Integrate the heap type fuzzer into the main fuzzer (#5555)

With this we generate random GC types that may be used in creating
instructions later.

We don't create many instructions yet, which will be the next step after
this.

Also add some trivial assertions in some places, that have helped
debugging in the past.

Stop fuzzing TypeMerging for now due to #5556 , which this PR
uncovers.

3 files changed, 36 insertions, 4 deletions

diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 3ef721db9..42d3ec3ba 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -277,11 +277,36 @@ void TranslateToFuzzReader::setupHeapTypes() {
   // initial content we began with.
   auto possibleHeapTypes = ModuleUtils::collectHeapTypes(wasm);
 
-  // TODO: use heap type fuzzer to add new types in addition to the previous
-
   // Filter away uninhabitable heap types, that is, heap types that we cannot
   // construct, like a type with a non-nullable reference to itself.
   interestingHeapTypes = HeapTypeGenerator::getInhabitable(possibleHeapTypes);
+
+  // For GC, also generate random types.
+  if (wasm.features.hasGC()) {
+    auto generator =
+      HeapTypeGenerator::create(random, wasm.features, upTo(MAX_NEW_GC_TYPES));
+    auto result = generator.builder.build();
+    if (auto* err = result.getError()) {
+      Fatal() << "Failed to build heap types: " << err->reason << " at index "
+              << err->index;
+    }
+
+    // Make the new types inhabitable. This process modifies existing types, so
+    // it leaves more available compared to HeapTypeGenerator::getInhabitable.
+    // We run that before on existing content, which may have instructions that
+    // use the types, as editing them is not trivial, and for new types here we
+    // are free to modify them so we keep as many as we can.
+    auto inhabitable = HeapTypeGenerator::makeInhabitable(*result);
+    for (auto type : inhabitable) {
+      // Trivial types are already handled specifically in e.g.
+      // getSingleConcreteType(), and we avoid adding them here as then we'd
+      // need to add code to avoid uninhabitable combinations of them (like a
+      // non-nullable bottom heap type).
+      if (!type.isBottom() && !type.isBasic()) {
+        interestingHeapTypes.push_back(type);
+      }
+    }
+  }
 }
 
 // TODO(reference-types): allow the fuzzer to create multiple tables
@@ -1992,6 +2017,7 @@ Expression* TranslateToFuzzReader::makeRefFuncConst(Type type) {
       (type.isNonNullable() && oneIn(16) && funcContext)) {
     Expression* ret = builder.makeRefNull(HeapType::nofunc);
     if (!type.isNullable()) {
+      assert(funcContext);
       ret = builder.makeRefAs(RefAsNonNull, ret);
     }
     return ret;
@@ -2044,6 +2070,7 @@ Expression* TranslateToFuzzReader::makeConstBasicRef(Type type) {
       // TODO: support actual non-nullable externrefs via imported globals or
       // similar.
       if (!type.isNullable()) {
+        assert(funcContext);
         return builder.makeRefAs(RefAsNonNull, null);
       }
       return null;
@@ -2127,6 +2154,7 @@ Expression* TranslateToFuzzReader::makeConstBasicRef(Type type) {
     case HeapType::nofunc: {
       auto null = builder.makeRefNull(heapType);
       if (!type.isNullable()) {
+        assert(funcContext);
         return builder.makeRefAs(RefAsNonNull, null);
       }
       return null;
diff --git a/src/tools/fuzzing/heap-types.cpp b/src/tools/fuzzing/heap-types.cpp
index 0edeb833a..7fa0cd338 100644
--- a/src/tools/fuzzing/heap-types.cpp
+++ b/src/tools/fuzzing/heap-types.cpp
@@ -541,8 +541,9 @@ struct HeapTypeGeneratorImpl {
   }
 
   Signature generateSubSignature(Signature super) {
-    return Signature(generateSupertype(super.params),
-                     generateSubtype(super.results));
+    auto params = generateSupertype(super.params);
+    auto results = generateSubtype(super.results);
+    return Signature(params, results);
   }
 
   Field generateSubField(Field super) {
diff --git a/src/tools/fuzzing/parameters.h b/src/tools/fuzzing/parameters.h
index e92c88210..9e5cefd9a 100644
--- a/src/tools/fuzzing/parameters.h
+++ b/src/tools/fuzzing/parameters.h
@@ -61,6 +61,9 @@ constexpr Address USABLE_MEMORY = 16;
 // no hang protection.
 constexpr int HANG_LIMIT = 100;
 
+// the maximum amount of new GC types (structs, etc.) to create
+constexpr int MAX_NEW_GC_TYPES = 25;
+
 //
 constexpr size_t VeryImportant = 4;
 constexpr size_t Important = 2;