Fuzz the Table from JS (#7042)

Continues the work from #7027 which added throwing from JS, this adds
table get/set operations from JS, to further increase our coverage of
Wasm/JS interactions (the table can be used from both sides).

3 files changed, 117 insertions, 6 deletions

diff --git a/src/tools/execution-results.h b/src/tools/execution-results.h
index d9fefc44e..eb302b4b2 100644
--- a/src/tools/execution-results.h
+++ b/src/tools/execution-results.h
@@ -38,8 +38,19 @@ private:
     uint32_t tempRet0 = 0;
   } state;
 
+  // The name of the table exported by the name 'table.' Imports access it.
+  Name exportedTable;
+
 public:
-  LoggingExternalInterface(Loggings& loggings) : loggings(loggings) {}
+  LoggingExternalInterface(Loggings& loggings, Module& wasm)
+    : loggings(loggings) {
+    for (auto& exp : wasm.exports) {
+      if (exp->kind == ExternalKind::Table && exp->name == "table") {
+        exportedTable = exp->value;
+        break;
+      }
+    }
+  }
 
   Literals callImport(Function* import, const Literals& arguments) override {
     if (import->module == "fuzzing-support") {
@@ -66,9 +77,28 @@ public:
         std::cout << "]\n";
         return {};
       } else if (import->base == "throw") {
-        // Throw something. We use a (hopefully) private name here.
-        auto payload = std::make_shared<ExnData>("__private", Literals{});
-        throwException(WasmException{Literal(payload)});
+        throwEmptyException();
+      } else if (import->base == "table-get") {
+        // Check for errors here, duplicating tableLoad(), because that will
+        // trap, and we just want to throw an exception (the same as JS would).
+        if (!exportedTable) {
+          throwEmptyException();
+        }
+        Index index = arguments[0].geti32();
+        if (index >= tables[exportedTable].size()) {
+          throwEmptyException();
+        }
+        return {tableLoad(exportedTable, index)};
+      } else if (import->base == "table-set") {
+        if (!exportedTable) {
+          throwEmptyException();
+        }
+        Index index = arguments[0].geti32();
+        if (index >= tables[exportedTable].size()) {
+          throwEmptyException();
+        }
+        tableStore(exportedTable, index, arguments[1]);
+        return {};
       } else {
         WASM_UNREACHABLE("unknown fuzzer import");
       }
@@ -91,6 +121,12 @@ public:
               << import->module << " . " << import->base << '\n';
     return {};
   }
+
+  void throwEmptyException() {
+    // Use a hopefully private tag.
+    auto payload = std::make_shared<ExnData>("__private", Literals{});
+    throwException(WasmException{Literal(payload)});
+  }
 };
 
 // gets execution results from a wasm module. this is useful for fuzzing
@@ -109,7 +145,7 @@ struct ExecutionResults {
 
   // get results of execution
   void get(Module& wasm) {
-    LoggingExternalInterface interface(loggings);
+    LoggingExternalInterface interface(loggings, wasm);
     try {
       ModuleRunner instance(wasm, &interface);
       // execute all exported methods (that are therefore preserved through
@@ -259,7 +295,7 @@ struct ExecutionResults {
   bool operator!=(ExecutionResults& other) { return !((*this) == other); }
 
   FunctionResult run(Function* func, Module& wasm) {
-    LoggingExternalInterface interface(loggings);
+    LoggingExternalInterface interface(loggings, wasm);
     try {
       ModuleRunner instance(wasm, &interface);
       return run(func, wasm, instance);
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index 69fee656c..0ecc751a4 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -107,6 +107,8 @@ private:
   std::unordered_map<Type, Name> logImportNames;
 
   Name throwImportName;
+  Name tableGetImportName;
+  Name tableSetImportName;
 
   std::unordered_map<Type, std::vector<Name>> globalsByType;
   std::unordered_map<Type, std::vector<Name>> mutableGlobalsByType;
@@ -228,12 +230,15 @@ private:
   void addImportLoggingSupport();
   // An import that we call to throw an exception from outside.
   void addImportThrowingSupport();
+  void addImportTableSupport();
   void addHashMemorySupport();
 
   // Special expression makers
   Expression* makeHangLimitCheck();
   Expression* makeImportLogging();
   Expression* makeImportThrowing(Type type);
+  Expression* makeImportTableGet();
+  Expression* makeImportTableSet(Type type);
   Expression* makeMemoryHashLogging();
 
   // Function creation
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index b7d075dcc..5dcdc66d5 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -178,6 +178,9 @@ void TranslateToFuzzReader::build() {
     setupTags();
     addImportThrowingSupport();
   }
+  if (wasm.features.hasReferenceTypes()) {
+    addImportTableSupport();
+  }
   addImportLoggingSupport();
   modifyInitialFunctions();
   // keep adding functions until we run out of input
@@ -609,6 +612,49 @@ void TranslateToFuzzReader::addImportThrowingSupport() {
   wasm.addFunction(std::move(func));
 }
 
+void TranslateToFuzzReader::addImportTableSupport() {
+  // For the table imports to be able to do anything, we must export a table
+  // for them. For simplicity, use the funcref table we use internally, though
+  // we could pick one at random, support non-funcref ones, and even export
+  // multiple ones TODO
+  if (!funcrefTableName) {
+    return;
+  }
+
+  // If a "table" export already exists, skip fuzzing these imports, as the
+  // current export may not contain a valid table for it.
+  if (wasm.getExportOrNull("table")) {
+    return;
+  }
+
+  // Export the table.
+  wasm.addExport(
+    builder.makeExport("table", funcrefTableName, ExternalKind::Table));
+
+  // Get from the table.
+  {
+    tableGetImportName = Names::getValidFunctionName(wasm, "table-get");
+    auto func = std::make_unique<Function>();
+    func->name = tableGetImportName;
+    func->module = "fuzzing-support";
+    func->base = "table-get";
+    func->type = Signature({Type::i32}, Type(HeapType::func, Nullable));
+    wasm.addFunction(std::move(func));
+  }
+
+  // Set into the table.
+  {
+    tableSetImportName = Names::getValidFunctionName(wasm, "table-set");
+    auto func = std::make_unique<Function>();
+    func->name = tableSetImportName;
+    func->module = "fuzzing-support";
+    func->base = "table-set";
+    func->type =
+      Signature({Type::i32, Type(HeapType::func, Nullable)}, Type::none);
+    wasm.addFunction(std::move(func));
+  }
+}
+
 void TranslateToFuzzReader::addHashMemorySupport() {
   // Add memory hasher helper (for the hash, see hash.h). The function looks
   // like:
@@ -722,6 +768,21 @@ Expression* TranslateToFuzzReader::makeImportThrowing(Type type) {
   return builder.makeCall(throwImportName, {}, Type::none);
 }
 
+Expression* TranslateToFuzzReader::makeImportTableGet() {
+  assert(tableGetImportName);
+  return builder.makeCall(
+    tableGetImportName, {make(Type::i32)}, Type(HeapType::func, Nullable));
+}
+
+Expression* TranslateToFuzzReader::makeImportTableSet(Type type) {
+  assert(type == Type::none);
+  assert(tableSetImportName);
+  return builder.makeCall(
+    tableSetImportName,
+    {make(Type::i32), makeBasicRef(Type(HeapType::func, Nullable))},
+    Type::none);
+}
+
 Expression* TranslateToFuzzReader::makeMemoryHashLogging() {
   auto* hash = builder.makeCall(std::string("hashMemory"), {}, Type::i32);
   return builder.makeCall(logImportNames[Type::i32], {hash}, Type::none);
@@ -1489,6 +1550,9 @@ Expression* TranslateToFuzzReader::_makenone() {
     .add(FeatureSet::ReferenceTypes | FeatureSet::GC, &Self::makeBrOn)
     .add(FeatureSet::ReferenceTypes | FeatureSet::GC,
          &Self::makeArrayBulkMemoryOp);
+  if (tableSetImportName) {
+    options.add(FeatureSet::ReferenceTypes, &Self::makeImportTableSet);
+  }
   return (this->*pick(options))(Type::none);
 }
 
@@ -2679,6 +2743,12 @@ Expression* TranslateToFuzzReader::makeBasicRef(Type type) {
       return null;
     }
     case HeapType::func: {
+      // Rarely, emit a call to imported table.get (when nullable, unshared, and
+      // where we can emit a call).
+      if (type.isNullable() && share == Unshared && funcContext &&
+          tableGetImportName && !oneIn(3)) {
+        return makeImportTableGet();
+      }
       return makeRefFuncConst(type);
     }
     case HeapType::cont: {