[wasm] Add WebAssembly.Memory builtin

and check for consistency between registered ObjectGroups for wasm types
in the JavaScriptEnvironment vs. the actual produced types by the
high-level FuzzIL instructions.

Bug: 440226707
Change-Id: Ib3d7604382c0b5c3d9fe2c4aea111777b35b5aa0
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8550562
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>

Author: Liedtke

Sources/Fuzzilli/Environment/JavaScriptEnvironment.swift

@@ -364,6 +364,8 @@ public class JavaScriptEnvironment: ComponentBase {
         registerObjectGroup(.jsWebAssemblyInstanceConstructor)
         registerObjectGroup(.jsWebAssemblyInstance)
         registerObjectGroup(.jsWebAssemblyModule)
+        registerObjectGroup(.jsWebAssemblyMemoryPrototype)
+        registerObjectGroup(.jsWebAssemblyMemoryConstructor)
         registerObjectGroup(.jsWebAssembly)
         registerObjectGroup(.jsWasmGlobal)
         registerObjectGroup(.jsWasmMemory)
@@ -990,6 +992,11 @@ public extension ILType {
         ILType.constructor([.plain(.jsWebAssemblyModule), .plain(.object())] => .jsWebAssemblyInstance)
         + .object(ofGroup: "WebAssemblyInstanceConstructor", withProperties: ["prototype"], withMethods: [])
 
+    // Similarly to Wasm globals, we do not type the results as being part of an object group as the
+    // result type doesn't have a valid WasmTypeExtension.
+    static let jsWebAssemblyMemoryConstructor = ILType.constructor([.plain(.object(withProperties: ["initial"]))] => .object(withProperties: ["buffer"], withMethods: ["grow", "toResizableBuffer", "toFixedLengthBuffer"]))
+        + .object(ofGroup: "WebAssemblyMemoryConstructor", withProperties: ["prototype"])
+
     // The JavaScript WebAssembly.Table object of the given variant, i.e. FuncRef or ExternRef
     static let wasmTable = ILType.object(ofGroup: "WasmTable", withProperties: ["length"], withMethods: ["get", "grow", "set"])
 
@@ -1842,6 +1849,17 @@ public extension ObjectGroup {
         methods: [:]
     )
 
+    static let jsWebAssemblyMemoryPrototype = createPrototypeObjectGroup(jsWasmMemory)
+
+    static let jsWebAssemblyMemoryConstructor = ObjectGroup(
+        name: "WebAssemblyMemoryConstructor",
+        instanceType: .jsWebAssemblyMemoryConstructor,
+        properties: [
+            "prototype": jsWebAssemblyMemoryPrototype.instanceType,
+        ],
+        methods: [:]
+    )
+
     static let jsWebAssembly = ObjectGroup(
         name: "WebAssembly",
         instanceType: nil,
@@ -1851,6 +1869,7 @@ public extension ObjectGroup {
             "Module": .jsWebAssemblyModuleConstructor,
             "Global": .jsWebAssemblyGlobalConstructor,
             "Instance": .jsWebAssemblyInstanceConstructor,
+            "Memory": .jsWebAssemblyMemoryConstructor,
         ],
         overloads: [
             "compile": wasmBufferTypes.map {
@@ -2038,7 +2057,8 @@ public extension ObjectGroup {
             "second": .number,
             "millisecond": .number,
             "microsecond": .number,
-            "nanosecond": .number,        ],
+            "nanosecond": .number,
+        ],
         methods: [
             "add": [jsTemporalDurationLike] => .jsTemporalPlainTime,
             "subtract": [jsTemporalDurationLike] => .jsTemporalPlainTime,

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -660,7 +660,7 @@ public struct JSTyper: Analyzer {
             case .wasmSimdExtractLane(let op):
                 setType(of: instr.output, to: op.kind.laneType())
             case .wasmDefineGlobal(let op):
-                let type = ILType.object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: op.wasmGlobal.toType(), isMutable: op.isMutable))
+                let type = ILType.object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: op.wasmGlobal.toType(), isMutable: op.isMutable))
                 dynamicObjectGroupManager.addWasmGlobal(withType: type, forDefinition: instr, forVariable: instr.output)
                 setType(of: instr.output, to: type)
             case .wasmDefineTable(let op):
@@ -1734,7 +1734,7 @@ public struct JSTyper: Analyzer {
 
         // TODO: also add other macro instructions here.
         case .createWasmGlobal(let op):
-            set(instr.output, .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: op.value.toType(), isMutable: op.isMutable)))
+            set(instr.output, .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: op.value.toType(), isMutable: op.isMutable)))
 
         case .createWasmMemory(let op):
             set(instr.output, .wasmMemory(limits: op.memType.limits, isShared: op.memType.isShared, isMemory64: op.memType.isMemory64))

Tests/FuzzilliTests/JSTyperTests.swift

@@ -1519,7 +1519,7 @@ class JSTyperTests: XCTestCase {
         let b = fuzzer.makeBuilder()
 
         let wasmGlobalf64: Variable = b.createWasmGlobal(value: .wasmf64(1337), isMutable: false)
-        XCTAssertEqual(b.type(of: wasmGlobalf64), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmf64, isMutable: false)))
+        XCTAssertEqual(b.type(of: wasmGlobalf64), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmf64, isMutable: false)))
 
         let maxPages: Int? = isShared ? 4 : nil
         let memory = b.createWasmMemory(minPages: 1, maxPages: maxPages, isShared: isShared)
@@ -1612,10 +1612,10 @@ class JSTyperTests: XCTestCase {
         XCTAssertEqual(reexportedFunction, [[] => .object(ofGroup: "_fuzz_Object0")])
 
         let glob0 = b.getProperty("wg0", of: exports)
-        XCTAssertEqual(b.type(of: glob0), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: .wasmi64, isMutable: true)))
+        XCTAssertEqual(b.type(of: glob0), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: .wasmi64, isMutable: true)))
 
         let glob1 = b.getProperty("iwg0", of: exports)
-        XCTAssertEqual(b.type(of: glob1), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: .wasmf64, isMutable: false)))
+        XCTAssertEqual(b.type(of: glob1), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: .wasmf64, isMutable: false)))
 
         let mem0 = b.getProperty("wm0", of: exports)
         let memType = ILType.wasmMemory(limits: Limits(min: 3, max: maxPages), isShared: isShared)
@@ -1727,11 +1727,23 @@ class JSTyperTests: XCTestCase {
         // The high-level IL instruction produces properly typed wasm globals.
         let realWasmGlobal = b.createWasmGlobal(value: .wasmi32(1), isMutable: true)
         XCTAssert(b.type(of: realWasmGlobal).Is(.object(ofGroup: "WasmGlobal")))
+        XCTAssert(b.type(of: realWasmGlobal).Is(ObjectGroup.jsWasmGlobal.instanceType))
         // The properly typed wasm globals can be used in conjunction with the
         // WebAssembly.Global.prototype.valueOf() function.
         let globalPrototype = b.getProperty("prototype", of: wasmGlobalConstructor)
         let valueOf = b.getProperty("valueOf", of: globalPrototype)
         XCTAssertEqual(b.type(of: valueOf), .unboundFunction([] => .jsAnything, receiver: .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"])))
+
+        let wasmMemoryConstructor = b.getProperty("Memory", of: wasm)
+        let wasmMemory = b.construct(wasmMemoryConstructor) // In theory this needs arguments.
+        XCTAssertFalse(b.type(of: wasmMemory).Is(.object(ofGroup: "WasmMemory")))
+        let realWasmMemory = b.createWasmMemory(minPages: 1, maxPages: 1, isShared: false)
+        XCTAssert(b.type(of: realWasmMemory).Is(.object(ofGroup: "WasmMemory")))
+        XCTAssert(b.type(of: realWasmMemory).Is(ObjectGroup.jsWasmMemory.instanceType))
+        let memoryPrototype = b.getProperty("prototype", of: wasmMemoryConstructor)
+        let grow = b.getProperty("grow", of: memoryPrototype)
+        XCTAssert(b.type(of: grow).Is(.unboundFunction([.number] => .number, receiver: .object(ofGroup: "WasmMemory"))))
+
     }
 
     func testProducingGenerators() {

Tests/FuzzilliTests/WasmTests.swift

@@ -188,10 +188,10 @@ class WasmFoundationTests: XCTestCase {
 
         // This test tests whether re-exported imports and module defined globals are re-ordered from the typer.
         let wasmGlobali32: Variable = b.createWasmGlobal(value: .wasmi32(1337), isMutable: true)
-        XCTAssertEqual(b.type(of: wasmGlobali32), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmi32, isMutable: true)))
+        XCTAssertEqual(b.type(of: wasmGlobali32), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmi32, isMutable: true)))
 
         let wasmGlobalf32: Variable = b.createWasmGlobal(value: .wasmf32(42.0), isMutable: false)
-        XCTAssertEqual(b.type(of: wasmGlobalf32), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmf32, isMutable: false)))
+        XCTAssertEqual(b.type(of: wasmGlobalf32), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmf32, isMutable: false)))
 
         let module = b.buildWasmModule { wasmModule in
             // Imports are always before internal globals, this breaks the logic if we add a global and then import a global.
@@ -429,7 +429,7 @@ class WasmFoundationTests: XCTestCase {
         let b = fuzzer.makeBuilder()
 
         let wasmGlobali64: Variable = b.createWasmGlobal(value: .wasmi64(1337), isMutable: true)
-        XCTAssertEqual(b.type(of: wasmGlobali64), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmi64, isMutable: true)))
+        XCTAssertEqual(b.type(of: wasmGlobali64), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmi64, isMutable: true)))
 
         let module = b.buildWasmModule { wasmModule in
             let global = wasmModule.addGlobal(wasmGlobal: .wasmi64(1339), isMutable: true)
@@ -499,7 +499,7 @@ class WasmFoundationTests: XCTestCase {
         let module = b.buildWasmModule { wasmModule in
             // Note that globals of exnref can only be defined in wasm, not in JS.
             let global = wasmModule.addGlobal(wasmGlobal: .exnref, isMutable: true)
-            XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmExnRef, isMutable: true)))
+            XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmExnRef, isMutable: true)))
 
             wasmModule.addWasmFunction(with: [] => [.wasmi32]) { function, label, args in
                 let value = function.wasmLoadGlobal(globalVariable: global)
@@ -586,7 +586,7 @@ class WasmFoundationTests: XCTestCase {
 
         let module = b.buildWasmModule { wasmModule in
             let global = wasmModule.addGlobal(wasmGlobal: .externref, isMutable: true)
-            XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmExternRef, isMutable: true)))
+            XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmExternRef, isMutable: true)))
 
             wasmModule.addWasmFunction(with: [] => [.wasmExternRef]) { function, label, args in
                 [function.wasmLoadGlobal(globalVariable: global)]
@@ -626,7 +626,7 @@ class WasmFoundationTests: XCTestCase {
         let b = fuzzer.makeBuilder()
 
         let global: Variable = b.createWasmGlobal(value: .externref, isMutable: true)
-        XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmExternRef, isMutable: true)))
+        XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmExternRef, isMutable: true)))
 
         let outputFunc = b.createNamedVariable(forBuiltin: "output")
         // The initial value is "undefined" (because we didn't provide an explicit initialization).
@@ -651,7 +651,7 @@ class WasmFoundationTests: XCTestCase {
 
         let module = b.buildWasmModule { wasmModule in
             let global = wasmModule.addGlobal(wasmGlobal: .i31ref, isMutable: true)
-            XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmI31Ref, isMutable: true)))
+            XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmI31Ref, isMutable: true)))
 
             wasmModule.addWasmFunction(with: [] => [.wasmI31Ref]) { function, label, args in
                 [function.wasmLoadGlobal(globalVariable: global)]
@@ -690,7 +690,7 @@ class WasmFoundationTests: XCTestCase {
         let b = fuzzer.makeBuilder()
 
         let global: Variable = b.createWasmGlobal(value: .i31ref, isMutable: true)
-        XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmI31Ref, isMutable: true)))
+        XCTAssertEqual(b.type(of: global), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmI31Ref, isMutable: true)))
 
         let outputFunc = b.createNamedVariable(forBuiltin: "output")
         // The initial value is "null" (because we didn't provide an explicit initialization).
@@ -6268,7 +6268,7 @@ class WasmJSPITests: XCTestCase {
         let b = fuzzer.makeBuilder()
 
         let wasmGlobali64: Variable = b.createWasmGlobal(value: .wasmi64(1337), isMutable: true)
-        XCTAssertEqual(b.type(of: wasmGlobali64), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withWasmType: WasmGlobalType(valueType: ILType.wasmi64, isMutable: true)))
+        XCTAssertEqual(b.type(of: wasmGlobali64), .object(ofGroup: "WasmGlobal", withProperties: ["value"], withMethods: ["valueOf"], withWasmType: WasmGlobalType(valueType: ILType.wasmi64, isMutable: true)))
 
         let module = b.buildWasmModule { wasmModule in
             // Function 0, modifies the imported global.