3 files changed, 113 insertions, 21 deletions

diff --git a/scripts/clusterfuzz/run.py b/scripts/clusterfuzz/run.py
index 8ac880e0d..2fedb6510 100755
--- a/scripts/clusterfuzz/run.py
+++ b/scripts/clusterfuzz/run.py
@@ -200,6 +200,15 @@ def get_js_file_contents(i, output_dir):
 
     print(f'Created {bytes} wasm bytes')
 
+    # Some of the time, fuzz JSPI (similar to fuzz_opt.py, see details there).
+    if system_random.random() < 0.25:
+        # Prepend the flag to enable JSPI.
+        js = 'var JSPI = 1;\n\n' + js
+
+        # Un-comment the async and await keywords.
+        js = js.replace('/* async */', 'async')
+        js = js.replace('/* await */', 'await')
+
     return js
 
 
diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py
index 87f059058..ca7c9e355 100755
--- a/scripts/fuzz_opt.py
+++ b/scripts/fuzz_opt.py
@@ -232,7 +232,11 @@ def randomize_fuzz_settings():
         if random.random() < 0.5:
             GEN_ARGS += ['--enclose-world']
 
-    print('randomized settings (NaNs, OOB, legalize):', NANS, OOB, LEGALIZE)
+    # Test JSPI somewhat rarely, as it may be slower.
+    global JSPI
+    JSPI = random.random() < 0.25
+
+    print('randomized settings (NaNs, OOB, legalize, JSPI):', NANS, OOB, LEGALIZE, JSPI)
 
 
 def init_important_initial_contents():
@@ -758,11 +762,39 @@ def run_d8_js(js, args=[], liftoff=True):
     return run_vm(cmd)
 
 
-FUZZ_SHELL_JS = in_binaryen('scripts', 'fuzz_shell.js')
+# For JSPI, we must customize fuzz_shell.js. We do so the first time we need
+# it, and save the filename here.
+JSPI_JS_FILE = None
+
+
+def get_fuzz_shell_js():
+    js = in_binaryen('scripts', 'fuzz_shell.js')
+
+    if not JSPI:
+        # Just use the normal fuzz shell script.
+        return js
+
+    global JSPI_JS_FILE
+    if JSPI_JS_FILE:
+        # Use the customized file we've already created.
+        return JSPI_JS_FILE
+
+    JSPI_JS_FILE = os.path.abspath('jspi_fuzz_shell.js')
+    with open(JSPI_JS_FILE, 'w') as f:
+        # Enable JSPI.
+        f.write('var JSPI = 1;\n\n')
+
+        # Un-comment the async and await keywords.
+        with open(js) as g:
+            code = g.read()
+        code = code.replace('/* async */', 'async')
+        code = code.replace('/* await */', 'await')
+        f.write(code)
+    return JSPI_JS_FILE
 
 
 def run_d8_wasm(wasm, liftoff=True, args=[]):
-    return run_d8_js(FUZZ_SHELL_JS, [wasm] + args, liftoff=liftoff)
+    return run_d8_js(get_fuzz_shell_js(), [wasm] + args, liftoff=liftoff)
 
 
 def all_disallowed(features):
@@ -850,7 +882,7 @@ class CompareVMs(TestCaseHandler):
             name = 'd8'
 
             def run(self, wasm, extra_d8_flags=[]):
-                return run_vm([shared.V8, FUZZ_SHELL_JS] + shared.V8_OPTS + get_v8_extra_flags() + extra_d8_flags + ['--', wasm])
+                return run_vm([shared.V8, get_fuzz_shell_js()] + shared.V8_OPTS + get_v8_extra_flags() + extra_d8_flags + ['--', wasm])
 
             def can_run(self, wasm):
                 # V8 does not support shared memories when running with
@@ -1160,7 +1192,7 @@ class Wasm2JS(TestCaseHandler):
                 compare_between_vms(before, interpreter, 'Wasm2JS (vs interpreter)')
 
     def run(self, wasm):
-        with open(FUZZ_SHELL_JS) as f:
+        with open(get_fuzz_shell_js()) as f:
             wrapper = f.read()
         cmd = [in_bin('wasm2js'), wasm, '--emscripten']
         # avoid optimizations if we have nans, as we don't handle them with
@@ -1193,6 +1225,10 @@ class Wasm2JS(TestCaseHandler):
         # specifically for growth here
         if INITIAL_CONTENTS:
             return False
+        # We run in node, which lacks JSPI support, and also we need wasm2js to
+        # implement wasm suspending using JS async/await.
+        if JSPI:
+            return False
         return all_disallowed(['exception-handling', 'simd', 'threads', 'bulk-memory', 'nontrapping-float-to-int', 'tail-call', 'sign-ext', 'reference-types', 'multivalue', 'gc', 'multimemory', 'memory64'])
 
 
diff --git a/scripts/fuzz_shell.js b/scripts/fuzz_shell.js
index 95176bbe6..653146517 100644
--- a/scripts/fuzz_shell.js
+++ b/scripts/fuzz_shell.js
@@ -1,3 +1,17 @@
+// This script can be customized by setting the following variables in code that
+// runs before this script.
+//
+// The binary to be run. (If not set, we get the filename from argv and read
+// from it.)
+var binary;
+// A second binary to be linked in and run as well. (Can also be read from
+// argv.)
+var secondBinary;
+// Whether we are fuzzing JSPI. In addition to this being set, the "async" and
+// "await" keywords must be taken out of the /* KEYWORD */ comments (which they
+// are normally in, so as not to affect normal fuzzing).
+var JSPI;
+
 // Shell integration: find argv and set up readBinary().
 var argv;
 var readBinary;
@@ -25,9 +39,6 @@ if (typeof process === 'object' && typeof require === 'function') {
   };
 }
 
-// The binary to be run. This may be set already (by code that runs before this
-// script), and if not, we get the filename from argv.
-var binary;
 if (!binary) {
   binary = readBinary(argv[0]);
 }
@@ -43,7 +54,6 @@ if (argv.length > 0 && argv[argv.length - 1].startsWith('exports:')) {
 
 // If a second parameter is given, it is a second binary that we will link in
 // with it.
-var secondBinary;
 if (argv[1]) {
   secondBinary = readBinary(argv[1]);
 }
@@ -163,9 +173,9 @@ function callFunc(func) {
 // Calls a given function in a try-catch, swallowing JS exceptions, and return 1
 // if we did in fact swallow an exception. Wasm traps are not swallowed (see
 // details below).
-function tryCall(func) {
+/* async */ function tryCall(func) {
   try {
-    func();
+    /* await */ func();
     return 0;
   } catch (e) {
     // We only want to catch exceptions, not wasm traps: traps should still
@@ -243,19 +253,39 @@ var imports = {
     },
 
     // Export operations.
-    'call-export': (index) => {
-      callFunc(exportList[index].value);
+    'call-export': /* async */ (index) => {
+      /* await */ callFunc(exportList[index].value);
     },
-    'call-export-catch': (index) => {
-      return tryCall(() => callFunc(exportList[index].value));
+    'call-export-catch': /* async */ (index) => {
+      return tryCall(/* async */ () => /* await */ callFunc(exportList[index].value));
     },
 
     // Funcref operations.
-    'call-ref': (ref) => {
-      callFunc(ref);
+    'call-ref': /* async */ (ref) => {
+      // This is a direct function reference, and just like an export, it must
+      // be wrapped for JSPI.
+      ref = wrapExportForJSPI(ref);
+      /* await */ callFunc(ref);
+    },
+    'call-ref-catch': /* async */ (ref) => {
+      ref = wrapExportForJSPI(ref);
+      return tryCall(/* async */ () => /* await */ callFunc(ref));
     },
-    'call-ref-catch': (ref) => {
-      return tryCall(() => callFunc(ref));
+
+    // Sleep a given amount of ms (when JSPI) and return a given id after that.
+    'sleep': (ms, id) => {
+      if (!JSPI) {
+        return id;
+      }
+      return new Promise((resolve, reject) => {
+        setTimeout(() => {
+          resolve(id);
+        }, 0); // TODO: Use the ms in some reasonable, deterministic manner.
+               //       Rather than actually setTimeout on them we could manage
+               //       a queue of pending sleeps manually, and order them based
+               //       on the "ms" (which would not be literal ms, but just
+               //       how many time units to wait).
+      });
     },
   },
   // Emscripten support.
@@ -274,6 +304,22 @@ if (typeof WebAssembly.Tag !== 'undefined') {
   };
 }
 
+// If JSPI is available, wrap the imports and exports.
+if (JSPI) {
+  for (var name of ['sleep', 'call-export', 'call-export-catch', 'call-ref',
+                    'call-ref-catch']) {
+    imports['fuzzing-support'][name] =
+      new WebAssembly.Suspending(imports['fuzzing-support'][name]);
+  }
+}
+
+function wrapExportForJSPI(value) {
+  if (JSPI && typeof value === 'function') {
+    value = WebAssembly.promising(value);
+  }
+  return value;
+}
+
 // If a second binary will be linked in then set up the imports for
 // placeholders. Any import like  (import "placeholder" "0" (func ..  will be
 // provided by the secondary module, and must be called using an indirection.
@@ -312,13 +358,14 @@ function build(binary) {
   // keep the ability to call anything that was ever exported.)
   for (var key in instance.exports) {
     var value = instance.exports[key];
+    value = wrapExportForJSPI(value);
     exports[key] = value;
     exportList.push({ name: key, value: value });
   }
 }
 
 // Run the code by calling exports.
-function callExports() {
+/* async */ function callExports() {
   // Call the exports we were told, or if we were not given an explicit list,
   // call them all.
   var relevantExports = exportsToCall || exportList;
@@ -342,7 +389,7 @@ function callExports() {
 
     try {
       console.log('[fuzz-exec] calling ' + name);
-      var result = callFunc(value);
+      var result = /* await */ callFunc(value);
       if (typeof result !== 'undefined') {
         console.log('[fuzz-exec] note result: ' + name + ' => ' + printed(result));
       }