WasmLifter: Handle non-local inputs based on types, not instructions

Liedtke · V8-internal LUCI CQ · commit f6d29ebc444a · 2025-01-20T07:30:01.000-08:00
Change-Id: I42108ee26f2e9485148c6255bd77d7d162a15713 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/7967830 Commit-Queue: Matthias Liedtke <mliedtke@google.com> Reviewed-by: Carl Smith <cffsmith@google.com>
diff --git a/Sources/Fuzzilli/FuzzIL/TypeSystem.swift b/Sources/Fuzzilli/FuzzIL/TypeSystem.swift
@@ -405,6 +405,10 @@ public struct ILType: Hashable {
         return wasmType as? WasmTagType
     }
 
+    public var isWasmTagType: Bool {
+        return wasmTagType != nil && ext?.group == "WasmTag"
+    }
+
     public var properties: Set<String> {
         return ext?.properties ?? Set()
     }
diff --git a/Sources/Fuzzilli/Lifting/WasmLifter.swift b/Sources/Fuzzilli/Lifting/WasmLifter.swift
@@ -945,7 +945,8 @@ public class WasmLifter {
         // Check if instruction input is a parameter or if we have an expression for it, if so, we need to load it now.
         for input in instr.inputs {
             // Skip "internal" inputs, i.e. ones that don't map to a slot, such as .label variables
-            if typer.type(of: input).Is(.label) {
+            let inputType = typer.type(of: input)
+            if inputType.Is(.label) || inputType.Is(.exceptionLabel) {
                 continue
             }
 
@@ -962,19 +963,16 @@ public class WasmLifter {
                 continue
             }
 
-            // TODO(mliedtke): Make this an attribute.
-            // Instruction has to be a glue instruction now, maybe add an attribute to the instruction that it may have non-wasm inputs, i.e. inputs that do not have a local slot.
-            if instr.op is WasmLoadGlobal || instr.op is WasmStoreGlobal || instr.op is WasmJsCall
-                || instr.op is WasmMemoryStore || instr.op is WasmMemoryLoad || instr.op is WasmTableGet
-                || instr.op is WasmTableSet || instr.op is WasmBeginCatch || instr.op is WasmThrow
-                || instr.op is WasmRethrow || instr.op is WasmBeginBlock || instr.op is WasmBeginTry
-                || instr.op is WasmI64x2LoadSplat || instr.op is WasmBeginTryDelegate
-                || instr.op is WasmBeginIf || instr.op is WasmBeginElse {
-                continue
+            // Special inputs that aren't locals (e.g. memories, functions, tags, ...)
+            let isLocallyDefined = inputType.isWasmTagType && tags.contains(input)
+                || inputType.isWasmTableType && tables.contains(where: {$0.output == input})
+                || inputType.Is(.wasmFuncRef) && functions.contains(where: {$0.outputVariable == input})
+                || inputType.isWasmGlobalType && globals.contains(where: {$0.output == input})
+                || inputType.isWasmMemoryType && memories.contains(where: {$0.output == input})
+            if !isLocallyDefined {
+                assert(self.imports.contains(where: {$0.0 == input}), "Variable \(input) needs to be imported during importAnalysis()")
             }
-            fatalError("unreachable")
         }
-
     }
 
     private func emitBytesForInstruction(forInstruction instr: Instruction) throws {

Original file line number	Diff line number	Diff line change
`@@ -405,6 +405,10 @@ public struct ILType: Hashable {`
`405`	`405`	`return wasmType as? WasmTagType`
`406`	`406`	`}`
`407`	`407`
	`408`	`+ public var isWasmTagType: Bool {`
	`409`	`+ return wasmTagType != nil && ext?.group == "WasmTag"`
	`410`	`+ }`
	`411`	`+`
`408`	`412`	`public var properties: Set<String> {`
`409`	`413`	`return ext?.properties ?? Set()`
`410`	`414`	`}`