[EH] Fuzz calls from JS by calling wasm exports, sometimes catching (#7067)

This adds two new imports to fuzzer modules:

* call-export, which gets an export index and calls it.
* call-export-catch, which does the call in a try-catch, swallowing
  any error, and returning 1 if it saw an error.

The former gives us calls back into the wasm, possibly making various
trips between wasm and JS in interesting ways. The latter adds a
try-catch which helps fuzz wasm EH.

We do these calls using a wasm export index, i.e., the index in
the list of exports. This is simple, but it does have the downside that
it makes executing the wasm sensitive to changes in exports (e.g.
wasm-merge adds more), which requires some handling in the fuzzer.

3 files changed, 136 insertions, 5 deletions

diff --git a/src/tools/execution-results.h b/src/tools/execution-results.h
index 78cc5af1f..25d0c0772 100644
--- a/src/tools/execution-results.h
+++ b/src/tools/execution-results.h
@@ -40,10 +40,15 @@ private:
 
   // The name of the table exported by the name 'table.' Imports access it.
   Name exportedTable;
+  Module& wasm;
+
+  // The ModuleRunner and this ExternalInterface end up needing links both ways,
+  // so we cannot init this in the constructor.
+  ModuleRunner* instance = nullptr;
 
 public:
   LoggingExternalInterface(Loggings& loggings, Module& wasm)
-    : loggings(loggings) {
+    : loggings(loggings), wasm(wasm) {
     for (auto& exp : wasm.exports) {
       if (exp->kind == ExternalKind::Table && exp->name == "table") {
         exportedTable = exp->value;
@@ -99,6 +104,18 @@ public:
         }
         tableStore(exportedTable, index, arguments[1]);
         return {};
+      } else if (import->base == "call-export") {
+        callExport(arguments[0].geti32());
+        // Return nothing. If we wanted to return a value we'd need to have
+        // multiple such functions, one for each signature.
+        return {};
+      } else if (import->base == "call-export-catch") {
+        try {
+          callExport(arguments[0].geti32());
+          return {Literal(int32_t(0))};
+        } catch (const WasmException& e) {
+          return {Literal(int32_t(1))};
+        }
       } else {
         WASM_UNREACHABLE("unknown fuzzer import");
       }
@@ -127,6 +144,35 @@ public:
     auto payload = std::make_shared<ExnData>("__private", Literals{});
     throwException(WasmException{Literal(payload)});
   }
+
+  Literals callExport(Index index) {
+    if (index >= wasm.exports.size()) {
+      // No export.
+      throwEmptyException();
+    }
+    auto& exp = wasm.exports[index];
+    if (exp->kind != ExternalKind::Function) {
+      // No callable export.
+      throwEmptyException();
+    }
+    auto* func = wasm.getFunction(exp->value);
+
+    // TODO JS traps on some types on the boundary, which we should behave the
+    // same on. For now, this is not needed because the fuzzer will prune all
+    // non-JS-compatible exports anyhow.
+
+    // Send default values as arguments, or trap if we need anything else.
+    Literals arguments;
+    for (const auto& param : func->getParams()) {
+      if (!param.isDefaultable()) {
+        throwEmptyException();
+      }
+      arguments.push_back(Literal::makeZero(param));
+    }
+    return instance->callFunction(func->name, arguments);
+  }
+
+  void setModuleRunner(ModuleRunner* instance_) { instance = instance_; }
 };
 
 // gets execution results from a wasm module. this is useful for fuzzing
@@ -148,6 +194,7 @@ struct ExecutionResults {
     LoggingExternalInterface interface(loggings, wasm);
     try {
       ModuleRunner instance(wasm, &interface);
+      interface.setModuleRunner(&instance);
       // execute all exported methods (that are therefore preserved through
       // opts)
       for (auto& exp : wasm.exports) {
@@ -298,6 +345,7 @@ struct ExecutionResults {
     LoggingExternalInterface interface(loggings, wasm);
     try {
       ModuleRunner instance(wasm, &interface);
+      interface.setModuleRunner(&instance);
       return run(func, wasm, instance);
     } catch (const TrapException&) {
       // May throw in instance creation (init of offsets).
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
index 6f73feca9..3e8ec5b97 100644
--- a/src/tools/fuzzing.h
+++ b/src/tools/fuzzing.h
@@ -104,10 +104,11 @@ private:
   Name funcrefTableName;
 
   std::unordered_map<Type, Name> logImportNames;
-
   Name throwImportName;
   Name tableGetImportName;
   Name tableSetImportName;
+  Name callExportImportName;
+  Name callExportCatchImportName;
 
   std::unordered_map<Type, std::vector<Name>> globalsByType;
   std::unordered_map<Type, std::vector<Name>> mutableGlobalsByType;
@@ -225,9 +226,8 @@ private:
   void finalizeTable();
   void prepareHangLimitSupport();
   void addHangLimitSupport();
-  // Imports that we call to log out values.
   void addImportLoggingSupport();
-  // An import that we call to throw an exception from outside.
+  void addImportCallingSupport();
   void addImportThrowingSupport();
   void addImportTableSupport();
   void addHashMemorySupport();
@@ -238,6 +238,7 @@ private:
   Expression* makeImportThrowing(Type type);
   Expression* makeImportTableGet();
   Expression* makeImportTableSet(Type type);
+  Expression* makeImportCallExport(Type type);
   Expression* makeMemoryHashLogging();
 
   // Function creation
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 1329e886e..f4e21d870 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -182,6 +182,7 @@ void TranslateToFuzzReader::build() {
     addImportTableSupport();
   }
   addImportLoggingSupport();
+  addImportCallingSupport();
   modifyInitialFunctions();
   // keep adding functions until we run out of input
   while (!random.finished()) {
@@ -635,6 +636,49 @@ void TranslateToFuzzReader::addImportLoggingSupport() {
   }
 }
 
+void TranslateToFuzzReader::addImportCallingSupport() {
+  // Only add these some of the time, as they inhibit some fuzzing (things like
+  // wasm-ctor-eval and wasm-merge are sensitive to the wasm being able to call
+  // its own exports, and to care about the indexes of the exports):
+  //
+  //  0 - none
+  //  1 - call-export
+  //  2 - call-export-catch
+  //  3 - call-export & call-export-catch
+  //  4 - none
+  //  5 - none
+  //
+  auto choice = upTo(6);
+  if (choice >= 4) {
+    return;
+  }
+
+  if (choice & 1) {
+    // Given an export index, call it from JS.
+    callExportImportName = Names::getValidFunctionName(wasm, "call-export");
+    auto func = std::make_unique<Function>();
+    func->name = callExportImportName;
+    func->module = "fuzzing-support";
+    func->base = "call-export";
+    func->type = Signature({Type::i32}, Type::none);
+    wasm.addFunction(std::move(func));
+  }
+
+  if (choice & 2) {
+    // Given an export index, call it from JS and catch all exceptions. Return
+    // whether we caught. Exceptions are common (if the index is invalid, in
+    // particular), so a variant that catches is useful to avoid halting.
+    callExportCatchImportName =
+      Names::getValidFunctionName(wasm, "call-export-catch");
+    auto func = std::make_unique<Function>();
+    func->name = callExportCatchImportName;
+    func->module = "fuzzing-support";
+    func->base = "call-export-catch";
+    func->type = Signature(Type::i32, Type::i32);
+    wasm.addFunction(std::move(func));
+  }
+}
+
 void TranslateToFuzzReader::addImportThrowingSupport() {
   // Throw some kind of exception from JS.
   // TODO: Send an index, which is which exported wasm Tag we should throw, or
@@ -820,6 +864,38 @@ Expression* TranslateToFuzzReader::makeImportTableSet(Type type) {
     Type::none);
 }
 
+Expression* TranslateToFuzzReader::makeImportCallExport(Type type) {
+  // The none-returning variant just does the call. The i32-returning one
+  // catches any errors and returns 1 when it saw an error. Based on the
+  // variant, pick which to call, and the maximum index to call.
+  Name target;
+  Index maxIndex = wasm.exports.size();
+  if (type == Type::none) {
+    target = callExportImportName;
+  } else if (type == Type::i32) {
+    target = callExportCatchImportName;
+    // This never traps, so we can be less careful, but we do still want to
+    // avoid trapping a lot as executing code is more interesting. (Note that
+    // even though we double here, the risk is not that great: we are still
+    // adding functions as we go, so the first half of functions/exports can
+    // double here and still end up in bounds by the time we've added them all.)
+    maxIndex = (maxIndex + 1) * 2;
+  } else {
+    WASM_UNREACHABLE("bad import.call");
+  }
+  // We must have set up the target function.
+  assert(target);
+
+  // Most of the time, call a valid export index in the range we picked, but
+  // sometimes allow anything at all.
+  auto* index = make(Type::i32);
+  if (!allowOOB || !oneIn(10)) {
+    index = builder.makeBinary(
+      RemUInt32, index, builder.makeConst(int32_t(maxIndex)));
+  }
+  return builder.makeCall(target, {index}, type);
+}
+
 Expression* TranslateToFuzzReader::makeMemoryHashLogging() {
   auto* hash = builder.makeCall(std::string("hashMemory"), {}, Type::i32);
   return builder.makeCall(logImportNames[Type::i32], {hash}, Type::none);
@@ -1511,6 +1587,9 @@ Expression* TranslateToFuzzReader::_makeConcrete(Type type) {
     options.add(FeatureSet::Atomics, &Self::makeAtomic);
   }
   if (type == Type::i32) {
+    if (callExportCatchImportName) {
+      options.add(FeatureSet::MVP, &Self::makeImportCallExport);
+    }
     options.add(FeatureSet::ReferenceTypes, &Self::makeRefIsNull);
     options.add(FeatureSet::ReferenceTypes | FeatureSet::GC,
                 &Self::makeRefEq,
@@ -1590,6 +1669,9 @@ Expression* TranslateToFuzzReader::_makenone() {
   if (tableSetImportName) {
     options.add(FeatureSet::ReferenceTypes, &Self::makeImportTableSet);
   }
+  if (callExportImportName) {
+    options.add(FeatureSet::MVP, &Self::makeImportCallExport);
+  }
   return (this->*pick(options))(Type::none);
 }
 
@@ -2023,7 +2105,7 @@ Expression* TranslateToFuzzReader::makeCallIndirect(Type type) {
       return makeTrivial(type);
     }
   }
-  // with high probability, make sure the type is valid  otherwise, most are
+  // with high probability, make sure the type is valid - otherwise, most are
   // going to trap
   auto addressType = wasm.getTable(funcrefTableName)->addressType;
   Expression* target;