[wasm] Fix crash of tag without .wasmTagType

This fixes a crash in Fuzzilli where we have the following pattern:
  v0 <- CreateWasmTag [.wasmi32]
  v1 <- CreateWasmTag [.wasmi64]
  v2 <- LoadBoolean 'true'
  v3 <- TernaryOperation v2, v0, v1

The type of v3 is the union(type(v0), type(v1)) which resulted in
having a .object(ofGroup: "WasmTag") as both inputs are tags but not
having a WasmTypeExtension as these are incompatible (two different)
tag types.

When the WasmTypeExtension gets invalidated by the union, we now also
remove the object group from the TypeExtension.

Change-Id: I00da60a29974e768d7321c577b0015cdd31f8029
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8444056
Reviewed-by: Samuel Groß <[email protected]>
Reviewed-by: Carl Smith <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

Author: Liedtke

Sources/Fuzzilli/FuzzIL/TypeSystem.swift

@@ -643,8 +643,14 @@ public struct ILType: Hashable {
         let commonMethods = self.methods.intersection(other.methods)
         let signature = self.signature == other.signature ? self.signature : nil        // TODO: this is overly coarse, we could also see if one signature subsumes the other, then take the subsuming one.
         let receiver = other.receiver != nil && other.receiver != nil ? self.receiver?.intersection(with: other.receiver!) : nil
-        let group = self.group == other.group ? self.group : nil
+        var group = self.group == other.group ? self.group : nil
         let wasmExt = self.wasmType != nil && other.wasmType != nil ? self.wasmType!.union(other.wasmType!) : nil
+        // Object groups are used to describe certain wasm types. If the WasmTypeExtension is lost,
+        // the group should also be invalidated. This ensures that e.g. any
+        // `.object(ofGroup: "WasmTag")` always has a `.wasmTagType` extension.
+        if wasmExt == nil && (self.wasmType ?? other.wasmType) != nil {
+            group = nil
+        }
 
         return ILType(definiteType: definiteType, possibleType: possibleType, ext: TypeExtension(group: group, properties: commonProperties, methods: commonMethods, signature: signature, wasmExt: wasmExt, receiver: receiver))
     }

Tests/FuzzilliTests/TypeSystemTest.swift

@@ -611,18 +611,22 @@ class TypeSystemTests: XCTestCase {
         XCTAssertEqual(ILTypeGlobalI32Mutable | ILTypeGlobalI32Mutable, ILTypeGlobalI32Mutable)
 
         // Types with not equal WasmTypeExtension don't have a WasmTypeExtension in their union.
-        let unionMutabilityDiff = ILType.object(ofGroup: "WasmGlobal", withProperties: ["value"])
+        let unionMutabilityDiff = ILType.object(withProperties: ["value"])
         XCTAssertEqual(ILTypeGlobalI32Mutable | ILTypeGlobalI32NonMutable, unionMutabilityDiff)
         // Invariant: the union of two types subsumes both types.
         XCTAssert(unionMutabilityDiff >= ILTypeGlobalI32Mutable)
         XCTAssert(unionMutabilityDiff >= ILTypeGlobalI32NonMutable)
 
-        let unionValueTypeDiff = ILType.object(ofGroup: "WasmGlobal", withProperties: ["value"])
+        let unionValueTypeDiff = ILType.object(withProperties: ["value"])
         XCTAssertEqual(ILTypeGlobalI32Mutable | ILTypeGlobalF32Mutable, unionValueTypeDiff)
         XCTAssert(unionValueTypeDiff >= ILTypeGlobalI32Mutable)
         XCTAssert(unionValueTypeDiff >= ILTypeGlobalI32NonMutable)
 
-        XCTAssertEqual(ILTypeGlobalI32Mutable | .object(ofGroup: "WasmGlobal"), .object(ofGroup: "WasmGlobal"))
+        // When removing the WasmTypeExtension, the group is also removed. (Note that this specific
+        // case is artificial as a .object(ofGroup: WasmGlobal) should only be used e.g. as a
+        // search criteria but never appear as a type for a variable without a corresponding
+        // .wasmGlobalType extension.)
+        XCTAssertEqual(ILTypeGlobalI32Mutable | .object(ofGroup: "WasmGlobal"), .object())
         XCTAssert(.object(ofGroup: "WasmGlobal") >= ILTypeGlobalI32Mutable)
         XCTAssertEqual(ILTypeGlobalI32Mutable | .object(withProperties: ["value"]), .object(withProperties: ["value"]))
         XCTAssert(.object(withProperties: ["value"]) >= ILTypeGlobalI32Mutable)
@@ -1155,6 +1159,25 @@ class TypeSystemTests: XCTestCase {
         }
     }
 
+    func testWasmTypeExtensionUnionTypeExtensionVsWasmTypeExtension() {
+        let tagA = ILType.object(ofGroup: "WasmTag", withWasmType: WasmTagType([.wasmi32]))
+        let tagB = ILType.object(ofGroup: "WasmTag", withWasmType: WasmTagType([.wasmi64]))
+        // The union with itself doesn't modify the type.
+        XCTAssertEqual(tagA.union(with: tagA), tagA)
+        // The union of two distinct wasm tags / WasmTypeExtensions leads to the removal of the wasm
+        // type extension. To make the types easier to use (e.g. a catch might just want to search
+        // for any wasm tag by doing `required(.object(ofGroup: "WasmTag"))` and expect to get a tag
+        // with a valid type extension), if the WasmTypeExtension is removed, also any object group
+        // is invalidated on the TypeExtension.
+        let tagUnion = tagA.union(with: tagB)
+        XCTAssertNil(tagUnion.wasmType)
+        XCTAssertNil(tagUnion.group)
+        // The intersection of two unequal tags always leads to an invalid type (as tags never
+        // subsume each other).
+        let tagIntersection = tagA.intersection(with: tagB)
+        XCTAssertEqual(tagIntersection, .nothing)
+    }
+
     func testUnboundFunctionSubsumptionRules() {
         XCTAssertEqual(ILType.unboundFunction(), .unboundFunction())
         XCTAssertNotEqual(ILType.unboundFunction([] => .object()), .unboundFunction())