[wasm] Migrate tags to use wasm-gc signatures

With all instructions interacting with Wasm tags switched over to
using wasm-gc signatures in previous changes, tags can now also be
adapted to use wasm-gc types in their signature (their parameter
types).

Note that it is also possible to define tags from JS, e.g.:
>  new WebAssembly.Tag({parameters: ['i32']})
However, these tags do not support index types in the JS API spec, so
they can continue using the current mechanism for their type
information.

Bug: 448860865
Change-Id: If558f0562609d7a26a0119a4055184506351bd52
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8956197
Reviewed-by: Doga Yüksel <dyuksel@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -4534,9 +4534,16 @@ public class ProgramBuilder {
             return b.emit(WasmDefineDataSegment(segment: segment)).output
         }
 
+        @discardableResult
+        public func addTag(signature: Variable) -> Variable {
+            return b.emit(WasmDefineTag(), withInputs: [signature]).output
+        }
+
+        // Convenience function to create a tag including an adhoc signature definition.
         @discardableResult
         public func addTag(parameterTypes: [ILType]) -> Variable {
-            return b.emit(WasmDefineTag(parameterTypes: parameterTypes)).output
+            let signatureDef = b.wasmDefineAdHocSignatureType(signature: parameterTypes => [])
+            return addTag(signature: signatureDef)
         }
 
         private func getModuleVariable() -> Variable {
@@ -4616,7 +4623,8 @@ public class ProgramBuilder {
         }
     }
 
-    public func randomTagParameters() -> [ILType] {
+    // Random tag parameters for Wasm tags defined via the JS API
+    public func randomTagParametersJs() -> [ILType] {
         // TODO(mliedtke): The list of types should be shared with function signature generation
         // etc. We should also support non-nullable references but that requires being able
         // to generate valid ones which currently isn't the case for most of them.
@@ -4646,16 +4654,17 @@ public class ProgramBuilder {
         return params => returnTypes
     }
 
-    public func randomWasmGcSignature() -> (signature: WasmSignature, indexTypes: [Variable]) {
+    public func randomWasmGcSignature(withResults: Bool = true, allowNonNullable: Bool = true)
+            -> (signature: WasmSignature, indexTypes: [Variable]) {
         let typeCount = Int.random(in: 0...10)
-        let returnCount = Int.random(in: 0...typeCount)
+        let returnCount = withResults ? Int.random(in: 0...typeCount) : 0
         let parameterCount = typeCount - returnCount
 
         var indexTypes: [Variable] = []
         let chooseType = {
             if let elementType = self.randomVariable(ofType: .wasmTypeDef()), probability(0.25) {
-                let nullability =
-                    self.type(of: elementType).wasmTypeDefinition!.description == .selfReference
+                let nullability = !allowNonNullable
+                    || self.type(of: elementType).wasmTypeDefinition!.description == .selfReference
                     || probability(0.5)
                 indexTypes.append(elementType)
                 return ILType.wasmRef(.Index(), nullability: nullability)

Sources/Fuzzilli/CodeGen/ProgramTemplates.swift

@@ -146,7 +146,7 @@ public let ProgramTemplates = [
 
         // A few tags (wasm exception kinds) to be used later on.
         let wasmTags = (0...Int.random(in: 0..<5)).map { _ in
-            b.createWasmTag(parameterTypes: b.randomTagParameters())
+            b.createWasmTag(parameterTypes: b.randomTagParametersJs())
         }
         let tags = [b.createWasmJSTag()] + wasmTags
         let tagToThrow = chooseUniform(from: wasmTags)

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -52,7 +52,7 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         if probability(0.5) {
             b.createWasmJSTag()
         } else {
-            b.createWasmTag(parameterTypes: b.randomTagParameters())
+            b.createWasmTag(parameterTypes: b.randomTagParametersJs())
         }
     },
     //
@@ -1589,7 +1589,13 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         "WasmDefineTagGenerator", inContext: .single(.wasm),
         produces: [.object(ofGroup: "WasmTag")]
     ) { b in
-        b.currentWasmModule.addTag(parameterTypes: b.randomTagParameters())
+        // TODO(mliedtke): If we allow non-nullable reference types in signatures, we'll also need
+        // to be able to provide valid values for them when trying to throw an instance of this tag.
+        let (signature, indexTypes) =
+            b.randomWasmGcSignature(withResults: false, allowNonNullable: false)
+        let signatureDef =
+            b.wasmDefineAdHocSignatureType(signature: signature, indexTypes: indexTypes)
+        b.currentWasmModule.addTag(signature: signatureDef)
     },
 
     CodeGenerator(

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1438,10 +1438,8 @@ extension Instruction: ProtobufConvertible {
                 $0.wasmThrowRef = Fuzzilli_Protobuf_WasmThrowRef()
             case .wasmRethrow(_):
                 $0.wasmRethrow = Fuzzilli_Protobuf_WasmRethrow()
-            case .wasmDefineTag(let op):
-                $0.wasmDefineTag = Fuzzilli_Protobuf_WasmDefineTag.with {
-                    $0.parameterTypes = op.parameterTypes.map(ILTypeToWasmTypeEnum)
-                }
+            case .wasmDefineTag(_):
+                $0.wasmDefineTag = Fuzzilli_Protobuf_WasmDefineTag()
             case .wasmBranch(_):
                 $0.wasmBranch = Fuzzilli_Protobuf_WasmBranch()
             case .wasmBranchIf(let op):
@@ -2483,8 +2481,8 @@ extension Instruction: ProtobufConvertible {
             op = WasmThrowRef()
         case .wasmRethrow(_):
             op = WasmRethrow()
-        case .wasmDefineTag(let p):
-            op = WasmDefineTag(parameterTypes: p.parameterTypes.map(WasmTypeEnumToILType))
+        case .wasmDefineTag(_):
+            op = WasmDefineTag()
         case .wasmBranch(_):
             op = WasmBranch(parameterCount: inouts.count - 1)
         case .wasmBranchIf(let p):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -754,8 +754,9 @@ public struct JSTyper: Analyzer {
                 setType(of: instr.output, to: .wasmDataSegment(segmentLength: op.segment.count))
             case .wasmDropDataSegment(_):
                 type(of: instr.input(0)).wasmDataSegmentType!.markAsDropped()
-            case .wasmDefineTag(let op):
-                setType(of: instr.output, to: .object(ofGroup: "WasmTag", withWasmType: WasmTagType(op.parameterTypes)))
+            case .wasmDefineTag(_):
+                let signature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                setType(of: instr.output, to: .object(ofGroup: "WasmTag", withWasmType: WasmTagType(signature.parameterTypes)))
                 dynamicObjectGroupManager.addWasmTag(withType: type(of: instr.output), forDefinition: instr, forVariable: instr.output)
             case .wasmThrow(_):
                 let definingInstruction = defUseAnalyzer.definition(of: instr.input(0))

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -877,11 +877,10 @@ final class WasmDefineDataSegment: WasmOperation {
 
 final class WasmDefineTag: WasmOperation {
     override var opcode: Opcode { .wasmDefineTag(self) }
-    public let parameterTypes: [ILType]
 
-    init(parameterTypes: [ILType]) {
-        self.parameterTypes = parameterTypes
-        super.init(numOutputs: 1, attributes: [], requiredContext: [.wasm])
+    init() {
+        // Inputs: The signature.
+        super.init(numInputs: 1, numOutputs: 1, attributes: [], requiredContext: [.wasm])
     }
 }
 

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -873,8 +873,8 @@ public class FuzzILLifter: Lifter {
         case .wasmDefineDataSegment(_):
             w.emit("\(output()) <- WasmDefineDataSegment [...]")
 
-        case .wasmDefineTag(let op):
-            w.emit("\(output()) <- WasmDefineTag \(op.parameterTypes)")
+        case .wasmDefineTag(_):
+            w.emit("\(output()) <- WasmDefineTag \(input(0))")
 
         case .wasmLoadGlobal(_):
             w.emit("\(output()) <- WasmLoadGlobal \(input(0))")

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -622,12 +622,6 @@ public class WasmLifter {
             registerSignature(signature)
         }
 
-        // Special handling for defined Tags
-        for case let .tag(instr) in self.exports {
-            let tagSignature = (instr!.op as! WasmDefineTag).parameterTypes => []
-            assert(tagSignature.outputTypes.isEmpty)
-            registerSignature(tagSignature)
-        }
         // Special handling for defined functions
         for case let .function(functionInfo) in self.exports {
             registerSignature(functionInfo!.signature)
@@ -1142,9 +1136,9 @@ public class WasmLifter {
         section += Leb128.unsignedEncode(self.exports.count { $0.isTag })
 
         for case let .tag(instr) in self.exports {
-            let tagSignature = (instr!.op as! WasmDefineTag).parameterTypes => []
+            let signatureDesc = typer.getTypeDescription(of: instr!.input(0))
             section.append(0)
-            section.append(Leb128.unsignedEncode(try getSignatureIndex(tagSignature)))
+            section.append(Leb128.unsignedEncode(typeDescToIndex[signatureDesc]!))
         }
 
         self.bytecode.append(Leb128.unsignedEncode(section.count))

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -5323,8 +5323,6 @@ public struct Fuzzilli_Protobuf_WasmDefineTag: Sendable {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
-  public var parameterTypes: [Fuzzilli_Protobuf_WasmILType] = []
-
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
   public init() {}
@@ -14093,29 +14091,18 @@ extension Fuzzilli_Protobuf_WasmRethrow: SwiftProtobuf.Message, SwiftProtobuf._M
 
 extension Fuzzilli_Protobuf_WasmDefineTag: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".WasmDefineTag"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterTypes\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
-    while let fieldNumber = try decoder.nextFieldNumber() {
-      // The use of inline closures is to circumvent an issue where the compiler
-      // allocates stack space for every case branch when no optimizations are
-      // enabled. https://github.com/apple/swift-protobuf/issues/1034
-      switch fieldNumber {
-      case 1: try { try decoder.decodeRepeatedMessageField(value: &self.parameterTypes) }()
-      default: break
-      }
-    }
+    // Load everything into unknown fields
+    while try decoder.nextFieldNumber() != nil {}
   }
 
   public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
-    if !self.parameterTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.parameterTypes, fieldNumber: 1)
-    }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_WasmDefineTag, rhs: Fuzzilli_Protobuf_WasmDefineTag) -> Bool {
-    if lhs.parameterTypes != rhs.parameterTypes {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }

Sources/Fuzzilli/Protobuf/operations.proto

@@ -1303,7 +1303,6 @@ message WasmRethrow {
 }
 
 message WasmDefineTag {
-  repeated WasmILType parameterTypes = 1;
 }
 
 message WasmBranch {