[wasm] Support more reference types in tag signatures

Change-Id: Ieeb8dab3eb77426d35414a5d24345ffdc51107c1
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8447736
Reviewed-by: Manos Koukoutos <[email protected]>
Commit-Queue: Matthias Liedtke <[email protected]>
Reviewed-by: Carl Smith <[email protected]>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -3926,9 +3926,16 @@ public class ProgramBuilder {
     }
 
     public func randomTagParameters() -> [ILType] {
-        // TODO(mliedtke): The list of types should be shared with function signature generation etc.
-        return (0..<Int.random(in: 0...10)).map {_ in chooseUniform(from:
-            [.wasmi32, .wasmi64, .wasmf32, .wasmf64, .wasmFuncRef, .wasmExnRef, .wasmExternRef, .wasmI31Ref, .wasmSimd128])}
+        // TODO(mliedtke): The list of types should be shared with function signature generation
+        // etc. We should also support non-nullable references but that requires being able
+        // to generate valid ones which currently isn't the case for most of them.
+        return (0..<Int.random(in: 0...10)).map {_ in chooseUniform(from: [
+            // Value types:
+            .wasmi32, .wasmi64, .wasmf32, .wasmf64, .wasmSimd128,
+            // Subset of abstract heap types (the null (bottom) types are not allowed in the JS API):
+            .wasmExternRef, .wasmFuncRef, .wasmAnyRef, .wasmEqRef, .wasmI31Ref, .wasmStructRef,
+            .wasmArrayRef, .wasmExnRef
+        ])}
     }
 
     public func randomWasmSignature() -> WasmSignature {

Sources/Fuzzilli/FuzzIL/TypeSystem.swift

@@ -229,6 +229,10 @@ public struct ILType: Hashable {
     public static let wasmFuncRef = ILType.wasmRef(.Abstract(.WasmFunc), nullability: true)
     public static let wasmExnRef = ILType.wasmRef(.Abstract(.WasmExn), nullability: true)
     public static let wasmI31Ref = ILType.wasmRef(.Abstract(.WasmI31), nullability: true)
+    public static let wasmAnyRef = ILType.wasmRef(.Abstract(.WasmAny), nullability: true)
+    public static let wasmEqRef = ILType.wasmRef(.Abstract(.WasmEq), nullability: true)
+    public static let wasmStructRef = ILType.wasmRef(.Abstract(.WasmStruct), nullability: true)
+    public static let wasmArrayRef = ILType.wasmRef(.Abstract(.WasmArray), nullability: true)
     public static let wasmRefI31 = ILType.wasmRef(.Abstract(.WasmI31), nullability: false)
     public static let wasmSimd128 = ILType(definiteType: .wasmSimd128)
     public static let wasmGenericRef = ILType(definiteType: .wasmRef)

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -1539,8 +1539,6 @@ public class JavaScriptLifter: Lifter {
                 let LET = w.varKeyword
                 let types = op.parameterTypes.map {type in
                     switch(type) {
-                        case .wasmExternRef:
-                            return "\"externref\""
                         case .wasmf32:
                             return "\"f32\""
                         case .wasmf64:
@@ -1551,12 +1549,23 @@ public class JavaScriptLifter: Lifter {
                             return "\"i64\""
                         case .wasmSimd128:
                             return "\"v128\""
+                        case .wasmExternRef:
+                            return "\"externref\""
                         case .wasmFuncRef:
                             return "\"anyfunc\""
-                        case .wasmExnRef:
-                            return "\"exnref\""
+                        case .wasmAnyRef:
+                            return "\"anyref\""
+                        case .wasmEqRef:
+                            return "\"eqref\""
                         case .wasmI31Ref:
                             return "\"i31ref\""
+                        case .wasmStructRef:
+                            return "\"structref\""
+                        case .wasmArrayRef:
+                            return "\"arrayref\""
+                        case .wasmExnRef:
+                            return "\"exnref\""
+
                         default:
                             fatalError("Unhandled wasm type \(type)")
                     }

Tests/FuzzilliTests/WasmTests.swift

@@ -3642,18 +3642,23 @@ class WasmFoundationTests: XCTestCase {
         try tagExportedToDifferentWasmModule(defineInWasm: false)
     }
 
-    // Test that defining a Wasm tag in JS with a funcref in its parameter types does not fail.
-    func testTagFuncRefInJS() throws {
+    // Test that defining a Wasm tag in JS with all supported abstract ref types does not fail.
+    func testTagAllRefTypesInJS() throws {
         let runner = try GetJavaScriptExecutorOrSkipTest(type: .any, withArguments: ["--experimental-wasm-exnref"])
         let liveTestConfig = Configuration(logLevel: .error, enableInspection: true)
         let fuzzer = makeMockFuzzer(config: liveTestConfig, environment: JavaScriptEnvironment())
         let b = fuzzer.makeBuilder()
-        b.createWasmTag(parameterTypes: [.wasmFuncRef])
+        // Assumption: All types but the bottom (null) types are supported in the JS API.
+        let supportedTypes = WasmAbstractHeapType.allCases.filter {!$0.isBottom()}.map { heapType in
+            ILType.wasmRef(.Abstract(heapType), nullability:true)
+        }
+        b.createWasmTag(parameterTypes: supportedTypes)
         let prog = b.finalize()
         let jsProg = fuzzer.lifter.lift(prog, withOptions: [.includeComments])
         // The "funcref" type name is only available with the reflection proposal. Otherwise the
         // name has to be "anyfunc".
         XCTAssert(jsProg.contains("\"anyfunc\""))
+        // We just expect the JS execution not throwing an exception.
         testForOutput(program: jsProg, runner: runner, outputString: "")
     }