Fuzzer: Add a pass to prune illegal imports and exports for JS (#6312)

kripken · web-flow · commit 1441bcbb33a5 · 2024-02-20T16:49:37.000-08:00
We already have passes to legalize i64 imports and exports, which the fuzzer will
run so that we can run wasm files in JS VMs. SIMD and multivalue also pose a
problem as they trap on the boundary. In principle we could legalize them as well,
but that is substantial effort, so instead just prune them: given a wasm module,
remove any imports or exports that use SIMD or multivalue (or anything else that
is not legal for JS).

Running this in the fuzzer will allow us to not skip running v8 on any testcase we
enable SIMD and multivalue for.

(Multivalue is allowed in newer VMs, so that part of this PR could be removed
eventually.)

Also remove the limitation on running v8 with multimemory (v8 now supports
that).
diff --git a/scripts/fuzz_opt.py b/scripts/fuzz_opt.py
@@ -188,7 +188,7 @@ def randomize_fuzz_settings():
         FUZZ_OPTS += ['--no-fuzz-oob']
     if random.random() < 0.5:
         LEGALIZE = True
-        FUZZ_OPTS += ['--legalize-js-interface']
+        FUZZ_OPTS += ['--legalize-and-prune-js-interface']
     else:
         LEGALIZE = False
 
@@ -926,7 +926,7 @@ def compare_before_and_after(self, before, after):
                 compare(before[vm], after[vm], 'CompareVMs between before and after: ' + vm.name)
 
     def can_run_on_feature_opts(self, feature_opts):
-        return all_disallowed(['simd', 'multivalue', 'multimemory'])
+        return True
 
 
 # Check for determinism - the same command must have the same output.
@@ -957,7 +957,7 @@ def handle_pair(self, input, before_wasm, after_wasm, opts):
         # later make sense (if we don't do this, the wasm may have i64 exports).
         # after applying other necessary fixes, we'll recreate the after wasm
         # from scratch.
-        run([in_bin('wasm-opt'), before_wasm, '--legalize-js-interface', '-o', before_wasm_temp] + FEATURE_OPTS)
+        run([in_bin('wasm-opt'), before_wasm, '--legalize-and-prune-js-interface', '-o', before_wasm_temp] + FEATURE_OPTS)
         compare_before_to_after = random.random() < 0.5
         compare_to_interpreter = compare_before_to_after and random.random() < 0.5
         if compare_before_to_after:
diff --git a/scripts/fuzz_shell.js b/scripts/fuzz_shell.js
@@ -73,6 +73,11 @@ var imports = {
     'log-i64': logValue,
     'log-f32': logValue,
     'log-f64': logValue,
+    // JS cannot log v128 values (we trap on the boundary), but we must still
+    // provide an import so that we do not trap during linking. (Alternatively,
+    // we could avoid running JS on code with SIMD in it, but it is useful to
+    // fuzz such code as much as we can.)
+    'log-v128': logValue,
   },
   'env': {
     'setTempRet0': function(x) { tempRet0 = x },
diff --git a/src/passes/LegalizeJSInterface.cpp b/src/passes/LegalizeJSInterface.cpp
@@ -29,6 +29,12 @@
 // across modules, we still want to legalize dynCalls so JS can call into the
 // tables even to a signature that is not legal.
 //
+// Another variation also "prunes" imports and exports that we cannot yet
+// legalize, like exports and imports with SIMD or multivalue. Until we write
+// the logic to legalize them, removing those imports/exports still allows us to
+// fuzz all the legal imports/exports. (Note that multivalue is supported in
+// exports in newer VMs - node 16+ - so that part is only needed for older VMs.)
+//
 
 #include "asmjs/shared-constants.h"
 #include "ir/element-utils.h"
@@ -43,6 +49,8 @@
 
 namespace wasm {
 
+namespace {
+
 // These are aliases for getTempRet0/setTempRet0 which emscripten defines in
 // compiler-rt and exports under these names.
 static Name GET_TEMP_RET_EXPORT("__get_temp_ret");
@@ -358,10 +366,88 @@ struct LegalizeJSInterface : public Pass {
   }
 };
 
+struct LegalizeAndPruneJSInterface : public LegalizeJSInterface {
+  // Legalize fully (true) and add pruning on top.
+  LegalizeAndPruneJSInterface() : LegalizeJSInterface(true) {}
+
+  void run(Module* module) override {
+    LegalizeJSInterface::run(module);
+
+    prune(module);
+  }
+
+  void prune(Module* module) {
+    // For each function name, the exported id it is exported with. For
+    // example,
+    //
+    //   (func $foo (export "bar")
+    //
+    // Would have exportedFunctions["foo"] = "bar";
+    std::unordered_map<Name, Name> exportedFunctions;
+    for (auto& exp : module->exports) {
+      if (exp->kind == ExternalKind::Function) {
+        exportedFunctions[exp->value] = exp->name;
+      }
+    }
+
+    for (auto& func : module->functions) {
+      // If the function is neither exported nor imported, no problem.
+      auto imported = func->imported();
+      auto exported = exportedFunctions.count(func->name);
+      if (!imported && !exported) {
+        continue;
+      }
+
+      // The params are allowed to be multivalue, but not the results. Otherwise
+      // look for SIMD.
+      auto sig = func->type.getSignature();
+      auto illegal = isIllegal(sig.results);
+      illegal =
+        illegal || std::any_of(sig.params.begin(),
+                               sig.params.end(),
+                               [&](const Type& t) { return isIllegal(t); });
+      if (!illegal) {
+        continue;
+      }
+
+      // Prune an import by implementing it in a trivial manner.
+      if (imported) {
+        func->module = func->base = Name();
+
+        Builder builder(*module);
+        if (sig.results == Type::none) {
+          func->body = builder.makeNop();
+        } else {
+          func->body =
+            builder.makeConstantExpression(Literal::makeZeros(sig.results));
+        }
+      }
+
+      // Prune an export by just removing it.
+      if (exported) {
+        module->removeExport(exportedFunctions[func->name]);
+      }
+    }
+
+    // TODO: globals etc.
+  }
+
+  bool isIllegal(Type type) {
+    auto features = type.getFeatures();
+    return features.hasSIMD() || features.hasMultivalue();
+  }
+};
+
+} // anonymous namespace
+
 Pass* createLegalizeJSInterfacePass() { return new LegalizeJSInterface(true); }
 
 Pass* createLegalizeJSInterfaceMinimallyPass() {
   return new LegalizeJSInterface(false);
 }
 
+Pass* createLegalizeAndPruneJSInterfacePass() {
+  return new LegalizeAndPruneJSInterface();
+}
+
 } // namespace wasm
diff --git a/src/passes/pass.cpp b/src/passes/pass.cpp
@@ -221,6 +221,9 @@ void PassRegistry::registerPasses() {
                "legalizes i64 types on the import/export boundary in a minimal "
                "manner, only on things only JS will call",
                createLegalizeJSInterfaceMinimallyPass);
+  registerPass("legalize-and-prune-js-interface",
+               "legalizes the import/export boundary and prunes when needed",
+               createLegalizeAndPruneJSInterfacePass);
   registerPass("local-cse",
                "common subexpression elimination inside basic blocks",
                createLocalCSEPass);
diff --git a/src/passes/passes.h b/src/passes/passes.h
@@ -67,6 +67,7 @@ Pass* createInliningPass();
 Pass* createInliningOptimizingPass();
 Pass* createJSPIPass();
 Pass* createJ2CLOptsPass();
+Pass* createLegalizeAndPruneJSInterfacePass();
 Pass* createLegalizeJSInterfacePass();
 Pass* createLegalizeJSInterfaceMinimallyPass();
 Pass* createLimitSegmentsPass();
diff --git a/test/lit/help/wasm-opt.test b/test/lit/help/wasm-opt.test
@@ -225,6 +225,9 @@
 ;; CHECK-NEXT:   --jspi                                        wrap imports and exports for
 ;; CHECK-NEXT:                                                 JavaScript promise integration
 ;; CHECK-NEXT:
+;; CHECK-NEXT:   --legalize-and-prune-js-interface             legalizes the import/export
+;; CHECK-NEXT:                                                 boundary and prunes when needed
+;; CHECK-NEXT:
 ;; CHECK-NEXT:   --legalize-js-interface                       legalizes i64 types on the
 ;; CHECK-NEXT:                                                 import/export boundary
 ;; CHECK-NEXT:
diff --git a/test/lit/help/wasm2js.test b/test/lit/help/wasm2js.test
@@ -179,6 +179,9 @@
 ;; CHECK-NEXT:   --jspi                                        wrap imports and exports for
 ;; CHECK-NEXT:                                                 JavaScript promise integration
 ;; CHECK-NEXT:
+;; CHECK-NEXT:   --legalize-and-prune-js-interface             legalizes the import/export
+;; CHECK-NEXT:                                                 boundary and prunes when needed
+;; CHECK-NEXT:
 ;; CHECK-NEXT:   --legalize-js-interface                       legalizes i64 types on the
 ;; CHECK-NEXT:                                                 import/export boundary
 ;; CHECK-NEXT:
diff --git a/test/lit/passes/legalize-and-prune-js-interface.wast b/test/lit/passes/legalize-and-prune-js-interface.wast
