[wasm] Add code generator producing an exnref

The WasmThrowRefGenerator requires an exnref as an input. Without having
a generator that produces it, it isn't very likely that there is an
exnref available in the current program, so the generator cannot be run
in most cases.

Registering a generator producing that exnref (if a tag is available)
helps significantly.

Change-Id: Idbd9337f5a7339d58fe1f76e264569907f7081ce
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9123976
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
Commit-Queue: Manos Koukoutos <manoskouk@google.com>

Author: Liedtke

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -324,6 +324,9 @@ public let codeGeneratorWeights = [
     "WasmLegacyTryDelegateGenerator":           8,
     "WasmThrowGenerator":                       2,
     "WasmLegacyRethrowGenerator":               10,
+    // This generator is mostly just there, so that the WasmThrowRefGenerator
+    // can create an exnref on demand (if a wasm tag is present).
+    "WasmCreateExnRefGenerator":                1,
     "WasmThrowRefGenerator":                    6,
     "WasmBranchGenerator":                      6,
     "WasmBranchIfGenerator":                    6,

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -1620,6 +1620,30 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         function.wasmBuildLegacyRethrow(exception)
     },
 
+    CodeGenerator(
+        "WasmCreateExnRefGenerator", inContext: .single(.wasmFunction),
+        inputs: .required(.object(ofGroup: "WasmTag")),
+        produces: [.wasmExnRef()]
+    ) { b, tag in
+        let function = b.currentWasmModule.currentWasmFunction
+        let tagType = b.type(of: tag).wasmTagType!
+        guard !tagType.isJSTag else {
+            // We can't throw a JSTag, so simply create a null value.
+            function.wasmRefNull(type: .wasmExnRef())
+            return
+        }
+        // Create a try-catch throwing and catching a tag producing an exnref as
+        // a result.
+        function.wasmBuildBlockWithResults(with: [] => (tagType.parameters + [.wasmExnRef()]), args: []) { label, _ in
+            let args = tagType.parameters.map(function.findOrGenerateWasmVar)
+            function.wasmBuildTryTable(with: [] => [], args: [tag, label], catches: [.Ref]) { _, _ in
+                function.WasmBuildThrow(tag: tag, inputs: args)
+                return []
+            }
+            return args + [function.wasmRefNull(type: .wasmExnRef())]
+        }
+    },
+
     CodeGenerator(
         "WasmThrowRefGenerator", inContext: .single(.wasmFunction),
         inputs: .required(.wasmExnRef())

Tests/FuzzilliTests/ProgramBuilderTest.swift

@@ -3125,6 +3125,7 @@ class ProgramBuilderTests: XCTestCase {
         test("WasmStructNewDefaultGenerator", expectAny: WasmStructNewDefault.self)
         test("WasmArrayGetGenerator", expectAny: WasmArrayGet.self, requiresTypes: true)
         test("WasmStructGetGenerator", expectAny: WasmStructGet.self, requiresTypes: true)
+        test("WasmThrowRefGenerator", expectAny: WasmThrowRef.self)
     }
 
     func testThatGeneratorsExistAndAreBuildableFromJs() {