[wasm] Restructure try-catch blocks in Fuzzilli

Previously, the wasm try catch would look somewhat like this in FuzzIL:
  try -> L:v1
    throw v2
    v3 = 123
    catch v2 -> v4
      // v3 is visible here but it may not be initialized.
    endcatch
    // the code generator might still insert more regular wasm
    // statements here...
  endtry

This CL changes that to:
  try -> L:v1
    throw v2
    v3 = 123
  catch v2 -> L:v4 v5
    // v3 is not visible here.
  endtry

where the catch block finishes the try block and starts a new block at
the same time (for the catch content). The endtry therefore is an end
block for either `try`, `catch`, or `catch_all`.

Change-Id: If61b1c4fd99c630c1fb879cd4db310d7c5509018
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/7967834
Reviewed-by: Carl Smith <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -3301,24 +3301,22 @@ public class ProgramBuilder {
             return b.emit(WasmEndLoop(outputType: signature.outputType), withInputs: [fallthroughResult]).output
         }
 
-        public func wasmBuildLegacyTry(with signature: Signature, args: [Variable], body: (Variable, [Variable]) -> Void, catchAllBody: (() -> Void)? = nil) {
+        public func wasmBuildLegacyTry(with signature: Signature, args: [Variable], body: (Variable, [Variable]) -> Void, catchAllBody: ((Variable) -> Void)? = nil) {
             assert(signature.parameters.count == args.count)
             let instr = b.emit(WasmBeginTry(with: signature), withInputs: args)
             body(instr.innerOutput(0), Array(instr.innerOutputs(1...)))
             if let catchAllBody = catchAllBody {
-                b.emit(WasmBeginCatchAll(with: signature))
-                catchAllBody()
-                b.emit(WasmEndCatch())
+                let instr = b.emit(WasmBeginCatchAll(with: signature))
+                catchAllBody(instr.innerOutput(0))
             }
             b.emit(WasmEndTry())
         }
 
-        public func WasmBuildLegacyCatch(tag: Variable, body: ((Variable, [Variable]) -> Void)) {
+        public func WasmBuildLegacyCatch(tag: Variable, body: ((Variable, Variable, [Variable]) -> Void)) {
             // TODO(mliedtke): A catch block can produce a result type, however that result type
             // has to be in sync with the try result type (afaict).
             let instr = b.emit(WasmBeginCatch(with: b.type(of: tag).wasmTagType!.parameters => .nothing), withInputs: [tag])
-            body(instr.innerOutput(0), Array(instr.innerOutputs(1...)))
-            b.emit(WasmEndCatch())
+            body(instr.innerOutput(0), instr.innerOutput(1), Array(instr.innerOutputs(2...)))
         }
 
         public func WasmBuildThrow(tag: Variable, inputs: [Variable]) {
@@ -3327,9 +3325,9 @@ public class ProgramBuilder {
             b.emit(WasmThrow(parameters: tagType.parameters), withInputs: [tag] + inputs)
         }
 
-        public func wasmBuildRethrow(_ exception: Variable) {
-            assert(b.type(of: exception).Is(.exceptionLabel))
-            b.emit(WasmRethrow(), withInputs: [exception])
+        public func wasmBuildRethrow(_ exceptionLabel: Variable) {
+            assert(b.type(of: exceptionLabel).Is(.exceptionLabel))
+            b.emit(WasmRethrow(), withInputs: [exceptionLabel])
         }
 
         public func wasmBuildLegacyTryDelegate(with signature: Signature, args: [Variable], body: (Variable, [Variable]) -> Void, delegate: Variable) {

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -274,8 +274,7 @@ public let codeGeneratorWeights = [
     "WasmBlockWithSignatureGenerator":          8,
     "WasmLoopGenerator":                        8,
     "WasmLoopWithSignatureGenerator":           8,
-    "WasmLegacyTryGenerator":                   8,
-    "WasmLegacyCatchGenerator":                 8,
+    "WasmLegacyTryCatchGenerator":              8,
     "WasmLegacyTryDelegateGenerator":           8,
     "WasmThrowGenerator":                       2,
     "WasmRethrowGenerator":                     10,

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -88,12 +88,12 @@ public let WasmCodeGenerators: [CodeGenerator] = [
                     b.buildRecursive(block: blockIndex, of: blockCount, n: 4)
                     blockIndex += 1
                     for _ in 0..<catchCount {
-                        function.WasmBuildLegacyCatch(tag: b.randomVariable(ofType: .object(ofGroup: "WasmTag"))!) { exception, args in
+                        function.WasmBuildLegacyCatch(tag: b.randomVariable(ofType: .object(ofGroup: "WasmTag"))!) { label, exception, args in
                             b.buildRecursive(block: blockIndex, of: blockCount, n: 4)
                             blockIndex += 1
                         }
                     }
-                }, catchAllBody: emitCatchAll == 1 ? {
+                }, catchAllBody: emitCatchAll == 1 ? { label in
                     b.buildRecursive(block: blockIndex, of: blockCount, n: 4)
                     blockIndex += 1
                 } : nil)
@@ -612,22 +612,23 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         }
     },
 
-    RecursiveCodeGenerator("WasmLegacyTryGenerator", inContext: .wasmFunction) { b in
+    RecursiveCodeGenerator("WasmLegacyTryCatchGenerator", inContext: .wasmFunction) { b in
         let function = b.currentWasmModule.currentWasmFunction
         // Choose a few random wasm values as arguments if available.
+        // TODO(mliedtke): Make the argument count random here and in other block generators.
         let args = (0..<5).map {_ in b.findVariable {b.type(of: $0).Is(.wasmPrimitive)}}.filter {$0 != nil}.map {$0!}
         let parameters = args.map {arg in Parameter.plain(b.type(of: arg))}
+        let tags = (0..<Int.random(in: 0...5)).map {_ in b.findVariable { b.type(of: $0).isWasmTagType }}.filter {$0 != nil}.map {$0!}
+        let recursiveCallCount = 2 + tags.count
         function.wasmBuildLegacyTry(with: parameters => .nothing, args: args) { label, args in
-            b.buildRecursive(block: 1, of: 2, n: 4)
-        } catchAllBody: {
-            b.buildRecursive(block: 2, of: 2, n: 4)
-        }
-    },
-
-    RecursiveCodeGenerator("WasmLegacyCatchGenerator", inContext: .wasmTry, inputs: .required(.object(ofGroup: "WasmTag"))) { b, value in
-        let function = b.currentWasmModule.currentWasmFunction
-        function.WasmBuildLegacyCatch(tag: value) { exception, args in
-            b.buildRecursive()
+            b.buildRecursive(block: 1, of: recursiveCallCount, n: 4)
+            for (i, tag) in tags.enumerated() {
+                function.WasmBuildLegacyCatch(tag: tag) { _, _, _ in
+                    b.buildRecursive(block: 2 + i, of: recursiveCallCount, n: 4)
+                }
+            }
+        } catchAllBody: { label in
+            b.buildRecursive(block: 2 + tags.count, of: recursiveCallCount, n: 4)
         }
     },
 

Sources/Fuzzilli/FuzzIL/Analyzer.swift

@@ -128,7 +128,7 @@ struct VariableAnalyzer: Analyzer {
             let variablesInClosedScope = scopes.pop()
             visibleVariables.removeLast(variablesInClosedScope)
 
-            if instr.op is WasmOperation && !(instr.op is WasmEndCatch) {
+            if instr.op is WasmOperation {
                 assert(wasmBranchDepth > 0)
                 wasmBranchDepth -= 1
             }
@@ -141,9 +141,7 @@ struct VariableAnalyzer: Analyzer {
         // This code has to be somewhat careful since e.g. BeginElse both ends and begins a variable scope.
         if instr.isBlockStart {
             scopes.push(0)
-            // TODO(mliedtke): We should probably do this in a more generic way, e.g. adding an extra attribute?
-            // The WasmOperation check isn't required but this way the absolute value doesn't count non-wasm blocks.
-            if instr.op is WasmOperation && !(instr.op is WasmBeginCatch || instr.op is WasmBeginCatchAll) {
+            if instr.op is WasmOperation {
                 wasmBranchDepth += 1
             }
         }
@@ -178,7 +176,7 @@ struct ContextAnalyzer: Analyzer {
                 assert(contextStack.count >= 2)
 
                 // Currently we only support context "skipping" for switch blocks. This logic may need to be refined if it is ever used for other constructs as well.
-                assert((contextStack.top.contains(.switchBlock) && contextStack.top.subtracting(.switchBlock) == .empty) || contextStack.top.contains(.wasmTry))
+                assert((contextStack.top.contains(.switchBlock) && contextStack.top.subtracting(.switchBlock) == .empty))
 
                 newContext.formUnion(contextStack.secondToTop)
             }

Sources/Fuzzilli/FuzzIL/Context.swift

@@ -55,8 +55,6 @@ public struct Context: OptionSet {
     public static let wasmFunction      = Context(rawValue: 1 << 13)
     // Inside a block of a wasm function, allows branches
     public static let wasmBlock         = Context(rawValue: 1 << 14)
-    // Inside a wasm try block, allows catch blocks
-    public static let wasmTry           = Context(rawValue: 1 << 15)
 
     public static let empty             = Context([])
 

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1221,8 +1221,6 @@ extension Instruction: ProtobufConvertible {
                     $0.parameters = convertParametersToWasmTypeEnums(op.signature.parameters)
                     $0.returnType = ILTypeToWasmTypeEnum(op.signature.outputType)
                 }
-            case .wasmEndCatch(_):
-                $0.wasmEndCatch = Fuzzilli_Protobuf_WasmEndCatch()
             case .wasmEndTry(_):
                 $0.wasmEndTry = Fuzzilli_Protobuf_WasmEndTry()
             case .wasmBeginTryDelegate(let op):
@@ -2022,8 +2020,6 @@ extension Instruction: ProtobufConvertible {
                 Parameter.plain(WasmTypeEnumToILType(param))
             })
             op = WasmBeginCatch(with: parameters => WasmTypeEnumToILType(p.returnType))
-        case .wasmEndCatch(_):
-            op = WasmEndCatch()
         case .wasmEndTry(_):
             op = WasmEndTry()
         case .wasmBeginTryDelegate(let p):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -115,6 +115,7 @@ public struct JSTyper: Analyzer {
                  .wasmBeginElse(_),
                  .wasmBeginTry(_),
                  .wasmBeginCatch(_),
+                 .wasmBeginCatchAll(_),
                  .wasmBeginTryDelegate(_):
                 // Type all the innerOutputs
                 for (innerOutput, paramType) in zip(instr.innerOutputs, (instr.op as! WasmOperation).innerOutputTypes) {

Sources/Fuzzilli/FuzzIL/Opcodes.swift

@@ -293,7 +293,6 @@ enum Opcode {
     case wasmBeginTry(WasmBeginTry)
     case wasmBeginCatchAll(WasmBeginCatchAll)
     case wasmBeginCatch(WasmBeginCatch)
-    case wasmEndCatch(WasmEndCatch)
     case wasmEndTry(WasmEndTry)
     case wasmBeginTryDelegate(WasmBeginTryDelegate)
     case wasmEndTryDelegate(WasmEndTryDelegate)

Sources/Fuzzilli/FuzzIL/Semantics.swift

@@ -228,11 +228,11 @@ extension Operation {
             return endOp is WasmEndBlock
         case .wasmBeginLoop:
             return endOp is WasmEndLoop
-        case .wasmBeginTry:
-            return endOp is WasmEndTry
-        case .wasmBeginCatchAll,
+        case .wasmBeginTry,
              .wasmBeginCatch:
-            return endOp is WasmEndCatch
+            return endOp is WasmEndTry || endOp is WasmBeginCatch || endOp is WasmBeginCatchAll
+        case .wasmBeginCatchAll:
+            return endOp is WasmEndTry
         case .wasmBeginTryDelegate:
             return endOp is WasmEndTryDelegate
         case .wasmBeginIf:

Sources/Fuzzilli/FuzzIL/TypeSystem.swift

@@ -175,8 +175,8 @@ public struct ILType: Hashable {
     // Internal types
 
     // This type is used to indicate block labels in wasm.
-    public static func label(_ parameterTypes: [ILType] = []) -> ILType {
-        return ILType(definiteType: .label, ext: TypeExtension(group: "WasmLabel", properties: [], methods: [], signature: nil, wasmExt: WasmLabelType(parameterTypes)))
+    public static func label(_ parameterTypes: [ILType] = [], isCatch: Bool = false) -> ILType {
+        return ILType(definiteType: .label, ext: TypeExtension(group: "WasmLabel", properties: [], methods: [], signature: nil, wasmExt: WasmLabelType(parameterTypes, isCatch: isCatch)))
     }
 
     public static let anyLabel: ILType = ILType(definiteType: .label, ext: TypeExtension(group: "WasmLabel", properties: [], methods: [], signature: nil, wasmExt: nil))
@@ -1008,19 +1008,22 @@ public class WasmLabelType: WasmTypeExtension {
     // when branching to this label. This is the list of result types for all wasm blocks excluding
     // the loop for which the parameter types are the parameter types of the block. (This is caused
     // by the branch instruction branching to the loop header and not the loop end.)
-    public let parameters: [ILType]
+    let parameters: [ILType]
+    let isCatch: Bool
 
     override func isEqual(to other: WasmTypeExtension) -> Bool {
         guard let other = other as? WasmLabelType else { return false }
-        return self.parameters == other.parameters
+        return self.parameters == other.parameters && self.isCatch == other.isCatch
     }
 
     override public func hash(into hasher: inout Hasher) {
         hasher.combine(parameters)
+        hasher.combine(isCatch)
     }
 
-    init(_ parameters: [ILType]) {
+    init(_ parameters: [ILType], isCatch: Bool) {
         self.parameters = parameters
+        self.isCatch = isCatch
     }
 }