[wasm] Added ref.cast instruction

Fuzzilli functionality for ref.cast added similarly to ref.test

Bug: 474940922
Change-Id: I7cd3a28b05b7289c8ea0836be0c6d1024556e24c
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8995238
Commit-Queue: Doga Yüksel <dyuksel@google.com>
Reviewed-by: Danylo Mocherniuk <mdanylo@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>

Author: Doga Yüksel

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -4436,10 +4436,18 @@ public class ProgramBuilder {
 
         @discardableResult
         public func wasmRefTest(_ ref: Variable, refType: ILType, typeDef: Variable? = nil) -> Variable {
-            typeDef == nil
-                ? b.emit(WasmRefTest(refType: refType), withInputs: [ref]).output
-                : b.emit(WasmRefTest(refType: refType), withInputs: [ref, typeDef!]).output
+            let inputs = typeDef == nil ? [ref] : [ref, typeDef!]
+            let types: [ILType] = typeDef == nil ? [.wasmGenericRef] : [.wasmGenericRef, .wasmTypeDef()]
+            return b.emit(WasmRefTest(refType: refType), withInputs: inputs, types: types).output
         }
+
+        @discardableResult
+        public func wasmRefCast(_ ref: Variable, refType: ILType, typeDef: Variable? = nil) -> Variable {
+            let inputs = typeDef == nil ? [ref] : [ref, typeDef!]
+            let types: [ILType] = typeDef == nil ? [.wasmGenericRef] : [.wasmGenericRef, .wasmTypeDef()]
+            return b.emit(WasmRefCast(refType: refType), withInputs: inputs, types: types).output
+        }
+
     }
 
     public class WasmModule {

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -381,4 +381,6 @@ public let codeGeneratorWeights = [
     "WasmExternConvertAnyGenerator":            5,
     "WasmRefTestGenerator":                     5,
     "WasmRefTestAbstractGenerator":             5,
+    "WasmRefCastGenerator":                     5,
+    "WasmRefCastAbstractGenerator":             5,
 ]

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -387,6 +387,56 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         )
     },
 
+    CodeGenerator(
+        "WasmRefCastGenerator", inContext: .single(.wasmFunction),
+        inputs: .requiredComplex(.init(.wasmTypeDef())),
+        produces: [.wasmGenericRef]
+    ) { b, typeDef in
+        guard let abstractType =
+            b.type(of: typeDef).wasmTypeDefinition?.description?.abstractHeapSupertype?.heapType
+            as? WasmAbstractHeapType
+        else { fatalError("Invalid type description for \(b.type(of: typeDef))") }
+        let function = b.currentWasmModule.currentWasmFunction
+        let variable = switch abstractType {
+        case .WasmFunc, .WasmNoFunc:
+            function.findOrGenerateWasmVar(ofType: .wasmFuncRef())
+        case .WasmArray, .WasmStruct:
+            function.findOrGenerateWasmVar(ofType: .wasmAnyRef())
+        default:
+            fatalError("The type \(abstractType) shouldn't have a definition")
+        }
+        let refType = ILType.wasmRef(.Index(), nullability: Bool.random())
+        function.wasmRefCast(variable, refType: refType, typeDef: typeDef)
+    },
+
+    CodeGenerator(
+        "WasmRefCastAbstractGenerator", inContext: .single(.wasmFunction),
+        inputs: .required(.wasmGenericRef),
+        produces: [.wasmGenericRef]
+    ) { b, ref in
+        let function = b.currentWasmModule.currentWasmFunction
+        let heapType = switch b.type(of: ref).wasmReferenceType!.kind {
+            case .Abstract(let heapTypeInfo):
+                heapTypeInfo.heapType
+            case .Index(let desc):
+                desc.get()!.abstractHeapSupertype!.heapType
+        }
+        let incompatible: [WasmAbstractHeapType] = [.WasmStruct, .WasmArray, .WasmI31]
+        let chosenType = chooseUniform(
+            from: WasmAbstractHeapType.allCases.filter {
+                $0 != heapType &&
+                $0.inSameHierarchy(heapType) &&
+                (   // 90% of the time it won't contain two incompatible types
+                    probability(0.1) ||
+                    !(incompatible.contains($0) && incompatible.contains(heapType))
+                )
+            }
+        )
+        // TODO(pawkra): add shared variant.
+        let newType = ILType.wasmRef(.Abstract(HeapTypeInfo(chosenType, shared: false)), nullability: Bool.random())
+        function.wasmRefCast(ref, refType: newType)
+    },
+
     // Primitive Value Generators
 
     CodeGenerator(

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1615,6 +1615,10 @@ extension Instruction: ProtobufConvertible {
                 $0.wasmRefTest = Fuzzilli_Protobuf_WasmRefTest.with {
                     $0.type = ILTypeToWasmTypeEnum(op.type)
                 }
+            case .wasmRefCast(let op):
+                $0.wasmRefCast = Fuzzilli_Protobuf_WasmRefCast.with {
+                    $0.type = ILTypeToWasmTypeEnum(op.type)
+                }
             case .wasmRefI31(let op):
                 $0.wasmRefI31 = Fuzzilli_Protobuf_WasmRefI31.with {
                     $0.isShared = op.isShared
@@ -2594,6 +2598,8 @@ extension Instruction: ProtobufConvertible {
             op = WasmRefEq()
         case .wasmRefTest(let p):
             op = WasmRefTest(refType: WasmTypeEnumToILType(p.type))
+        case .wasmRefCast(let p):
+            op = WasmRefCast(refType: WasmTypeEnumToILType(p.type))
         case .wasmRefI31(let p):
             op = WasmRefI31(isShared: p.isShared)
         case .wasmI31Get(let p):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -949,6 +949,13 @@ public struct JSTyper: Analyzer {
                 setType(of: instr.output, to: .wasmi32)
             case .wasmRefTest(_):
                 setType(of: instr.output, to: .wasmi32)
+            case .wasmRefCast(let op):
+                if op.type.requiredInputCount() == 1 {
+                    let nullable = op.type.wasmReferenceType!.nullability
+                    setReferenceType(of: instr.output, typeDef: instr.input(1), nullability: nullable)
+                } else {
+                    setType(of: instr.output, to: op.type)
+                }
             case .wasmAnyConvertExtern(_):
                 // TODO(pawkra): forward shared bit & update the comment
                 // any.convert_extern forwards the nullability bit from the input.

Sources/Fuzzilli/FuzzIL/Opcodes.swift

@@ -368,4 +368,5 @@ enum Opcode {
     case wasmRefEq(WasmRefEq)
     case wasmRefTest(WasmRefTest)
     case wasmDefineAdHocModuleSignatureType(WasmDefineAdHocModuleSignatureType)
+    case wasmRefCast(WasmRefCast)
 }

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -2336,6 +2336,15 @@ class WasmRefTest: WasmOperation {
     }
 }
 
+class WasmRefCast: WasmOperation {
+    override var opcode: Opcode { .wasmRefCast(self) }
+    let type: ILType
+    init(refType: ILType) {
+        self.type = refType
+        super.init(numInputs: 1 + type.requiredInputCount(), numOutputs: 1, requiredContext: [.wasmFunction])
+    }
+}
+
 /// An atomic load from Wasm memory.
 /// The accessed address is base + offset.
 final class WasmAtomicLoad: WasmOperation {

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -1349,6 +1349,10 @@ public class FuzzILLifter: Lifter {
             let typeInput = op.type.requiredInputCount() > 0 ? " (IndexType: \(input(1)))" : ""
             w.emit("\(output()) <- WasmRefTest \(op.type) \(input(0))\(typeInput)")
 
+        case .wasmRefCast(let op):
+            let typeInput = op.type.requiredInputCount() > 0 ? " (IndexType: \(input(1)))" : ""
+            w.emit("\(output()) <- WasmRefCast \(op.type) \(input(0))\(typeInput)")
+
         case .wasmBeginTypeGroup(_):
             w.emit("WasmBeginTypeGroup")
             w.increaseIndentionLevel()

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -1795,7 +1795,8 @@ public class JavaScriptLifter: Lifter {
                  .wasmI31Get(_),
                  .wasmAnyConvertExtern(_),
                  .wasmExternConvertAny(_),
-                 .wasmRefTest(_):
+                 .wasmRefTest(_),
+                 .wasmRefCast(_):
                  fatalError("unreachable")
             }
 

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -584,6 +584,16 @@ public class WasmLifter {
         fatalError("This function supports only wasmReferenceType.")
     }
 
+    // Helper method in cases we have either abstract type represented by ILType or an index type Variable
+    private func encodeReferenceType(_ refType: WasmReferenceType, instr: Instruction, typeInput: Int) throws -> Data {
+        switch refType.kind {
+        case .Abstract(let heapTypeInfo):
+            return encodeAbstractHeapType(heapTypeInfo)
+        case .Index(_):
+            return try encodeWasmGCType(typer.getTypeDescription(of: instr.input(typeInput)))
+        }
+    }
+
     private func buildTypeEntry(for desc: WasmTypeDescription, data: inout Data) throws {
         if let arrayDesc = desc as? WasmArrayTypeDescription {
             data += [0x5E]
@@ -2200,13 +2210,13 @@ public class WasmLifter {
         case .wasmRefTest(let op):
             let refType = op.type.wasmReferenceType!
             let opCode: UInt8 = refType.nullability ? 0x15 : 0x14
-            let typeData = if refType.isAbstract() {
-                try encodeHeapType(op.type)
-            } else {
-                try encodeWasmGCType(typer.getTypeDescription(of: wasmInstruction.input(1)))
-            }
+            let typeData = try encodeReferenceType(refType, instr: wasmInstruction, typeInput: 1)
+            return Data([Prefix.GC.rawValue, opCode]) + typeData
+        case .wasmRefCast(let op):
+            let refType = op.type.wasmReferenceType!
+            let opCode: UInt8 = refType.nullability ? 0x17 : 0x16
+            let typeData = try encodeReferenceType(refType, instr: wasmInstruction, typeInput: 1)
             return Data([Prefix.GC.rawValue, opCode]) + typeData
-
         case .wasmDefineAdHocSignatureType(_):
             // Nothing to do here, types are defined inside the typegroups, not inside a wasm
             // function.