[wasm] Add all missing wasm-gc MVP abstract heap types

This change adds all the missing heap types defined by the wasm-gc
MVP spec (and the exception-handling spec) but excludes newer specs
like core stack switching ("wasm fx") or shared-everything-threads.

Bug: 430198271
Change-Id: I964a5deca6537ce6eab915d31b948e17809068d9
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8440756
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Carl Smith <[email protected]>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -3738,6 +3738,8 @@ public class ProgramBuilder {
 
         @discardableResult
         public func wasmRefNull(type: ILType) -> Variable {
+            assert(type.isWasmReferenceType)
+            assert(type.wasmReferenceType!.isAbstract(), "index types must use .wasmRefNull(Variable)")
             return b.emit(WasmRefNull(type: type)).output
         }
 
@@ -3910,12 +3912,12 @@ public class ProgramBuilder {
 
     public func randomWasmBlockOutputTypes(upTo n: Int) -> [ILType] {
         // TODO(mliedtke): This should allow more types as well as non-nullable references for all
-        // // abstract heap types. To be able to emit them, generateRandomWasmVar() needs to be able
+        // abstract heap types. To be able to emit them, generateRandomWasmVar() needs to be able
         // to generate a sequence that produces such a non-nullable value which might be difficult
         // for some types as of now.
         (0..<Int.random(in: 0...n)).map {_ in chooseUniform(from:
-            [.wasmi32, .wasmi64, .wasmf32, .wasmf64, .wasmExternRef, .wasmFuncRef, .wasmExnRef,
-             .wasmI31Ref, .wasmRefI31, .wasmSimd128])}
+            [.wasmi32, .wasmi64, .wasmf32, .wasmf64, .wasmSimd128, .wasmRefI31]
+                + WasmAbstractHeapType.allCases.map {.wasmRef(.Abstract($0), nullability: true)})}
     }
 
     public func randomWasmBlockArguments(upTo n: Int) -> [Variable] {

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -398,6 +398,23 @@ extension Instruction: ProtobufConvertible {
                                     Fuzzilli_Protobuf_WasmReferenceTypeKind.funcref
                                 case .WasmExtern:
                                     Fuzzilli_Protobuf_WasmReferenceTypeKind.externref
+                                case .WasmAny:
+                                    Fuzzilli_Protobuf_WasmReferenceTypeKind.anyref
+                                case .WasmEq:
+                                    Fuzzilli_Protobuf_WasmReferenceTypeKind.eqref
+                                case .WasmStruct:
+                                    Fuzzilli_Protobuf_WasmReferenceTypeKind.structref
+                                case .WasmArray:
+                                    Fuzzilli_Protobuf_WasmReferenceTypeKind.arrayref
+                                case .WasmNone:
+                                    Fuzzilli_Protobuf_WasmReferenceTypeKind.noneref
+                                case .WasmNoExtern:
+                                    Fuzzilli_Protobuf_WasmReferenceTypeKind.noexternref
+                                case .WasmNoFunc:
+                                    Fuzzilli_Protobuf_WasmReferenceTypeKind.nofuncref
+                                case .WasmNoExn:
+                                    Fuzzilli_Protobuf_WasmReferenceTypeKind.noexnref
+
                             }
                             return Fuzzilli_Protobuf_WasmILType.with {
                                 $0.refType = Fuzzilli_Protobuf_WasmReferenceType.with {
@@ -1580,20 +1597,37 @@ extension Instruction: ProtobufConvertible {
                     fatalError("Unrecognized wasm value type \(value)")
                 }
             case .refType(_):
-                switch wasmType.refType.kind {
+                let refKind: WasmReferenceType.Kind = switch wasmType.refType.kind {
                 case .index:
-                    return .wasmRef(.Index(), nullability: wasmType.refType.nullability)
+                    .Index()
                 case .externref:
-                    return .wasmRef(.Abstract(.WasmExtern), nullability: wasmType.refType.nullability)
+                    .Abstract(.WasmExtern)
                 case .funcref:
-                    return .wasmRef(.Abstract(.WasmFunc), nullability: wasmType.refType.nullability)
+                    .Abstract(.WasmFunc)
                 case .exnref:
-                    return .wasmRef(.Abstract(.WasmExn), nullability: wasmType.refType.nullability)
+                    .Abstract(.WasmExn)
                 case .i31Ref:
-                    return .wasmRef(.Abstract(.WasmI31), nullability: wasmType.refType.nullability)
+                    .Abstract(.WasmI31)
+                case .anyref:
+                    .Abstract(.WasmAny)
+                case .eqref:
+                    .Abstract(.WasmEq)
+                case .structref:
+                    .Abstract(.WasmStruct)
+                case .arrayref:
+                    .Abstract(.WasmArray)
+                case .noneref:
+                    .Abstract(.WasmNone)
+                case .noexternref:
+                    .Abstract(.WasmNoExtern)
+                case .nofuncref:
+                    .Abstract(.WasmNoFunc)
+                case .noexnref:
+                    .Abstract(.WasmNoExn)
                 case .UNRECOGNIZED(let value):
                     fatalError("Unrecognized wasm reference type \(value)")
                 }
+                return .wasmRef(refKind, nullability: wasmType.refType.nullability)
             case .none:
                 fatalError("Absent wasm type")
             }

Sources/Fuzzilli/FuzzIL/TypeSystem.swift

@@ -1329,11 +1329,34 @@ public class WasmTypeDefinition: WasmTypeExtension {
     }
 }
 
+// TODO: Add continuation types for core stack switching.
+// TODO: Add shared bit for shared-everything-threads.
+// TODO: Add internal string type for JS string builtins.
 enum WasmAbstractHeapType: CaseIterable {
     case WasmExtern
     case WasmFunc
-    case WasmExn
+    case WasmAny
+    case WasmEq
     case WasmI31
+    case WasmStruct
+    case WasmArray
+    case WasmExn
+    case WasmNone
+    case WasmNoExtern
+    case WasmNoFunc
+    case WasmNoExn
+
+    // True if the type can be used from JS, i.e. either passing the value from JS as a parameter or
+    // returning the value to JS as a result. (exnrefs cannot be passed from/to JS and throw
+    // runtime errors when trying to do so.)
+    func isUsableInJS() -> Bool {
+        switch self {
+            case .WasmExn, .WasmNoExn:
+                return false
+            default:
+                return true
+        }
+    }
 }
 
 // A wrapper around a WasmTypeDescription without owning the WasmTypeDescription.
@@ -1387,6 +1410,15 @@ public class WasmReferenceType: WasmTypeExtension {
         self.nullability = nullability
     }
 
+    func isAbstract() -> Bool {
+        switch self.kind {
+            case .Abstract(_):
+                return true
+            case .Index(_):
+                return false
+        }
+    }
+
     override func isEqual(to other: WasmTypeExtension) -> Bool {
         guard let other = other as? WasmReferenceType else { return false }
         return kind == other.kind && self.nullability == other.nullability

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -527,10 +527,26 @@ public class WasmLifter {
                 return Data([0x6f])
             case .WasmFunc:
                 return Data([0x70])
+            case .WasmAny:
+                return Data([0x6e])
+            case .WasmEq:
+                return Data([0x6d])
             case .WasmI31:
                 return Data([0x6c])
+            case .WasmStruct:
+                return Data([0x6b])
+            case .WasmArray:
+                return Data([0x6a])
             case .WasmExn:
                 return Data([0x69])
+            case .WasmNone:
+                return Data([0x71])
+            case .WasmNoExtern:
+                return Data([0x72])
+            case .WasmNoFunc:
+                return Data([0x73])
+            case .WasmNoExn:
+                return Data([0x74])
         }
     }
 

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -620,6 +620,14 @@ public enum Fuzzilli_Protobuf_WasmReferenceTypeKind: SwiftProtobuf.Enum, Swift.C
   case funcref // = 2
   case exnref // = 3
   case i31Ref // = 4
+  case anyref // = 5
+  case eqref // = 6
+  case structref // = 7
+  case arrayref // = 8
+  case noneref // = 9
+  case noexternref // = 10
+  case nofuncref // = 11
+  case noexnref // = 12
   case UNRECOGNIZED(Int)
 
   public init() {
@@ -633,6 +641,14 @@ public enum Fuzzilli_Protobuf_WasmReferenceTypeKind: SwiftProtobuf.Enum, Swift.C
     case 2: self = .funcref
     case 3: self = .exnref
     case 4: self = .i31Ref
+    case 5: self = .anyref
+    case 6: self = .eqref
+    case 7: self = .structref
+    case 8: self = .arrayref
+    case 9: self = .noneref
+    case 10: self = .noexternref
+    case 11: self = .nofuncref
+    case 12: self = .noexnref
     default: self = .UNRECOGNIZED(rawValue)
     }
   }
@@ -644,6 +660,14 @@ public enum Fuzzilli_Protobuf_WasmReferenceTypeKind: SwiftProtobuf.Enum, Swift.C
     case .funcref: return 2
     case .exnref: return 3
     case .i31Ref: return 4
+    case .anyref: return 5
+    case .eqref: return 6
+    case .structref: return 7
+    case .arrayref: return 8
+    case .noneref: return 9
+    case .noexternref: return 10
+    case .nofuncref: return 11
+    case .noexnref: return 12
     case .UNRECOGNIZED(let i): return i
     }
   }
@@ -655,6 +679,14 @@ public enum Fuzzilli_Protobuf_WasmReferenceTypeKind: SwiftProtobuf.Enum, Swift.C
     .funcref,
     .exnref,
     .i31Ref,
+    .anyref,
+    .eqref,
+    .structref,
+    .arrayref,
+    .noneref,
+    .noexternref,
+    .nofuncref,
+    .noexnref,
   ]
 
 }
@@ -5546,6 +5578,14 @@ extension Fuzzilli_Protobuf_WasmReferenceTypeKind: SwiftProtobuf._ProtoNameProvi
     2: .same(proto: "FUNCREF"),
     3: .same(proto: "EXNREF"),
     4: .same(proto: "I31REF"),
+    5: .same(proto: "ANYREF"),
+    6: .same(proto: "EQREF"),
+    7: .same(proto: "STRUCTREF"),
+    8: .same(proto: "ARRAYREF"),
+    9: .same(proto: "NONEREF"),
+    10: .same(proto: "NOEXTERNREF"),
+    11: .same(proto: "NOFUNCREF"),
+    12: .same(proto: "NOEXNREF"),
   ]
 }
 

Sources/Fuzzilli/Protobuf/operations.proto

@@ -883,6 +883,14 @@ enum WasmReferenceTypeKind {
   FUNCREF = 2;
   EXNREF = 3;
   I31REF = 4;
+  ANYREF = 5;
+  EQREF = 6;
+  STRUCTREF = 7;
+  ARRAYREF = 8;
+  NONEREF = 9;
+  NOEXTERNREF = 10;
+  NOFUNCREF = 11;
+  NOEXNREF = 12;
 }
 
 message WasmReferenceType {

Tests/FuzzilliTests/TypeSystemTest.swift

@@ -1099,6 +1099,11 @@ class TypeSystemTests: XCTestCase {
         // Test union of merged types
         let strObjOrFuncObj = (ILType.string + ILType.object(withProperties: ["foo"])) | (ILType.function([.rest(.jsAnything)] => .float) + ILType.object(withProperties: ["foo"]))
         XCTAssertEqual(strObjOrFuncObj.description, ".string + .object(withProperties: [\"foo\"]) | .object(withProperties: [\"foo\"]) + .function()")
+
+        let nullExn = ILType.wasmRef(.Abstract(.WasmExn), nullability: true)
+        let nonNullAny = ILType.wasmRef(.Abstract(.WasmAny), nullability: false)
+        XCTAssertEqual(nullExn.description, ".wasmRef(.Abstract(null WasmExn))")
+        XCTAssertEqual(nonNullAny.description, ".wasmRef(.Abstract(WasmAny))")
     }
 
     func testWasmSubsumptionRules() {
@@ -1147,7 +1152,7 @@ class TypeSystemTests: XCTestCase {
         XCTAssertFalse(ILType.wasmGenericRef <= ILType.wasmRef(.Index(), nullability: true))
 
         // Test nullability rules for abstract Wasm types.
-        for heapType: WasmAbstractHeapType in [.WasmExn, .WasmExtern, .WasmFunc, .WasmI31] {
+        for heapType: WasmAbstractHeapType in WasmAbstractHeapType.allCases {
             let nullable = ILType.wasmRef(.Abstract(heapType), nullability: true)
             let nonNullable = ILType.wasmRef(.Abstract(heapType), nullability: false)
             XCTAssert(nonNullable.Is(nullable))

Tests/FuzzilliTests/WasmTests.swift

@@ -4226,7 +4226,7 @@ class WasmGCTests: XCTestCase {
         testForOutput(program: jsProg, runner: runner, outputString: "42\n")
     }
 
-    func testRefNull() throws {
+    func testRefNullIndexTypes() throws {
         let runner = try GetJavaScriptExecutorOrSkipTest()
         let liveTestConfig = Configuration(logLevel: .error, enableInspection: true)
         let fuzzer = makeMockFuzzer(config: liveTestConfig, environment: JavaScriptEnvironment())
@@ -4235,32 +4235,64 @@ class WasmGCTests: XCTestCase {
         let arrayType = b.wasmDefineTypeGroup {[b.wasmDefineArrayType(elementType: .wasmi32, mutability: true)]}[0]
 
         let module = b.buildWasmModule { wasmModule in
-            wasmModule.addWasmFunction(with: [] => [.wasmExternRef]) { function, args in
-                function.wasmReturn(function.wasmRefNull(type: .wasmExternRef))
-            }
-            wasmModule.addWasmFunction(with: [] => [.wasmFuncRef]) { function, args in
-                function.wasmReturn(function.wasmRefNull(type: .wasmFuncRef))
-            }
-            wasmModule.addWasmFunction(with: [] => [.wasmi32]) { function, args in
+            wasmModule.addWasmFunction(with: [] => [.wasmi32]) { function, label, args in
                 let refNull = function.wasmRefNull(typeDef: arrayType)
-                function.wasmRefIsNull(refNull)
+                return [function.wasmRefIsNull(refNull)]
             }
-            wasmModule.addWasmFunction(with: [] => [.wasmi32]) { function, args in
+            wasmModule.addWasmFunction(with: [] => [.wasmi32]) { function, label, args in
                 let array = function.wasmArrayNewFixed(arrayType: arrayType, elements: [])
-                function.wasmRefIsNull(array)
+                return [function.wasmRefIsNull(array)]
             }
         }
 
         let exports = module.loadExports()
         let outputFunc = b.createNamedVariable(forBuiltin: "output")
-        for i in 0..<4 {
+        for i in 0..<2 {
             let wasmOut = b.callMethod(module.getExportedMethod(at: i), on: exports, withArgs: [])
             b.callFunction(outputFunc, withArgs: [wasmOut])
         }
 
         let prog = b.finalize()
         let jsProg = fuzzer.lifter.lift(prog)
-        testForOutput(program: jsProg, runner: runner, outputString: "null\nnull\n1\n0\n")
+        testForOutput(program: jsProg, runner: runner, outputString: "1\n0\n")
+    }
+
+    func testRefNullAbstractTypes() throws {
+        let runner = try GetJavaScriptExecutorOrSkipTest()
+        let liveTestConfig = Configuration(logLevel: .error, enableInspection: true)
+        let fuzzer = makeMockFuzzer(config: liveTestConfig, environment: JavaScriptEnvironment())
+        let b = fuzzer.makeBuilder()
+
+        let module = b.buildWasmModule { wasmModule in
+            for heapType in WasmAbstractHeapType.allCases {
+                let valueType = ILType.wasmRef(.Abstract(heapType), nullability: true)
+                if heapType.isUsableInJS() {
+                    // ref.null <heapType>
+                    wasmModule.addWasmFunction(with: [] => [valueType]) { function, label, args in
+                        [function.wasmRefNull(type: valueType)]
+                    }
+                }
+                // ref.is_null(ref.null <heapType>)
+                wasmModule.addWasmFunction(with: [] => [.wasmi32]) { function, label, args in
+                    [function.wasmRefIsNull(function.wasmRefNull(type: valueType))]
+                }
+            }
+        }
+
+        let exports = module.loadExports()
+        let outputFunc = b.createNamedVariable(forBuiltin: "output")
+        let exportedFctCount = WasmAbstractHeapType.allCases.count
+                             + WasmAbstractHeapType.allCases.count {$0.isUsableInJS()}
+        for i in 0..<exportedFctCount {
+            let wasmOut = b.callMethod(module.getExportedMethod(at: i), on: exports, withArgs: [])
+            b.callFunction(outputFunc, withArgs: [wasmOut])
+        }
+
+        let prog = b.finalize()
+        let jsProg = fuzzer.lifter.lift(prog)
+        // In JS all null values look the same (they are the same).
+        let expected = WasmAbstractHeapType.allCases.map {$0.isUsableInJS() ? "null\n1\n" : "1\n"}.joined()
+        testForOutput(program: jsProg, runner: runner, outputString: expected)
     }
 
     func testI31Ref() throws {