[wasm] Remove parameter and return types from WasmJsCall

Bug: 445356784
Change-Id: I0eb33e4e3f800919b5c92bf6ce48ded45d372ac5
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9108176
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Reviewed-by: Manos Koukoutos <manoskouk@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -3802,8 +3802,9 @@ public class ProgramBuilder {
 
         @discardableResult
         public func wasmJsCall(function: Variable, withArgs args: [Variable], withWasmSignature signature: WasmSignature) -> Variable? {
-            let instr = b.emit(WasmJsCall(signature: signature), withInputs: [function] + args,
-                types: [.function() | .object(ofGroup: "WasmSuspendingObject")] + signature.parameterTypes)
+            let signatureDef = b.wasmDefineAdHocSignatureType(signature: signature)
+            let instr = b.emit(WasmJsCall(parameterCount: signature.parameterTypes.count, outputCount: signature.outputTypes.count), withInputs: [signatureDef, function] + args,
+                types: [.wasmTypeDef(), .function() | .object(ofGroup: "WasmSuspendingObject")] + signature.parameterTypes)
             if signature.outputTypes.isEmpty {
                 assert(!instr.hasOutputs)
                 return nil

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1131,8 +1131,8 @@ extension Instruction: ProtobufConvertible {
                 $0.wasmReturn = Fuzzilli_Protobuf_WasmReturn()
             case .wasmJsCall(let op):
                 $0.wasmJsCall = Fuzzilli_Protobuf_WasmJsCall.with {
-                    $0.parameterTypes = op.functionSignature.parameterTypes.map(ILTypeToWasmTypeEnum)
-                    $0.outputTypes = op.functionSignature.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.parameterCount = Int32(op.parameterCount)
+                    $0.outputCount = Int32(op.outputCount)
                 }
             case .wasmi32CompareOp(let op):
                 $0.wasmi32CompareOp = Fuzzilli_Protobuf_Wasmi32CompareOp.with { $0.compareOperator = Int32(op.compareOpKind.rawValue) }
@@ -2287,9 +2287,7 @@ extension Instruction: ProtobufConvertible {
         case .wasmReturn(_):
             op = WasmReturn(returnCount: inouts.count)
         case .wasmJsCall(let p):
-            let parameters = p.parameterTypes.map(WasmTypeEnumToILType)
-            let outputs = p.outputTypes.map(WasmTypeEnumToILType)
-            op = WasmJsCall(signature: parameters => outputs)
+            op = WasmJsCall(parameterCount: Int(p.parameterCount), outputCount: Int(p.outputCount))
 
         // Wasm Numerical Operations
         case .wasmi32CompareOp(let p):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -803,14 +803,15 @@ public struct JSTyper: Analyzer {
                 registerWasmMemoryUse(for: instr.input(0))
                 setType(of: instr.output, to: isMemory64 ? .wasmi64 : .wasmi32)
             case .wasmJsCall(let op):
-                let sigOutputTypes = op.functionSignature.outputTypes
+                let wasmSignature = type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                let sigOutputTypes = wasmSignature.outputTypes
                 assert(sigOutputTypes.count < 2, "multi-return js calls are not supported")
                 if !sigOutputTypes.isEmpty {
                     setType(of: instr.output, to: sigOutputTypes[0])
                 }
-                let definingInstruction = defUseAnalyzer.definition(of: instr.input(0))
+                let definingInstruction = defUseAnalyzer.definition(of: instr.input(1))
                 // Here we query the typer for the signature of the instruction as that is the correct "JS" Signature instead of taking the call-site specific converted wasm signature.
-                dynamicObjectGroupManager.addWasmFunction(withSignature: type(of: instr.input(0)).signature ?? Signature.forUnknownFunction, forDefinition: definingInstruction, forVariable: instr.input(0))
+                dynamicObjectGroupManager.addWasmFunction(withSignature: type(of: instr.input(1)).signature ?? Signature.forUnknownFunction, forDefinition: definingInstruction, forVariable: instr.input(1))
             case .beginWasmFunction(let op):
                 wasmTypeBeginBlock(instr, op.signature)
             case .endWasmFunction(let op):

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -1225,12 +1225,12 @@ final class WasmDropDataSegment: WasmOperation {
 final class WasmJsCall: WasmOperation {
     override var opcode: Opcode { .wasmJsCall(self) }
 
-    let functionSignature: WasmSignature
-
-    init(signature: WasmSignature) {
-        self.functionSignature = signature
-        super.init(numInputs: 1 + signature.parameterTypes.count, numOutputs: signature.outputTypes.count, requiredContext: [.wasmFunction])
+    init(parameterCount: Int, outputCount: Int) {
+        super.init(numInputs: 2 + parameterCount, numOutputs: outputCount, requiredContext: [.wasmFunction])
     }
+
+    var parameterCount: Int { numInputs - 2 }
+    var outputCount: Int { numOutputs }
 }
 
 final class WasmSelect: WasmOperation {

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -1046,13 +1046,13 @@ public class FuzzILLifter: Lifter {
 
         case .wasmJsCall(let op):
             var arguments: [Variable] = []
-            for i in 0..<op.functionSignature.parameterTypes.count {
-                arguments.append(instr.input(i + 1))
+            for i in 0..<op.parameterCount {
+                arguments.append(instr.input(i + 2))
             }
-            if op.functionSignature.outputTypes.isEmpty {
-                w.emit("WasmJsCall(\(op.functionSignature)) \(instr.input(0)) [\(liftCallArguments(arguments[...]))]")
+            if op.outputCount == 0 {
+                w.emit("WasmJsCall \(instr.input(1)) [\(liftCallArguments(arguments[...]))]")
             } else {
-                w.emit("\(output()) <- WasmJsCall(\(op.functionSignature)) \(instr.input(0)) [\(liftCallArguments(arguments[...]))]")
+                w.emit("\(output()) <- WasmJsCall \(instr.input(1)) [\(liftCallArguments(arguments[...]))]")
             }
 
         case .wasmCallIndirect(let op):

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -1483,8 +1483,9 @@ public class WasmLifter {
                 // Special handling for functions, we only expect them in WasmJSCalls, and WasmDefineTable instructions right now.
                 // We can treat the suspendingObjects as function imports.
                 if inputType.Is(.function()) || inputType.Is(.object(ofGroup: "WasmSuspendingObject")) {
-                    if case .wasmJsCall(let op) = instr.op.opcode {
-                        importIfNeeded(.import(type: .function(nil), variable: input, signature: op.functionSignature))
+                    if case .wasmJsCall(_) = instr.op.opcode {
+                        let wasmSignature = typer.type(of: instr.input(0)).wasmFunctionSignatureDefSignature
+                        importIfNeeded(.import(type: .function(nil), variable: input, signature: wasmSignature))
                     } else if case .wasmDefineTable(let op) = instr.op.opcode {
                         // Find the signature in the defined entries
                         let sig = op.definedEntries[idx].signature
@@ -1887,9 +1888,9 @@ public class WasmLifter {
             let dstTableIdx = try resolveIdx(ofType: .table, for: wasmInstruction.input(0))
             let srcTableIdx = try resolveIdx(ofType: .table, for: wasmInstruction.input(1))
             return Data([0xFC, 0x0e]) + Leb128.unsignedEncode(dstTableIdx) + Leb128.unsignedEncode(srcTableIdx)
-        case .wasmJsCall(let op):
+        case .wasmJsCall(_):
             // We filter first, such that we get the index of functions only.
-            let wasmSignature = op.functionSignature
+            let wasmSignature = typer.type(of: wasmInstruction.input(0)).wasmFunctionSignatureDefSignature
 
             // This has somewhat special handling as we might have multiple imports for this variable, we also need to get the right index that matches that signature that we expect here.
             // TODO(cffsmith): consider adding that signature matching feature to resolveIdx.
@@ -1900,7 +1901,7 @@ public class WasmLifter {
                     return false
                 }
             }).firstIndex(where: {
-                wasmInstruction.input(0) == $0.getImport()!.variable && wasmSignature == $0.getImport()!.signature
+                wasmInstruction.input(1) == $0.getImport()!.variable && wasmSignature == $0.getImport()!.signature
             }) {
                 return Data([0x10]) + Leb128.unsignedEncode(index)
             } else {

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -4208,9 +4208,9 @@ public struct Fuzzilli_Protobuf_WasmJsCall: Sendable {
   // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
   // methods supported on all messages.
 
-  public var parameterTypes: [Fuzzilli_Protobuf_WasmILType] = []
+  public var parameterCount: Int32 = 0
 
-  public var outputTypes: [Fuzzilli_Protobuf_WasmILType] = []
+  public var outputCount: Int32 = 0
 
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
@@ -11759,34 +11759,34 @@ extension Fuzzilli_Protobuf_EndWasmFunction: SwiftProtobuf.Message, SwiftProtobu
 
 extension Fuzzilli_Protobuf_WasmJsCall: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".WasmJsCall"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterTypes\0\u{1}outputTypes\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterCount\0\u{1}outputCount\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
       // The use of inline closures is to circumvent an issue where the compiler
       // allocates stack space for every case branch when no optimizations are
       // enabled. https://github.com/apple/swift-protobuf/issues/1034
       switch fieldNumber {
-      case 1: try { try decoder.decodeRepeatedMessageField(value: &self.parameterTypes) }()
-      case 2: try { try decoder.decodeRepeatedMessageField(value: &self.outputTypes) }()
+      case 1: try { try decoder.decodeSingularInt32Field(value: &self.parameterCount) }()
+      case 2: try { try decoder.decodeSingularInt32Field(value: &self.outputCount) }()
       default: break
       }
     }
   }
 
   public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
-    if !self.parameterTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.parameterTypes, fieldNumber: 1)
+    if self.parameterCount != 0 {
+      try visitor.visitSingularInt32Field(value: self.parameterCount, fieldNumber: 1)
     }
-    if !self.outputTypes.isEmpty {
-      try visitor.visitRepeatedMessageField(value: self.outputTypes, fieldNumber: 2)
+    if self.outputCount != 0 {
+      try visitor.visitSingularInt32Field(value: self.outputCount, fieldNumber: 2)
     }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_WasmJsCall, rhs: Fuzzilli_Protobuf_WasmJsCall) -> Bool {
-    if lhs.parameterTypes != rhs.parameterTypes {return false}
-    if lhs.outputTypes != rhs.outputTypes {return false}
+    if lhs.parameterCount != rhs.parameterCount {return false}
+    if lhs.outputCount != rhs.outputCount {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }

Sources/Fuzzilli/Protobuf/operations.proto

@@ -939,8 +939,8 @@ message EndWasmFunction {
 }
 
 message WasmJsCall {
-  repeated WasmILType parameterTypes = 1;
-  repeated WasmILType outputTypes = 2;
+  int32 parameterCount = 1;
+  int32 outputCount = 2;
 }
 
 message Wasmi32CompareOp {

Tests/FuzzilliTests/WasmTests.swift

@@ -6539,7 +6539,8 @@ class WasmSpliceTests: XCTestCase {
             module.addWasmFunction(with: [] => []) { function, label, args in
                 let argument = function.consti32(1337)
                 let signature = ProgramBuilder.convertJsSignatureToWasmSignature([.number] => .integer, availableTypes: WeightedList([(.wasmi32, 1)]))
-                splicePoint = b.indexOfNextInstruction()
+                // +1 for the wasm-gc signature type that is created implicitly.
+                splicePoint = b.indexOfNextInstruction() + 1
                 function.wasmJsCall(function: f, withArgs: [argument], withWasmSignature: signature)
                 return []
             }
@@ -6583,7 +6584,8 @@ class WasmSpliceTests: XCTestCase {
             module.addWasmFunction(with: [] => []) { function, label, args in
                 let argument = function.consti32(1337)
                 let signature = ProgramBuilder.convertJsSignatureToWasmSignature([.number] => .integer, availableTypes: WeightedList([(.wasmi32, 1)]))
-                splicePoint = b.indexOfNextInstruction()
+                // +1 for the wasm-gc signature type that is created implicitly.
+                splicePoint = b.indexOfNextInstruction() + 1
                 function.wasmJsCall(function: f, withArgs: [argument], withWasmSignature: signature)
                 return []
             }