Fuzzer: Stop emitting nullable stringviews (#6574)

As of

https://chromium-review.googlesource.com/c/v8/v8/+/5471674

V8 requires stringviews to be non-nullable. It might be possible to make that
change in our IR, or to remove views entirely, but for now this PR makes the
fuzzer stop emitting nullable stringviews as a workaround to allow us to fuzz
current V8.

There are still rare corner cases where this pattern is emitted, that we have
not tracked down, and so this also makes the fuzzer ignore the error for now.

Author: kripken

scripts/fuzz_opt.py

@@ -668,6 +668,9 @@ def filter_known_issues(output):
             HOST_LIMIT_PREFIX,
             # see comment above on this constant
             V8_UNINITIALIZED_NONDEF_LOCAL,
+            # V8 does not accept nullable stringviews
+            # (https://github.com/WebAssembly/binaryen/pull/6574)
+            'expected (ref stringview_wtf16), got nullref',
         ]
         for issue in known_issues:
             if issue in output:

src/ir/type-updating.cpp

@@ -304,6 +304,15 @@ namespace TypeUpdating {
 
 bool canHandleAsLocal(Type type) {
   // TODO: Inline this into its callers.
+  if (type.isRef()) {
+    // V8 does not accept nullable string views, and so we must avoid putting
+    // them in locals (as even a non-nullable one may end up nullable if we see
+    // situations that require fixing in handleNonDefaultableLocals).
+    auto heapType = type.getHeapType();
+    return heapType != HeapType::stringview_wtf8 &&
+           heapType != HeapType::stringview_wtf16 &&
+           heapType != HeapType::stringview_iter;
+  }
   return type.isConcrete();
 }
 

src/tools/fuzzing/fuzzing.cpp

@@ -29,8 +29,12 @@ namespace wasm {
 
 namespace {
 
-// Weighting for the core make* methods. Some nodes are important enough that
-// we should do them quite often.
+bool canBeNullable(HeapType type) {
+  // V8 does not accept nullable string views.
+  return type != HeapType::stringview_wtf8 &&
+         type != HeapType::stringview_wtf16 &&
+         type != HeapType::stringview_iter;
+}
 
 } // anonymous namespace
 
@@ -703,6 +707,9 @@ Function* TranslateToFuzzReader::addFunction() {
   Index numVars = upToSquared(MAX_VARS);
   for (Index i = 0; i < numVars; i++) {
     auto type = getConcreteType();
+    if (!TypeUpdating::canHandleAsLocal(type)) {
+      type = Type::i32;
+    }
     func->vars.push_back(type);
   }
   context.computeTypeLocals();
@@ -1858,7 +1865,7 @@ Expression* TranslateToFuzzReader::makeLocalGet(Type type) {
   // the time), or emit a local.get of a new local, or emit a local.tee of a new
   // local.
   auto choice = upTo(3);
-  if (choice == 0) {
+  if (choice == 0 || !TypeUpdating::canHandleAsLocal(type)) {
     return makeConst(type);
   }
   // Otherwise, add a new local. If the type is not non-nullable then we may
@@ -2712,6 +2719,9 @@ Expression* TranslateToFuzzReader::makeCompoundRef(Type type) {
     if (funcContext && !funcContext->typeLocals[type].empty()) {
       return makeLocalGet(type);
     }
+    if (!canBeNullable(heapType)) {
+      return makeConst(type);
+    }
     return builder.makeRefAs(RefAsNonNull, builder.makeRefNull(heapType));
   }
 
@@ -2824,7 +2834,8 @@ Expression* TranslateToFuzzReader::makeStringConcat() {
 }
 
 Expression* TranslateToFuzzReader::makeStringSlice() {
-  auto* ref = makeTrappingRefUse(HeapType::stringview_wtf16);
+  // StringViews cannot be non-nullable.
+  auto* ref = make(Type(HeapType::stringview_wtf16, NonNullable));
   auto* start = make(Type::i32);
   auto* end = make(Type::i32);
   return builder.makeStringSliceWTF(StringSliceWTF16, ref, start, end);
@@ -2855,7 +2866,8 @@ Expression* TranslateToFuzzReader::makeStringMeasure(Type type) {
 Expression* TranslateToFuzzReader::makeStringGet(Type type) {
   assert(type == Type::i32);
 
-  auto* ref = makeTrappingRefUse(HeapType::stringview_wtf16);
+  // StringViews cannot be non-nullable.
+  auto* ref = make(Type(HeapType::stringview_wtf16, NonNullable));
   auto* pos = make(Type::i32);
   return builder.makeStringWTF16Get(ref, pos);
 }