[wasm] Implement subtyping between all abstract heap types

This implements the subtyping rules between abstract heap types.
It does not implement subtyping between index types (structs, arrays)
and abstract heap types.

Bug: 430198271
Change-Id: Id08d632fb21ca5e51753913b33e2efe800dbbfa5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8446896
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Manos Koukoutos <[email protected]>

Author: Liedtke

Sources/Fuzzilli/FuzzIL/TypeSystem.swift

@@ -1332,7 +1332,10 @@ public class WasmTypeDefinition: WasmTypeExtension {
 // TODO: Add continuation types for core stack switching.
 // TODO: Add shared bit for shared-everything-threads.
 // TODO: Add internal string type for JS string builtins.
-enum WasmAbstractHeapType: CaseIterable {
+enum WasmAbstractHeapType: CaseIterable, Comparable {
+    // Note: The union, intersection, ... implementations are inspired by Binaryen's implementation,
+    // so when extending the type system, feel free to use that implemenation as an orientation.
+    // https://github.com/WebAssembly/binaryen/blob/main/src/wasm/wasm-type.cpp
     case WasmExtern
     case WasmFunc
     case WasmAny
@@ -1357,6 +1360,75 @@ enum WasmAbstractHeapType: CaseIterable {
                 return true
         }
     }
+
+    func isBottom() -> Bool {
+        getBottom() == self
+    }
+
+    func getBottom() -> Self {
+        switch self {
+            case .WasmExtern, .WasmNoExtern:
+                return .WasmNoExtern
+            case .WasmFunc, .WasmNoFunc:
+                return .WasmNoFunc
+            case .WasmAny, .WasmEq, .WasmI31, .WasmStruct, .WasmArray, .WasmNone:
+                return .WasmNone
+            case .WasmExn, .WasmNoExn:
+                return .WasmNoExn
+        }
+    }
+
+    func inSameHierarchy(_ other: Self) -> Bool {
+        return getBottom() == other.getBottom()
+    }
+
+    func union(_ other: Self) -> Self? {
+        if self == other {
+            return self
+        }
+        if !self.inSameHierarchy(other) {
+            return nil  // Incompatible heap types.
+        }
+        if self.isBottom() {
+            return other
+        }
+        if other.isBottom() {
+            return self
+        }
+        // Let `a` be the lesser type.
+        let a = min(self, other)
+        let b = max(self, other)
+        return switch a {
+            case .WasmAny:
+                .WasmAny
+            case .WasmEq, .WasmI31, .WasmStruct:
+                .WasmEq
+            case .WasmArray:
+                .WasmAny
+            case .WasmExtern, .WasmFunc, .WasmExn, .WasmNone, .WasmNoExtern, .WasmNoFunc, .WasmNoExn:
+                fatalError("unhandled subtyping for a=\(a) b=\(b)")
+        }
+    }
+
+    func intersection(_ other: Self) -> Self? {
+        if self == other {
+            return self
+        }
+        if self.getBottom() != other.getBottom() {
+            return nil
+        }
+        if self.subsumes(other) {
+            return other
+        }
+        if other.subsumes(self) {
+            return self
+        }
+        return self.getBottom()
+    }
+
+    func subsumes(_ other: Self) -> Bool {
+        union(other) == self
+    }
 }
 
 // A wrapper around a WasmTypeDescription without owning the WasmTypeDescription.
@@ -1397,7 +1469,7 @@ public class WasmReferenceType: WasmTypeExtension {
                         case .Index(_):
                             return false
                         case .Abstract(let otherHeapType):
-                            return heapType == otherHeapType
+                            return heapType.subsumes(otherHeapType)
                     }
             }
         }
@@ -1448,7 +1520,10 @@ public class WasmReferenceType: WasmTypeExtension {
                     case .Index(_):
                         return nil
                     case .Abstract(let otherHeapType):
-                        return heapType == otherHeapType ? WasmReferenceType(.Abstract(heapType), nullability: nullability) : nil
+                        if let upperBound = heapType.union(otherHeapType) {
+                            return WasmReferenceType(.Abstract(upperBound), nullability: nullability)
+                        }
+                        return nil
                 }
         }
     }
@@ -1472,7 +1547,10 @@ public class WasmReferenceType: WasmTypeExtension {
                     case .Index(_):
                         return nil
                     case .Abstract(let otherHeapType):
-                        return heapType == otherHeapType ? WasmReferenceType(.Abstract(heapType), nullability: nullability) : nil
+                        if let lowerBound = heapType.intersection(otherHeapType) {
+                            return WasmReferenceType(.Abstract(lowerBound), nullability: nullability)
+                        }
+                        return nil
                 }
         }
     }

Tests/FuzzilliTests/TypeSystemTest.swift

@@ -1183,6 +1183,85 @@ class TypeSystemTests: XCTestCase {
         XCTAssertEqual(tagIntersection, .nothing)
     }
 
+    func testWasmAbstractHeapTypeSubsumptionRules() {
+        let groupAny: [WasmAbstractHeapType] =
+            [.WasmAny, .WasmEq, .WasmI31, .WasmStruct, .WasmArray, .WasmNone]
+        let groupExtern: [WasmAbstractHeapType] = [.WasmExtern, .WasmNoExtern]
+        let groupFunc: [WasmAbstractHeapType] = [.WasmFunc, .WasmNoFunc]
+        let groupExn: [WasmAbstractHeapType] = [.WasmExn, .WasmNoExn]
+        let allGroups = [groupAny, groupExtern, groupFunc, groupExn]
+        let allTypes = allGroups.joined()
+        // If this fails, please extend the arrays above with the newly added type(s).
+        XCTAssert(WasmAbstractHeapType.allCases.allSatisfy(allTypes.contains))
+
+        // All types in the same type group share the same bottom type.
+        XCTAssert(groupAny.allSatisfy {$0.getBottom() == .WasmNone})
+        XCTAssert(groupExtern.allSatisfy {$0.getBottom() == .WasmNoExtern})
+        XCTAssert(groupFunc.allSatisfy {$0.getBottom() == .WasmNoFunc})
+        XCTAssert(groupExn.allSatisfy {$0.getBottom() == .WasmNoExn})
+
+        // The union and intersection of of two unrelated types are nil.
+        for groupA in allGroups {
+            for groupB in allGroups where groupA != groupB {
+                for typeA in groupA {
+                    for typeB in groupB {
+                        XCTAssertNil(typeA.union(typeB), "a=\(typeA) b=\(typeB)")
+                        XCTAssertNil(typeA.intersection(typeB), "a=\(typeA) b=\(typeB)")
+                    }
+                }
+            }
+        }
+
+        for type in allTypes {
+            XCTAssertEqual(type.union(type), type)
+            XCTAssertEqual(type.union(type.getBottom()), type)
+            XCTAssertEqual(type.getBottom().union(type), type)
+            XCTAssertEqual(type.intersection(type), type)
+            XCTAssertEqual(type.intersection(type.getBottom()), type.getBottom())
+        }
+
+        // Testing a few combinations.
+        XCTAssertEqual(WasmAbstractHeapType.WasmAny.union(.WasmEq), .WasmAny)
+        XCTAssertEqual(WasmAbstractHeapType.WasmStruct.union(.WasmArray), .WasmEq)
+        XCTAssertEqual(WasmAbstractHeapType.WasmI31.union(.WasmArray), .WasmEq)
+        XCTAssertEqual(WasmAbstractHeapType.WasmArray.union(.WasmEq), .WasmEq)
+        XCTAssertEqual(WasmAbstractHeapType.WasmArray.intersection(.WasmStruct), .WasmNone)
+        XCTAssertEqual(WasmAbstractHeapType.WasmI31.intersection(.WasmStruct), .WasmNone)
+        XCTAssertEqual(WasmAbstractHeapType.WasmI31.intersection(.WasmEq), .WasmI31)
+        XCTAssertEqual(WasmAbstractHeapType.WasmAny.intersection(.WasmArray), .WasmArray)
+
+        // Tests on the whole ILType.
+        let ref = {t in ILType.wasmRef(.Abstract(t), nullability: false)}
+        let refNull = {t in ILType.wasmRef(.Abstract(t), nullability: false)}
+        for type in allTypes {
+            let refT = ref(type)
+            let refNullT = refNull(type)
+            XCTAssertEqual(refT.union(with: refNullT), refNullT)
+            XCTAssertEqual(refNullT.union(with: refT), refNullT)
+            XCTAssertEqual(refT.union(with: refT), refT)
+            XCTAssertEqual(refNullT.union(with: refNullT), refNullT)
+            XCTAssertEqual(refT.intersection(with: refT), refT)
+            XCTAssertEqual(refNullT.intersection(with: refNullT), refNullT)
+            XCTAssertEqual(refT.intersection(with: refNullT), refT)
+            XCTAssertEqual(refNullT.intersection(with: refT), refT)
+        }
+
+        XCTAssertEqual(ref(.WasmAny).union(with: refNull(.WasmEq)), refNull(.WasmAny))
+        XCTAssertEqual(ref(.WasmStruct).union(with: ref(.WasmArray)), ref(.WasmEq))
+        // We should never do this for the type information of any Variable as .wasmGenericRef
+        // cannot be encoded in the Wasm module and any instruction that leads to such a static type
+        // is "broken". However, we will still need to allow this union type if we want to be able
+        // to request a .required(.wasmGenericRef) for operations like WasmRefIsNull.
+        XCTAssertEqual(ref(.WasmI31).union(with: refNull(.WasmExn)), .wasmGenericRef)
+
+        XCTAssertEqual(ref(.WasmAny).intersection(with: refNull(.WasmEq)), ref(.WasmEq))
+        XCTAssertEqual(refNull(.WasmI31).intersection(with: refNull(.WasmStruct)), refNull(.WasmNone))
+        // Note that `ref none` is a perfectly valid type in Wasm but such a reference can never be
+        // constructed.
+        XCTAssertEqual(ref(.WasmArray).intersection(with: refNull(.WasmStruct)), ref(.WasmNone))
+        XCTAssertEqual(refNull(.WasmArray).intersection(with: ref(.WasmAny)), ref(.WasmArray))
+    }
+
     func testUnboundFunctionSubsumptionRules() {
         XCTAssertEqual(ILType.unboundFunction(), .unboundFunction())
         XCTAssertNotEqual(ILType.unboundFunction([] => .object()), .unboundFunction())