Fuzzer: Add cross-module global usage (#7970)

* Export some globals.
* Import some globals.
* Move some code around to enable this.

Author: kripken

src/tools/fuzzing.h

@@ -132,9 +132,7 @@ class TranslateToFuzzReader {
   void setPreserveImportsAndExports(bool preserveImportsAndExports_) {
     preserveImportsAndExports = preserveImportsAndExports_;
   }
-  void setImportedModule(std::string importedModule_) {
-    importedModule = importedModule_;
-  }
+  void setImportedModule(std::string importedModuleName);
 
   void build();
 
@@ -161,7 +159,7 @@ class TranslateToFuzzReader {
   bool preserveImportsAndExports = false;
 
   // An optional module to import from.
-  std::optional<std::string> importedModule;
+  std::optional<Module> importedModule;
 
   // Whether we allow the fuzzer to add unreachable code when generating changes
   // to existing code. This is randomized during startup, but could be an option
@@ -371,7 +369,8 @@ class TranslateToFuzzReader {
 
   void addHangLimitChecks(Function* func);
 
-  void useImportedModule();
+  void useImportedFunctions();
+  void useImportedGlobals();
 
   // Recombination and mutation
 
@@ -396,6 +395,9 @@ class TranslateToFuzzReader {
   void fixAfterChanges(Function* func);
   void modifyInitialFunctions();
 
+  // Note a global for use during code generation.
+  void useGlobalLater(Global* global);
+
   // Initial wasm contents may have come from a test that uses the drop pattern:
   //
   //  (drop ..something interesting..)

src/tools/fuzzing/fuzzing.cpp

@@ -352,6 +352,7 @@ void TranslateToFuzzReader::build() {
   setupHeapTypes();
   setupTables();
   setupGlobals();
+  useImportedGlobals();
   if (wasm.features.hasExceptionHandling()) {
     setupTags();
     addImportThrowingSupport();
@@ -366,7 +367,7 @@ void TranslateToFuzzReader::build() {
   // First, modify initial functions. That includes removing imports. Then,
   // use the imported module, which are function imports that we allow.
   modifyInitialFunctions();
-  useImportedModule();
+  useImportedFunctions();
 
   processFunctions();
   if (fuzzParams->HANG_LIMIT > 0) {
@@ -625,6 +626,20 @@ void TranslateToFuzzReader::setupTables() {
   }
 }
 
+void TranslateToFuzzReader::useGlobalLater(Global* global) {
+  auto type = global->type;
+  auto name = global->name;
+  globalsByType[type].push_back(name);
+  if (global->mutable_) {
+    mutableGlobalsByType[type].push_back(name);
+  } else {
+    immutableGlobalsByType[type].push_back(name);
+    if (global->imported()) {
+      importedImmutableGlobalsByType[type].push_back(name);
+    }
+  }
+}
+
 void TranslateToFuzzReader::setupGlobals() {
   // If there were initial wasm contents, there may be imported globals. That
   // would be a problem in the fuzzer harness as we'd error if we do not
@@ -651,20 +666,6 @@ void TranslateToFuzzReader::setupGlobals() {
     }
   }
 
-  auto useGlobalLater = [&](Global* global) {
-    auto type = global->type;
-    auto name = global->name;
-    globalsByType[type].push_back(name);
-    if (global->mutable_) {
-      mutableGlobalsByType[type].push_back(name);
-    } else {
-      immutableGlobalsByType[type].push_back(name);
-      if (global->imported()) {
-        importedImmutableGlobalsByType[type].push_back(name);
-      }
-    }
-  };
-
   // Randomly assign some globals from initial content to be ignored for the
   // fuzzer to use. Such globals will only be used from initial content. This is
   // important to preserve some real-world patterns, like the "once" pattern in
@@ -712,9 +713,23 @@ void TranslateToFuzzReader::setupGlobals() {
       type = getMVPType();
       init = makeConst(type);
     }
-    auto global = builder.makeGlobal(
-      Names::getValidGlobalName(wasm, "global$"), type, init, mutability);
+    auto name = Names::getValidGlobalName(wasm, "global$");
+    auto global = builder.makeGlobal(name, type, init, mutability);
     useGlobalLater(wasm.addGlobal(std::move(global)));
+
+    // Export some globals, where we can.
+    if (preserveImportsAndExports || type.isTuple() ||
+        !isValidPublicType(type)) {
+      continue;
+    }
+    if (mutability == Builder::Mutable && !wasm.features.hasMutableGlobals()) {
+      continue;
+    }
+    if (oneIn(2)) {
+      auto exportName = Names::getValidExportName(wasm, name);
+      wasm.addExport(
+        Builder::makeExport(exportName, name, ExternalKind::Global));
+    }
   }
 }
 
@@ -1185,23 +1200,26 @@ void TranslateToFuzzReader::addHashMemorySupport() {
   }
 }
 
-void TranslateToFuzzReader::useImportedModule() {
+void TranslateToFuzzReader::setImportedModule(std::string importedModuleName) {
+  importedModule.emplace();
+
+  importedModule->features = FeatureSet::All;
+  ModuleReader().read(importedModuleName, *importedModule);
+}
+
+void TranslateToFuzzReader::useImportedFunctions() {
   if (!importedModule) {
     return;
   }
 
-  Module imported;
-  imported.features = FeatureSet::All;
-  ModuleReader().read(*importedModule, imported);
-
   // Add some of the module's exported functions as imports, at a random rate.
   auto rate = upTo(100);
-  for (auto& exp : imported.exports) {
+  for (auto& exp : importedModule->exports) {
     if (exp->kind != ExternalKind::Function || upTo(100) > rate) {
       continue;
     }
 
-    auto* func = imported.getFunction(*exp->getInternalName());
+    auto* func = importedModule->getFunction(*exp->getInternalName());
     auto name =
       Names::getValidFunctionName(wasm, "primary_" + exp->name.toString());
     // We can import it as its own type, or any (declared) supertype.
@@ -1213,12 +1231,45 @@ void TranslateToFuzzReader::useImportedModule() {
     wasm.addFunction(std::move(import));
   }
 
-  // TODO: All other imports: globals, memories, tables, etc. We must, as we do
+  // TODO: All other imports: memories, tables, etc. We must, as we do
   //       with functions, take care to run this *after* the removal of those
   //       imports (as normally we remove them all, as the fuzzer harness will
   //       not provide them, but an imported module is the exception).
 }
 
+void TranslateToFuzzReader::useImportedGlobals() {
+  if (!importedModule) {
+    return;
+  }
+
+  // Add some of the module's exported globals as imports, at a random rate.
+  auto rate = upTo(100);
+  for (auto& exp : importedModule->exports) {
+    if (exp->kind != ExternalKind::Global || upTo(100) > rate) {
+      continue;
+    }
+
+    auto* global = importedModule->getGlobal(*exp->getInternalName());
+    auto name =
+      Names::getValidGlobalName(wasm, "primary_" + exp->name.toString());
+    // We can import it as its own type, or if immutable, any (declared)
+    // supertype.
+    Type type;
+    Builder::Mutability mutability;
+    if (global->mutable_) {
+      mutability = Builder::Mutable;
+      type = global->type;
+    } else {
+      mutability = Builder::Immutable;
+      type = getSuperType(global->type);
+    }
+    auto import = builder.makeGlobal(name, type, nullptr, mutability);
+    import->module = "primary";
+    import->base = exp->name;
+    useGlobalLater(wasm.addGlobal(std::move(import)));
+  }
+}
+
 TranslateToFuzzReader::FunctionCreationContext::FunctionCreationContext(
   TranslateToFuzzReader& parent, Function* func)
   : parent(parent), func(func) {
@@ -5846,6 +5897,9 @@ HeapType TranslateToFuzzReader::getSuperType(HeapType type) {
 }
 
 Type TranslateToFuzzReader::getSuperType(Type type) {
+  if (!type.isRef()) {
+    return type;
+  }
   auto heapType = getSuperType(type.getHeapType());
   auto nullability = getSuperType(type.getNullability());
   auto superType = Type(heapType, nullability);

test/passes/fuzz_metrics_noprint.bin.txt

@@ -1,34 +1,35 @@
 Metrics
 total
- [exports]      : 32      
- [funcs]        : 42      
+ [exports]      : 139     
+ [funcs]        : 217     
  [globals]      : 7       
- [imports]      : 4       
+ [imports]      : 6       
  [memories]     : 1       
  [memory-data]  : 23      
- [table-data]   : 9       
+ [table-data]   : 71      
  [tables]       : 1       
  [tags]         : 0       
- [total]        : 7716    
- [vars]         : 107     
- Binary         : 512     
- Block          : 1312    
- Break          : 299     
- Call           : 245     
- CallIndirect   : 49      
- Const          : 1197    
- Drop           : 95      
- GlobalGet      : 659     
- GlobalSet      : 465     
- If             : 416     
- Load           : 140     
- LocalGet       : 625     
- LocalSet       : 450     
- Loop           : 188     
- Nop            : 87      
- RefFunc        : 9       
- Return         : 75      
- Select         : 67      
- Store          : 45      
- Unary          : 547     
- Unreachable    : 234     
+ [total]        : 15952   
+ [vars]         : 628     
+ Binary         : 1172    
+ Block          : 2734    
+ Break          : 525     
+ Call           : 628     
+ CallIndirect   : 146     
+ Const          : 2648    
+ Drop           : 185     
+ GlobalGet      : 1418    
+ GlobalSet      : 1052    
+ If             : 866     
+ Load           : 259     
+ LocalGet       : 1011    
+ LocalSet       : 708     
+ Loop           : 309     
+ Nop            : 227     
+ RefFunc        : 71      
+ Return         : 159     
+ Select         : 83      
+ Store          : 105     
+ Switch         : 1       
+ Unary          : 1112    
+ Unreachable    : 533     

test/passes/fuzz_metrics_passes_noprint.bin.txt

@@ -1,35 +1,35 @@
 Metrics
 total
- [exports]      : 17      
- [funcs]        : 25      
+ [exports]      : 33      
+ [funcs]        : 57      
  [globals]      : 4       
- [imports]      : 6       
+ [imports]      : 4       
  [memories]     : 1       
  [memory-data]  : 20      
- [table-data]   : 9       
+ [table-data]   : 14      
  [tables]       : 1       
  [tags]         : 0       
- [total]        : 3774    
- [vars]         : 91      
- Binary         : 238     
- Block          : 655     
- Break          : 105     
- Call           : 135     
- CallIndirect   : 23      
- Const          : 703     
- Drop           : 103     
- GlobalGet      : 258     
- GlobalSet      : 230     
- If             : 211     
- Load           : 44      
- LocalGet       : 285     
- LocalSet       : 163     
- Loop           : 90      
- Nop            : 64      
- RefFunc        : 9       
- Return         : 41      
- Select         : 24      
- Store          : 19      
+ [total]        : 8611    
+ [vars]         : 182     
+ Binary         : 562     
+ Block          : 1467    
+ Break          : 279     
+ Call           : 266     
+ CallIndirect   : 51      
+ Const          : 1345    
+ Drop           : 118     
+ GlobalGet      : 715     
+ GlobalSet      : 508     
+ If             : 493     
+ Load           : 138     
+ LocalGet       : 635     
+ LocalSet       : 564     
+ Loop           : 197     
+ Nop            : 115     
+ RefFunc        : 14      
+ Return         : 98      
+ Select         : 87      
+ Store          : 67      
  Switch         : 2       
- Unary          : 256     
- Unreachable    : 116     
+ Unary          : 634     
+ Unreachable    : 256