[fuzzer][wasm-gc] Add types nullfuncref, nullexternref and nullref

nullfuncref = ref null nofunc nullexternref = ref null noextern nullref = ref null none Bug: v8:7748 Change-Id: Ia54ac52c81bde4315e2d6819cff032cb739216c7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820064 Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Auto-Submit: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#82425}

[fuzzer][wasm-gc] Add types nullfuncref, nullexternref and nullref
nullfuncref = ref null nofunc nullexternref = ref null noextern nullref = ref null none Bug: v8:7748 Change-Id: Ia54ac52c81bde4315e2d6819cff032cb739216c7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3820064 Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Auto-Submit: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#82425}
fed595d9 · Matthias Liedtke · V8 LUCI CQ · 937b5d40 · fed595d9 · fed595d9
Commit fed595d9 authored Aug 10, 2022 by Matthias Liedtke Committed by V8 LUCI CQ Aug 12, 2022
6 changed files
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -6337,6 +6337,10 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
            gasm_->Bind(&done);
            return done.PhiAt(0);
          }
+          case wasm::HeapType::kNone:
+          case wasm::HeapType::kNoFunc:
+          case wasm::HeapType::kNoExtern:
+            UNREACHABLE();
          default:
            DCHECK(type.has_index());
            if (module_->has_signature(type.ref_index())) {
@@ -6540,6 +6544,10 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
                                            kLeaveFunctionsAlone);
          case wasm::HeapType::kString:
            return BuildCheckString(input, js_context, type);
+          case wasm::HeapType::kNone:
+          case wasm::HeapType::kNoFunc:
+          case wasm::HeapType::kNoExtern:
+            UNREACHABLE();
          default:
            if (module_->has_signature(type.ref_index())) {
              BuildCheckValidRefValue(input, js_context, type);

--- a/src/wasm/wasm-opcodes.cc
+++ b/src/wasm/wasm-opcodes.cc
@@ -42,9 +42,18 @@ bool IsJSCompatibleSignature(const FunctionSig* sig, const WasmModule* module,
        (type.has_index() && !module->has_signature(type.ref_index()))) {
      return false;
    }
-    if (type == kWasmStringViewWtf8 || type == kWasmStringViewWtf16 ||
-        type == kWasmStringViewIter) {
-      return false;
+    if (type.is_object_reference()) {
+      switch (type.heap_type().representation()) {
+        case HeapType::kStringViewWtf8:
+        case HeapType::kStringViewWtf16:
+        case HeapType::kStringViewIter:
+        case HeapType::kNone:
+        case HeapType::kNoFunc:
+        case HeapType::kNoExtern:
+          return false;
+        default:
+          break;
+      }
    }
  }
  return true;

--- a/test/fuzzer/wasm-compile.cc
+++ b/test/fuzzer/wasm-compile.cc
@@ -126,7 +126,9 @@ ValueType GetValueTypeHelper(DataRange* data, bool liftoff_as_reference,
  const bool nullable =
      (allow_non_nullable == kAllowNonNullables) ? data->get<bool>() : true;
  if (nullable) {
-    types.insert(types.end(), {kWasmI31Ref, kWasmFuncRef, kWasmExternRef});
+    types.insert(types.end(),
+                 {kWasmI31Ref, kWasmFuncRef, kWasmExternRef, kWasmNullRef,
+                  kWasmNullExternRef, kWasmNullFuncRef});
  }
  if (include_generics == kIncludeGenerics) {
    types.insert(types.end(), {kWasmDataRef, kWasmAnyRef, kWasmEqRef});
@@ -2203,11 +2205,15 @@ void WasmGenerator::GenerateRef(HeapType type, DataRange* data,
      return;
    }
    case HeapType::kExtern:
+    case HeapType::kNoExtern:
+    case HeapType::kNoFunc:
+    case HeapType::kNone:
      DCHECK(nullability == Nullability::kNullable);
      ref_null(type, data);
      return;
    default:
      // Indexed type.
+      DCHECK(type.is_index());
      DCHECK(liftoff_as_reference_);
      GenerateOneOf(alternatives_indexed_type, type, data, nullability);
      return;

--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@@ -240,6 +240,12 @@ std::string HeapTypeToJSByteEncoding(HeapType heap_type) {
      return "kAnyRefCode";
    case HeapType::kExtern:
      return "kExternRefCode";
+    case HeapType::kNone:
+      return "kNullRefCode";
+    case HeapType::kNoFunc:
+      return "kNullFuncRefCode";
+    case HeapType::kNoExtern:
+      return "kNullExternRefCode";
    case HeapType::kBottom:
      UNREACHABLE();
    default:
@@ -263,6 +269,12 @@ std::string HeapTypeToConstantName(HeapType heap_type) {
      return "kWasmExternRef";
    case HeapType::kAny:
      return "kWasmAnyRef";
+    case HeapType::kNone:
+      return "kWasmNullRef";
+    case HeapType::kNoFunc:
+      return "kWasmNullFuncRef";
+    case HeapType::kNoExtern:
+      return "kWasmNullExternRef";
    case HeapType::kBottom:
      UNREACHABLE();
    default:

--- a/test/mjsunit/wasm/wasm-gc-js-roundtrip.js
+++ b/test/mjsunit/wasm/wasm-gc-js-roundtrip.js
@@ -46,6 +46,10 @@ let instance = (() => {
    eq: kWasmEqRef,
    func: kWasmFuncRef,
    any: kWasmAnyRef,
+    extern: kWasmExternRef,
+    none: kWasmNullRef,
+    nofunc: kWasmNullFuncRef,
+    noextern: kWasmNullExternRef,
  };

  for (key in test_types) {
@@ -144,3 +148,16 @@ assertThrows(
 assertThrows(
    () => instance.exports.raw_array_id(instance.exports.array_producer()),
    TypeError, 'type incompatibility when transforming from/to JS');
+
+// We can roundtrip an extern.
+assertEquals(null, instance.exports.extern_id(instance.exports.extern_null()));
+
+// The special null types are not allowed on the boundary from/to JS.
+for (const nullType of ["none", "nofunc", "noextern"]) {
+  assertThrows(
+    () => instance.exports[`${nullType}_null`](),
+    TypeError, 'type incompatibility when transforming from/to JS');
+  assertThrows(
+    () => instance.exports[`${nullType}_id`](),
+    TypeError, 'type incompatibility when transforming from/to JS');
+}
--- a/test/mjsunit/wasm/wasm-module-builder.js
+++ b/test/mjsunit/wasm/wasm-module-builder.js
@@ -123,8 +123,11 @@ let kWasmExternRef = -0x11;
 let kWasmAnyRef = -0x12;
 let kWasmEqRef = -0x13;
 let kWasmI31Ref = -0x16;
+let kWasmNullExternRef = -0x17;
+let kWasmNullFuncRef = -0x18;
 let kWasmDataRef = -0x19;
 let kWasmArrayRef = -0x1a;
+let kWasmNullRef = -0x1b;
 let kWasmStringRef = -0x1c;
 let kWasmStringViewWtf8 = -0x1d;
 let kWasmStringViewWtf16 = -0x1e;
@@ -138,8 +141,11 @@ let kExternRefCode = kWasmExternRef & kLeb128Mask;
 let kAnyRefCode = kWasmAnyRef & kLeb128Mask;
 let kEqRefCode = kWasmEqRef & kLeb128Mask;
 let kI31RefCode = kWasmI31Ref & kLeb128Mask;
+let kNullExternRefCode = kWasmNullExternRef & kLeb128Mask;
+let kNullFuncRefCode = kWasmNullFuncRef & kLeb128Mask;
 let kDataRefCode = kWasmDataRef & kLeb128Mask;
 let kArrayRefCode = kWasmArrayRef & kLeb128Mask;
+let kNullRefCode = kWasmNullRef & kLeb128Mask;
 let kStringRefCode = kWasmStringRef & kLeb128Mask;
 let kStringViewWtf8Code = kWasmStringViewWtf8 & kLeb128Mask;
 let kStringViewWtf16Code = kWasmStringViewWtf16 & kLeb128Mask;