[wasm] Add prototype property for WebAssembly.*

Bug: 440226707
Change-Id: If33749baa0b406b905630133d1a58db1177e2bf6
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8550380
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
Commit-Queue: Manos Koukoutos <manoskouk@google.com>

Author: Liedtke

Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift

@@ -360,6 +360,7 @@ public class JavaScriptEnvironment: ComponentBase {
         registerObjectGroup(.jsWebAssemblyCompileOptions)
         registerObjectGroup(.jsWebAssemblyModuleConstructor)
         registerObjectGroup(.jsWebAssemblyGlobalConstructor)
+        registerObjectGroup(.jsWebAssemblyGlobalPrototype)
         registerObjectGroup(.jsWebAssemblyInstanceConstructor)
         registerObjectGroup(.jsWebAssemblyInstance)
         registerObjectGroup(.jsWebAssemblyModule)
@@ -971,15 +972,16 @@ public extension ILType {
     // TODO: The first constructor argument can also be any typed array and .jsSharedArrayBuffer.
     static let jsWebAssemblyModuleConstructor =
         ILType.constructor([.plain(.jsArrayBuffer)] => .jsWebAssemblyModule)
-        + .object(ofGroup: "WebAssemblyModuleConstructor", withProperties: [],
+        + .object(ofGroup: "WebAssemblyModuleConstructor", withProperties: ["prototype"],
             withMethods: ["customSections", "imports", "exports"])
 
-    static let jsWasmGlobal = ILType.object(ofGroup: "WasmGlobal", withProperties: ["value"],
-        withMethods: ["valueOf"])
-
     static let jsWebAssemblyGlobalConstructor =
-        ILType.constructor([.plain(.object()), .jsAnything] => .jsWasmGlobal)
-        + .object(ofGroup: "WebAssemblyGlobalConstructor", withProperties: [], withMethods: [])
+        // We do not type the result as being part of the ObjectGroup "WasmGlobal" as that would
+        // require to also add a WasmTypeExtension to its type. This is fine as the proper
+        // construction of globals is done via the high-level Wasm operations and these builtins
+        // only serve the purpose of fuzzing the API.
+        ILType.constructor([.plain(.object()), .jsAnything] => .object(withProperties: ["value"], withMethods: ["valueOf"]))
+        + .object(ofGroup: "WebAssemblyGlobalConstructor", withProperties: ["prototype"], withMethods: [])
 
     static let jsWebAssemblyInstance = ILType.object(ofGroup: "WebAssembly.Instance",
         withProperties: ["exports"])
@@ -1801,18 +1803,24 @@ public extension ObjectGroup {
     static let jsWebAssemblyModuleConstructor = ObjectGroup(
         name: "WebAssemblyModuleConstructor",
         instanceType: .jsWebAssemblyModuleConstructor,
-        properties: [:],
+        properties: [
+            "prototype": .object()
+        ],
         methods: [
             "customSections": [.plain(jsWebAssemblyModule.instanceType), .plain(.jsString)] => .jsArray,
             "exports": [.plain(jsWebAssemblyModule.instanceType)] => .jsArray,
             "imports": [.plain(jsWebAssemblyModule.instanceType)] => .jsArray,
         ]
     )
 
+    static let jsWebAssemblyGlobalPrototype = createPrototypeObjectGroup(jsWasmGlobal)
+
     static let jsWebAssemblyGlobalConstructor = ObjectGroup(
         name: "WebAssemblyGlobalConstructor",
         instanceType: .jsWebAssemblyGlobalConstructor,
-        properties: [:],
+        properties: [
+            "prototype": jsWebAssemblyGlobalPrototype.instanceType,
+        ],
         methods: [:]
     )
 
@@ -1866,7 +1874,7 @@ public extension ObjectGroup {
     /// ObjectGroup modelling JavaScript WebAssembly Global objects.
     static let jsWasmGlobal = ObjectGroup(
         name: "WasmGlobal",
-        instanceType: .jsWasmGlobal,
+        instanceType: nil,
         properties: [
             // TODO: Try using precise JS types based on the global's underlying valuetype (e.g. float for f32 and f64).
             "value" : .jsAnything

Tests/FuzzilliTests/JSTyperTests.swift

@@ -1717,6 +1717,21 @@ class JSTyperTests: XCTestCase {
         XCTAssert(b.type(of: wasmModuleConstructor).Is(.object(ofGroup: "WebAssemblyModuleConstructor")))
         let wasmModule = b.construct(wasmModuleConstructor) // In theory this needs arguments.
         XCTAssert(b.type(of: wasmModule).Is(.object(ofGroup: "WebAssembly.Module")))
+
+        let wasmGlobalConstructor = b.getProperty("Global", of: wasm)
+        XCTAssert(b.type(of: wasmGlobalConstructor).Is(.object(ofGroup: "WebAssemblyGlobalConstructor")))
+        let wasmGlobal = b.construct(wasmGlobalConstructor) // In theory this needs arguments.
+        // We do not type the constructed value as globals as the "WasmGlobal" object group expects
+        // to have a WasmTypeExtension.
+        XCTAssertFalse(b.type(of: wasmGlobal).Is(.object(ofGroup: "WasmGlobal")))
+        // The high-level IL instruction produces properly typed wasm globals.
+        let realWasmGlobal = b.createWasmGlobal(value: .wasmi32(1), isMutable: true)
+        XCTAssert(b.type(of: realWasmGlobal).Is(.object(ofGroup: "WasmGlobal")))
+        // The properly typed wasm globals can be used in conjunction with the
+        // WebAssembly.Global.prototype.valueOf() function.
+        let globalPrototype = b.getProperty("prototype", of: wasmGlobalConstructor)
+        let valueOf = b.getProperty("valueOf", of: globalPrototype)
+        XCTAssertEqual(b.type(of: valueOf), .unboundFunction([] => .jsAnything, receiver: .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"])))
     }
 
     func testProducingGenerators() {