[wasm] Properly fix typing issue in WasmBeginCatch

The first attempt of fixing this was
commit 89691a1,
however this means we might end up not typing the inner outputs (the
tag's "elements" available inside the catch) which breaks the typer's
assumptions that everything gets typed.
Typing it with some dummy value can also lead to issues downstream (e.g.
by the next instruction taking now an input that isn't of the needed
type any more), so instead we solve this issue by always also adding a
signature as an input. As the signature is defined in Wasm, input
replacement can only happen with strict type checks, so it is safe to
rely on this.

It's a bit annoying for the WasmBeginCatch to take an extra input for
this specific problem, however, WasmBeginCatch is anyways related to the
"legacy" exception handling which isn't a properly spec'ed Wasm feature
but a "browsers have been shipping this without a finished spec" kind of
thing.

Bug: 448860865
Change-Id: I06638ccbb5ed0c9dbb7355ac198b7ace25f521b8
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9129497
Reviewed-by: Michael Achenbach <machenbach@google.com>
Auto-Submit: Matthias Liedtke <mliedtke@google.com>
Commit-Queue: Matthias Liedtke <mliedtke@google.com>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -4092,18 +4092,28 @@ public class ProgramBuilder {
                 catchAllBody: ((Variable) -> Void)? = nil) {
             let signature = [] => []
             let signatureDef = b.wasmDefineAdHocSignatureType(signature: signature)
+
+            // Define tag signatures before the try block so they don't interfere with the try/catch
+            // bodies and their scoping.
+            // TODO(mliedtke): We should reuse the signature of the tag once tags use a wasm-gc
+            // signature.
+            let tagSignatures = catchClauses.map {
+                b.wasmDefineAdHocSignatureType(signature: b.type(of: $0.tag).wasmTagType!.parameters => [])
+            }
+
             let instr = b.emit(WasmBeginTry(
                 parameterCount: 0), withInputs: [signatureDef], types: [.wasmTypeDef()])
             assert(instr.innerOutputs.count == 1)
             body(instr.innerOutput(0))
-            for (tag, generator) in catchClauses {
+            for (i, (tag, generator)) in catchClauses.enumerated() {
                 b.reportErrorIf(!b.type(of: tag).isWasmTagType,
                     "Expected tag misses the WasmTagType extension for variable \(tag), typed \(b.type(of: tag)).")
+                let tagSignatureDef = tagSignatures[i]
                 let instr = b.emit(WasmBeginCatch(
                         blockOutputCount: signature.outputTypes.count,
                         labelParameterCount:  b.type(of: tag).wasmTagType!.parameters.count),
-                    withInputs: [signatureDef, tag],
-                    types: [.wasmTypeDef(), .object(ofGroup: "WasmTag")] + signature.outputTypes)
+                    withInputs: [signatureDef, tag, tagSignatureDef],
+                    types: [.wasmTypeDef(), .object(ofGroup: "WasmTag"), .wasmTypeDef()] + signature.outputTypes)
                 generator(instr.innerOutput(0), instr.innerOutput(1), Array(instr.innerOutputs(2...)))
             }
             if let catchAllBody {
@@ -4125,18 +4135,28 @@ public class ProgramBuilder {
                 catchClauses: [(tag: Variable, body: (Variable, Variable, [Variable]) -> [Variable])] = [],
                 catchAllBody: ((Variable) -> [Variable])? = nil) -> [Variable] {
             let parameterCount = signature.parameterTypes.count
+
+            // Define tag signatures before the try block so they don't interfere with the try/catch
+            // bodies and their scoping.
+            // TODO(mliedtke): We should reuse the signature of the tag once tags use a wasm-gc
+            // signature.
+            let tagSignatures = catchClauses.map {
+                b.wasmDefineAdHocSignatureType(signature: b.type(of: $0.tag).wasmTagType!.parameters => [])
+            }
+
             let instr = b.emit(WasmBeginTry(parameterCount: parameterCount),
                 withInputs: [signatureDef] + args,
                 types: [.wasmTypeDef()] + signature.parameterTypes)
             var result = body(instr.innerOutput(0), Array(instr.innerOutputs(1...)))
-            for (tag, generator) in catchClauses {
+            for (i, (tag, generator)) in catchClauses.enumerated() {
                 b.reportErrorIf(!b.type(of: tag).isWasmTagType,
                     "Expected tag misses the WasmTagType extension for variable \(tag), typed \(b.type(of: tag)).")
+                let tagSignatureDef = tagSignatures[i]
                 let instr = b.emit(WasmBeginCatch(
                         blockOutputCount: signature.outputTypes.count,
                         labelParameterCount:  b.type(of: tag).wasmTagType!.parameters.count),
-                    withInputs: [signatureDef, tag] + result,
-                    types: [.wasmTypeDef(), .object(ofGroup: "WasmTag")] + signature.outputTypes)
+                    withInputs: [signatureDef, tag, tagSignatureDef] + result,
+                    types: [.wasmTypeDef(), .object(ofGroup: "WasmTag"), .wasmTypeDef()] + signature.outputTypes)
                 result = generator(instr.innerOutput(0), instr.innerOutput(1), Array(instr.innerOutputs(2...)))
             }
             if let catchAllBody = catchAllBody {

Sources/Fuzzilli/FuzzIL/JSTyper.swift

@@ -883,13 +883,11 @@ public struct JSTyper: Analyzer {
                 // exception with the legacy exception handling proposal. (This is similar to the
                 // exnref in the standard exception handling spec.)
                 setType(of: instr.innerOutput(1), to: .exceptionLabel)
-                // Type the tag parameters.
-                // If the input isn't typed as a Wasm tag any more (this can happen as tags can be
-                // defined in JS and there a reassign as part of a CodeGenMutator run can loosen the
-                // inferred type), just act as if there weren't any label parameters. In that case
-                // the lifter will fail and the test case will be discarded.
-                let labelParameters = type(of: instr.input(1)).wasmTagType?.parameters ?? []
-                for (innerOutput, paramType) in zip(instr.innerOutputs.dropFirst(2), labelParameters) {
+                // Type the tag parameters based on the tag's signature definition.
+                // This guarantees that the inner outputs are properly typed, even if a mutator
+                // changed the tag variable to something that's not typed as a Wasm tag anymore.
+                let tagSignature = type(of: instr.input(2)).wasmFunctionSignatureDefSignature
+                for (innerOutput, paramType) in zip(instr.innerOutputs.dropFirst(2), tagSignature.parameterTypes) {
                     setType(of: innerOutput, to: paramType)
                 }
                 for (output, outputType) in zip(instr.outputs, blockSignature.outputTypes) {

Sources/Fuzzilli/FuzzIL/WasmOperations.swift

@@ -1408,9 +1408,9 @@ final class WasmBeginCatch : WasmOperation {
         // the usage. For now, we just emit a label for branching and the ".exceptionLabel" for
         // rethrows.
         super.init(
-            // Inputs: The block signature, the tag and the outputs of the preceding try or catch
+            // Inputs: The block signature, the tag, the tag signature, and the outputs of the preceding try or catch
             // (all) block.
-            numInputs: 2 + blockOutputCount,
+            numInputs: 3 + blockOutputCount,
             // Inner outputs are the branch label, the exception label and the tag parameters.
             numInnerOutputs: 2 + labelParameterCount,
             attributes: [