3f302c8f53fad14d6f62263d0a8ca
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8935617
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>

Author: Liedtke

Sources/Fuzzilli/Minimization/WasmTypeGroupReducer.swift

@@ -22,12 +22,24 @@ struct WasmTypeGroupReducer: Reducer {
                 uses[input]? += 1
             }
 
+
+            guard instr.op is WasmTypeOperation else { continue }
+            // Define the usages for all WasmTypeOperation so that we also count usages of a type
+            // inside a type group (i.e. by other type operations).
+            for output in instr.outputs {
+                uses[output] = 0
+            }
+
             // For now, we only consider EndTypeGroup instructions.
             guard case .wasmEndTypeGroup = instr.op.opcode else  { continue }
 
             candidates.append(instr.index)
-            for output in instr.outputs {
-                uses[output] = 0
+            for (input, output) in zip(instr.inputs, instr.outputs) {
+                // Subtract 1 as the input in the WasmEndTypeGroup itself is not a reason to keep
+                // the type. However, if the type is used inside the type group, it also needs to be
+                // exposed by the type group. Right now the JSTyper requires that all types defined
+                // in a type group are exposed by their WasmEndTypeGroup instruction.
+                uses[output]! += uses[input]! - 1
             }
         }
 

Tests/FuzzilliTests/MinimizerTest.swift

@@ -2126,6 +2126,55 @@ class MinimizerTests: XCTestCase {
 
     }
 
+    func testWasmTypeGroupTypeOnlyUsedInDependency() throws {
+        let evaluator = EvaluatorForMinimizationTests()
+        let fuzzer = makeMockFuzzer(evaluator: evaluator)
+        let b = fuzzer.makeBuilder()
+
+        // Build input program to be minimized.
+        do {
+            let typeGroup = b.wasmDefineTypeGroup {
+                // This signature is only used by the structType which is exposed from this type
+                // group and then used in the struct.new_default inside the wasm function. Still,
+                // due to this indirect usage it must still be kept alive.
+                let signature = b.wasmDefineSignatureType(signature: [.wasmi32] => [.wasmi32], indexTypes: [])
+                let structType = b.wasmDefineStructType(fields: [.init(type: .wasmRef(.Index(), nullability: true), mutability: true)], indexTypes: [signature])
+                return [signature, structType]
+            }
+
+            b.buildWasmModule { wasmModule in
+                wasmModule.addWasmFunction(with: [] => [.wasmAnyRef()]) { function, label, args in
+                    evaluator.nextInstructionIsImportant(in: b)
+                    return [function.wasmStructNewDefault(structType: typeGroup[1])]
+                }
+            }
+        }
+        let originalProgram = b.finalize()
+
+        // Build expected output program.
+        do {
+            let typeGroup = b.wasmDefineTypeGroup {
+                let signature = b.wasmDefineSignatureType(signature: [.wasmi32] => [.wasmi32], indexTypes: [])
+                let structType = b.wasmDefineStructType(fields: [.init(type: .wasmRef(.Index(), nullability: true), mutability: true)], indexTypes: [signature])
+                return [signature, structType]
+            }
+
+            b.buildWasmModule { wasmModule in
+                wasmModule.addWasmFunction(with: [] => [.wasmAnyRef()]) { function, label, args in
+                    return [function.wasmStructNewDefault(structType: typeGroup[1])]
+                }
+            }
+        }
+        let expectedProgram = b.finalize()
+
+        // Perform minimization and check that the two programs are equal.
+        let actualProgram = minimize(originalProgram, with: fuzzer)
+        XCTAssertEqual(expectedProgram, actualProgram,
+            "Expected:\n\(FuzzILLifter().lift(expectedProgram.code))\n\n" +
+            "Actual:\n\(FuzzILLifter().lift(actualProgram.code))")
+    }
+
+
     func testWasmTypeGroupNestedTypesAndTypeGroupDependencies() throws {
         let evaluator = EvaluatorForMinimizationTests()
         let fuzzer = makeMockFuzzer(evaluator: evaluator)