[fuzzer] Adding struct.new and array.new operations

We add new alternative "new_object" in order to
emit new struct and array types. We check whether
heaptype is struct or array type so we could emit
"NewDefault" or "NewWithRtt". The additional methods
(IsArray/StructType, GetArray/StructType)  was added to WasmModuleBuilder.

Bug: v8:11954
Change-Id: I7a0e73edfbaa49beb1efd60b0f1b9916dc50df22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3056459Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Commit-Queue: Rakhim Khismet <khismet@google.com>
Cr-Commit-Position: refs/heads/master@{#75966}

src/wasm/wasm-module-builder.h

@@ -292,6 +292,17 @@ class V8_EXPORT_PRIVATE WasmModuleBuilder : public ZoneObject {
     DCHECK(types_[index].kind == Type::kFunctionSig);
     return types_[index].sig;
   }
+  bool IsStructType(uint32_t index) {
+    return types_[index].kind == Type::kStructType;
+  }
+  StructType* GetStructType(uint32_t index) {
+    return types_[index].struct_type;
+  }
+
+  bool IsArrayType(uint32_t index) {
+    return types_[index].kind == Type::kArrayType;
+  }
+  ArrayType* GetArrayType(uint32_t index) { return types_[index].array_type; }
 
   int NumExceptions() { return static_cast<int>(exceptions_.size()); }
 

test/fuzzer/wasm-compile.cc

@@ -750,6 +750,49 @@ class WasmGenerator {
       ref_null(type, data);
     }
   }
+  void new_object(HeapType type, DataRange* data) {
+    if (liftoff_as_reference_ && type.is_index()) {
+      bool new_default = data->get<uint8_t>() % 2;
+      uint32_t index = type.ref_index();
+      if (builder_->builder()->IsStructType(index)) {
+        if (new_default) {
+          builder_->EmitWithPrefix(kExprRttCanon);
+          builder_->EmitU32V(index);
+          builder_->EmitWithPrefix(kExprStructNewDefault);
+          builder_->EmitU32V(index);
+        } else {
+          StructType* struct_gen = builder_->builder()->GetStructType(index);
+          int field_count = struct_gen->field_count();
+          for (int i = 0; i < field_count; i++) {
+            Generate(struct_gen->field(i), data);
+          }
+          builder_->EmitWithPrefix(kExprRttCanon);
+          builder_->EmitU32V(index);
+          builder_->EmitWithPrefix(kExprStructNewWithRtt);
+          builder_->EmitU32V(index);
+        }
+        return;
+      } else if (builder_->builder()->IsArrayType(index)) {
+        if (new_default) {
+          Generate(kWasmI32, data);
+          builder_->EmitWithPrefix(kExprRttCanon);
+          builder_->EmitU32V(index);
+          builder_->EmitWithPrefix(kExprArrayNewDefault);
+          builder_->EmitU32V(index);
+        } else {
+          Generate(builder_->builder()->GetArrayType(index)->element_type(),
+                   data);
+          Generate(kWasmI32, data);
+          builder_->EmitWithPrefix(kExprRttCanon);
+          builder_->EmitU32V(index);
+          builder_->EmitWithPrefix(kExprArrayNewWithRtt);
+          builder_->EmitU32V(index);
+        }
+        return;
+      }
+    }
+    ref_null(type, data);
+  }
 
   using GenerateFn = void (WasmGenerator::*const)(DataRange*);
   using GenerateFnWithHeap = void (WasmGenerator::*const)(HeapType, DataRange*);
@@ -1565,7 +1608,8 @@ void WasmGenerator::Generate(ValueType type, DataRange* data) {
 
 void WasmGenerator::GenerateOptRef(HeapType type, DataRange* data) {
   constexpr GenerateFnWithHeap alternatives[] = {
-      &WasmGenerator::ref_null, &WasmGenerator::get_local_opt_ref};
+      &WasmGenerator::ref_null, &WasmGenerator::get_local_opt_ref,
+      &WasmGenerator::new_object};
 
   GenerateOneOf(alternatives, type, data);
 }