[fuzzer] Add struct type and array type to fuzzed module

We add a struct type and array type to the fuzzed module.
Since the interpreter does not support wasm-gc,
we only do so if liftoff is used as a reference implementation.
Also, adding liftoff parameter to all GenerateModule definitions.

Bug: v8:11954
Change-Id: Ia8d2d7a8e1e12d375605f15d1393dd64f426607d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3024160Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/master@{#75782}

test/fuzzer/wasm-code.cc

@@ -19,8 +19,8 @@ namespace fuzzer {
 
 class WasmCodeFuzzer : public WasmExecutionFuzzer {
   bool GenerateModule(Isolate* isolate, Zone* zone,
-                      base::Vector<const uint8_t> data,
-                      ZoneBuffer* buffer) override {
+                      base::Vector<const uint8_t> data, ZoneBuffer* buffer,
+                      bool liftoff_as_reference) override {
     TestSignatures sigs;
     WasmModuleBuilder builder(zone);
     WasmFunctionBuilder* f = builder.AddFunction(sigs.i_iii());

test/fuzzer/wasm-compile.cc

@@ -1632,8 +1632,8 @@ FunctionSig* GenerateSig(Zone* zone, DataRange* data, SigKind sig_kind) {
 
 class WasmCompileFuzzer : public WasmExecutionFuzzer {
   bool GenerateModule(Isolate* isolate, Zone* zone,
-                      base::Vector<const uint8_t> data,
-                      ZoneBuffer* buffer) override {
+                      base::Vector<const uint8_t> data, ZoneBuffer* buffer,
+                      bool liftoff_as_reference) override {
     TestSignatures sigs;
 
     WasmModuleBuilder builder(zone);
@@ -1693,12 +1693,28 @@ class WasmCompileFuzzer : public WasmExecutionFuzzer {
     for (int i = 0; i < num_functions; ++i) {
       builder.SetIndirectFunction(i, i);
     }
-
+    if (liftoff_as_reference) {
+      uint32_t count = 4;
+      StructType::Builder struct_builder(zone, count);
+      struct_builder.AddField(kWasmI32, false);
+      struct_builder.AddField(kWasmI64, false);
+      struct_builder.AddField(kWasmF32, false);
+      struct_builder.AddField(kWasmF64, false);
+      StructType* struct_fuz = struct_builder.Build();
+      builder.AddStructType(struct_fuz);
+      ArrayType* array_fuzI32 = zone->New<ArrayType>(kWasmI32, true);
+      ArrayType* array_fuzI64 = zone->New<ArrayType>(kWasmI64, true);
+      ArrayType* array_fuzF32 = zone->New<ArrayType>(kWasmF32, true);
+      ArrayType* array_fuzF64 = zone->New<ArrayType>(kWasmF64, true);
+      builder.AddArrayType(array_fuzI32);
+      builder.AddArrayType(array_fuzI64);
+      builder.AddArrayType(array_fuzF32);
+      builder.AddArrayType(array_fuzF64);
+    }
     builder.SetMaxMemorySize(32);
     // We enable shared memory to be able to test atomics.
     builder.SetHasSharedMemory();
     builder.WriteTo(buffer);
-
     return true;
   }
 };

test/fuzzer/wasm-fuzzer-common.cc

@@ -521,7 +521,7 @@ void WasmExecutionFuzzer::FuzzWasmModule(base::Vector<const uint8_t> data,
   bool liftoff_as_reference = false;
 #endif
   if (!data.empty()) data += 1;
-  if (!GenerateModule(i_isolate, &zone, data, &buffer)) {
+  if (!GenerateModule(i_isolate, &zone, data, &buffer, liftoff_as_reference)) {
     return;
   }
 

test/fuzzer/wasm-fuzzer-common.h

@@ -48,7 +48,8 @@ class WasmExecutionFuzzer {
  protected:
   virtual bool GenerateModule(Isolate* isolate, Zone* zone,
                               base::Vector<const uint8_t> data,
-                              ZoneBuffer* buffer) = 0;
+                              ZoneBuffer* buffer,
+                              bool liftoff_as_reference) = 0;
 };
 
 }  // namespace fuzzer