[wasm] Implement subtyping between abstract and index types

Liedtke · V8-internal LUCI CQ · commit 73b6641b91a6 · 2025-07-28T03:29:43.000-07:00
Change-Id: I2fff66108fdd99b64fdf26c9643879fb8c075c29 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8447376 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Manos Koukoutos <manoskouk@google.com>
diff --git a/Sources/Fuzzilli/FuzzIL/TypeSystem.swift b/Sources/Fuzzilli/FuzzIL/TypeSystem.swift
@@ -241,9 +241,7 @@ public struct ILType: Hashable {
     }
 
     static func wasmSelfReference() -> ILType {
-        let type = wasmTypeDef()
-        type.wasmTypeDefinition!.description = .selfReference
-        return type
+        wasmTypeDef(description: .selfReference)
     }
 
     static func wasmRef(_ kind: WasmReferenceType.Kind, nullability: Bool) -> ILType {
@@ -252,7 +250,7 @@ public struct ILType: Hashable {
             wasmExt: WasmReferenceType(kind, nullability: nullability)))
     }
 
-    static func wasmIndexRef(_ desc: WasmTypeDescription?, nullability: Bool) -> ILType {
+    static func wasmIndexRef(_ desc: WasmTypeDescription, nullability: Bool) -> ILType {
         return wasmRef(.Index(UnownedWasmTypeDescription(desc)), nullability: nullability)
     }
 
@@ -1325,7 +1323,7 @@ public class WasmTypeDefinition: WasmTypeExtension {
 
     func getReferenceTypeTo(nullability: Bool) -> ILType {
         assert(description != nil)
-        return .wasmIndexRef(description, nullability: nullability)
+        return .wasmIndexRef(description!, nullability: nullability)
     }
 }
 
@@ -1455,23 +1453,72 @@ public class WasmReferenceType: WasmTypeExtension {
         case Index(UnownedWasmTypeDescription = UnownedWasmTypeDescription())
         case Abstract(WasmAbstractHeapType)
 
-        func subsumes(_ other: Kind) -> Bool {
+        func union(_ other: Self) -> Self? {
             switch self {
                 case .Index(let desc):
                     switch other {
                         case .Index(let otherDesc):
-                            return desc.get() == nil || desc.get() == otherDesc.get()
-                        case .Abstract(_):
-                            return false
+                            if desc.get() == nil || otherDesc.get() == nil {
+                                return .Index(.init())
+                            }
+                            if desc.get() == otherDesc.get() {
+                                return self
+                            }
+                            if let abstract = desc.get()?.abstractHeapSupertype,
+                               let otherAbstract = otherDesc.get()?.abstractHeapSupertype,
+                               let upperBound = abstract.union(otherAbstract) {
+                                return .Abstract(upperBound)
+                               }
+                        case .Abstract(let otherAbstract):
+                            if let abstractSuper = desc.get()?.abstractHeapSupertype,
+                               let upperBound = abstractSuper.union(otherAbstract) {
+                                return .Abstract(upperBound)
+                            }
                     }
                 case .Abstract(let heapType):
                     switch other {
-                        case .Index(_):
-                            return false
+                        case .Index(let otherDesc):
+                            if let otherAbstract = otherDesc.get()?.abstractHeapSupertype,
+                               let upperBound = heapType.union(otherAbstract) {
+                                return .Abstract(upperBound)
+                            }
+                        case .Abstract(let otherHeapType):
+                            if let upperBound = heapType.union(otherHeapType) {
+                                return .Abstract(upperBound)
+                            }
+                    }
+            }
+            return nil
+        }
+
+        func intersection(_ other: Self) -> Self? {
+            switch self {
+                case .Index(let desc):
+                    switch other {
+                        case .Index(let otherDesc):
+                            if desc.get() == otherDesc.get() || desc.get() == nil || otherDesc.get() == nil {
+                                return .Index(desc)
+                            }
+                        case .Abstract(let otherAbstract):
+                            if let abstractSuper = desc.get()?.abstractHeapSupertype,
+                               otherAbstract.subsumes(abstractSuper) {
+                                return self
+                            }
+                    }
+                case .Abstract(let heapType):
+                    switch other {
+                        case .Index(let otherDesc):
+                            if let otherAbstract = otherDesc.get()?.abstractHeapSupertype,
+                                heapType.subsumes(otherAbstract) {
+                                return other
+                            }
                         case .Abstract(let otherHeapType):
-                            return heapType.subsumes(otherHeapType)
+                            if let lowerBound = heapType.intersection(otherHeapType) {
+                                return .Abstract(lowerBound)
+                            }
                     }
             }
+            return nil
         }
     }
     var kind: Kind
@@ -1498,61 +1545,27 @@ public class WasmReferenceType: WasmTypeExtension {
 
     override func subsumes(_ other: WasmTypeExtension) -> Bool {
         guard let other = other as? WasmReferenceType else { return false }
-        return self.kind.subsumes(other.kind) && (self.nullability || !other.nullability)
+        return self.kind.union(other.kind) == self.kind && (self.nullability || !other.nullability)
     }
 
     override func union(_ other: WasmTypeExtension) -> WasmTypeExtension? {
         guard let other = other as? WasmReferenceType else { return nil }
-        // The union is nullable if either of the two types input types is nullable.
-        let nullability = self.nullability || other.nullability
-        // TODO(gc): Add subtyping between different index types, different abstract types and
-        // between index and abstract types.
-        switch self.kind {
-            case .Index(let desc):
-                switch other.kind {
-                    case .Index(let otherDesc):
-                        return desc.get() == otherDesc.get() ? WasmReferenceType(.Index(desc), nullability: nullability) : nil
-                    case .Abstract(_):
-                        return nil
-                }
-            case .Abstract(let heapType):
-                switch other.kind {
-                    case .Index(_):
-                        return nil
-                    case .Abstract(let otherHeapType):
-                        if let upperBound = heapType.union(otherHeapType) {
-                            return WasmReferenceType(.Abstract(upperBound), nullability: nullability)
-                        }
-                        return nil
-                }
+        if let kind = self.kind.union(other.kind) {
+            // The union is nullable if either of the two types input types is nullable.
+            let nullability = self.nullability || other.nullability
+            return WasmReferenceType(kind, nullability: nullability)
         }
+        return nil
     }
 
     override func intersection(_ other: WasmTypeExtension) -> WasmTypeExtension? {
         guard let other = other as? WasmReferenceType else { return nil }
-        // The intersection is nullable if both are nullable.
-        let nullability = self.nullability && other.nullability
-        // TODO(gc): Add subtyping between different index types, different abstract types and
-        // between index and abstract types.
-        switch self.kind {
-            case .Index(let desc):
-                switch other.kind {
-                    case .Index(let otherDesc):
-                        return desc.get() == otherDesc.get() ? WasmReferenceType(.Index(desc), nullability: nullability) : nil
-                    case .Abstract(_):
-                        return nil
-                }
-            case .Abstract(let heapType):
-                switch other.kind {
-                    case .Index(_):
-                        return nil
-                    case .Abstract(let otherHeapType):
-                        if let lowerBound = heapType.intersection(otherHeapType) {
-                            return WasmReferenceType(.Abstract(lowerBound), nullability: nullability)
-                        }
-                        return nil
-                }
+        if let kind = self.kind.intersection(other.kind) {
+            // The intersection is nullable if both are nullable.
+            let nullability = self.nullability && other.nullability
+            return WasmReferenceType(kind, nullability: nullability)
         }
+        return nil
     }
 
     override public func hash(into hasher: inout Hasher) {
@@ -1935,9 +1948,15 @@ func => (parameters: [ILType], returnTypes: [ILType]) -> WasmSignature {
 class WasmTypeDescription: Hashable {
     static let selfReference = WasmTypeDescription(typeGroupIndex: -1)
     public let typeGroupIndex: Int
+    // The "closest" super type that is an abstract type (.WasmArray for arrays, .WasmStruct for
+    // structs). It is nil for unresolved forward/self references for which the concrete abstract
+    // super type is still undecided.
+    public let abstractHeapSupertype: WasmAbstractHeapType?
 
-    init(typeGroupIndex: Int) {
+    // TODO(gc): We will also need to support subtyping of struct and array types at some point.
+    init(typeGroupIndex: Int, superType: WasmAbstractHeapType? = nil) {
         self.typeGroupIndex = typeGroupIndex
+        self.abstractHeapSupertype = superType
     }
 
     static func == (lhs: WasmTypeDescription, rhs: WasmTypeDescription) -> Bool {
@@ -1956,7 +1975,7 @@ class WasmArrayTypeDescription: WasmTypeDescription {
     init(elementType: ILType, mutability: Bool, typeGroupIndex: Int) {
         self.elementType = elementType
         self.mutability = mutability
-        super.init(typeGroupIndex: typeGroupIndex)
+        super.init(typeGroupIndex: typeGroupIndex, superType: .WasmArray)
     }
 }
 
@@ -1975,6 +1994,6 @@ class WasmStructTypeDescription: WasmTypeDescription {
 
     init(fields: [Field], typeGroupIndex: Int) {
         self.fields = fields
-        super.init(typeGroupIndex: typeGroupIndex)
+        super.init(typeGroupIndex: typeGroupIndex, superType: .WasmStruct)
     }
 }
diff --git a/Tests/FuzzilliTests/ProgramBuilderTest.swift b/Tests/FuzzilliTests/ProgramBuilderTest.swift
@@ -2744,4 +2744,104 @@ class ProgramBuilderTests: XCTestCase {
 
         XCTAssertEqual(typesB.count, 1)
     }
+
+    func testWasmGCSubtyping() {
+        let env = JavaScriptEnvironment()
+        let config = Configuration(logLevel: .error)
+        let fuzzer = makeMockFuzzer(config: config, environment: env)
+        let b = fuzzer.makeBuilder()
+
+        let typeGroupA = b.wasmDefineTypeGroup {
+            [b.wasmDefineArrayType(elementType: .wasmi32, mutability: true),
+            b.wasmDefineStructType(fields: [.init(type: .wasmi64, mutability: false)], indexTypes: [])]
+        }
+        let arrayDefI32 = typeGroupA[0]
+        let structDef = typeGroupA[1]
+        let arrayDefI32B = b.wasmDefineTypeGroup {
+            [b.wasmDefineArrayType(elementType: .wasmi32, mutability: true)]
+        }[0]
+
+        let arrayDefI32Type = b.type(of: arrayDefI32)
+        let structDefType = b.type(of: structDef)
+        let arrayDefI32BType = b.type(of: arrayDefI32B)
+
+        XCTAssert(arrayDefI32Type.Is(.wasmTypeDef()))
+        XCTAssert(structDefType.Is(.wasmTypeDef()))
+        XCTAssert(arrayDefI32BType.Is(.wasmTypeDef()))
+        // The type of a type definition may not be confused with the type of an instance of such
+        // struct / array.
+        XCTAssertFalse(arrayDefI32Type.Is(.wasmGenericRef))
+        XCTAssertFalse(structDefType.Is(.wasmGenericRef))
+        XCTAssertFalse(arrayDefI32BType.Is(.wasmGenericRef))
+
+        b.buildWasmModule { wasmModule in
+            wasmModule.addWasmFunction(with: [.wasmi32] => []) { function, label, args in
+                let arrayI32 = function.wasmArrayNewFixed(arrayType: arrayDefI32, elements: [])
+                let arrayI32Type = b.type(of: arrayI32)
+                XCTAssert(arrayI32Type.Is(.wasmRef(.Index(), nullability: true)))
+                XCTAssert(arrayI32Type.Is(.wasmRef(.Index(), nullability: false)))
+                XCTAssert(arrayI32Type.Is(.wasmRef(.Abstract(.WasmArray), nullability: true)))
+                XCTAssert(arrayI32Type.Is(.wasmRef(.Abstract(.WasmArray), nullability: false)))
+                XCTAssert(arrayI32Type.Is(.wasmRef(.Abstract(.WasmEq), nullability: true)))
+                XCTAssert(arrayI32Type.Is(.wasmRef(.Abstract(.WasmEq), nullability: false)))
+                XCTAssert(arrayI32Type.Is(.wasmRef(.Abstract(.WasmAny), nullability: true)))
+                XCTAssert(arrayI32Type.Is(.wasmRef(.Abstract(.WasmAny), nullability: false)))
+                XCTAssertFalse(arrayI32Type.Is(.wasmRef(.Abstract(.WasmStruct), nullability: true)))
+                XCTAssertFalse(arrayI32Type.Is(.wasmRef(.Abstract(.WasmStruct), nullability: false)))
+                XCTAssertFalse(arrayI32Type.Is(.wasmRef(.Abstract(.WasmExn), nullability: false)))
+
+                let arrayI32B = function.wasmArrayNewFixed(arrayType: arrayDefI32B, elements: [])
+                let arrayI32BType = b.type(of: arrayI32B)
+                XCTAssertFalse(arrayI32BType.Is(arrayI32Type))
+                XCTAssertFalse(arrayI32Type.Is(arrayI32BType))
+                let refArrayType = ILType.wasmRef(.Abstract(.WasmArray), nullability: false)
+                XCTAssertEqual(arrayI32Type.union(with: arrayI32BType), refArrayType)
+                XCTAssertEqual(arrayI32BType.union(with: arrayI32Type), refArrayType)
+                XCTAssertEqual(arrayI32Type.intersection(with: arrayI32BType), .nothing)
+                XCTAssertEqual(arrayI32BType.intersection(with: arrayI32Type), .nothing)
+
+                let structVar = function.wasmStructNewDefault(structType: structDef)
+                let structType = b.type(of: structVar)
+                XCTAssert(structType.Is(.wasmRef(.Index(), nullability: true)))
+                XCTAssert(structType.Is(.wasmRef(.Index(), nullability: false)))
+                XCTAssert(structType.Is(.wasmRef(.Abstract(.WasmStruct), nullability: false)))
+                XCTAssert(structType.Is(.wasmRef(.Abstract(.WasmEq), nullability: false)))
+                XCTAssert(structType.Is(.wasmRef(.Abstract(.WasmAny), nullability: false)))
+                XCTAssertFalse(structType.Is(.wasmRef(.Abstract(.WasmArray), nullability: true)))
+                XCTAssertFalse(structType.Is(.wasmRef(.Abstract(.WasmArray), nullability: false)))
+                XCTAssertFalse(structType.Is(.wasmRef(.Abstract(.WasmExn), nullability: false)))
+
+                let refEqType = ILType.wasmRef(.Abstract(.WasmEq), nullability: false)
+                XCTAssertEqual(structType.union(with: arrayI32Type), refEqType)
+                XCTAssertEqual(arrayI32Type.union(with: structType), refEqType)
+                XCTAssertEqual(structType.intersection(with: arrayI32Type), .nothing)
+                XCTAssertEqual(arrayI32Type.intersection(with: structType), .nothing)
+
+                let i31 = function.wasmRefI31(function.consti32(42))
+                let i31Type = b.type(of: i31)
+                XCTAssertFalse(i31Type.Is(.wasmRef(.Index(), nullability: true)))
+                XCTAssert(i31Type.Is(.wasmRef(.Abstract(.WasmEq), nullability: false)))
+                XCTAssert(i31Type.Is(.wasmRef(.Abstract(.WasmAny), nullability: false)))
+                XCTAssertFalse(i31Type.Is(.wasmRef(.Abstract(.WasmArray), nullability: false)))
+                XCTAssertFalse(i31Type.Is(.wasmRef(.Abstract(.WasmStruct), nullability: false)))
+                XCTAssertFalse(i31Type.Is(.wasmRef(.Abstract(.WasmExn), nullability: false)))
+
+                XCTAssertEqual(structType.union(with: i31Type), refEqType)
+                XCTAssertEqual(arrayI32Type.union(with: i31Type), refEqType)
+                XCTAssertEqual(i31Type.union(with: refEqType), refEqType)
+                XCTAssertEqual(refArrayType.union(with: i31Type), refEqType)
+                let refStructType = ILType.wasmRef(.Abstract(.WasmStruct), nullability: false)
+                XCTAssertEqual(i31Type.union(with: refStructType), refEqType)
+
+                XCTAssertEqual(i31Type.intersection(with: refEqType), i31Type)
+                XCTAssertEqual(refEqType.intersection(with: i31Type), i31Type)
+                let refNone = ILType.wasmRef(.Abstract(.WasmNone), nullability: false)
+                XCTAssertEqual(i31Type.intersection(with: refArrayType), refNone)
+                XCTAssertEqual(refStructType.intersection(with: i31Type), refNone)
+                XCTAssertEqual(i31Type.intersection(with: .wasmExnRef), .nothing)
+
+                return []
+            }
+        }
+    }
 }
