Allow the fuzzer to use tests with exact types (#7598)

Remove the list of tests containing exact types from the list of tests
the fuzzer is disallowed from using as initial contents. Also allow
fuzzing V8 with exact types. Fix various parts of the fuzzer to ensure
we emit valid binaries when initial contents have exact references.

Author: tlively

scripts/fuzz_opt.py

@@ -151,12 +151,10 @@ def randomize_feature_opts():
 
         # The shared-everything feature is new and we want to fuzz it, but it
         # also currently disables fuzzing V8, so disable it most of the time.
-        # Same with custom descriptors and strings - all these cannot be run in
-        # V8 for now. Relaxed SIMD's nondeterminism disables much but not all of
-        # our V8 fuzzing, so avoid it too.
+        # Same with strings. Relaxed SIMD's nondeterminism disables much but not
+        # all of our V8 fuzzing, so avoid it too.
         if random.random() < 0.9:
             FEATURE_OPTS.append('--disable-shared-everything')
-            FEATURE_OPTS.append('--disable-custom-descriptors')
             FEATURE_OPTS.append('--disable-strings')
             FEATURE_OPTS.append('--disable-relaxed-simd')
 
@@ -826,9 +824,8 @@ def run(self, wasm, extra_d8_flags=[]):
             def can_run(self, wasm):
                 # V8 does not support shared memories when running with
                 # shared-everything enabled, so do not fuzz shared-everything
-                # for now. It also does not yet support custom descriptors, nor
-                # strings.
-                return all_disallowed(['shared-everything', 'custom-descriptors', 'strings'])
+                # for now. It also does not yet support strings.
+                return all_disallowed(['shared-everything', 'strings'])
 
             def can_compare_to_self(self):
                 # With nans, VM differences can confuse us, so only very simple VMs
@@ -1595,7 +1592,7 @@ def can_run_on_wasm(self, wasm):
             return False
 
         # see D8.can_run
-        return all_disallowed(['shared-everything', 'custom-descriptors', 'strings'])
+        return all_disallowed(['shared-everything', 'strings'])
 
 
 # Check that the text format round-trips without error.
@@ -1798,7 +1795,7 @@ def can_run_on_wasm(self, wasm):
             return False
         if NANS:
             return False
-        return all_disallowed(['shared-everything', 'custom-descriptors', 'strings'])
+        return all_disallowed(['shared-everything', 'strings'])
 
 
 # Test --fuzz-preserve-imports-exports, which never modifies imports or exports.

scripts/test/fuzzing.py

@@ -110,33 +110,13 @@
     'dce-stack-switching.wast',
     'precompute-stack-switching.wast',
     'vacuum-stack-switching.wast',
-    # TODO: fuzzer support for exact references
-    'exact-references.wast',
-    'exact-references-lowering.wast',
-    'exact-casts.wast',
-    'exact-casts-trivial.wast',
-    'abstract-type-refining-exact.wast',
-    'optimize-instructions-exact.wast',
-    'optimize-instructions-all-casts.wast',
-    'optimize-instructions-all-casts-exact.wast',
-    'local-subtyping-exact.wast',
-    'remove-unused-types-exact.wast',
-    'coalesce-locals-exact.wast',
-    'remove-unused-brs-exact.wast',
-    'signature-refining-exact.wast',
-    'gufa-cast-all-exact.wast',
-    'type-merging-exact.wast',
-    'type-refining-exact.wast',
-    'type-refining-gufa-exact.wast',
-    'type-ssa-exact.wast',
-    'minimize-rec-groups-exact.wast',
-    'minimize-rec-groups-ignore-exact.wast',
-    'public-exact.wast',
     # TODO: fuzzer support for custom descriptors
     'custom-descriptors.wast',
     # TODO: fix split_wast() on tricky escaping situations like a string ending
     #       in \\" (the " is not escaped - there is an escaped \ before it)
     'string-lifting-section.wast',
+    # TODO: fuzzer support for uninhabitable imported globals
+    'exact-references.wast',
 ]
 
 

scripts/test/shared.py

@@ -257,6 +257,7 @@ def has_shell_timeout():
     '--experimental-wasm-compilation-hints',
     '--experimental-wasm-stringref',
     '--experimental-wasm-fp16',
+    '--experimental-wasm-custom-descriptors',
 ]
 
 # external tools

src/tools/fuzzing/fuzzing.cpp

@@ -2177,8 +2177,11 @@ Expression* TranslateToFuzzReader::_makeConcrete(Type type) {
       options.add(FeatureSet::ReferenceTypes | FeatureSet::GC,
                   &Self::makeCompoundRef);
     }
-    options.add(FeatureSet::ReferenceTypes | FeatureSet::GC,
-                &Self::makeRefCast);
+    // Exact casts are only allowed with custom descriptors enabled.
+    if (type.isInexact() || wasm.features.hasCustomDescriptors()) {
+      options.add(FeatureSet::ReferenceTypes | FeatureSet::GC,
+                  &Self::makeRefCast);
+    }
   }
   if (wasm.features.hasGC()) {
     if (typeStructFields.find(type) != typeStructFields.end()) {
@@ -4907,22 +4910,25 @@ Expression* TranslateToFuzzReader::makeBrOn(Type type) {
     case BrOnNonNull: {
       // The sent type is the non-nullable version of the reference, so any ref
       // of that type is ok, nullable or not.
-      refType = Type(targetType.getHeapType(), getNullability());
+      refType = targetType.with(getNullability());
       break;
     }
     case BrOnCast: {
       // The sent type is the heap type we cast to, with the input type's
       // nullability, so the combination of the two must be a subtype of
       // targetType.
       castType = getSubType(targetType);
-      if (!wasm.features.hasCustomDescriptors()) {
-        // Exact cast targets disallowed without custom descriptors.
-        castType = castType.with(Inexact);
+      if (castType.isExact() && !wasm.features.hasCustomDescriptors()) {
+        // This exact cast is only valid if its input has the same type (or the
+        // only possible strict subtype, bottom).
+        refType = castType;
+      } else {
+        // The ref's type must be castable to castType, or we'd not validate.
+        // But it can also be a subtype, which will trivially also succeed (so
+        // do that more rarely). Pick subtypes rarely, as they make the cast
+        // trivial.
+        refType = oneIn(5) ? getSubType(castType) : getSuperType(castType);
       }
-      // The ref's type must be castable to castType, or we'd not validate. But
-      // it can also be a subtype, which will trivially also succeed (so do that
-      // more rarely). Pick subtypes rarely, as they make the cast trivial.
-      refType = oneIn(5) ? getSubType(castType) : getSuperType(castType);
       if (targetType.isNonNullable()) {
         // And it must have the right nullability for the target, as mentioned
         // above: if the target type is non-nullable then either the ref or the
@@ -4945,10 +4951,7 @@ Expression* TranslateToFuzzReader::makeBrOn(Type type) {
       refType = getSubType(targetType);
       // See above on BrOnCast, but flipped.
       castType = oneIn(5) ? getSuperType(refType) : getSubType(refType);
-      if (!wasm.features.hasCustomDescriptors()) {
-        // Exact cast targets disallowed without custom descriptors.
-        castType = castType.with(Inexact);
-      }
+      castType = castType.withInexactIfNoCustomDescs(wasm.features);
       // There is no nullability to adjust: if targetType is non-nullable then
       // both refType and castType are as well, as subtypes of it. But we can
       // also allow castType to be nullable (it is not sent to the target).

src/tools/fuzzing/heap-types.cpp

@@ -900,13 +900,14 @@ std::vector<HeapType> Inhabitator::build() {
     }
     auto heapType = type.getHeapType();
     auto nullability = type.getNullability();
+    auto exactness = type.getExactness();
     if (auto it = typeIndices.find(heapType); it != typeIndices.end()) {
       heapType = builder[it->second];
     }
     if (nullables.count(pos)) {
       nullability = Nullable;
     }
-    type = builder.getTempRefType(heapType, nullability);
+    type = builder.getTempRefType(heapType, nullability, exactness);
   };
 
   for (size_t i = 0; i < types.size(); ++i) {