Add wasm select instruction

Liedtke · V8-internal LUCI CQ · commit 706fda68e0bc · 2025-01-20T06:30:25.000-08:00
Change-Id: I69614762932b78d3d05d87528439035872d3bb90 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/7963008 Auto-Submit: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Carl Smith <cffsmith@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
diff --git a/Sources/Fuzzilli/Base/ProgramBuilder.swift b/Sources/Fuzzilli/Base/ProgramBuilder.swift
@@ -3328,6 +3328,11 @@ public class ProgramBuilder {
             b.emit(WasmUnreachable())
         }
 
+        @discardableResult
+        public func wasmSelect(type: ILType, on condition: Variable, trueValue: Variable, falseValue: Variable) -> Variable {
+            return b.emit(WasmSelect(type: type), withInputs: [trueValue, falseValue, condition]).output
+        }
+
         public func wasmReturn(_ returnVariable: Variable) {
             let returnType = b.type(of: returnVariable)
             b.emit(WasmReturn(returnType: returnType), withInputs: [returnVariable])
diff --git a/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift b/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift
@@ -291,4 +291,6 @@ public let codeGeneratorWeights = [
     "WasmI64x2SplatGenerator":                  10,
     "WasmI64x2ExtractLaneGenerator":            10,
     "WasmI64x2LoadSplatGenerator":              10,
+
+    "WasmSelectGenerator":                      10,
 ]
diff --git a/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift b/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift
@@ -633,6 +633,16 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         }
     },
 
+    CodeGenerator("WasmSelectGenerator", inContext: .wasmFunction, inputs: .required(.wasmi32)) { b, condition in
+        let function = b.currentWasmModule.currentWasmFunction
+        let supportedTypes : ILType = .wasmi32 | .wasmi64 | .wasmf32 | .wasmf64 | .wasmExternRef
+        // The condition is an i32, so we should always find at least that one as a possible input.
+        let trueValue = b.randomVariable(ofType: supportedTypes)!
+        let selectType = b.type(of: trueValue)
+        let falseValue = b.randomVariable(ofType: selectType)!
+        function.wasmSelect(type: selectType, on: condition, trueValue: trueValue, falseValue: falseValue)
+    },
+
     CodeGenerator("WasmThrowGenerator", inContext: .wasmFunction, inputs: .required(.object(ofGroup: "WasmTag"))) { b, tag in
         let function = b.currentWasmModule.currentWasmFunction
         let wasmTagType = b.type(of: tag).wasmTagType!
diff --git a/Sources/Fuzzilli/FuzzIL/Instruction.swift b/Sources/Fuzzilli/FuzzIL/Instruction.swift
@@ -1252,6 +1252,10 @@ extension Instruction: ProtobufConvertible {
                 fatalError("Should never be serialized")
             case .wasmUnreachable(_):
                 $0.wasmUnreachable = Fuzzilli_Protobuf_WasmUnreachable()
+            case .wasmSelect(let op):
+                $0.wasmSelect = Fuzzilli_Protobuf_WasmSelect.with {
+                    $0.type = ILTypeToWasmTypeEnum(op.type)
+                }
             case .constSimd128(let op):
                 $0.constSimd128 = Fuzzilli_Protobuf_ConstSimd128.with { $0.value = op.value.map{ UInt32($0) } }
             case .wasmSimd128IntegerUnOp(let op):
@@ -2037,6 +2041,8 @@ extension Instruction: ProtobufConvertible {
             fatalError("Should never be deserialized!")
         case .wasmUnreachable(_):
             op = WasmUnreachable()
+        case .wasmSelect(let p):
+            op = WasmSelect(type: WasmTypeEnumToILType(p.type))
         case .constSimd128(let p):
             op = ConstSimd128(value: p.value.map{ UInt8($0) })
         case .wasmSimd128IntegerUnOp(let p):
diff --git a/Sources/Fuzzilli/FuzzIL/Opcodes.swift b/Sources/Fuzzilli/FuzzIL/Opcodes.swift
@@ -312,4 +312,5 @@ enum Opcode {
     case wasmI64x2LoadSplat(WasmI64x2LoadSplat)
 
     case wasmUnreachable(WasmUnreachable)
+    case wasmSelect(WasmSelect)
 }
diff --git a/Sources/Fuzzilli/FuzzIL/WasmOperations.swift b/Sources/Fuzzilli/FuzzIL/WasmOperations.swift
@@ -932,6 +932,19 @@ final class WasmJsCall: WasmOperation {
     }
 }
 
+final class WasmSelect: WasmOperation {
+    override var opcode: Opcode { .wasmSelect(self) }
+    let type: ILType
+
+    init(type: ILType) {
+        self.type = type
+        // Note that the condition is the third input. This is due to the lifting that pushes all
+        // inputs to the value stack in reverse order (and the select expects the condition as the
+        // first value on the stack.)
+        super.init(inputTypes: [type, type, .wasmi32], outputType: type, requiredContext: [.wasmFunction])
+    }
+}
+
 final class WasmBeginBlock: WasmOperation {
     override var opcode: Opcode { .wasmBeginBlock(self) }
 
diff --git a/Sources/Fuzzilli/Lifting/FuzzILLifter.swift b/Sources/Fuzzilli/Lifting/FuzzILLifter.swift
@@ -1069,6 +1069,9 @@ public class FuzzILLifter: Lifter {
         case .wasmUnreachable:
             w.emit("WasmUnreachable")
 
+        case .wasmSelect(let op):
+            w.emit("\(output()) <- WasmSelect[\(op.type)] \(input(2)) ? \(input(0)) : \(input(1))")
+
         case .constSimd128(let op):
             w.emit("\(output()) <- ConstSimd128 \(op.value)")
 
diff --git a/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift b/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -1599,6 +1599,7 @@ public class JavaScriptLifter: Lifter {
                  .wasmEndIf(_),
                  .wasmNop(_),
                  .wasmUnreachable(_),
+                 .wasmSelect(_),
                  .constSimd128(_),
                  .wasmSimd128IntegerUnOp(_),
                  .wasmSimd128IntegerBinOp(_),
diff --git a/Sources/Fuzzilli/Lifting/WasmLifter.swift b/Sources/Fuzzilli/Lifting/WasmLifter.swift
@@ -1436,6 +1436,8 @@ public class WasmLifter {
             return Data([0x01])
         case .wasmUnreachable(_):
             return Data([0x00])
+        case .wasmSelect(let op):
+            return Data([0x1c, 0x01]) + ILTypeMapping[op.type]!
         case .constSimd128(let op):
             return Data([0xFD]) + Leb128.unsignedEncode(12) + Data(op.value)
         case .wasmSimd128IntegerUnOp(let op):
diff --git a/Sources/Fuzzilli/Mutators/OperationMutator.swift b/Sources/Fuzzilli/Mutators/OperationMutator.swift
@@ -558,6 +558,7 @@ public class OperationMutator: BaseInstructionMutator {
              .wasmEndIf(_),
              .wasmNop(_),
              .wasmUnreachable(_),
+             .wasmSelect(_),
              .wasmDefineTag(_):
              assert(!instr.isOperationMutable)
              fatalError("Unexpected Operation")
diff --git a/Sources/Fuzzilli/Protobuf/operations.pb.swift b/Sources/Fuzzilli/Protobuf/operations.pb.swift
@@ -1,5 +1,6 @@
 // DO NOT EDIT.
 // swift-format-ignore-file
+// swiftlint:disable all
 //
 // Generated by the Swift generator plugin for the protocol buffer compiler.
 // Source: operations.proto
@@ -21,7 +22,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-import Foundation
 import SwiftProtobuf
 
 // If the compiler emits an error on this type, it is because this file
@@ -4185,6 +4185,18 @@ public struct Fuzzilli_Protobuf_WasmUnreachable: Sendable {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_WasmSelect: Sendable {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var type: Fuzzilli_Protobuf_WasmILType = .consti32
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 public struct Fuzzilli_Protobuf_ConstSimd128: Sendable {
   // SwiftProtobuf.Message conformance is added in an extension below. See the
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
@@ -12186,6 +12198,38 @@ extension Fuzzilli_Protobuf_WasmUnreachable: SwiftProtobuf.Message, SwiftProtobu
   }
 }
 
+extension Fuzzilli_Protobuf_WasmSelect: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".WasmSelect"
+  public static let _protobuf_nameMap: SwiftProtobuf._NameMap = [
+    1: .same(proto: "type"),
+  ]
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    while let fieldNumber = try decoder.nextFieldNumber() {
+      // The use of inline closures is to circumvent an issue where the compiler
+      // allocates stack space for every case branch when no optimizations are
+      // enabled. https://github.com/apple/swift-protobuf/issues/1034
+      switch fieldNumber {
+      case 1: try { try decoder.decodeSingularEnumField(value: &self.type) }()
+      default: break
+      }
+    }
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    if self.type != .consti32 {
+      try visitor.visitSingularEnumField(value: self.type, fieldNumber: 1)
+    }
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_WasmSelect, rhs: Fuzzilli_Protobuf_WasmSelect) -> Bool {
+    if lhs.type != rhs.type {return false}
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
+
 extension Fuzzilli_Protobuf_ConstSimd128: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".ConstSimd128"
   public static let _protobuf_nameMap: SwiftProtobuf._NameMap = [
diff --git a/Sources/Fuzzilli/Protobuf/operations.proto b/Sources/Fuzzilli/Protobuf/operations.proto
@@ -1210,6 +1210,10 @@ message WasmNop {
 message WasmUnreachable {
 }
 
+message WasmSelect {
+    WasmILType type = 1;
+}
+
 message ConstSimd128 {
     repeated uint32 value = 1;
 }
diff --git a/Sources/Fuzzilli/Protobuf/program.pb.swift b/Sources/Fuzzilli/Protobuf/program.pb.swift
@@ -1,5 +1,6 @@
 // DO NOT EDIT.
 // swift-format-ignore-file
+// swiftlint:disable all
 //
 // Generated by the Swift generator plugin for the protocol buffer compiler.
 // Source: program.proto
@@ -2256,6 +2257,14 @@ public struct Fuzzilli_Protobuf_Instruction: Sendable {
     set {operation = .wasmUnreachable(newValue)}
   }
 
+  public var wasmSelect: Fuzzilli_Protobuf_WasmSelect {
+    get {
+      if case .wasmSelect(let v)? = operation {return v}
+      return Fuzzilli_Protobuf_WasmSelect()
+    }
+    set {operation = .wasmSelect(newValue)}
+  }
+
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
   public enum OneOf_Operation: Equatable, Sendable {
@@ -2535,6 +2544,7 @@ public struct Fuzzilli_Protobuf_Instruction: Sendable {
     case wasmI64X2ExtractLane(Fuzzilli_Protobuf_WasmI64x2ExtractLane)
     case wasmI64X2LoadSplat(Fuzzilli_Protobuf_WasmI64x2LoadSplat)
     case wasmUnreachable(Fuzzilli_Protobuf_WasmUnreachable)
+    case wasmSelect(Fuzzilli_Protobuf_WasmSelect)
 
   }
 
@@ -2861,6 +2871,7 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
     275: .same(proto: "wasmI64x2ExtractLane"),
     276: .same(proto: "wasmI64x2LoadSplat"),
     277: .same(proto: "wasmUnreachable"),
+    278: .same(proto: "wasmSelect"),
   ]
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
@@ -6453,6 +6464,19 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
           self.operation = .wasmUnreachable(v)
         }
       }()
+      case 278: try {
+        var v: Fuzzilli_Protobuf_WasmSelect?
+        var hadOneofValue = false
+        if let current = self.operation {
+          hadOneofValue = true
+          if case .wasmSelect(let m) = current {v = m}
+        }
+        try decoder.decodeSingularMessageField(value: &v)
+        if let v = v {
+          if hadOneofValue {try decoder.handleConflictingOneOf()}
+          self.operation = .wasmSelect(v)
+        }
+      }()
       default: break
       }
     }
@@ -7571,6 +7595,10 @@ extension Fuzzilli_Protobuf_Instruction: SwiftProtobuf.Message, SwiftProtobuf._M
       guard case .wasmUnreachable(let v)? = self.operation else { preconditionFailure() }
       try visitor.visitSingularMessageField(value: v, fieldNumber: 277)
     }()
+    case .wasmSelect?: try {
+      guard case .wasmSelect(let v)? = self.operation else { preconditionFailure() }
+      try visitor.visitSingularMessageField(value: v, fieldNumber: 278)
+    }()
     case nil: break
     }
     try unknownFields.traverse(visitor: &visitor)
diff --git a/Sources/Fuzzilli/Protobuf/program.proto b/Sources/Fuzzilli/Protobuf/program.proto
@@ -301,6 +301,7 @@ message Instruction {
         WasmI64x2ExtractLane wasmI64x2ExtractLane = 275;
         WasmI64x2LoadSplat wasmI64x2LoadSplat = 276;
         WasmUnreachable wasmUnreachable = 277;
+        WasmSelect wasmSelect = 278;
     }
 }
 
diff --git a/Sources/Fuzzilli/Protobuf/sync.pb.swift b/Sources/Fuzzilli/Protobuf/sync.pb.swift
@@ -1,5 +1,6 @@
 // DO NOT EDIT.
 // swift-format-ignore-file
+// swiftlint:disable all
 //
 // Generated by the Swift generator plugin for the protocol buffer compiler.
 // Source: sync.proto
diff --git a/Tests/FuzzilliTests/WasmTests.swift b/Tests/FuzzilliTests/WasmTests.swift
@@ -1353,6 +1353,43 @@ class WasmFoundationTests: XCTestCase {
         let jsProg = fuzzer.lifter.lift(prog)
         testForOutput(program: jsProg, runner: runner, outputString: "Caught wasm trap\n")
     }
+
+    func testSelect() throws {
+        let runner = try GetJavaScriptExecutorOrSkipTest()
+        let liveTestConfig = Configuration(logLevel: .error, enableInspection: true)
+        let fuzzer = makeMockFuzzer(config: liveTestConfig, environment: JavaScriptEnvironment())
+        let b = fuzzer.makeBuilder()
+
+        let module = b.buildWasmModule { wasmModule in
+            wasmModule.addWasmFunction(with: [.wasmi32] => .wasmi64) { function, args in
+                function.wasmReturn(function.wasmSelect(type: .wasmi64, on: args[0],
+                    trueValue: function.consti64(123), falseValue: function.consti64(321)))
+            }
+
+            wasmModule.addWasmFunction(with: [.wasmi32, .wasmExternRef, .wasmExternRef] => .wasmExternRef) { function, args in
+                function.wasmReturn(function.wasmSelect(type: .wasmExternRef, on: args[0], trueValue: args[1], falseValue: args[2]))
+            }
+        }
+
+        let exports = module.loadExports()
+        let outputFunc = b.createNamedVariable(forBuiltin: "output")
+        // Select with i64.
+        var wasmOut = b.callMethod(module.getExportedMethod(at: 0), on: exports, withArgs: [b.loadInt(0)])
+        b.callFunction(outputFunc, withArgs: [b.callMethod("toString", on: wasmOut)])
+        wasmOut = b.callMethod(module.getExportedMethod(at: 0), on: exports, withArgs: [b.loadInt(1)])
+        b.callFunction(outputFunc, withArgs: [b.callMethod("toString", on: wasmOut)])
+        // Select with externref.
+        let hello = b.loadString("Hello")
+        let world = b.loadString("World")
+        wasmOut = b.callMethod(module.getExportedMethod(at: 1), on: exports, withArgs: [b.loadInt(1), hello, world])
+        b.callFunction(outputFunc, withArgs: [wasmOut])
+        wasmOut = b.callMethod(module.getExportedMethod(at: 1), on: exports, withArgs: [b.loadInt(0), hello, world])
+        b.callFunction(outputFunc, withArgs: [wasmOut])
+
+        let prog = b.finalize()
+        let jsProg = fuzzer.lifter.lift(prog)
+        testForOutput(program: jsProg, runner: runner, outputString: "321\n123\nHello\nWorld\n")
+    }
 }
 
 class WasmNumericalTests: XCTestCase {

Original file line number	Diff line number	Diff line change
`@@ -291,4 +291,6 @@ public let codeGeneratorWeights = [`
`291`	`291`	`"WasmI64x2SplatGenerator": 10,`
`292`	`292`	`"WasmI64x2ExtractLaneGenerator": 10,`
`293`	`293`	`"WasmI64x2LoadSplatGenerator": 10,`
	`294`	`+`
	`295`	`+ "WasmSelectGenerator": 10,`
`294`	`296`	`]`
Original file line number	Diff line number	Diff line change
`@@ -312,4 +312,5 @@ enum Opcode {`
`312`	`312`	`case wasmI64x2LoadSplat(WasmI64x2LoadSplat)`
`313`	`313`
`314`	`314`	`case wasmUnreachable(WasmUnreachable)`
	`315`	`+ case wasmSelect(WasmSelect)`
`315`	`316`	`}`