[wasm] Do not use WasmInitExpr for element segments

Changes:
- Use a lightweight WasmElemSegment::Entry struct to store element
  segment entries in a WasmModule.
- Also, restructure LoadElemSegmentImpl to handle all types of
  global.get entries correctly.
- Simplify InitializeIndirectFunctionTables and make it handle all types
  of entries correctly.
- In the above two cases, reject WasmJSFunctions for now.

Bug: v8:11895
Change-Id: Ie714f8c7f1af8959486138d2ad49bc622a89276d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2991248
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75513}

src/wasm/module-decoder.cc

@@ -916,10 +916,11 @@ class ModuleDecoderImpl : public Decoder {
           consume_count("number of elements", max_table_init_entries());
 
       for (uint32_t j = 0; j < num_elem; j++) {
-        WasmInitExpr init =
+        WasmElemSegment::Entry init =
             expressions_as_elements
                 ? consume_element_expr()
-                : WasmInitExpr::RefFuncConst(consume_element_func_index());
+                : WasmElemSegment::Entry(WasmElemSegment::Entry::kRefFuncEntry,
+                                         consume_element_func_index());
         if (failed()) return;
         if (!IsSubtypeOf(TypeOf(init), segment.type, module_.get())) {
           errorf(pc_,
@@ -928,7 +929,7 @@ class ModuleDecoderImpl : public Decoder {
                  segment.type.name().c_str(), TypeOf(init).name().c_str());
           return;
         }
-        segment.entries.push_back(std::move(init));
+        segment.entries.push_back(init);
       }
       module_->elem_segments.push_back(std::move(segment));
     }
@@ -1423,8 +1424,16 @@ class ModuleDecoderImpl : public Decoder {
   AccountingAllocator allocator_;
   Zone init_expr_zone_{&allocator_, "initializer expression zone"};
 
-  ValueType TypeOf(const WasmInitExpr& expr) {
-    return expr.type(module_.get(), enabled_features_);
+  ValueType TypeOf(WasmElemSegment::Entry entry) {
+    switch (entry.kind) {
+      case WasmElemSegment::Entry::kGlobalGetEntry:
+        return module_->globals[entry.index].type;
+      case WasmElemSegment::Entry::kRefFuncEntry:
+        return ValueType::Ref(module_->functions[entry.index].sig_index,
+                              kNonNullable);
+      case WasmElemSegment::Entry::kRefNullEntry:
+        return ValueType::Ref(entry.index, kNullable);
+    }
   }
 
   bool has_seen_unordered_section(SectionCode section_code) {
@@ -1991,9 +2000,10 @@ class ModuleDecoderImpl : public Decoder {
     return index;
   }
 
-  // TODO(manoskouk): When reftypes lands, remove this and use
-  // consume_init_expr() instead.
-  WasmInitExpr consume_element_expr() {
+  // TODO(manoskouk): When reftypes lands, consider if we can implement this
+  // with consume_init_expr(). It will require changes in module-instantiate.cc,
+  // in {LoadElemSegmentImpl}.
+  WasmElemSegment::Entry consume_element_expr() {
     uint8_t opcode = consume_u8("element opcode");
     if (failed()) return {};
     switch (opcode) {
@@ -2002,13 +2012,14 @@ class ModuleDecoderImpl : public Decoder {
                                                this->pc(), module_.get());
         consume_bytes(imm.length, "ref.null immediate");
         expect_u8("end opcode", kExprEnd);
-        return WasmInitExpr::RefNullConst(imm.type.representation());
+        return {WasmElemSegment::Entry::kRefNullEntry,
+                static_cast<uint32_t>(imm.type.representation())};
       }
       case kExprRefFunc: {
         uint32_t index = consume_element_func_index();
         if (failed()) return {};
         expect_u8("end opcode", kExprEnd);
-        return WasmInitExpr::RefFuncConst(index);
+        return {WasmElemSegment::Entry::kRefFuncEntry, index};
       }
       case kExprGlobalGet: {
         if (!enabled_features_.has_reftypes()) {
@@ -2025,7 +2036,7 @@ class ModuleDecoderImpl : public Decoder {
           return {};
         }
         expect_u8("end opcode", kExprEnd);
-        return WasmInitExpr::GlobalGet(index);
+        return {WasmElemSegment::Entry::kGlobalGetEntry, index};
       }
       default:
         error("invalid opcode in element");

src/wasm/wasm-module.h

@@ -135,7 +135,13 @@ struct WasmElemSegment {
   ValueType type;
   uint32_t table_index;
   WireBytesRef offset;
-  std::vector<WasmInitExpr> entries;
+  struct Entry {
+    enum Kind { kGlobalGetEntry, kRefFuncEntry, kRefNullEntry } kind;
+    uint32_t index;
+    Entry(Kind kind, uint32_t index) : kind(kind), index(index) {}
+    Entry() : kind(kRefNullEntry), index(0) {}
+  };
+  std::vector<Entry> entries;
   enum Status {
     kStatusActive,      // copied automatically during instantiation.
     kStatusPassive,     // copied explicitly after instantiation.

test/cctest/wasm/wasm-run-utils.cc

@@ -302,7 +302,8 @@ uint32_t TestingModuleBuilder::AddPassiveElementSegment(
   test_module_->elem_segments.emplace_back(kWasmFuncRef, false);
   auto& elem_segment = test_module_->elem_segments.back();
   for (uint32_t entry : entries) {
-    elem_segment.entries.push_back(WasmInitExpr::RefFuncConst(entry));
+    elem_segment.entries.push_back(
+        WasmElemSegment::Entry(WasmElemSegment::Entry::kRefFuncEntry, entry));
   }
 
   // The vector pointers may have moved, so update the instance object.

test/fuzzer/wasm-fuzzer-common.cc

@@ -159,37 +159,17 @@ std::ostream& operator<<(std::ostream& os, const PrintName& name) {
   return os.write(name.name.begin(), name.name.size());
 }
 
-std::ostream& operator<<(std::ostream& os, const WasmInitExpr& expr) {
+std::ostream& operator<<(std::ostream& os, WasmElemSegment::Entry entry) {
   os << "WasmInitExpr.";
-  switch (expr.kind()) {
-    case WasmInitExpr::kNone:
-      UNREACHABLE();
-    case WasmInitExpr::kS128Const:
-    case WasmInitExpr::kRttCanon:
-    case WasmInitExpr::kRttSub:
-    case WasmInitExpr::kRttFreshSub:
-    case WasmInitExpr::kRefNullConst:
-    case WasmInitExpr::kStructNewWithRtt:
-    case WasmInitExpr::kArrayInit:
-      // TODO(manoskouk): Implement these.
-      UNIMPLEMENTED();
-    case WasmInitExpr::kGlobalGet:
-      os << "GlobalGet(" << expr.immediate().index;
-      break;
-    case WasmInitExpr::kI32Const:
-      os << "I32Const(" << expr.immediate().i32_const;
-      break;
-    case WasmInitExpr::kI64Const:
-      os << "I64Const(" << expr.immediate().i64_const;
-      break;
-    case WasmInitExpr::kF32Const:
-      os << "F32Const(" << expr.immediate().f32_const;
+  switch (entry.kind) {
+    case WasmElemSegment::Entry::kGlobalGetEntry:
+      os << "GlobalGet(" << entry.index;
       break;
-    case WasmInitExpr::kF64Const:
-      os << "F64Const(" << expr.immediate().f64_const;
+    case WasmElemSegment::Entry::kRefFuncEntry:
+      os << "RefFunc(" << entry.index;
       break;
-    case WasmInitExpr::kRefFuncConst:
-      os << "RefFunc(" << expr.immediate().index;
+    case WasmElemSegment::Entry::kRefNullEntry:
+      os << "RefNull(" << HeapType(entry.index).name().c_str();
       break;
   }
   return os << ")";

test/unittests/wasm/function-body-decoder-unittest.cc

@@ -161,16 +161,16 @@ class TestModuleBuilder {
     auto& init = mod.elem_segments.back();
     // Add 5 empty elements.
     for (uint32_t j = 0; j < 5; j++) {
-      init.entries.push_back(
-          WasmInitExpr::RefNullConst(type.heap_representation()));
+      init.entries.push_back(WasmElemSegment::Entry(
+          WasmElemSegment::Entry::kRefNullEntry, type.heap_representation()));
     }
     return static_cast<byte>(mod.elem_segments.size() - 1);
   }
 
   byte AddDeclarativeElementSegment() {
     mod.elem_segments.emplace_back(kWasmFuncRef, true);
-    mod.elem_segments.back().entries.push_back(
-        WasmInitExpr::RefNullConst(HeapType::kFunc));
+    mod.elem_segments.back().entries.push_back(WasmElemSegment::Entry(
+        WasmElemSegment::Entry::kRefNullEntry, HeapType::kFunc));
     return static_cast<byte>(mod.elem_segments.size() - 1);
   }