Update fuzzer to newer GC spec regarding JS interop (#4965)

Do not export functions that have types not allowed in the rules for
JS interop. Only very few GC types can be on the JS boundary atm.

src/tools/fuzzing/fuzzing.cpp

@@ -507,7 +507,8 @@ Function* TranslateToFuzzReader::addFunction() {
  params.push_back(type);
  }
  auto paramType = Type(params);
- func->type = Signature(paramType, getControlFlowType());
+ auto resultType = getControlFlowType();
+ func->type = Signature(paramType, resultType);
  Index numVars = upToSquared(MAX_VARS);
  for (Index i = 0; i < numVars; i++) {
  auto type = getConcreteType();
@@ -549,13 +550,29 @@ Function* TranslateToFuzzReader::addFunction() {
  wasm.addFunction(func);
  // Export some functions, but not all (to allow inlining etc.). Try to export
  // at least one, though, to keep each testcase interesting. Only functions
- // with defaultable params can be exported because the trap fuzzer depends on
- // that (TODO: fix this).
- bool defaultableParams =
- std::all_of(paramType.begin(), paramType.end(), [](Type t) {
- return t.isDefaultable();
+ // with valid params and returns can be exported because the trap fuzzer
+ // depends on that (TODO: fix this).
+ auto validExportType = [](Type t) {
+ if (!t.isRef()) {
+ return true;
+ }
+ auto heapType = t.getHeapType();
+ return heapType == HeapType::ext || heapType == HeapType::func ||
+ heapType == HeapType::string;
+ };
+ bool validExportParams =
+ std::all_of(paramType.begin(), paramType.end(), [&](Type t) {
+ return validExportType(t) && t.isDefaultable();
  });
- if (defaultableParams && (numAddedFunctions == 0 || oneIn(2)) &&
+ // Note: spec discussions around JS API integration are still ongoing, and it
+ // is not clear if we should allow nondefaultable types in exports or not
+ // (in imports, we cannot allow them in the fuzzer anyhow, since it can't
+ // construct such values in JS to send over to the wasm from the fuzzer
+ // harness).
+ bool validExportResults =
+ std::all_of(resultType.begin(), resultType.end(), validExportType);
+ if (validExportParams && validExportResults &&
+ (numAddedFunctions == 0 || oneIn(2)) &&
  !wasm.getExportOrNull(func->name)) {
  auto* export_ = new Export;
  export_->name = func->name;

test/passes/translate-to-fuzz_all-features_metrics_noprint.txt

@@ -1,42 +1,42 @@
 total
- [exports] : 5  
- [funcs] : 8  
+ [exports] : 12 
+ [funcs] : 20 
  [globals] : 6 
  [imports] : 5 
  [memories] : 1 
  [memory-data] : 22 
- [table-data] : 2 
+ [table-data] : 7 
  [tables] : 1 
  [tags] : 2 
- [total] : 495 
- [vars] : 23 
- ArrayInit : 2 
- AtomicNotify : 1 
- Binary : 64 
- Block : 52 
+ [total] : 707 
+ [vars] : 37 
+ ArrayInit : 8 
+ Binary : 78 
+ Block : 78 
  Break : 7 
- Call : 28 
- CallRef : 1 
- Const : 126 
- Drop : 3 
- GlobalGet : 25 
- GlobalSet : 12 
- I31Get : 1 
- I31New : 11 
- If : 19 
- Load : 22 
- LocalGet : 33 
- LocalSet : 20 
- Loop : 4 
- Nop : 5 
- RefFunc : 3 
+ Call : 22 
+ CallRef : 3 
+ Const : 176 
+ Drop : 13 
+ GlobalGet : 51 
+ GlobalSet : 26 
+ I31New : 10 
+ If : 28 
+ Load : 20 
+ LocalGet : 38 
+ LocalSet : 24 
+ Loop : 6 
+ MemoryCopy : 1 
+ MemoryFill : 1 
+ Nop : 10 
+ RefEq : 1 
+ RefFunc : 12 
  RefNull : 4 
- Return : 17 
+ Return : 28 
  SIMDExtract : 3 
- Select : 3 
- Store : 1 
- StructNew : 1 
+ Store : 2 
+ StructNew : 2 
  TupleExtract : 1 
- TupleMake : 11 
- Unary : 13 
+ TupleMake : 14 
+ Unary : 38 
  Unreachable : 2