[wasm-gc][fuzzer] Wrap types in recursive group

As a temporary solution to reenable wasm-gc fuzzing, we modify {WasmModuleBuilder} to optionally wrap all types in a recursive group. Bug: v8:7748 Change-Id: Ib0f8ab17c48ecbe04b51da2b1d01502be77ad35a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3450414 Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#79015}
2022-02-09 11:40:45 +00:00 · 2022-02-09 11:40:45 +00:00 · 775f27c69b
commit 775f27c69b
parent df04c04261
4 changed files with 21 additions and 14 deletions
--- a/src/wasm/wasm-module-builder.cc
+++ b/src/wasm/wasm-module-builder.cc
@ -585,7 +585,8 @@ void WriteInitializerExpression(ZoneBuffer* buffer, const WasmInitExpr& init,
 }
 }  // namespace

-void WasmModuleBuilder::WriteTo(ZoneBuffer* buffer) const {
+void WasmModuleBuilder::WriteTo(ZoneBuffer* buffer,
+                                bool emit_recursive_group) const {
  // == Emit magic =============================================================
  buffer->write_u32(kWasmMagic);
  buffer->write_u32(kWasmVersion);
@ -593,6 +594,13 @@ void WasmModuleBuilder::WriteTo(ZoneBuffer* buffer) const {
  // == Emit types =============================================================
  if (types_.size() > 0) {
    size_t start = EmitSection(kTypeSectionCode, buffer);
+
+    if (emit_recursive_group) {
+      // Wrap all types in a recursive group.
+      buffer->write_size(1);
+      buffer->write_u8(kWasmRecursiveTypeGroupCode);
+    }
+
    buffer->write_size(types_.size());

    // TODO(7748): Add support for recursive groups.
--- a/src/wasm/wasm-module-builder.h
+++ b/src/wasm/wasm-module-builder.h
@ -360,7 +360,10 @@ class V8_EXPORT_PRIVATE WasmModuleBuilder : public ZoneObject {
  void SetHasSharedMemory();

  // Writing methods.
-  void WriteTo(ZoneBuffer* buffer) const;
+  // If {emit_recursive_group}, wrap all type definitions in a wasm-gc recursive
+  // group.
+  // TODO(7748): Support custom recursive groups.
+  void WriteTo(ZoneBuffer* buffer, bool emit_recursive_group = false) const;
  void WriteAsmJsOffsetTable(ZoneBuffer* buffer) const;

  Zone* zone() { return zone_; }
--- a/test/fuzzer/wasm-compile.cc
+++ b/test/fuzzer/wasm-compile.cc
@ -2587,7 +2587,7 @@ class WasmCompileFuzzer : public WasmExecutionFuzzer {
    }

    builder.SetMaxMemorySize(32);
-    builder.WriteTo(buffer);
+    builder.WriteTo(buffer, /* emit_recursive_group = */ liftoff_as_reference);
    return true;
  }
 };
--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@ -796,18 +796,14 @@ void WasmExecutionFuzzer::FuzzWasmModule(base::Vector<const uint8_t> data,
  }
  // Note: After dividing by 3 for 4 times, configuration_byte is within [0, 3].

-  // Control whether Liftoff or the interpreter will be used as the reference
-  // tier.
-  // TODO(thibaudm): Port nondeterminism detection to arm.
-  /* TODO(manoskouk): Temporarily disable liftoff-as-reference, i.e., wasm-gc
-     fuzzing until we update the fuzzer to isorecursive types.
-  #if defined(V8_TARGET_ARCH_X64) || defined(V8_TARGET_ARCH_X86)
-    bool liftoff_as_reference = configuration_byte & 1;
-  #else
-    bool liftoff_as_reference = false;
-  #endif
-  */
+// Control whether Liftoff or the interpreter will be used as the reference
+// tier.
+// TODO(thibaudm): Port nondeterminism detection to arm.
+#if defined(V8_TARGET_ARCH_X64) || defined(V8_TARGET_ARCH_X86)
+  bool liftoff_as_reference = configuration_byte & 1;
+#else
  bool liftoff_as_reference = false;
+#endif
  FlagScope<bool> turbo_mid_tier_regalloc(&FLAG_turbo_force_mid_tier_regalloc,
                                          configuration_byte == 0);