[wasm] Add superType input to WasmDefineSignatureType

This CL adds an optional superType input to the WasmDefineSignatureType
JS operation. It also extends WasmSignatureTypeDescription to take an
optional superType parameter that it passes on to the
WasmTypeDescription constructor.

Bug: 517707090
Change-Id: I0b6aa71450534d0a113d8bd4f3d57195d2d7245d
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9358622
Commit-Queue: Leon Bettscheider <bettscheider@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>

Author: leonbett

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -6463,8 +6463,44 @@ public class ProgramBuilder {
     }
 
     @discardableResult
-    func wasmDefineSignatureType(signature: WasmSignature, indexTypes: [Variable]) -> Variable {
-        return emit(WasmDefineSignatureType(signature: signature), withInputs: indexTypes).output
+    func wasmDefineSignatureType(
+        signature: WasmSignature, indexTypes: [Variable], superType: Variable? = nil
+    ) -> Variable {
+        var inputs: [Variable] = []
+        if let superType {
+            let superTypeDesc = type(of: superType).wasmTypeDefinition?.description
+            assert(
+                superTypeDesc != .selfReference, "Supertype cannot be a forward or self-reference")
+            guard let superSigType = superTypeDesc as? WasmSignatureTypeDescription else {
+                fatalError("Supertype of a signature must be a signature type")
+            }
+
+            assert(signature.parameterTypes.count == superSigType.signature.parameterTypes.count)
+            assert(signature.outputTypes.count == superSigType.signature.outputTypes.count)
+
+            // Contravariant parameters
+            for (superParam, subParam) in zip(
+                superSigType.signature.parameterTypes, signature.parameterTypes)
+            {
+                assert(subParam.subsumes(superParam))
+            }
+
+            // Covariant outputs
+            for (superOutput, subOutput) in zip(
+                superSigType.signature.outputTypes, signature.outputTypes)
+            {
+                assert(superOutput.subsumes(subOutput))
+            }
+
+            inputs.append(superType)
+        }
+
+        inputs += indexTypes
+
+        return emit(
+            WasmDefineSignatureType(signature: signature, hasSuperType: superType != nil),
+            withInputs: inputs
+        ).output
     }
 
     /// Like wasmDefineSignatureType but instead of within a type group this defines a signature

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1750,6 +1750,7 @@ extension Instruction: ProtobufConvertible {
                 $0.wasmDefineSignatureType = Fuzzilli_Protobuf_WasmDefineSignatureType.with {
                     $0.parameterTypes = op.signature.parameterTypes.map(ILTypeToWasmTypeEnum)
                     $0.outputTypes = op.signature.outputTypes.map(ILTypeToWasmTypeEnum)
+                    $0.hasSuperType_p = op.hasSuperType
                 }
             case .wasmDefineArrayType(let op):
                 $0.wasmDefineArrayType = Fuzzilli_Protobuf_WasmDefineArrayType.with {
@@ -2921,7 +2922,8 @@ extension Instruction: ProtobufConvertible {
         case .wasmDefineSignatureType(let p):
             op = WasmDefineSignatureType(
                 signature: p.parameterTypes.map(WasmTypeEnumToILType)
-                    => p.outputTypes.map(WasmTypeEnumToILType))
+                    => p.outputTypes.map(WasmTypeEnumToILType),
+                hasSuperType: p.hasSuperType_p)
         case .wasmDefineAdHocSignatureType(let p):
             op = WasmDefineAdHocSignatureType(
                 signature: p.parameterTypes.map(WasmTypeEnumToILType)

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -513,7 +513,9 @@ public struct JSTyper: Analyzer {
     }
 
     mutating func addSignatureType(
-        def: Variable, signature: WasmSignature, inputs: ArraySlice<Variable>, isAdHoc: Bool = false
+        def: Variable, signature: WasmSignature, inputs: ArraySlice<Variable>,
+        isAdHoc: Bool = false,
+        concreteHeapSupertype: WasmTypeDescription? = nil
     ) {
         assert(isWithinTypeGroup)
         var inputs = inputs.makeIterator()
@@ -571,7 +573,8 @@ public struct JSTyper: Analyzer {
                 description: WasmSignatureTypeDescription(
                     signature: resolvedParameterTypes => resolvedOutputTypes,
                     typeGroupIndex: tgIndex,
-                    isAdHoc: isAdHoc)))
+                    isAdHoc: isAdHoc,
+                    concreteHeapSupertype: concreteHeapSupertype)))
         typeGroups[typeGroups.count - 1].append(def)
     }
 
@@ -2514,7 +2517,12 @@ public struct JSTyper: Analyzer {
             }
 
         case .wasmDefineSignatureType(let op):
-            addSignatureType(def: instr.output, signature: op.signature, inputs: instr.inputs)
+            let concreteHeapSupertype =
+                op.hasSuperType ? getTypeDescription(of: instr.inputs.first!) : nil
+            let sigInputs = op.hasSuperType ? instr.inputs.dropFirst() : instr.inputs
+            addSignatureType(
+                def: instr.output, signature: op.signature, inputs: sigInputs,
+                concreteHeapSupertype: concreteHeapSupertype)
 
         case .wasmDefineArrayType(let op):
             let elementRef = op.elementType.requiredInputCount() == 1 ? instr.inputs.last! : nil

Sources/Fuzzilli/FuzzIL/JsOperations.swift

@@ -2902,12 +2902,16 @@ class WasmDefineStructType: WasmTypeOperation {
 class WasmDefineSignatureType: WasmTypeOperation {
     override var opcode: Opcode { .wasmDefineSignatureType(self) }
     let signature: WasmSignature
+    let hasSuperType: Bool
 
-    init(signature: WasmSignature) {
+    init(signature: WasmSignature, hasSuperType: Bool = false) {
         self.signature = signature
-        let numInputs = (signature.outputTypes + signature.parameterTypes).map {
-            $0.requiredInputCount()
-        }.reduce(0) { $0 + $1 }
+        self.hasSuperType = hasSuperType
+        let numInputs =
+            (hasSuperType ? 1 : 0)
+            + (signature.outputTypes + signature.parameterTypes).map {
+                $0.requiredInputCount()
+            }.reduce(0) { $0 + $1 }
         super.init(numInputs: numInputs, numOutputs: 1, requiredContext: [.wasmTypeGroup])
     }
 }

Sources/Fuzzilli/FuzzIL/TypeSystem.swift

@@ -2718,13 +2718,17 @@ class WasmSignatureTypeDescription: WasmTypeDescription {
     var signature: WasmSignature
     let isAdHoc: Bool
 
-    init(signature: WasmSignature, typeGroupIndex: Int, isAdHoc: Bool = false) {
+    init(
+        signature: WasmSignature, typeGroupIndex: Int, isAdHoc: Bool = false,
+        concreteHeapSupertype: WasmTypeDescription? = nil
+    ) {
         self.signature = signature
         self.isAdHoc = isAdHoc
         // TODO(pawkra): support shared variant.
         super.init(
             typeGroupIndex: typeGroupIndex,
-            abstractHeapSupertype: HeapTypeInfo.init(.WasmFunc, shared: false))
+            abstractHeapSupertype: HeapTypeInfo.init(.WasmFunc, shared: false),
+            concreteHeapSupertype: concreteHeapSupertype)
     }
 
     override func format(abbreviate: Bool) -> String {

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -1632,8 +1632,12 @@ public class FuzzILLifter: Lifter {
             w.emit("\(outputs) <- WasmEndTypeGroup [\(inputs)]")
 
         case .wasmDefineSignatureType(let op):
-            let inputs = instr.inputs.map(lift).joined(separator: ", ")
-            w.emit("\(output()) <- WasmDefineSignatureType(\(op.signature)) [\(inputs)]")
+            let superTypeInput = op.hasSuperType ? " superType=\(lift(instr.inputs.first!))" : ""
+            let sigInputs = (op.hasSuperType ? instr.inputs.dropFirst() : instr.inputs).map(lift)
+                .joined(separator: ", ")
+            w.emit(
+                "\(output()) <- WasmDefineSignatureType(\(op.signature))\(superTypeInput) [\(sigInputs)]"
+            )
 
         case .wasmDefineAdHocSignatureType(let op):
             let inputs = instr.inputs.map(lift).joined(separator: ", ")

Sources/Fuzzilli/Protobuf/operations.pb.swift

@@ -5849,6 +5849,8 @@ public struct Fuzzilli_Protobuf_WasmDefineSignatureType: Sendable {
 
   public var outputTypes: [Fuzzilli_Protobuf_WasmILType] = []
 
+  public var hasSuperType_p: Bool = false
+
   public var unknownFields = SwiftProtobuf.UnknownStorage()
 
   public init() {}
@@ -15330,7 +15332,7 @@ extension Fuzzilli_Protobuf_WasmEndTypeGroup: SwiftProtobuf.Message, SwiftProtob
 
 extension Fuzzilli_Protobuf_WasmDefineSignatureType: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
   public static let protoMessageName: String = _protobuf_package + ".WasmDefineSignatureType"
-  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterTypes\0\u{1}outputTypes\0")
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap(bytecode: "\0\u{1}parameterTypes\0\u{1}outputTypes\0\u{1}hasSuperType\0")
 
   public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
     while let fieldNumber = try decoder.nextFieldNumber() {
@@ -15340,6 +15342,7 @@ extension Fuzzilli_Protobuf_WasmDefineSignatureType: SwiftProtobuf.Message, Swif
       switch fieldNumber {
       case 1: try { try decoder.decodeRepeatedMessageField(value: &self.parameterTypes) }()
       case 2: try { try decoder.decodeRepeatedMessageField(value: &self.outputTypes) }()
+      case 3: try { try decoder.decodeSingularBoolField(value: &self.hasSuperType_p) }()
       default: break
       }
     }
@@ -15352,12 +15355,16 @@ extension Fuzzilli_Protobuf_WasmDefineSignatureType: SwiftProtobuf.Message, Swif
     if !self.outputTypes.isEmpty {
       try visitor.visitRepeatedMessageField(value: self.outputTypes, fieldNumber: 2)
     }
+    if self.hasSuperType_p != false {
+      try visitor.visitSingularBoolField(value: self.hasSuperType_p, fieldNumber: 3)
+    }
     try unknownFields.traverse(visitor: &visitor)
   }
 
   public static func ==(lhs: Fuzzilli_Protobuf_WasmDefineSignatureType, rhs: Fuzzilli_Protobuf_WasmDefineSignatureType) -> Bool {
     if lhs.parameterTypes != rhs.parameterTypes {return false}
     if lhs.outputTypes != rhs.outputTypes {return false}
+    if lhs.hasSuperType_p != rhs.hasSuperType_p {return false}
     if lhs.unknownFields != rhs.unknownFields {return false}
     return true
   }

Sources/Fuzzilli/Protobuf/operations.proto

@@ -1500,6 +1500,7 @@ message WasmEndTypeGroup {
 message WasmDefineSignatureType {
     repeated WasmILType parameterTypes = 1;
     repeated WasmILType outputTypes = 2;
+    bool hasSuperType = 3;
 }
 
 message WasmDefineAdHocSignatureType {

Tests/FuzzilliTests/TypeSystemTest.swift

@@ -1682,6 +1682,16 @@ class TypeSystemTests: XCTestCase {
         XCTAssertFalse(subStructDescMultiWidthAndDepth.subsumes(superStructDescMulti))
     }
 
+    func testWasmSignatureSubtypingRules() {
+        let superSigDesc = WasmSignatureTypeDescription(
+            signature: [] => [], typeGroupIndex: 0)
+        let subSigDesc = WasmSignatureTypeDescription(
+            signature: [] => [], typeGroupIndex: 1, concreteHeapSupertype: superSigDesc)
+
+        XCTAssertTrue(superSigDesc.subsumes(subSigDesc))
+        XCTAssertFalse(subSigDesc.subsumes(superSigDesc))
+    }
+
     func testWasmTypeExtensionUnionTypeExtensionVsWasmTypeExtension() {
         let tagA = ILType.object(ofGroup: "WasmTag", withWasmType: WasmTagType([.wasmi32]))
         let tagB = ILType.object(ofGroup: "WasmTag", withWasmType: WasmTagType([.wasmi64]))