[Custom Descriptors] Enable fuzzing (#7796)

Enable fuzz_opt.py and clusterfuzz to use initial contents containing
custom descriptors types and instructions and to generate new types that
use custom descriptors. Enable custom descriptors when running V8.

Do not yet allow the fuzzer to use initial contents containing
br_on_cast_desc instructions, since V8 still has some bugs around those.
Also do not yet generate new uses of custom descriptors instructions
that were not present in the initial contents.

Author: tlively

scripts/bundle_clusterfuzz.py

@@ -107,7 +107,6 @@
     '-all',
     '--disable-shared-everything',
     '--disable-fp16',
-    '--disable-custom-descriptors',
     '--disable-strings',
 ]
 

scripts/clusterfuzz/run.py

@@ -33,7 +33,7 @@
 
 # The V8 flags we put in the "fuzzer flags" files, which tell ClusterFuzz how to
 # run V8. By default we apply all staging flags.
-FUZZER_FLAGS = '--wasm-staging'
+FUZZER_FLAGS = '--wasm-staging --experimental-wasm-custom-descriptors'
 
 # Optional V8 flags to add to FUZZER_FLAGS, some of the time.
 OPTIONAL_FUZZER_FLAGS = [
@@ -92,7 +92,6 @@
     '-all',
     '--disable-shared-everything',
     '--disable-fp16',
-    '--disable-custom-descriptors',
     '--disable-strings',
 ]
 

scripts/test/fuzzing.py

@@ -96,6 +96,14 @@
     # it removes unknown imports
     'string-lifting.wast',
     'string-lifting-custom-module.wast',
+    # TODO: V8 still has bugs in br_on_cast_desc
+    'custom-descriptors.wast',
+    'abstract-type-refining-desc.wast',
+    'abstract-type-refining-tnh-exact-casts.wast',
+    'precompute-desc.wast',
+    'remove-unused-brs-desc.wast',
+    'vacuum-desc.wast',
+    'br_on_cast_desc.wast',
     # TODO: fuzzer support for stack switching
     'stack_switching.wast',
     'stack_switching_contnew.wast',
@@ -113,30 +121,6 @@
     'vacuum-stack-switching.wast',
     'cont.wast',
     'cont_simple.wast',
-    # TODO: fuzzer support for custom descriptors
-    'remove-unused-module-elements-refs-descriptors.wast',
-    'custom-descriptors.wast',
-    'br_on_cast_desc.wast',
-    'ref.get_desc.wast',
-    'ref.cast_desc.wast',
-    'struct.new-desc.wast',
-    'remove-unused-types-descriptors.wast',
-    'unsubtyping-desc.wast',
-    'type-merging-desc.wast',
-    'heap2local-desc.wast',
-    'minimize-rec-groups-desc.wast',
-    'precompute-desc.wast',
-    'gc-desc.wast',
-    'optimize-instructions-desc.wast',
-    'gto-desc.wast',
-    'type-ssa-desc.wast',
-    'abstract-type-refining-desc.wast',
-    'abstract-type-refining-tnh-exact-casts.wast',
-    'remove-unused-brs-desc.wast',
-    'vacuum-desc.wast',
-    'j2cl-merge-itables-desc.wast',
-    'heap-store-optimization-desc.wast',
-    'unused-descriptors.wast',
     # TODO: fix split_wast() on tricky escaping situations like a string ending
     #       in \\" (the " is not escaped - there is an escaped \ before it)
     'string-lifting-section.wast',

src/tools/fuzzing/fuzzing.cpp

@@ -446,11 +446,8 @@ void TranslateToFuzzReader::setupHeapTypes() {
 
   // For GC, also generate random types.
   if (wasm.features.hasGC()) {
-    // TODO: Support custom descriptors.
-    auto features = wasm.features;
-    features.setCustomDescriptors(false);
     auto generator = HeapTypeGenerator::create(
-      random, features, upTo(fuzzParams->MAX_NEW_GC_TYPES));
+      random, wasm.features, upTo(fuzzParams->MAX_NEW_GC_TYPES));
     auto result = generator.builder.build();
     if (auto* err = result.getError()) {
       Fatal() << "Failed to build heap types: " << err->reason << " at index "
@@ -3655,7 +3652,11 @@ Expression* TranslateToFuzzReader::makeCompoundRef(Type type) {
           nester.add(values.size() - 1);
         }
       }
-      return builder.makeStructNew(heapType, values);
+      Expression* descriptor = nullptr;
+      if (auto descType = heapType.getDescriptorType()) {
+        descriptor = make(Type(*descType, Nullable, Exact));
+      }
+      return builder.makeStructNew(heapType, values, descriptor);
     }
     case HeapTypeKind::Array: {
       auto element = heapType.getArray().element;
@@ -5576,9 +5577,11 @@ Type TranslateToFuzzReader::getSubType(Type type) {
     auto subType = Type(heapType, nullability, exactness);
     // We don't want to emit lots of uninhabitable types like (ref none), so
     // avoid them with high probability. Specifically, if the original type was
-    // inhabitable then return that; avoid adding more uninhabitability.
+    // inhabitable then return that; avoid adding more uninhabitability. We can
+    // never add new uninhabitability outside of functions, where we cannot
+    // use casts to generate something valid.
     if (GCTypeUtils::isUninhabitable(subType) &&
-        !GCTypeUtils::isUninhabitable(type) && !oneIn(20)) {
+        !GCTypeUtils::isUninhabitable(type) && (!funcContext || !oneIn(20))) {
       return type;
     }
     return subType;

test/unit/test_cluster_fuzz.py

@@ -422,7 +422,11 @@ def test_file_contents(self):
                 fuzz_file = os.path.join(temp_dir.name, f'fuzz-binaryen-{i}.js')
 
                 # Add --fuzzing to allow legacy and standard EH to coexist
-                cmd = [shared.V8, '--wasm-staging', '--fuzzing', fuzz_file]
+                cmd = [shared.V8,
+                       '--wasm-staging',
+                       '--experimental-wasm-custom-descriptors',
+                       '--fuzzing',
+                       fuzz_file]
                 proc = subprocess.run(cmd, stdout=subprocess.PIPE)
 
                 # An execution is valid if we exited without error, and if we