Add support for memory.copy instruction

pkk33 · V8-internal LUCI CQ · commit 38f4ca1d0715 · 2025-09-01T03:31:53.000-07:00
Bug: 427115604 Change-Id: I523ff10c7ecdefeb98b523ebfbc3783c3bef4bf7 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8539457 Commit-Queue: Pawel Krawczyk <pawkra@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com> Auto-Submit: Pawel Krawczyk <pawkra@google.com>
diff --git a/Sources/Fuzzilli/Base/ProgramBuilder.swift b/Sources/Fuzzilli/Base/ProgramBuilder.swift
@@ -3367,6 +3367,16 @@ public class ProgramBuilder {
                 types: [.object(ofGroup: "WasmMemory"), addrType]).output
         }
 
+        public func wasmMemoryCopy(dstMemory: Variable, srcMemory: Variable,  dstOffset: Variable, srcOffset: Variable, size: Variable) {
+            let dstMemoryType = b.type(of: dstMemory).wasmMemoryType!
+            let srcMemoryType = b.type(of: srcMemory).wasmMemoryType!
+            assert(dstMemoryType.isMemory64 == srcMemoryType.isMemory64)
+
+            let addrType = dstMemoryType.addrType
+            b.emit(WasmMemoryCopy(), withInputs: [dstMemory, srcMemory, dstOffset, srcOffset, size],
+                types: [.object(ofGroup: "WasmMemory"), .object(ofGroup: "WasmMemory"), addrType, addrType, addrType])
+        }
+
         public func wasmMemoryFill(memory: Variable, offset: Variable, byteToSet: Variable, nrOfBytesToUpdate: Variable) {
             let addrType = b.type(of: memory).wasmMemoryType!.addrType
             b.emit(WasmMemoryFill(), withInputs: [memory, offset, byteToSet, nrOfBytesToUpdate],
diff --git a/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift b/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift
@@ -228,6 +228,7 @@ public let codeGeneratorWeights = [
     "WasmAtomicCmpxchgGenerator":               10,
     "WasmMemorySizeGenerator":                  5,
     "WasmMemoryGrowGenerator":                  1,
+    "WasmMemoryCopyGenerator":                  5,
     "WasmMemoryFillGenerator":                  5,
     "WasmMemoryInitGenerator":                  5,
     "WasmDefineGlobalGenerator":                2,
diff --git a/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift b/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift
@@ -420,6 +420,31 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         function.wasmMemoryGrow(memory: memory, growByPages: growBy)
     },
 
+    CodeGenerator("WasmMemoryCopyGenerator", inContext: .wasmFunction, inputs: .required(.object(ofGroup: "WasmMemory"))) { b, srcMemory in
+        let function = b.currentWasmModule.currentWasmFunction
+        let srcMemoryTypeInfo = b.type(of: srcMemory).wasmMemoryType!
+        let dstMemory = b.findVariable {v in
+          let type = b.type(of: v)
+          return type.Is(.object(ofGroup: "WasmMemory"))
+              && type.wasmMemoryType!.isMemory64 == srcMemoryTypeInfo.isMemory64
+        }!
+        let dstMemoryTypeInfo = b.type(of: srcMemory).wasmMemoryType!
+        let memArg = {v in function.memoryArgument(v, dstMemoryTypeInfo)}
+
+        let srcMemSize = srcMemoryTypeInfo.limits.min * WasmConstants.specWasmMemPageSize
+        let dstMemSize = dstMemoryTypeInfo.limits.min * WasmConstants.specWasmMemPageSize
+        let srcOffsetValue = b.randomNonNegativeIndex(upTo: Int64(srcMemSize))
+        let srcOffset = memArg(srcOffsetValue)
+        let dstOffsetValue = b.randomNonNegativeIndex(upTo: Int64(dstMemSize))
+        let dstOffset = memArg(dstOffsetValue)
+
+        let maxCopySize = min(Int64(srcMemSize) - srcOffsetValue, Int64(dstMemSize) - dstOffsetValue)
+        let copySizeValue = b.randomSize(upTo:maxCopySize)
+        let copySize = memArg(copySizeValue)
+
+        function.wasmMemoryCopy(dstMemory: dstMemory, srcMemory: srcMemory, dstOffset: dstOffset, srcOffset: srcOffset, size: copySize)
+    },
+
     CodeGenerator("WasmMemoryFillGenerator", inContext: .wasmFunction, inputs: .required(.object(ofGroup: "WasmMemory"))) { b, memory in
         if (b.hasZeroPages(memory: memory)) { return }
 
@@ -446,7 +471,7 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         let memoryOffset = function.memoryArgument(memoryOffsetValue, memoryTypeInfo)
 
         let dataSegmentTypeInfo = b.type(of: dataSegment).wasmDataSegmentType!
-        let dataSegmentOffsetValue = b.randomSize(upTo: Int64(dataSegmentTypeInfo.segmentLength))
+        let dataSegmentOffsetValue = b.randomNonNegativeIndex(upTo: Int64(dataSegmentTypeInfo.segmentLength))
         let dataSegmentOffset = function.consti32(Int32(dataSegmentOffsetValue))
 
         let maxNrOfBytesToUpdate = min(memSize - memoryOffsetValue, Int64(dataSegmentTypeInfo.segmentLength) - dataSegmentOffsetValue)
diff --git a/Sources/Fuzzilli/FuzzIL/Instruction.swift b/Sources/Fuzzilli/FuzzIL/Instruction.swift
@@ -1331,6 +1331,8 @@ extension Instruction: ProtobufConvertible {
                 $0.wasmTableSize = Fuzzilli_Protobuf_WasmTableSize()
             case .wasmTableGrow(_):
                 $0.wasmTableGrow = Fuzzilli_Protobuf_WasmTableGrow()
+            case .wasmMemoryCopy(_):
+                $0.wasmMemoryCopy = Fuzzilli_Protobuf_WasmMemoryCopy()
             case .wasmMemoryFill(_):
                 $0.wasmMemoryFill = Fuzzilli_Protobuf_WasmMemoryFill()
             case .wasmMemoryInit(_):
@@ -2365,6 +2367,8 @@ extension Instruction: ProtobufConvertible {
             op = WasmTableSize()
         case .wasmTableGrow(_):
             op = WasmTableGrow()
+        case .wasmMemoryCopy(_):
+            op = WasmMemoryCopy()
         case .wasmMemoryFill(_):
             op = WasmMemoryFill()
         case .wasmMemoryInit(_):
diff --git a/Sources/Fuzzilli/FuzzIL/Opcodes.swift b/Sources/Fuzzilli/FuzzIL/Opcodes.swift
@@ -351,4 +351,5 @@ enum Opcode {
     case wasmI31Get(WasmI31Get)
     case wasmAnyConvertExtern(WasmAnyConvertExtern)
     case wasmExternConvertAny(WasmExternConvertAny)
+    case wasmMemoryCopy(WasmMemoryCopy)
 }
diff --git a/Sources/Fuzzilli/FuzzIL/WasmOperations.swift b/Sources/Fuzzilli/FuzzIL/WasmOperations.swift
@@ -1159,6 +1159,15 @@ class WasmMemoryFill: WasmOperation {
     }
 }
 
+class WasmMemoryCopy: WasmOperation {
+    override var opcode: Opcode { .wasmMemoryCopy(self) }
+
+    init() {
+        super.init(
+            numInputs: 5, numOutputs: 0, requiredContext: [.wasmFunction])
+    }
+}
+
 class WasmMemoryInit: WasmOperation {
     override var opcode: Opcode { .wasmMemoryInit(self) }
 
diff --git a/Sources/Fuzzilli/Lifting/FuzzILLifter.swift b/Sources/Fuzzilli/Lifting/FuzzILLifter.swift
@@ -878,8 +878,11 @@ public class FuzzILLifter: Lifter {
         case .wasmMemoryFill(_):
             w.emit("WasmMemoryFill \(input(0)), \(input(1)), \(input(2)), \(input(3))")
 
+        case .wasmMemoryCopy(_):
+            w.emit("WasmMemoryCopy \(input(0)), \(input(1)), \(input(2)), \(input(3)), \(input(4))")
+
         case .wasmMemoryInit(_):
-            w.emit("WasmMemoryInit \(input(0)), \(input(1)), \(input(2)), \(input(3)) \(input(4))")
+            w.emit("WasmMemoryInit \(input(0)), \(input(1)), \(input(2)), \(input(3)), \(input(4))")
 
         case .wasmDropDataSegment(_):
             w.emit("WasmDropDataSegment \(input(0))")
diff --git a/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift b/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -1644,6 +1644,7 @@ public class JavaScriptLifter: Lifter {
                  .wasmAtomicCmpxchg(_),
                  .wasmMemorySize(_),
                  .wasmMemoryGrow(_),
+                 .wasmMemoryCopy(_),
                  .wasmMemoryFill(_),
                  .wasmMemoryInit(_),
                  .wasmDropDataSegment(_),
diff --git a/Sources/Fuzzilli/Lifting/WasmLifter.swift b/Sources/Fuzzilli/Lifting/WasmLifter.swift
@@ -1829,6 +1829,10 @@ public class WasmLifter {
         case .wasmMemoryGrow(_):
             let memoryIdx = try resolveIdx(ofType: .memory, for: wasmInstruction.input(0))
             return Data([0x40]) + Leb128.unsignedEncode(memoryIdx)
+        case .wasmMemoryCopy(_):
+            let dstMemIdx = try resolveIdx(ofType: .memory, for: wasmInstruction.input(0))
+            let srcMemIdx = try resolveIdx(ofType: .memory, for: wasmInstruction.input(1))
+            return Data([0xFC, 0x0a]) + Leb128.unsignedEncode(dstMemIdx) + Leb128.unsignedEncode(srcMemIdx)
         case .wasmMemoryFill(_):
             let memoryIdx = try resolveIdx(ofType: .memory, for: wasmInstruction.input(0))
             return Data([0xFC, 0x0b]) + Leb128.unsignedEncode(memoryIdx)
diff --git a/Sources/Fuzzilli/Mutators/OperationMutator.swift b/Sources/Fuzzilli/Mutators/OperationMutator.swift
@@ -620,6 +620,7 @@ public class OperationMutator: BaseInstructionMutator {
              .wasmSignExtend32Intoi64(_),
              .wasmMemorySize(_),
              .wasmMemoryGrow(_),
+             .wasmMemoryCopy(_),
              .wasmMemoryFill(_),
              .wasmTableSize(_),
              .wasmTableGrow(_),
diff --git a/Sources/Fuzzilli/Protobuf/operations.pb.swift b/Sources/Fuzzilli/Protobuf/operations.pb.swift
@@ -5925,6 +5925,16 @@ public struct Fuzzilli_Protobuf_WasmMemoryInit: Sendable {
   public init() {}
 }
 
+public struct Fuzzilli_Protobuf_WasmMemoryCopy: Sendable {
+  // SwiftProtobuf.Message conformance is added in an extension below. See the
+  // `Message` and `Message+*Additions` files in the SwiftProtobuf library for
+  // methods supported on all messages.
+
+  public var unknownFields = SwiftProtobuf.UnknownStorage()
+
+  public init() {}
+}
+
 // MARK: - Code below here is support for the SwiftProtobuf runtime.
 
 fileprivate let _protobuf_package = "fuzzilli.protobuf"
@@ -15304,3 +15314,22 @@ extension Fuzzilli_Protobuf_WasmMemoryInit: SwiftProtobuf.Message, SwiftProtobuf
     return true
   }
 }
+
+extension Fuzzilli_Protobuf_WasmMemoryCopy: SwiftProtobuf.Message, SwiftProtobuf._MessageImplementationBase, SwiftProtobuf._ProtoNameProviding {
+  public static let protoMessageName: String = _protobuf_package + ".WasmMemoryCopy"
+  public static let _protobuf_nameMap = SwiftProtobuf._NameMap()
+
+  public mutating func decodeMessage<D: SwiftProtobuf.Decoder>(decoder: inout D) throws {
+    // Load everything into unknown fields
+    while try decoder.nextFieldNumber() != nil {}
+  }
+
+  public func traverse<V: SwiftProtobuf.Visitor>(visitor: inout V) throws {
+    try unknownFields.traverse(visitor: &visitor)
+  }
+
+  public static func ==(lhs: Fuzzilli_Protobuf_WasmMemoryCopy, rhs: Fuzzilli_Protobuf_WasmMemoryCopy) -> Bool {
+    if lhs.unknownFields != rhs.unknownFields {return false}
+    return true
+  }
+}
diff --git a/Sources/Fuzzilli/Protobuf/operations.proto b/Sources/Fuzzilli/Protobuf/operations.proto
@@ -1647,3 +1647,6 @@ message WasmDropDataSegment {
 
 message WasmMemoryInit {
 }
+
+message WasmMemoryCopy {
+}
diff --git a/Sources/Fuzzilli/Protobuf/program.pb.swift b/Sources/Fuzzilli/Protobuf/program.pb.swift
diff --git a/Sources/Fuzzilli/Protobuf/program.proto b/Sources/Fuzzilli/Protobuf/program.proto
@@ -347,6 +347,7 @@ message Instruction {
         WasmI31Get wasmI31Get = 321;
         WasmAnyConvertExtern wasmAnyConvertExtern = 322;
         WasmExternConvertAny wasmExternConvertAny = 323;
+        WasmMemoryCopy wasmMemoryCopy = 324;
     }
 }
 
diff --git a/Tests/FuzzilliTests/WasmTests.swift b/Tests/FuzzilliTests/WasmTests.swift
@@ -1627,6 +1627,53 @@ class WasmFoundationTests: XCTestCase {
         try memoryBulkOperations(isMemory64: true)
     }
 
+    func memoryCopy(isMemory64: Bool) throws {
+        let runner = try GetJavaScriptExecutorOrSkipTest()
+
+        let jsProg = buildAndLiftProgram() { b in
+            let module = b.buildWasmModule { wasmModule in
+                let mem1 = wasmModule.addMemory(minPages: 1, maxPages: 2, isMemory64: isMemory64)
+                let mem2 = wasmModule.addMemory(minPages: 1, maxPages: 2, isMemory64: isMemory64)
+                let memTypeInfo = b.type(of: mem1).wasmMemoryType!
+
+                wasmModule.addWasmFunction(with: [] => [.wasmi32, .wasmi32, .wasmi32]) { function, _, _ in
+                    let setValueAtOffset = { (value: Int32, offsetValue: Int64) -> () in
+                        let valToSet = function.consti32(value)
+                        let offset = function.memoryArgument(offsetValue, memTypeInfo)
+                        function.wasmMemoryStore(memory: mem1, dynamicOffset: offset, value: valToSet, storeType: .I32StoreMem, staticOffset: 0)
+                    }
+                    setValueAtOffset(111, 4)
+                    setValueAtOffset(222, 8)
+                    setValueAtOffset(333, 12)
+
+                    let dstOffset = function.memoryArgument(128, memTypeInfo)
+                    let srcOffset = function.memoryArgument(8, memTypeInfo)
+                    let size = function.memoryArgument(4, memTypeInfo)
+                    function.wasmMemoryCopy(dstMemory: mem2, srcMemory: mem1, dstOffset: dstOffset, srcOffset: srcOffset, size: size)
+
+                    let loadAtOffset = { (offsetValue: Int64) -> Variable in
+                        let dynamicOffset = function.memoryArgument(offsetValue, memTypeInfo)
+                        return function.wasmMemoryLoad(memory: mem2, dynamicOffset: dynamicOffset, loadType: .I32LoadMem, staticOffset: 0)
+                    }
+                    return [loadAtOffset(124), loadAtOffset(128), loadAtOffset(132)]
+                }
+            }
+
+            let res0 = b.callMethod(module.getExportedMethod(at: 0), on: module.loadExports())
+            b.callFunction(b.createNamedVariable(forBuiltin: "output"), withArgs: [b.callMethod("toString", on: res0)])
+        }
+
+        testForOutput(program: jsProg, runner: runner, outputString: "0,222,0\n")
+    }
+
+    func testMemoryCopy32() throws {
+        try memoryCopy(isMemory64: false)
+    }
+
+    func testMemoryCopy64() throws {
+        try memoryCopy(isMemory64: true)
+    }
+
     func wasmSimdLoadStore(isMemory64: Bool) throws {
         let runner = try GetJavaScriptExecutorOrSkipTest()
         let liveTestConfig = Configuration(logLevel: .error, enableInspection: true)

Original file line number	Diff line number	Diff line change
`@@ -351,4 +351,5 @@ enum Opcode {`
`351`	`351`	`case wasmI31Get(WasmI31Get)`
`352`	`352`	`case wasmAnyConvertExtern(WasmAnyConvertExtern)`
`353`	`353`	`case wasmExternConvertAny(WasmExternConvertAny)`
	`354`	`+ case wasmMemoryCopy(WasmMemoryCopy)`
`354`	`355`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1159,6 +1159,15 @@ class WasmMemoryFill: WasmOperation {`
`1159`	`1159`	`}`
`1160`	`1160`	`}`
`1161`	`1161`
	`1162`	`+class WasmMemoryCopy: WasmOperation {`
	`1163`	`+ override var opcode: Opcode { .wasmMemoryCopy(self) }`
	`1164`	`+`
	`1165`	`+ init() {`
	`1166`	`+ super.init(`
	`1167`	`+ numInputs: 5, numOutputs: 0, requiredContext: [.wasmFunction])`
	`1168`	`+ }`
	`1169`	`+}`
	`1170`	`+`
`1162`	`1171`	`class WasmMemoryInit: WasmOperation {`
`1163`	`1172`	`override var opcode: Opcode { .wasmMemoryInit(self) }`
`1164`	`1173`