[wasm] Migrate legacy try-delegate to use wasm-gc signatures

Bug: 448860865
Change-Id: I89bdc92e1757a68dec64da8a7ab90e7c397694eb
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956317
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -4153,18 +4153,24 @@ public class ProgramBuilder {
 
         public func wasmBuildLegacyTryDelegate(with signature: WasmSignature, args: [Variable], body: (Variable, [Variable]) -> Void, delegate: Variable) {
             assert(signature.outputTypes.isEmpty)
-            let instr = b.emit(WasmBeginTryDelegate(with: signature), withInputs: args, types: signature.parameterTypes)
+            let signatureDef = b.wasmDefineAdHocSignatureType(signature: signature)
+            let instr = b.emit(WasmBeginTryDelegate(parameterCount: signature.parameterTypes.count),
+                withInputs: [signatureDef] + args,
+                types: [.wasmTypeDef()] + signature.parameterTypes)
             body(instr.innerOutput(0), Array(instr.innerOutputs(1...)))
-            b.emit(WasmEndTryDelegate(), withInputs: [delegate])
+            b.emit(WasmEndTryDelegate(outputCount: 0), withInputs: [signatureDef, delegate])
         }
 
         @discardableResult
         public func wasmBuildLegacyTryDelegateWithResult(with signature: WasmSignature, args: [Variable], body: (Variable, [Variable]) -> [Variable], delegate: Variable) -> [Variable] {
-            let instr = b.emit(WasmBeginTryDelegate(with: signature), withInputs: args, types: signature.parameterTypes)
+            let signatureDef = b.wasmDefineAdHocSignatureType(signature: signature)
+            let instr = b.emit(WasmBeginTryDelegate(parameterCount: signature.parameterTypes.count),
+                withInputs: [signatureDef] + args,
+                types: [.wasmTypeDef()] + signature.parameterTypes)
             let results = body(instr.innerOutput(0), Array(instr.innerOutputs(1...)))
-            return Array(b.emit(WasmEndTryDelegate(outputTypes: signature.outputTypes),
-                withInputs: [delegate] + results,
-                types: [.anyLabel] + signature.outputTypes
+            return Array(b.emit(WasmEndTryDelegate(outputCount: signature.outputTypes.count),
+                withInputs: [signatureDef, delegate] + results,
+                types: [.wasmTypeDef(), .anyLabel] + signature.outputTypes
             ).outputs)
         }
 
@@ -4969,14 +4975,13 @@ public class ProgramBuilder {
             break
         case .beginWasmFunction(let op):
             activeWasmModule!.functions.append(WasmFunction(forBuilder: self, withSignature: op.signature))
-        case .wasmBeginTry(_):
+        case .wasmBeginTry(_),
+             .wasmEndTryDelegate(_),
+             .wasmBeginTryDelegate(_):
             break
-        case .wasmBeginTryDelegate(let op):
-            activeWasmModule!.blockSignatures.push(op.signature)
         case .wasmBeginTryTable(let op):
             activeWasmModule!.blockSignatures.push(op.signature)
-        case .wasmEndTryDelegate(_),
-             .wasmEndTryTable(_):
+        case .wasmEndTryTable(_):
             activeWasmModule!.blockSignatures.pop()
         case .wasmDefineAdHocModuleSignatureType(_):
             break

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -1444,7 +1444,7 @@ public let WasmCodeGenerators: [CodeGenerator] = [
     ) { b, label in
         let function = b.currentWasmModule.currentWasmFunction
         // Choose a few random wasm values as arguments if available.
-        let args = b.randomWasmBlockArguments(upTo: 5)
+        let args = b.randomWasmBlockArguments(upTo: 5, allowingGcTypes: true)
         let outputTypes = b.randomWasmBlockOutputTypes(upTo: 3)
         let parameters = args.map(b.type)
         function.wasmBuildLegacyTryDelegateWithResult(

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1427,12 +1427,11 @@ extension Instruction: ProtobufConvertible {
                 }
             case .wasmBeginTryDelegate(let op):
                 $0.wasmBeginTryDelegate = Fuzzilli_Protobuf_WasmBeginTryDelegate.with {
-                    $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
-                    $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.parameterCount = Int32(op.numInputs - 1)
                 }
             case .wasmEndTryDelegate(let op):
                 $0.wasmEndTryDelegate = Fuzzilli_Protobuf_WasmEndTryDelegate.with {
-                    $0.outputTypes = op.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.outputCount = Int32(op.numOutputs)
                 }
             case .wasmThrow(_):
                 $0.wasmThrow = Fuzzilli_Protobuf_WasmThrow()
@@ -2478,11 +2477,9 @@ extension Instruction: ProtobufConvertible {
         case .wasmEndTry(let p):
             op = WasmEndTry(blockOutputCount: Int(p.blockOutputCount))
         case .wasmBeginTryDelegate(let p):
-            let parameters = p.parameterTypes.map(WasmTypeEnumToILType)
-            let outputs = p.outputTypes.map(WasmTypeEnumToILType)
-            op = WasmBeginTryDelegate(with: parameters => outputs)
+            op = WasmBeginTryDelegate(parameterCount: Int(p.parameterCount))
         case .wasmEndTryDelegate(let p):
-            op = WasmEndTryDelegate(outputTypes: p.outputTypes.map(WasmTypeEnumToILType))
+            op = WasmEndTryDelegate(outputCount: Int(p.outputCount))
         case .wasmThrow(_):
             op = WasmThrow(parameterCount: inouts.count - 1)
         case .wasmThrowRef(_):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -894,10 +894,12 @@ public struct JSTyper: Analyzer {
             case .wasmEndTry(_):
                 let blockSignature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
                 wasmTypeEndBlock(instr, blockSignature.outputTypes)
-            case .wasmBeginTryDelegate(let op):
-                wasmTypeBeginBlock(instr, op.signature)
-            case .wasmEndTryDelegate(let op):
-                wasmTypeEndBlock(instr, op.outputTypes)
+            case .wasmBeginTryDelegate(_):
+                let blockSignature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                wasmTypeBeginBlock(instr, blockSignature)
+            case .wasmEndTryDelegate(_):
+                let blockSignature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                wasmTypeEndBlock(instr, blockSignature.outputTypes)
             case .wasmCallDirect(_):
                 let signature = type(of: instr.input(0)).wasmFunctionDefSignature!
                 for (output, outputType) in zip(instr.outputs, signature.outputTypes) {

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -1445,24 +1445,26 @@ final class WasmEndTry: WasmOperation {
 /// A special try block that does not have any catch / catch_all handlers but ends with a delegate to handle the exception.
 final class WasmBeginTryDelegate: WasmOperation {
     override var opcode: Opcode { .wasmBeginTryDelegate(self) }
-    let signature: WasmSignature
 
-    init(with signature: WasmSignature) {
-        self.signature = signature
-        super.init(numInputs: signature.parameterTypes.count, numInnerOutputs: 1 + signature.parameterTypes.count, attributes: [.isBlockStart, .propagatesSurroundingContext], requiredContext: [.wasmFunction], contextOpened: [])
+    init(parameterCount: Int) {
+        // inputs: The signature and the arguments.
+        // innerOutputs: The label and the arguments.
+        super.init(numInputs: 1 + parameterCount, numInnerOutputs: 1 + parameterCount,
+            attributes: [.isBlockStart, .propagatesSurroundingContext],
+            requiredContext: [.wasmFunction])
     }
 }
 
 /// Delegates any exception thrown inside WasmBeginTryDelegate and this end to another block defined by the label.
 /// This can be a "proper" try block (in which case its catch blocks apply) or any other block like a loop or an if.
 final class WasmEndTryDelegate: WasmOperation {
     override var opcode: Opcode { .wasmEndTryDelegate(self) }
-    let outputTypes: [ILType]
 
-    init(outputTypes: [ILType] = []) {
-        self.outputTypes = outputTypes
-        // Inputs: 1 label to delegate an exception to plus all the outputs of the try block.
-        super.init(numInputs: 1 + outputTypes.count, numOutputs: outputTypes.count, attributes: [.isBlockEnd, .resumesSurroundingContext], requiredContext: [.wasmFunction])
+    init(outputCount: Int) {
+        // Inputs: The signature, the label to delegate an exception to plus all the outputs of the
+        // try block.
+        super.init(numInputs: 2 + outputCount, numOutputs: outputCount,
+            attributes: [.isBlockEnd, .resumesSurroundingContext], requiredContext: [.wasmFunction])
     }
 }
 

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -1176,8 +1176,8 @@ public class FuzzILLifter: Lifter {
         case .wasmRethrow(_):
             w.emit("WasmRethrow \(instr.input(0))")
 
-        case .wasmBeginTryDelegate(let op):
-            w.emit("WasmBeginTryDelegate -> L:\(instr.innerOutput(0)) [\(liftCallArguments(instr.innerOutputs(1...)))] (\(op.signature))")
+        case .wasmBeginTryDelegate(_):
+            w.emit("WasmBeginTryDelegate -> L:\(instr.innerOutput(0)) [\(liftCallArguments(instr.innerOutputs(1...)))]")
             w.increaseIndentionLevel()
 
         case .wasmEndTryDelegate(_):

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -1257,8 +1257,7 @@ public class WasmLifter {
             self.currentFunction!.labelBranchDepthMapping[instr.innerOutput(0)] = self.currentFunction!.variableAnalyzer.wasmBranchDepth
             // Needs typer analysis
             return true
-        case .wasmBeginTryDelegate(let op):
-            registerSignature(op.signature)
+        case .wasmBeginTryDelegate(_):
             self.currentFunction!.labelBranchDepthMapping[instr.innerOutput(0)] = self.currentFunction!.variableAnalyzer.wasmBranchDepth
             // Needs typer analysis
             return true
@@ -1935,8 +1934,9 @@ public class WasmLifter {
         case .wasmBeginTry(_):
             let signatureDesc = typer.getTypeDescription(of: wasmInstruction.input(0))
             return Data([0x06] + Leb128.unsignedEncode(typeDescToIndex[signatureDesc]!))
-        case .wasmBeginTryDelegate(let op):
-            return Data([0x06] + Leb128.unsignedEncode(getSignatureIndexStrict(op.signature)))
+        case .wasmBeginTryDelegate(_):
+            let signatureDesc = typer.getTypeDescription(of: wasmInstruction.input(0))
+            return Data([0x06] + Leb128.unsignedEncode(typeDescToIndex[signatureDesc]!))
         case .wasmBeginCatchAll(_):
             return Data([0x19])
         case .wasmBeginCatch(_):
@@ -1949,7 +1949,7 @@ public class WasmLifter {
             // Basically the same as EndBlock, just an explicit instruction.
             return Data([0x0B])
         case .wasmEndTryDelegate(_):
-            let branchDepth = try branchDepthFor(label: wasmInstruction.input(0))
+            let branchDepth = try branchDepthFor(label: wasmInstruction.input(1))
             // Mutation might make this EndTryDelegate branch to itself, which should not happen.
             if branchDepth < 0 {
                 throw WasmLifter.CompileError.invalidBranch

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -5271,9 +5271,7 @@ public struct Fuzzilli_Protobuf_WasmBeginTryDelegate: Sendable {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
-  public var parameterTypes: [Fuzzilli_Protobuf_WasmILType] = []
-
-  public var outputTypes: [Fuzzilli_Protobuf_WasmILType] = []
+  public var parameterCount: Int32 = 0
 
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
@@ -5285,7 +5283,7 @@ public struct Fuzzilli_Protobuf_WasmEndTryDelegate: Sendable {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
-  public var outputTypes: [Fuzzilli_Protobuf_WasmILType] = []
+  public var outputCount: Int32 = 0
 
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
@@ -13985,64 +13983,59 @@ extension Fuzzilli_Protobuf_WasmEndTry: SwiftProtobuf.Message, SwiftProtobuf._Me
 
 extension Fuzzilli_Protobuf_WasmBeginTryDelegate: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".WasmBeginTryDelegate"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterTypes\0\u{1}outputTypes\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterCount\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
       // The use of inline closures is to circumvent an issue where the compiler
       // allocates stack space for every case branch when no optimizations are
       // enabled. https://github.com/apple/swift-protobuf/issues/1034
       switch fieldNumber {
-      case 1: try { try decoder.decodeRepeatedMessageField(value: &self.parameterTypes) }()
-      case 2: try { try decoder.decodeRepeatedMessageField(value: &self.outputTypes) }()
+      case 1: try { try decoder.decodeSingularInt32Field(value: &self.parameterCount) }()
       default: break
       }
     }
   }
 
   public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
-    if !self.parameterTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.parameterTypes, fieldNumber: 1)
-    }
-    if !self.outputTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.outputTypes, fieldNumber: 2)
+    if self.parameterCount != 0 {
+      try visitor.visitSingularInt32Field(value: self.parameterCount, fieldNumber: 1)
     }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_WasmBeginTryDelegate, rhs: Fuzzilli_Protobuf_WasmBeginTryDelegate) -> Bool {
-    if lhs.parameterTypes != rhs.parameterTypes {return false}
-    if lhs.outputTypes != rhs.outputTypes {return false}
+    if lhs.parameterCount != rhs.parameterCount {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }
 }
 
 extension Fuzzilli_Protobuf_WasmEndTryDelegate: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".WasmEndTryDelegate"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}outputTypes\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}outputCount\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
       // The use of inline closures is to circumvent an issue where the compiler
       // allocates stack space for every case branch when no optimizations are
       // enabled. https://github.com/apple/swift-protobuf/issues/1034
       switch fieldNumber {
-      case 1: try { try decoder.decodeRepeatedMessageField(value: &self.outputTypes) }()
+      case 1: try { try decoder.decodeSingularInt32Field(value: &self.outputCount) }()
       default: break
       }
     }
   }
 
   public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
-    if !self.outputTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.outputTypes, fieldNumber: 1)
+    if self.outputCount != 0 {
+      try visitor.visitSingularInt32Field(value: self.outputCount, fieldNumber: 1)
     }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_WasmEndTryDelegate, rhs: Fuzzilli_Protobuf_WasmEndTryDelegate) -> Bool {
-    if lhs.outputTypes != rhs.outputTypes {return false}
+    if lhs.outputCount != rhs.outputCount {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }

Sources/Fuzzilli/Protobuf/operations.proto

@@ -1287,12 +1287,11 @@ message WasmEndTry {
 }
 
 message WasmBeginTryDelegate {
-  repeated WasmILType parameterTypes = 1;
-  repeated WasmILType outputTypes = 2;
+    int32 parameterCount = 1;
 }
 
 message WasmEndTryDelegate {
-  repeated WasmILType outputTypes = 1;
+    int32 outputCount = 1;
 }
 
 message WasmThrow {