[wasm] remove confusing ProgramBuilder.addWasmFunction overload

Liedtke · V8-internal LUCI CQ · commit c6695c2e39b3 · 2025-08-04T01:24:52.000-07:00
Since wasm functions support implicit fall-through of values and multiple return values, the old overload is not supposed to be used as it inserts random magic to provide input values for the EndWasmFunction operation. Change-Id: Ib9579a70812325db2dbe41d3881057eb5776c3d4 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8465496 Reviewed-by: Manos Koukoutos <manoskouk@google.com> Auto-Submit: Matthias Liedtke <mliedtke@google.com> Commit-Queue: Matthias Liedtke <mliedtke@google.com>
diff --git a/Sources/Fuzzilli/Base/ProgramBuilder.swift b/Sources/Fuzzilli/Base/ProgramBuilder.swift
@@ -3840,17 +3840,6 @@ public class ProgramBuilder {
         }
 
         // TODO: distinguish between exported and non-exported functions
-        @discardableResult
-        public func addWasmFunction(with signature: WasmSignature, _ body: (WasmFunction, [Variable]) -> ()) -> Variable {
-            let instr = b.emit(BeginWasmFunction(signature: signature))
-            // Ignore the label in this overload.
-            body(currentWasmFunction, Array(instr.innerOutputs.dropFirst()))
-            // TODO(mliedtke): Ideally we'd replace all overloads of this function to the new one
-            // expecting explicit return values.
-            let results = signature.outputTypes.map {b.randomVariable(ofType: $0) ?? currentWasmFunction.generateRandomWasmVar(ofType: $0)!}
-            return b.emit(EndWasmFunction(signature: signature), withInputs: results).output
-        }
-
         @discardableResult
         public func addWasmFunction(with signature: WasmSignature, _ body: (WasmFunction, Variable, [Variable]) -> [Variable]) -> Variable {
             let instr = b.emit(BeginWasmFunction(signature: signature))
diff --git a/Sources/Fuzzilli/CodeGen/ProgramTemplates.swift b/Sources/Fuzzilli/CodeGen/ProgramTemplates.swift
@@ -105,7 +105,7 @@ public let ProgramTemplates = [
         let wrapped = b.wrapSuspending(function: f!)
 
         let m = b.buildWasmModule { mod in
-            mod.addWasmFunction(with: [] => []) { fbuilder, _  in
+            mod.addWasmFunction(with: [] => []) { fbuilder, _, _  in
                 // This will create a bunch of locals, which should create large (>4KB) frames.
                 if probability(0.02) {
                     for _ in 0..<1000 {
@@ -120,6 +120,7 @@ public let ProgramTemplates = [
                     fbuilder.wasmJsCall(function: wrapped, withArgs: args, withWasmSignature: wasmSignature)
                 }
                 b.build(n: 4)
+                return []
             }
             if probability(0.2) {
                 b.build(n: 20)
@@ -156,7 +157,7 @@ public let ProgramTemplates = [
         let module = b.buildWasmModule { wasmModule in
             // Wasm function that throws a tag, catches a tag (the same or a different one) to
             // rethrow it again (or another exnref if present).
-            wasmModule.addWasmFunction(with: [] => []) { function, args in
+            wasmModule.addWasmFunction(with: [] => []) { function, label, args in
                 b.build(n: 10)
                 let caughtValues = function.wasmBuildBlockWithResults(with: [] => catchBlockOutputTypes, args: []) { catchRefLabel, _ in
                     // TODO(mliedtke): We should probably allow mutations of try_tables to make
@@ -173,6 +174,7 @@ public let ProgramTemplates = [
                 }
                 b.build(n: 10)
                 function.wasmBuildThrowRef(exception: b.randomVariable(ofType: .wasmExnRef)!)
+                return []
             }
         }
 
diff --git a/Sources/Fuzzilli/FuzzIL/TypeSystem.swift b/Sources/Fuzzilli/FuzzIL/TypeSystem.swift
@@ -1914,8 +1914,8 @@ public struct Signature: Hashable, CustomStringConvertible {
 }
 
 public struct WasmSignature: Hashable, CustomStringConvertible {
-    let parameterTypes: [ILType]
-    let outputTypes: [ILType]
+    public let parameterTypes: [ILType]
+    public let outputTypes: [ILType]
 
     init(expects parameters: [ILType], returns returnTypes: [ILType]) {
         self.parameterTypes = parameters
diff --git a/Sources/FuzzilliCli/Profiles/V8Profile.swift b/Sources/FuzzilliCli/Profiles/V8Profile.swift
@@ -499,16 +499,17 @@ fileprivate let WasmFastCallFuzzer = WasmProgramTemplate("WasmFastCallFuzzer") {
     let m = b.buildWasmModule { m in
         let allWasmTypes: WeightedList<ILType> = WeightedList([(.wasmi32, 1), (.wasmi64, 1), (.wasmf32, 1), (.wasmf64, 1), (.wasmExternRef, 1), (.wasmFuncRef, 1)])
         let wasmSignature = ProgramBuilder.convertJsSignatureToWasmSignature(wrappedSig, availableTypes: allWasmTypes)
-        m.addWasmFunction(with: wasmSignature) {fbuilder, _  in
+        m.addWasmFunction(with: wasmSignature) {fbuilder, _, _  in
             let args = b.randomWasmArguments(forWasmSignature: wasmSignature)
             if let args {
                 let maybeRet = fbuilder.wasmJsCall(function: wrapped, withArgs: args, withWasmSignature: wasmSignature)
                 if let ret = maybeRet {
-                  fbuilder.wasmReturn(ret)
+                  return [ret]
                 }
             } else {
                 logger.error("Arguments should have been generated")
             }
+            return wasmSignature.outputTypes.map(fbuilder.findOrGenerateWasmVar)
         }
     }
 
diff --git a/Tests/FuzzilliTests/JSTyperTests.swift b/Tests/FuzzilliTests/JSTyperTests.swift
@@ -1226,7 +1226,7 @@ class JSTyperTests: XCTestCase {
         let b = fuzzer.makeBuilder()
 
         b.buildWasmModule { m in
-            m.addWasmFunction(with: [] => []) { f, _ in
+            m.addWasmFunction(with: [] => []) { f, _, _ in
                 let ci32 = f.consti32(1337)
                 let ci64 = f.consti64(1338)
                 let cf32 = f.constf32(13.37)
@@ -1240,6 +1240,7 @@ class JSTyperTests: XCTestCase {
                 XCTAssertTrue(b.type(of: ci64).Is(.wasmPrimitive))
                 XCTAssertTrue(b.type(of: cf32).Is(.wasmPrimitive))
                 XCTAssertTrue(b.type(of: cf64).Is(.wasmPrimitive))
+                return []
             }
         }
     }
@@ -1546,7 +1547,7 @@ class JSTyperTests: XCTestCase {
             wasmModule.addTag(parameterTypes: [.wasmi32])
 
             // Function zero
-            wasmModule.addWasmFunction(with: [] => []) { function, _ in
+            wasmModule.addWasmFunction(with: [] => []) { function, _, _ in
                 // This forces an import of the wasmGlobalf64, second global
                 function.wasmLoadGlobal(globalVariable: wasmGlobalf64)
                 // This forces an import and a re-export of the jsTag.
@@ -1556,6 +1557,7 @@ class JSTyperTests: XCTestCase {
                     }
                 }
                 function.wasmUnreachable()
+                return []
             }
 
             // Function one
diff --git a/Tests/FuzzilliTests/LifterTest.swift b/Tests/FuzzilliTests/LifterTest.swift
@@ -3239,8 +3239,9 @@ class LifterTests: XCTestCase {
         b.reassign(table, to: table)
 
         b.buildWasmModule { m in
-            m.addWasmFunction(with: [] => []) { f, _ in
+            m.addWasmFunction(with: [] => []) { f, _, _ in
                 f.wasmCallIndirect(signature: [] => [], table: table, functionArgs: [], tableIndex: f.consti64(0))
+                return []
             }
         }
 
diff --git a/Tests/FuzzilliTests/MinimizerTest.swift b/Tests/FuzzilliTests/MinimizerTest.swift
@@ -2035,11 +2035,12 @@ class MinimizerTests: XCTestCase {
             }
 
             b.buildWasmModule { wasmModule in
-                wasmModule.addWasmFunction(with: [] => []) { function, _ in
+                wasmModule.addWasmFunction(with: [] => []) { function, _, _ in
                     let constOne = function.consti32(1)
                     evaluator.nextInstructionIsImportant(in: b)
                     function.wasmArrayNewDefault(arrayType: typeGroupB[1], size: constOne)
                     function.wasmArrayNewDefault(arrayType: typeGroupB[0], size: constOne)
+                    return []
                 }
             }
         }
@@ -2055,9 +2056,10 @@ class MinimizerTests: XCTestCase {
             }
 
             b.buildWasmModule { wasmModule in
-                wasmModule.addWasmFunction(with: [] => []) { function, _ in
+                wasmModule.addWasmFunction(with: [] => []) { function, _, _ in
                     let constOne = function.consti32(1)
                     function.wasmArrayNewDefault(arrayType: typeGroupB[0], size: constOne)
+                    return []
                 }
             }
         }
diff --git a/Tests/FuzzilliTests/WasmAtomicsTests.swift b/Tests/FuzzilliTests/WasmAtomicsTests.swift
@@ -147,40 +147,44 @@ class WasmAtomicsTests: XCTestCase {
             // Load operations
 
             for memory in [unsharedMemory, sharedMemory] {
-                wasmModule.addWasmFunction(with: [] => []) { f, _ in
+                wasmModule.addWasmFunction(with: [] => []) { f, _, _ in
                     let address = f.consti32(1) // Unaligned for 4-byte access
                     // This should trap.
                     f.wasmAtomicLoad(memory: memory, address: address, loadType: .i32Load, offset: 0)
+                    return []
                 }
             }
 
             // memory64
             for memory in [unsharedMemory, sharedMemory] {
-                wasmModule.addWasmFunction(with: [] => []) { f, _ in
+                wasmModule.addWasmFunction(with: [] => []) { f, _, _ in
                     let address = f.consti32(4) // Unaligned for 8-byte access
                     // This should trap.
                     f.wasmAtomicLoad(memory: memory, address: address, loadType: .i64Load, offset: 0)
+                    return []
                 }
             }
 
             // Store operations
 
             for memory in [unsharedMemory, sharedMemory] {
-                wasmModule.addWasmFunction(with: [] => []) { f, _ in
+                wasmModule.addWasmFunction(with: [] => []) { f, _, _ in
                     let address = f.consti32(2) // Unaligned for 4-byte access
                     // This should trap.
                     let value = f.consti32(0x1337)
                     f.wasmAtomicStore(memory: memory, address: address, value: value, storeType: .i32Store, offset: 0)
+                    return []
                 }
             }
 
             // memory64
             for memory in [unsharedMemory, sharedMemory] {
-                wasmModule.addWasmFunction(with: [] => []) { f, _ in
+                wasmModule.addWasmFunction(with: [] => []) { f, _, _ in
                     let address = f.consti32(7) // Unaligned for 8-byte access
                     // This should trap.
                     let value = f.consti64(0xDEADBEEF)
                     f.wasmAtomicStore(memory: memory, address: address, value: value, storeType: .i64Store, offset: 0)
+                    return []
                 }
             }
         }
diff --git a/Tests/FuzzilliTests/WasmTests.swift b/Tests/FuzzilliTests/WasmTests.swift

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ public let ProgramTemplates = [`
`105`	`105`	`let wrapped = b.wrapSuspending(function: f!)`
`106`	`106`
`107`	`107`	`let m = b.buildWasmModule { mod in`
`108`		`- mod.addWasmFunction(with: [] => []) { fbuilder, _ in`
	`108`	`+ mod.addWasmFunction(with: [] => []) { fbuilder, _, _ in`
`109`	`109`	`// This will create a bunch of locals, which should create large (>4KB) frames.`
`110`	`110`	`if probability(0.02) {`
`111`	`111`	`for _ in 0..<1000 {`
`@@ -120,6 +120,7 @@ public let ProgramTemplates = [`
`120`	`120`	`fbuilder.wasmJsCall(function: wrapped, withArgs: args, withWasmSignature: wasmSignature)`
`121`	`121`	`}`
`122`	`122`	`b.build(n: 4)`
	`123`	`+ return []`
`123`	`124`	`}`
`124`	`125`	`if probability(0.2) {`
`125`	`126`	`b.build(n: 20)`
`@@ -156,7 +157,7 @@ public let ProgramTemplates = [`
`156`	`157`	`let module = b.buildWasmModule { wasmModule in`
`157`	`158`	`// Wasm function that throws a tag, catches a tag (the same or a different one) to`
`158`	`159`	`// rethrow it again (or another exnref if present).`
`159`		`- wasmModule.addWasmFunction(with: [] => []) { function, args in`
	`160`	`+ wasmModule.addWasmFunction(with: [] => []) { function, label, args in`
`160`	`161`	`b.build(n: 10)`
`161`	`162`	`let caughtValues = function.wasmBuildBlockWithResults(with: [] => catchBlockOutputTypes, args: []) { catchRefLabel, _ in`
`162`	`163`	`// TODO(mliedtke): We should probably allow mutations of try_tables to make`
`@@ -173,6 +174,7 @@ public let ProgramTemplates = [`
`173`	`174`	`}`
`174`	`175`	`b.build(n: 10)`
`175`	`176`	`function.wasmBuildThrowRef(exception: b.randomVariable(ofType: .wasmExnRef)!)`
	`177`	`+ return []`
`176`	`178`	`}`
`177`	`179`	`}`
`178`	`180`
Original file line number	Diff line number	Diff line change
`@@ -1914,8 +1914,8 @@ public struct Signature: Hashable, CustomStringConvertible {`
`1914`	`1914`	`}`
`1915`	`1915`
`1916`	`1916`	`public struct WasmSignature: Hashable, CustomStringConvertible {`
`1917`		`- let parameterTypes: [ILType]`
`1918`		`- let outputTypes: [ILType]`
	`1917`	`+ public let parameterTypes: [ILType]`
	`1918`	`+ public let outputTypes: [ILType]`
`1919`	`1919`
`1920`	`1920`	`init(expects parameters: [ILType], returns returnTypes: [ILType]) {`
`1921`	`1921`	`self.parameterTypes = parameters`
Original file line number	Diff line number	Diff line change
`@@ -499,16 +499,17 @@ fileprivate let WasmFastCallFuzzer = WasmProgramTemplate("WasmFastCallFuzzer") {`
`499`	`499`	`let m = b.buildWasmModule { m in`
`500`	`500`	`let allWasmTypes: WeightedList<ILType> = WeightedList([(.wasmi32, 1), (.wasmi64, 1), (.wasmf32, 1), (.wasmf64, 1), (.wasmExternRef, 1), (.wasmFuncRef, 1)])`
`501`	`501`	`let wasmSignature = ProgramBuilder.convertJsSignatureToWasmSignature(wrappedSig, availableTypes: allWasmTypes)`
`502`		`- m.addWasmFunction(with: wasmSignature) {fbuilder, _ in`
	`502`	`+ m.addWasmFunction(with: wasmSignature) {fbuilder, _, _ in`
`503`	`503`	`let args = b.randomWasmArguments(forWasmSignature: wasmSignature)`
`504`	`504`	`if let args {`
`505`	`505`	`let maybeRet = fbuilder.wasmJsCall(function: wrapped, withArgs: args, withWasmSignature: wasmSignature)`
`506`	`506`	`if let ret = maybeRet {`
`507`		`- fbuilder.wasmReturn(ret)`
	`507`	`+ return [ret]`
`508`	`508`	`}`
`509`	`509`	`} else {`
`510`	`510`	`logger.error("Arguments should have been generated")`
`511`	`511`	`}`
	`512`	`+ return wasmSignature.outputTypes.map(fbuilder.findOrGenerateWasmVar)`
`512`	`513`	`}`
`513`	`514`	`}`
`514`	`515`
Original file line number	Diff line number	Diff line change
`@@ -1226,7 +1226,7 @@ class JSTyperTests: XCTestCase {`
`1226`	`1226`	`let b = fuzzer.makeBuilder()`
`1227`	`1227`
`1228`	`1228`	`b.buildWasmModule { m in`
`1229`		`- m.addWasmFunction(with: [] => []) { f, _ in`
	`1229`	`+ m.addWasmFunction(with: [] => []) { f, _, _ in`
`1230`	`1230`	`let ci32 = f.consti32(1337)`
`1231`	`1231`	`let ci64 = f.consti64(1338)`
`1232`	`1232`	`let cf32 = f.constf32(13.37)`
`@@ -1240,6 +1240,7 @@ class JSTyperTests: XCTestCase {`
`1240`	`1240`	`XCTAssertTrue(b.type(of: ci64).Is(.wasmPrimitive))`
`1241`	`1241`	`XCTAssertTrue(b.type(of: cf32).Is(.wasmPrimitive))`
`1242`	`1242`	`XCTAssertTrue(b.type(of: cf64).Is(.wasmPrimitive))`
	`1243`	`+ return []`
`1243`	`1244`	`}`
`1244`	`1245`	`}`
`1245`	`1246`	`}`
`@@ -1546,7 +1547,7 @@ class JSTyperTests: XCTestCase {`
`1546`	`1547`	`wasmModule.addTag(parameterTypes: [.wasmi32])`
`1547`	`1548`
`1548`	`1549`	`// Function zero`
`1549`		`- wasmModule.addWasmFunction(with: [] => []) { function, _ in`
	`1550`	`+ wasmModule.addWasmFunction(with: [] => []) { function, _, _ in`
`1550`	`1551`	`// This forces an import of the wasmGlobalf64, second global`
`1551`	`1552`	`function.wasmLoadGlobal(globalVariable: wasmGlobalf64)`
`1552`	`1553`	`// This forces an import and a re-export of the jsTag.`
`@@ -1556,6 +1557,7 @@ class JSTyperTests: XCTestCase {`
`1556`	`1557`	`}`
`1557`	`1558`	`}`
`1558`	`1559`	`function.wasmUnreachable()`
	`1560`	`+ return []`
`1559`	`1561`	`}`
`1560`	`1562`
`1561`	`1563`	`// Function one`
Original file line number	Diff line number	Diff line change
`@@ -3239,8 +3239,9 @@ class LifterTests: XCTestCase {`
`3239`	`3239`	`b.reassign(table, to: table)`
`3240`	`3240`
`3241`	`3241`	`b.buildWasmModule { m in`
`3242`		`- m.addWasmFunction(with: [] => []) { f, _ in`
	`3242`	`+ m.addWasmFunction(with: [] => []) { f, _, _ in`
`3243`	`3243`	`f.wasmCallIndirect(signature: [] => [], table: table, functionArgs: [], tableIndex: f.consti64(0))`
	`3244`	`+ return []`
`3244`	`3245`	`}`
`3245`	`3246`	`}`
`3246`	`3247`
Original file line number	Diff line number	Diff line change
`@@ -2035,11 +2035,12 @@ class MinimizerTests: XCTestCase {`
`2035`	`2035`	`}`
`2036`	`2036`
`2037`	`2037`	`b.buildWasmModule { wasmModule in`
`2038`		`- wasmModule.addWasmFunction(with: [] => []) { function, _ in`
	`2038`	`+ wasmModule.addWasmFunction(with: [] => []) { function, _, _ in`
`2039`	`2039`	`let constOne = function.consti32(1)`
`2040`	`2040`	`evaluator.nextInstructionIsImportant(in: b)`
`2041`	`2041`	`function.wasmArrayNewDefault(arrayType: typeGroupB[1], size: constOne)`
`2042`	`2042`	`function.wasmArrayNewDefault(arrayType: typeGroupB[0], size: constOne)`
	`2043`	`+ return []`
`2043`	`2044`	`}`
`2044`	`2045`	`}`
`2045`	`2046`	`}`
`@@ -2055,9 +2056,10 @@ class MinimizerTests: XCTestCase {`
`2055`	`2056`	`}`
`2056`	`2057`
`2057`	`2058`	`b.buildWasmModule { wasmModule in`
`2058`		`- wasmModule.addWasmFunction(with: [] => []) { function, _ in`
	`2059`	`+ wasmModule.addWasmFunction(with: [] => []) { function, _, _ in`
`2059`	`2060`	`let constOne = function.consti32(1)`
`2060`	`2061`	`function.wasmArrayNewDefault(arrayType: typeGroupB[0], size: constOne)`
	`2062`	`+ return []`
`2061`	`2063`	`}`
`2062`	`2064`	`}`
`2063`	`2065`	`}`
Original file line number	Diff line number	Diff line change
`@@ -147,40 +147,44 @@ class WasmAtomicsTests: XCTestCase {`
`147`	`147`	`// Load operations`
`148`	`148`
`149`	`149`	`for memory in [unsharedMemory, sharedMemory] {`
`150`		`- wasmModule.addWasmFunction(with: [] => []) { f, _ in`
	`150`	`+ wasmModule.addWasmFunction(with: [] => []) { f, _, _ in`
`151`	`151`	`let address = f.consti32(1) // Unaligned for 4-byte access`
`152`	`152`	`// This should trap.`
`153`	`153`	`f.wasmAtomicLoad(memory: memory, address: address, loadType: .i32Load, offset: 0)`
	`154`	`+ return []`
`154`	`155`	`}`
`155`	`156`	`}`
`156`	`157`
`157`	`158`	`// memory64`
`158`	`159`	`for memory in [unsharedMemory, sharedMemory] {`
`159`		`- wasmModule.addWasmFunction(with: [] => []) { f, _ in`
	`160`	`+ wasmModule.addWasmFunction(with: [] => []) { f, _, _ in`
`160`	`161`	`let address = f.consti32(4) // Unaligned for 8-byte access`
`161`	`162`	`// This should trap.`
`162`	`163`	`f.wasmAtomicLoad(memory: memory, address: address, loadType: .i64Load, offset: 0)`
	`164`	`+ return []`
`163`	`165`	`}`
`164`	`166`	`}`
`165`	`167`
`166`	`168`	`// Store operations`
`167`	`169`
`168`	`170`	`for memory in [unsharedMemory, sharedMemory] {`
`169`		`- wasmModule.addWasmFunction(with: [] => []) { f, _ in`
	`171`	`+ wasmModule.addWasmFunction(with: [] => []) { f, _, _ in`
`170`	`172`	`let address = f.consti32(2) // Unaligned for 4-byte access`
`171`	`173`	`// This should trap.`
`172`	`174`	`let value = f.consti32(0x1337)`
`173`	`175`	`f.wasmAtomicStore(memory: memory, address: address, value: value, storeType: .i32Store, offset: 0)`
	`176`	`+ return []`
`174`	`177`	`}`
`175`	`178`	`}`
`176`	`179`
`177`	`180`	`// memory64`
`178`	`181`	`for memory in [unsharedMemory, sharedMemory] {`
`179`		`- wasmModule.addWasmFunction(with: [] => []) { f, _ in`
	`182`	`+ wasmModule.addWasmFunction(with: [] => []) { f, _, _ in`
`180`	`183`	`let address = f.consti32(7) // Unaligned for 8-byte access`
`181`	`184`	`// This should trap.`
`182`	`185`	`let value = f.consti64(0xDEADBEEF)`
`183`	`186`	`f.wasmAtomicStore(memory: memory, address: address, value: value, storeType: .i64Store, offset: 0)`
	`187`	`+ return []`
`184`	`188`	`}`
`185`	`189`	`}`
`186`	`190`	`}`