[wasm] Support br_on_cast_fail

leonbett · v8-internal-scoped@luci-project-accounts.iam.gserviceaccount.com · commit fd0e618c3794 · 2026-05-27T01:48:44.000-07:00
This CL adds support for the br_on_cast_fail instruction. Bug: 474940922 Change-Id: Icacbd109fff843179f69806769437322f14326c8 Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/9299601 Commit-Queue: Leon Bettscheider <bettscheider@google.com> Reviewed-by: Matthias Liedtke <mliedtke@google.com>
diff --git a/Sources/Fuzzilli/Base/ProgramBuilder.swift b/Sources/Fuzzilli/Base/ProgramBuilder.swift
@@ -5200,14 +5200,31 @@ public class ProgramBuilder {
                 types.append(.wasmTypeDef())
             }
 
-            let wasmRefType = targetRefType.wasmReferenceType!
-            let cleanTargetRefType =
-                wasmRefType.isAbstract()
-                ? targetRefType : ILType.wasmRef(.Index(), nullability: wasmRefType.nullability)
-
             let instr = b.emit(
                 WasmBranchOnCast(
-                    parameterCount: labelParams.count - 1, targetRefType: cleanTargetRefType),
+                    parameterCount: labelParams.count - 1, targetRefType: targetRefType),
+                withInputs: inputs,
+                types: types)
+            return Array(instr.outputs)
+        }
+
+        @discardableResult
+        public func wasmBranchOnCastFail(
+            _ reference: Variable, targetRefType: ILType, to label: Variable, args: [Variable] = [],
+            typeDef: Variable? = nil
+        ) -> [Variable] {
+            let labelType = b.type(of: label)
+            let labelParams = labelType.wasmLabelType!.parameters
+            var inputs = [label] + args + [reference]
+            var types = [.anyWasmLabel] + labelParams.dropLast() + [.wasmGenericRef]
+            if let typeDef {
+                inputs.append(typeDef)
+                types.append(.wasmTypeDef())
+            }
+
+            let instr = b.emit(
+                WasmBranchOnCastFail(
+                    parameterCount: labelParams.count - 1, targetRefType: targetRefType),
                 withInputs: inputs,
                 types: types)
             return Array(instr.outputs)
@@ -5620,7 +5637,9 @@ public class ProgramBuilder {
             fatalError("Could not find or generate wasm variable of type \(type)")
         }
 
-        public func randomWasmReferenceType(withAbstractSuperType type: ILType) -> ILType {
+        public func randomWasmReferenceType(withAbstractSuperType type: ILType) -> (
+            type: ILType, typeDef: Variable?
+        ) {
             assert(type.wasmReferenceType?.isAbstract() == true)
 
             let nullability = type.wasmReferenceType!.nullability
@@ -5646,16 +5665,15 @@ public class ProgramBuilder {
                 }
 
                 if let typeDef {
-                    let desc = b.type(of: typeDef).wasmTypeDefinition!.description!
-                    return ILType.wasmIndexRef(desc, nullability: nullability)
+                    return (.wasmRef(.Index(), nullability: nullability), typeDef)
                 }
             }
 
             let candidates = WasmAbstractHeapType.allCases
                 .map { ILType.wasmRef($0, shared: false, nullability: nullability) }
                 .filter { type.subsumes($0) }
 
-            return candidates.randomElement() ?? type
+            return (candidates.randomElement() ?? type, nil)
         }
 
         public func wasmUnreachable() {
diff --git a/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift b/Sources/Fuzzilli/CodeGen/CodeGeneratorWeights.swift
@@ -412,4 +412,5 @@ public let codeGeneratorWeights = [
     "WasmRefCastGenerator":                     5,
     "WasmRefCastAbstractGenerator":             5,
     "WasmBranchOnCastGenerator":                5,
+    "WasmBranchOnCastFailGenerator":            5,
 ]
diff --git a/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift b/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift
@@ -1906,30 +1906,80 @@ public let WasmCodeGenerators: [CodeGenerator] = [
             let labelType = b.type(of: label).wasmLabelType!
             let lastParamType = labelType.parameters.last!
             assert(lastParamType.wasmReferenceType != nil, "This should never be a wasmGenericRef")
-            let isIndexType = !lastParamType.wasmReferenceType!.isAbstract()
-            let typeDef = isIndexType ? b.getWasmTypeDef(for: lastParamType) : nil
             let sourceType = lastParamType.wasmReferenceType!.kind.topType()
             let v = function.findOrGenerateWasmVar(ofType: sourceType)
             let args = labelType.parameters.dropLast().map(function.findOrGenerateWasmVar)
-            function.wasmBranchOnCast(
-                v, targetRefType: lastParamType, to: label, args: args, typeDef: typeDef)
+            let isIndexType = !lastParamType.wasmReferenceType!.isAbstract()
+            if isIndexType {
+                let typeDef = b.getWasmTypeDef(for: lastParamType)
+                let unlinkedLastParamType = ILType.wasmRef(
+                    .Index(), nullability: lastParamType.wasmReferenceType!.nullability)
+                function.wasmBranchOnCast(
+                    v, targetRefType: unlinkedLastParamType, to: label, args: args, typeDef: typeDef
+                )
+            } else {
+                function.wasmBranchOnCast(v, targetRefType: lastParamType, to: label, args: args)
+            }
         } else {
-            let hierarchies: [ILType] = [
-                .wasmAnyRef(), .wasmFuncRef(), .wasmExternRef(), .wasmExnRef(),
-            ]
-            let topType = hierarchies.randomElement()!
-            let targetRefType = function.randomWasmReferenceType(withAbstractSuperType: topType)
-            let isIndexType = !targetRefType.wasmReferenceType!.isAbstract()
-            let typeDef = isIndexType ? b.getWasmTypeDef(for: targetRefType) : nil
+            let topType = ILType.wasmRefHierarchyTopTypes.randomElement()!
+            let (targetRefType, typeDef) = function.randomWasmReferenceType(
+                withAbstractSuperType: topType)
+            var blockOutputTypes = b.randomWasmBlockOutputTypes(upTo: 2) + [targetRefType]
+            let signatureDef = b.wasmDefineAdHocSignatureType(
+                signature: [] => blockOutputTypes,
+                indexTypes: typeDef != nil ? [typeDef!] : nil)
 
-            let blockParamTypes = b.randomWasmBlockOutputTypes(upTo: 2) + [targetRefType]
+            let signature = b.type(of: signatureDef).wasmFunctionSignatureDefSignature
+
+            function.wasmBuildBlockWithResults(with: signatureDef, args: []) {
+                blockLabel, _ in
+                let sourceVar = function.findOrGenerateWasmVar(ofType: topType)
+                let args = signature.outputTypes.map(function.findOrGenerateWasmVar)
+
+                function.wasmBranchOnCast(
+                    sourceVar, targetRefType: targetRefType, to: blockLabel, args: args.dropLast(),
+                    typeDef: typeDef)
+
+                return args
+            }
+        }
+    },
+
+    CodeGenerator(
+        "WasmBranchOnCastFailGenerator", inContext: .single(.wasmFunction)
+    ) { b in
+        let function = b.currentWasmModule.currentWasmFunction
+
+        let label = b.findVariable { label in
+            if let params = b.type(of: label).wasmLabelType?.parameters, let last = params.last {
+                return ILType.wasmRefHierarchyTopTypes.contains(last)
+            }
+            return false
+        }
+
+        if let label {
+            let labelType = b.type(of: label).wasmLabelType!
+            let lastParamType = labelType.parameters.last!
+
+            let sourceVar = function.findOrGenerateWasmVar(ofType: lastParamType)
+            let (targetRefType, typeDef) = function.randomWasmReferenceType(
+                withAbstractSuperType: lastParamType)
+
+            let args = labelType.parameters.dropLast().map(function.findOrGenerateWasmVar)
+            function.wasmBranchOnCastFail(
+                sourceVar, targetRefType: targetRefType, to: label, args: args, typeDef: typeDef)
+        } else {
+            let topType = ILType.wasmRefHierarchyTopTypes.randomElement()!
+            let blockParamTypes = b.randomWasmBlockOutputTypes(upTo: 2) + [topType]
 
             function.wasmBuildBlockWithResults(with: [] => blockParamTypes, args: []) {
                 blockLabel, _ in
                 let sourceVar = function.findOrGenerateWasmVar(ofType: topType)
+                let (targetRefType, typeDef) = function.randomWasmReferenceType(
+                    withAbstractSuperType: topType)
                 let args = blockParamTypes.map(function.findOrGenerateWasmVar)
 
-                function.wasmBranchOnCast(
+                function.wasmBranchOnCastFail(
                     sourceVar, targetRefType: targetRefType, to: blockLabel, args: args.dropLast(),
                     typeDef: typeDef)
 
diff --git a/Sources/Fuzzilli/FuzzIL/Instruction.swift b/Sources/Fuzzilli/FuzzIL/Instruction.swift
@@ -1627,6 +1627,10 @@ extension Instruction: ProtobufConvertible {
                 $0.wasmBranchOnCast = Fuzzilli_Protobuf_WasmBranchOnCast.with {
                     $0.type = ILTypeToWasmTypeEnum(op.targetType)
                 }
+            case .wasmBranchOnCastFail(let op):
+                $0.wasmBranchOnCastFail = Fuzzilli_Protobuf_WasmBranchOnCastFail.with {
+                    $0.type = ILTypeToWasmTypeEnum(op.targetType)
+                }
             case .wasmBranchOnNonNull(_):
                 $0.wasmBranchOnNonNull = Fuzzilli_Protobuf_WasmBranchOnNonNull()
             case .wasmBeginIf(let op):
@@ -2805,6 +2809,11 @@ extension Instruction: ProtobufConvertible {
             op = WasmBranchOnCast(
                 parameterCount: (inouts.count - 3 - type.requiredInputCount()) / 2,
                 targetRefType: type)
+        case .wasmBranchOnCastFail(let p):
+            let type = WasmTypeEnumToILType(p.type)
+            op = WasmBranchOnCastFail(
+                parameterCount: (inouts.count - 3 - type.requiredInputCount()) / 2,
+                targetRefType: type)
         case .wasmBranchOnNonNull(_):
             op = WasmBranchOnNonNull(parameterCount: (inouts.count - 2) / 2)
         case .wasmBeginIf(let p):
diff --git a/Sources/Fuzzilli/FuzzIL/JSTyper.swift b/Sources/Fuzzilli/FuzzIL/JSTyper.swift
@@ -1153,6 +1153,26 @@ public struct JSTyper: Analyzer {
                 let sourceTopType = actualSourceType.kind.topType()
                 setType(of: instr.outputs.last!, to: sourceTopType)
 
+            case .wasmBranchOnCastFail(let op):
+                let labelType = type(of: instr.input(0))
+                let parameterTypes = labelType.wasmLabelType!.parameters
+                assert(instr.outputs.count == parameterTypes.count)
+                for (output, parameterType) in zip(
+                    instr.outputs.dropLast(), parameterTypes.dropLast())
+                {
+                    setType(of: output, to: parameterType)
+                }
+
+                let targetType = op.targetType.wasmReferenceType!
+                if targetType.isAbstract() {
+                    setType(of: instr.outputs.last!, to: op.targetType)
+                } else {
+                    let typeDefInputIndex = 1 + op.parameterCount + 1
+                    setReferenceType(
+                        of: instr.outputs.last!, typeDef: instr.input(typeDefInputIndex),
+                        nullability: targetType.nullability)
+                }
+
             case .wasmBranchOnNonNull(_):
                 let labelType = type(of: instr.input(0))
                 let parameterTypes = labelType.wasmLabelType!.parameters
diff --git a/Sources/Fuzzilli/FuzzIL/Opcodes.swift b/Sources/Fuzzilli/FuzzIL/Opcodes.swift
@@ -386,4 +386,5 @@ enum Opcode {
     case endWorkerFunction(EndWorkerFunction)
     case wasmBranchOnCast(WasmBranchOnCast)
     case importNamespace(ImportNamespace)
+    case wasmBranchOnCastFail(WasmBranchOnCastFail)
 }
diff --git a/Sources/Fuzzilli/FuzzIL/TypeSystem.swift b/Sources/Fuzzilli/FuzzIL/TypeSystem.swift
@@ -431,6 +431,10 @@ public struct ILType: Hashable {
         .wasmi32, .wasmi64, .wasmf32, .wasmf64, .wasmSimd128,
     ]
 
+    public static let wasmRefHierarchyTopTypes: [ILType] = [
+        .wasmAnyRef(), .wasmFuncRef(), .wasmExternRef(), .wasmExnRef(),
+    ]
+
     public static let anyNonNullableIndexRef = wasmRef(.Index(), nullability: false)
     public static let anyIndexRef = wasmRef(.Index(), nullability: true)
 
diff --git a/Sources/Fuzzilli/FuzzIL/WasmOperations.swift b/Sources/Fuzzilli/FuzzIL/WasmOperations.swift
@@ -1645,6 +1645,23 @@ final class WasmBranchOnCast: WasmOperation {
     var parameterCount: Int { numInputs - 2 - targetType.requiredInputCount() }
 }
 
+final class WasmBranchOnCastFail: WasmOperation {
+    override var opcode: Opcode { .wasmBranchOnCastFail(self) }
+    let targetType: ILType
+
+    init(parameterCount: Int, targetRefType: ILType) {
+        self.targetType = targetRefType
+        // Inputs: label, args, ref, type definition
+        // Outputs: args, original ref
+        super.init(
+            numInputs: 1 + parameterCount + 1 + targetType.requiredInputCount(),
+            numOutputs: parameterCount + 1,
+            requiredContext: [.wasmFunction])
+    }
+
+    var parameterCount: Int { numInputs - 2 - targetType.requiredInputCount() }
+}
+
 final class WasmBranchOnNonNull: WasmOperation {
     override var opcode: Opcode { .wasmBranchOnNonNull(self) }
 
diff --git a/Sources/Fuzzilli/Lifting/FuzzILLifter.swift b/Sources/Fuzzilli/Lifting/FuzzILLifter.swift
@@ -1431,19 +1431,35 @@ public class FuzzILLifter: Lifter {
             }
 
         case .wasmBranchOnCast(let op):
-            let refInputIndex = 1 + op.parameterCount
-            let ref = instr.inputs[refInputIndex]
+            let typeDefCount = op.targetType.requiredInputCount()  // 0 or 1
+            let ref = instr.inputs.dropLast(typeDefCount).last!
             let label = instr.inputs.first!
-            let args = instr.inputs[1..<refInputIndex].map(lift).joined(separator: ", ")
+            let args = instr.inputs.dropFirst().dropLast(1 + typeDefCount).map(lift).joined(
+                separator: ", ")
             let typeInput =
-                op.targetType.requiredInputCount() > 0
-                ? " (IndexType: \(instr.inputs[refInputIndex + 1])" : ""
+                typeDefCount > 0
+                ? " (IndexType: \(instr.inputs.last!))" : ""
 
             let outputs = instr.outputs.map(lift).joined(separator: ", ")
             w.emit(
                 "\(outputs) <- WasmBranchOnCast \(op.targetType) \(ref) to \(label) [\(args)]\(typeInput)"
             )
 
+        case .wasmBranchOnCastFail(let op):
+            let typeDefCount = op.targetType.requiredInputCount()  // 0 or 1
+            let ref = instr.inputs.dropLast(typeDefCount).last!
+            let label = instr.inputs.first!
+            let args = instr.inputs.dropFirst().dropLast(1 + typeDefCount).map(lift).joined(
+                separator: ", ")
+            let typeInput =
+                typeDefCount > 0
+                ? " (IndexType: \(instr.inputs.last!))" : ""
+
+            let outputs = instr.outputs.map(lift).joined(separator: ", ")
+            w.emit(
+                "\(outputs) <- WasmBranchOnCastFail \(op.targetType) \(ref) to \(label) [\(args)]\(typeInput)"
+            )
+
         case .wasmBranchTable(let op):
             let table =
                 (0..<op.valueCount).enumerated().map { "\($0) => \(instr.input($1)), " }.joined()
diff --git a/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift b/Sources/Fuzzilli/Lifting/JavaScriptLifter.swift
@@ -1999,6 +1999,7 @@ public class JavaScriptLifter: Lifter {
                 .wasmBranchOnNull(_),
                 .wasmBranchOnNonNull(_),
                 .wasmBranchOnCast(_),
+                .wasmBranchOnCastFail(_),
                 .wasmBranchTable(_),
                 .wasmBeginIf(_),
                 .wasmBeginElse(_),
diff --git a/Sources/Fuzzilli/Lifting/WasmLifter.swift b/Sources/Fuzzilli/Lifting/WasmLifter.swift
@@ -2154,6 +2154,27 @@ public class WasmLifter {
                 targetRefType, instr: wasmInstruction, typeInput: targetTypeInputIndex)
             return Data([Prefix.GC.rawValue, 0x18, flags]) + Leb128.unsignedEncode(branchDepth)
                 + sourceData + targetData
+        case .wasmBranchOnCastFail(let op):
+            let branchDepth = try branchDepthFor(label: wasmInstruction.input(0))
+            let refInputIndex = 1 + op.parameterCount
+            let targetTypeInputIndex = refInputIndex + 1
+
+            let actualSourceType = typer.type(of: wasmInstruction.input(refInputIndex))
+                .wasmReferenceType!
+            let targetRefType = op.targetType.wasmReferenceType!
+
+            // actualSourceType and targetRefType may be nullable or non-nullable independently of each other.
+            // For br_on_cast_fail to be valid: targetRefType.nullability => actualSourceType.nullability
+            var flags: UInt8 = 0
+            if actualSourceType.nullability || targetRefType.nullability { flags |= 0x01 }
+            if targetRefType.nullability { flags |= 0x02 }
+
+            // To ensure br_on_cast_fail validation succeeds (target <= source), we use the top type of the hierarchy as the source type.
+            let sourceData = try encodeHeapType(actualSourceType.kind.topType())
+            let targetData = try encodeReferenceType(
+                targetRefType, instr: wasmInstruction, typeInput: targetTypeInputIndex)
+            return Data([Prefix.GC.rawValue, 0x19, flags]) + Leb128.unsignedEncode(branchDepth)
+                + sourceData + targetData
         case .wasmBranchOnNonNull(_):
             let branchDepth = try branchDepthFor(label: wasmInstruction.input(0))
             return Data([0xD6]) + Leb128.unsignedEncode(branchDepth)
diff --git a/Sources/Fuzzilli/Mutators/OperationMutator.swift b/Sources/Fuzzilli/Mutators/OperationMutator.swift
@@ -842,6 +842,7 @@ public class OperationMutator: BaseInstructionMutator {
             .wasmBranchOnNull(_),
             .wasmBranchOnNonNull(_),
             .wasmBranchOnCast(_),
+            .wasmBranchOnCastFail(_),
             .wasmBranchTable(_),
             .wasmBeginElse(_),
             .wasmEndIf(_),
diff --git a/Sources/Fuzzilli/Protobuf/operations.pb.swift b/Sources/Fuzzilli/Protobuf/operations.pb.swift
diff --git a/Sources/Fuzzilli/Protobuf/operations.proto b/Sources/Fuzzilli/Protobuf/operations.proto
diff --git a/Sources/Fuzzilli/Protobuf/program.pb.swift b/Sources/Fuzzilli/Protobuf/program.pb.swift
diff --git a/Sources/Fuzzilli/Protobuf/program.proto b/Sources/Fuzzilli/Protobuf/program.proto
diff --git a/Tests/FuzzilliTests/WasmTests.swift b/Tests/FuzzilliTests/WasmTests.swift

Original file line number	Diff line number	Diff line change
`@@ -412,4 +412,5 @@ public let codeGeneratorWeights = [`
`412`	`412`	`"WasmRefCastGenerator": 5,`
`413`	`413`	`"WasmRefCastAbstractGenerator": 5,`
`414`	`414`	`"WasmBranchOnCastGenerator": 5,`
	`415`	`+ "WasmBranchOnCastFailGenerator": 5,`
`415`	`416`	`]`
Original file line number	Diff line number	Diff line change
`@@ -386,4 +386,5 @@ enum Opcode {`
`386`	`386`	`case endWorkerFunction(EndWorkerFunction)`
`387`	`387`	`case wasmBranchOnCast(WasmBranchOnCast)`
`388`	`388`	`case importNamespace(ImportNamespace)`
	`389`	`+ case wasmBranchOnCastFail(WasmBranchOnCastFail)`
`389`	`390`	`}`
Original file line number	Diff line number	Diff line change
`@@ -431,6 +431,10 @@ public struct ILType: Hashable {`
`431`	`431`	`.wasmi32, .wasmi64, .wasmf32, .wasmf64, .wasmSimd128,`
`432`	`432`	`]`
`433`	`433`
	`434`	`+ public static let wasmRefHierarchyTopTypes: [ILType] = [`
	`435`	`+ .wasmAnyRef(), .wasmFuncRef(), .wasmExternRef(), .wasmExnRef(),`
	`436`	`+ ]`
	`437`	`+`
`434`	`438`	`public static let anyNonNullableIndexRef = wasmRef(.Index(), nullability: false)`
`435`	`439`	`public static let anyIndexRef = wasmRef(.Index(), nullability: true)`
`436`	`440`