[wasm] Support call_ref

This CL adds support for the call_ref instruction.

Bug: 474940922
Change-Id: If708e70dc9fcdd2f53f218f85e93c3d807a5ab9a
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9330021
Commit-Queue: Leon Bettscheider <bettscheider@google.com>
Reviewed-by: Matthias Liedtke <mliedtke@google.com>

Author: leonbett

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -4783,6 +4783,22 @@ public class ProgramBuilder {
                 ).outputs)
         }
 
+        @discardableResult
+        public func wasmCallRef(
+            functionRef: Variable, functionArgs: [Variable]
+        ) -> [Variable] {
+            let signatureDef = b.getWasmTypeDef(for: b.type(of: functionRef))
+            let signature = b.type(of: signatureDef).wasmFunctionSignatureDefSignature
+            return Array(
+                b.emit(
+                    WasmCallRef(
+                        parameterCount: signature.parameterTypes.count,
+                        outputCount: signature.outputTypes.count),
+                    withInputs: functionArgs + [functionRef],
+                    types: signature.parameterTypes + [.wasmFuncRef()]
+                ).outputs)
+        }
+
         public func wasmReturnCallDirect(function: Variable, functionArgs: [Variable]) {
             let signature = b.type(of: function).wasmFunctionDefSignature!
             assert(

Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift

@@ -363,6 +363,7 @@ public let codeGeneratorWeights = [
     "WasmJsCallGenerator":                      30,
     "WasmCallIndirectGenerator":                5,
     "WasmCallDirectGenerator":                  10,
+    "WasmCallRefGenerator":                     10,
     "WasmReturnCallDirectGenerator":            10,
     "WasmReturnCallIndirectGenerator":          10,
 

Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift

@@ -1021,6 +1021,26 @@ public let WasmCodeGenerators: [CodeGenerator] = [
         function.wasmCallDirect(function: functionVar, functionArgs: functionArgs)
     },
 
+    CodeGenerator(
+        "WasmCallRefGenerator", inContext: .single(.wasmFunction),
+        inputs: .required(.wasmFunctionDef())
+    ) { b, functionVar in
+        let function = b.currentWasmModule.currentWasmFunction
+        let functionRef =
+            b.findVariable {
+                let varType = b.type(of: $0)
+                return varType.Is(.wasmFuncRef())
+                    && varType.Is(.wasmRef(.Index(), nullability: false))
+            } ?? function.wasmRefFunc(functionVar)
+
+        let signatureDef = b.getWasmTypeDef(for: b.type(of: functionRef))
+        let signature = b.type(of: signatureDef).wasmFunctionSignatureDefSignature
+
+        let functionArgs = b.randomWasmArguments(forWasmSignature: signature, generate: true)
+        guard let functionArgs else { return }
+        function.wasmCallRef(functionRef: functionRef, functionArgs: functionArgs)
+    },
+
     CodeGenerator("WasmReturnCallDirectGenerator", inContext: .single(.wasmFunction)) {
         b in
         let function = b.currentWasmModule.currentWasmFunction

Sources/Fuzzilli/FuzzIL/Instruction.swift

@@ -1484,6 +1484,11 @@ extension Instruction: ProtobufConvertible {
                     $0.parameterCount = Int32(op.parameterCount)
                     $0.outputCount = Int32(op.numOutputs)
                 }
+            case .wasmCallRef(let op):
+                $0.wasmCallRef = Fuzzilli_Protobuf_WasmCallRef.with {
+                    $0.parameterCount = Int32(op.parameterCount)
+                    $0.outputCount = Int32(op.numOutputs)
+                }
             case .wasmReturnCallDirect(let op):
                 $0.wasmReturnCallDirect = Fuzzilli_Protobuf_WasmReturnCallDirect.with {
                     $0.parameterCount = Int32(op.parameterCount)
@@ -2733,6 +2738,9 @@ extension Instruction: ProtobufConvertible {
         case .wasmCallDirect(let p):
             op = WasmCallDirect(
                 parameterCount: Int(p.parameterCount), outputCount: Int(p.outputCount))
+        case .wasmCallRef(let p):
+            op = WasmCallRef(
+                parameterCount: Int(p.parameterCount), outputCount: Int(p.outputCount))
         case .wasmReturnCallDirect(let p):
             op = WasmReturnCallDirect(parameterCount: Int(p.parameterCount))
         case .wasmReturnCallIndirect(let p):

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -1070,6 +1070,13 @@ public struct JSTyper: Analyzer {
                 for (output, outputType) in zip(instr.outputs, signature.outputTypes) {
                     setType(of: output, to: outputType)
                 }
+            case .wasmCallRef(_):
+                let functionRef = instr.inputs.last!
+                let typeDesc = getTypeDescription(of: functionRef) as! WasmSignatureTypeDescription
+                let signature = typeDesc.signature
+                for (output, outputType) in zip(instr.outputs, signature.outputTypes) {
+                    setType(of: output, to: outputType)
+                }
             // Functions that can be called through a table are also already added by the wasmDefineTable instruction.
             // No need to analyze this and add them to the DynamicObjectGroupManager.
             case .wasmArrayNewFixed(_),

Sources/Fuzzilli/FuzzIL/Opcodes.swift

@@ -381,4 +381,5 @@ enum Opcode {
     case wasmBranchOnCastFail(WasmBranchOnCastFail)
     case wasmRefFunc(WasmRefFunc)
     case wasmRefAsNonNull(WasmRefAsNonNull)
+    case wasmCallRef(WasmCallRef)
 }

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -1012,6 +1012,19 @@ final class WasmCallDirect: WasmOperation {
     var parameterCount: Int { numInputs - 1 }
 }
 
+final class WasmCallRef: WasmOperation {
+    override var opcode: Opcode { .wasmCallRef(self) }
+
+    init(parameterCount: Int, outputCount: Int) {
+        // The inputs are the function reference and the function arguments.
+        super.init(
+            numInputs: 1 + parameterCount, numOutputs: outputCount, requiredContext: [.wasmFunction]
+        )
+    }
+
+    var parameterCount: Int { numInputs - 1 }
+}
+
 final class WasmReturnCallDirect: WasmOperation {
     override var opcode: Opcode { .wasmReturnCallDirect(self) }
 

Sources/Fuzzilli/Lifting/FuzzILLifter.swift

@@ -1219,6 +1219,15 @@ public class FuzzILLifter: Lifter {
                 w.emit("\(outputs) <- WasmCallDirect \(inputs)")
             }
 
+        case .wasmCallRef(_):
+            let inputs = instr.inputs.map(lift).joined(separator: ", ")
+            if instr.outputs.isEmpty {
+                w.emit("WasmCallRef \(inputs)")
+            } else {
+                let outputs = instr.outputs.map(lift).joined(separator: ", ")
+                w.emit("\(outputs) <- WasmCallRef \(inputs)")
+            }
+
         case .wasmReturnCallDirect(_):
             let inputs = instr.inputs.map(lift).joined(separator: ", ")
             w.emit("WasmReturnCallDirect \(inputs)")

Sources/Fuzzilli/Lifting/JavaScriptLifter.swift

@@ -1911,6 +1911,7 @@ public class JavaScriptLifter: Lifter {
                 .wasmTableGrow(_),
                 .wasmCallIndirect(_),
                 .wasmCallDirect(_),
+                .wasmCallRef(_),
                 .wasmReturnCallDirect(_),
                 .wasmReturnCallIndirect(_),
                 .wasmMemoryLoad(_),

Sources/Fuzzilli/Lifting/WasmLifter.swift

@@ -1950,6 +1950,11 @@ public class WasmLifter {
             let functionRef = wasmInstruction.input(0)
             return Data([0x10])
                 + Leb128.unsignedEncode(try resolveIdx(ofType: .function, for: functionRef))
+        case .wasmCallRef(_):
+            let functionRef = wasmInstruction.inputs.last!
+            let typeDesc = typer.getTypeDescription(of: functionRef)
+            let sigIndex = typeDescToIndex[typeDesc]!
+            return Data([0x14]) + Leb128.unsignedEncode(sigIndex)
         case .wasmReturnCallDirect(_):
             let functionRef = wasmInstruction.input(0)
             return Data([0x12])