1 use crate::config::Config;
2 use crate::cranelift_arbitrary::CraneliftArbitrary;
3 use crate::target_isa_extras::TargetIsaExtras;
4 use anyhow::Result;
5 use arbitrary::{Arbitrary, Unstructured};
6 use cranelift::codegen::data_value::DataValue;
7 use cranelift::codegen::ir::immediates::Offset32;
8 use cranelift::codegen::ir::instructions::{InstructionFormat, ResolvedConstraint};
9 use cranelift::codegen::ir::stackslot::StackSize;
10 
11 use cranelift::codegen::ir::{
12     types::*, AliasRegion, AtomicRmwOp, Block, ConstantData, Endianness, ExternalName, FuncRef,
13     Function, LibCall, Opcode, SigRef, Signature, StackSlot, UserExternalName, UserFuncName, Value,
14 };
15 use cranelift::codegen::isa::CallConv;
16 use cranelift::frontend::{FunctionBuilder, FunctionBuilderContext, Switch, Variable};
17 use cranelift::prelude::isa::OwnedTargetIsa;
18 use cranelift::prelude::{
19     EntityRef, ExtFuncData, FloatCC, InstBuilder, IntCC, JumpTableData, MemFlags, StackSlotData,
20     StackSlotKind,
21 };
22 use once_cell::sync::Lazy;
23 use std::collections::HashMap;
24 use std::ops::RangeInclusive;
25 use std::str::FromStr;
26 use target_lexicon::{Architecture, Triple};
27 
28 type BlockSignature = Vec<Type>;
29 
30 fn insert_opcode(
31     fgen: &mut FunctionGenerator,
32     builder: &mut FunctionBuilder,
33     opcode: Opcode,
34     args: &[Type],
35     rets: &[Type],
36 ) -> Result<()> {
37     let mut vals = Vec::with_capacity(args.len());
38     for &arg in args.into_iter() {
39         let var = fgen.get_variable_of_type(arg)?;
40         let val = builder.use_var(var);
41         vals.push(val);
42     }
43 
44     // Some opcodes require us to look at their input arguments to determine the
45     // controlling type. This is not the general case, but we can neatly check this
46     // using `requires_typevar_operand`.
47     let ctrl_type = if opcode.constraints().requires_typevar_operand() {
48         args.first()
49     } else {
50         rets.first()
51     }
52     .copied()
53     .unwrap_or(INVALID);
54 
55     // Choose the appropriate instruction format for this opcode
56     let (inst, dfg) = match opcode.format() {
57         InstructionFormat::NullAry => builder.ins().NullAry(opcode, ctrl_type),
58         InstructionFormat::Unary => builder.ins().Unary(opcode, ctrl_type, vals[0]),
59         InstructionFormat::Binary => builder.ins().Binary(opcode, ctrl_type, vals[0], vals[1]),
60         InstructionFormat::Ternary => builder
61             .ins()
62             .Ternary(opcode, ctrl_type, vals[0], vals[1], vals[2]),
63         _ => unimplemented!(),
64     };
65     let results = dfg.inst_results(inst).to_vec();
66 
67     for (val, &ty) in results.into_iter().zip(rets) {
68         let var = fgen.get_variable_of_type(ty)?;
69         builder.def_var(var, val);
70     }
71     Ok(())
72 }
73 
74 fn insert_call_to_function(
75     fgen: &mut FunctionGenerator,
76     builder: &mut FunctionBuilder,
77     call_opcode: Opcode,
78     sig: &Signature,
79     sig_ref: SigRef,
80     func_ref: FuncRef,
81 ) -> Result<()> {
82     let actuals = fgen.generate_values_for_signature(
83         builder,
84         sig.params.iter().map(|abi_param| abi_param.value_type),
85     )?;
86 
87     let addr_ty = fgen.isa.pointer_type();
88     let call = match call_opcode {
89         Opcode::Call => builder.ins().call(func_ref, &actuals),
90         Opcode::ReturnCall => builder.ins().return_call(func_ref, &actuals),
91         Opcode::CallIndirect => {
92             let addr = builder.ins().func_addr(addr_ty, func_ref);
93             builder.ins().call_indirect(sig_ref, addr, &actuals)
94         }
95         Opcode::ReturnCallIndirect => {
96             let addr = builder.ins().func_addr(addr_ty, func_ref);
97             builder.ins().return_call_indirect(sig_ref, addr, &actuals)
98         }
99         _ => unreachable!(),
100     };
101 
102     // Assign the return values to random variables
103     let ret_values = builder.inst_results(call).to_vec();
104     let ret_types = sig.returns.iter().map(|p| p.value_type);
105     for (ty, val) in ret_types.zip(ret_values) {
106         let var = fgen.get_variable_of_type(ty)?;
107         builder.def_var(var, val);
108     }
109 
110     Ok(())
111 }
112 
113 fn insert_call(
114     fgen: &mut FunctionGenerator,
115     builder: &mut FunctionBuilder,
116     opcode: Opcode,
117     _args: &[Type],
118     _rets: &[Type],
119 ) -> Result<()> {
120     assert!(matches!(opcode, Opcode::Call | Opcode::CallIndirect));
121     let (sig, sig_ref, func_ref) = fgen.u.choose(&fgen.resources.func_refs)?.clone();
122 
123     insert_call_to_function(fgen, builder, opcode, &sig, sig_ref, func_ref)
124 }
125 
126 fn insert_stack_load(
127     fgen: &mut FunctionGenerator,
128     builder: &mut FunctionBuilder,
129     _opcode: Opcode,
130     _args: &[Type],
131     rets: &[Type],
132 ) -> Result<()> {
133     let typevar = rets[0];
134     let type_size = typevar.bytes();
135     let (slot, slot_size, _align, category) = fgen.stack_slot_with_size(type_size)?;
136 
137     // `stack_load` doesn't support setting MemFlags, and it does not set any
138     // alias analysis bits, so we can only emit it for `Other` slots.
139     if category != AACategory::Other {
140         return Err(arbitrary::Error::IncorrectFormat.into());
141     }
142 
143     let offset = fgen.u.int_in_range(0..=(slot_size - type_size))? as i32;
144 
145     let val = builder.ins().stack_load(typevar, slot, offset);
146     let var = fgen.get_variable_of_type(typevar)?;
147     builder.def_var(var, val);
148 
149     Ok(())
150 }
151 
152 fn insert_stack_store(
153     fgen: &mut FunctionGenerator,
154     builder: &mut FunctionBuilder,
155     _opcode: Opcode,
156     args: &[Type],
157     _rets: &[Type],
158 ) -> Result<()> {
159     let typevar = args[0];
160     let type_size = typevar.bytes();
161 
162     let (slot, slot_size, _align, category) = fgen.stack_slot_with_size(type_size)?;
163 
164     // `stack_store` doesn't support setting MemFlags, and it does not set any
165     // alias analysis bits, so we can only emit it for `Other` slots.
166     if category != AACategory::Other {
167         return Err(arbitrary::Error::IncorrectFormat.into());
168     }
169 
170     let offset = fgen.u.int_in_range(0..=(slot_size - type_size))? as i32;
171 
172     let arg0 = fgen.get_variable_of_type(typevar)?;
173     let arg0 = builder.use_var(arg0);
174 
175     builder.ins().stack_store(arg0, slot, offset);
176     Ok(())
177 }
178 
179 fn insert_cmp(
180     fgen: &mut FunctionGenerator,
181     builder: &mut FunctionBuilder,
182     opcode: Opcode,
183     args: &[Type],
184     rets: &[Type],
185 ) -> Result<()> {
186     let lhs = fgen.get_variable_of_type(args[0])?;
187     let lhs = builder.use_var(lhs);
188 
189     let rhs = fgen.get_variable_of_type(args[1])?;
190     let rhs = builder.use_var(rhs);
191 
192     let res = if opcode == Opcode::Fcmp {
193         let cc = *fgen.u.choose(FloatCC::all())?;
194 
195         // We filter out condition codes that aren't supported by the target at
196         // this point after randomly choosing one, instead of randomly choosing a
197         // supported one, to avoid invalidating the corpus when these get implemented.
198         let unimplemented_cc = match (fgen.isa.triple().architecture, cc) {
199             // Some FloatCC's are not implemented on AArch64, see:
200             // https://github.com/bytecodealliance/wasmtime/issues/4850
201             (Architecture::Aarch64(_), FloatCC::OrderedNotEqual) => true,
202             (Architecture::Aarch64(_), FloatCC::UnorderedOrEqual) => true,
203             (Architecture::Aarch64(_), FloatCC::UnorderedOrLessThan) => true,
204             (Architecture::Aarch64(_), FloatCC::UnorderedOrLessThanOrEqual) => true,
205             (Architecture::Aarch64(_), FloatCC::UnorderedOrGreaterThan) => true,
206             (Architecture::Aarch64(_), FloatCC::UnorderedOrGreaterThanOrEqual) => true,
207 
208             // These are not implemented on x86_64, for vectors.
209             (Architecture::X86_64, FloatCC::UnorderedOrEqual | FloatCC::OrderedNotEqual) => {
210                 args[0].is_vector()
211             }
212             _ => false,
213         };
214         if unimplemented_cc {
215             return Err(arbitrary::Error::IncorrectFormat.into());
216         }
217 
218         builder.ins().fcmp(cc, lhs, rhs)
219     } else {
220         let cc = *fgen.u.choose(IntCC::all())?;
221         builder.ins().icmp(cc, lhs, rhs)
222     };
223 
224     let var = fgen.get_variable_of_type(rets[0])?;
225     builder.def_var(var, res);
226 
227     Ok(())
228 }
229 
230 fn insert_const(
231     fgen: &mut FunctionGenerator,
232     builder: &mut FunctionBuilder,
233     _opcode: Opcode,
234     _args: &[Type],
235     rets: &[Type],
236 ) -> Result<()> {
237     let typevar = rets[0];
238     let var = fgen.get_variable_of_type(typevar)?;
239     let val = fgen.generate_const(builder, typevar)?;
240     builder.def_var(var, val);
241     Ok(())
242 }
243 
244 fn insert_bitcast(
245     fgen: &mut FunctionGenerator,
246     builder: &mut FunctionBuilder,
247     args: &[Type],
248     rets: &[Type],
249 ) -> Result<()> {
250     let from_var = fgen.get_variable_of_type(args[0])?;
251     let from_val = builder.use_var(from_var);
252 
253     let to_var = fgen.get_variable_of_type(rets[0])?;
254 
255     // TODO: We can generate little/big endian flags here.
256     let mut memflags = MemFlags::new();
257 
258     // When bitcasting between vectors of different lane counts, we need to
259     // specify the endianness.
260     if args[0].lane_count() != rets[0].lane_count() {
261         memflags.set_endianness(Endianness::Little);
262     }
263 
264     let res = builder.ins().bitcast(rets[0], memflags, from_val);
265     builder.def_var(to_var, res);
266     Ok(())
267 }
268 
269 fn insert_load_store(
270     fgen: &mut FunctionGenerator,
271     builder: &mut FunctionBuilder,
272     opcode: Opcode,
273     args: &[Type],
274     rets: &[Type],
275 ) -> Result<()> {
276     if opcode == Opcode::Bitcast {
277         return insert_bitcast(fgen, builder, args, rets);
278     }
279 
280     let ctrl_type = *rets.first().or(args.first()).unwrap();
281     let type_size = ctrl_type.bytes();
282 
283     let is_atomic = [Opcode::AtomicLoad, Opcode::AtomicStore].contains(&opcode);
284     let (address, flags, offset) =
285         fgen.generate_address_and_memflags(builder, type_size, is_atomic)?;
286 
287     // The variable being loaded or stored into
288     let var = fgen.get_variable_of_type(ctrl_type)?;
289 
290     match opcode.format() {
291         InstructionFormat::LoadNoOffset => {
292             let (inst, dfg) = builder
293                 .ins()
294                 .LoadNoOffset(opcode, ctrl_type, flags, address);
295 
296             let new_val = dfg.first_result(inst);
297             builder.def_var(var, new_val);
298         }
299         InstructionFormat::StoreNoOffset => {
300             let val = builder.use_var(var);
301 
302             builder
303                 .ins()
304                 .StoreNoOffset(opcode, ctrl_type, flags, val, address);
305         }
306         InstructionFormat::Store => {
307             let val = builder.use_var(var);
308 
309             builder
310                 .ins()
311                 .Store(opcode, ctrl_type, flags, offset, val, address);
312         }
313         InstructionFormat::Load => {
314             let (inst, dfg) = builder
315                 .ins()
316                 .Load(opcode, ctrl_type, flags, offset, address);
317 
318             let new_val = dfg.first_result(inst);
319             builder.def_var(var, new_val);
320         }
321         _ => unimplemented!(),
322     }
323 
324     Ok(())
325 }
326 
327 fn insert_atomic_rmw(
328     fgen: &mut FunctionGenerator,
329     builder: &mut FunctionBuilder,
330     _: Opcode,
331     _: &[Type],
332     rets: &[Type],
333 ) -> Result<()> {
334     let ctrl_type = *rets.first().unwrap();
335     let type_size = ctrl_type.bytes();
336 
337     let rmw_op = *fgen.u.choose(AtomicRmwOp::all())?;
338 
339     let (address, flags, offset) = fgen.generate_address_and_memflags(builder, type_size, true)?;
340 
341     // AtomicRMW does not directly support offsets, so add the offset to the address separately.
342     let address = builder.ins().iadd_imm(address, i64::from(offset));
343 
344     // Load and store target variables
345     let source_var = fgen.get_variable_of_type(ctrl_type)?;
346     let target_var = fgen.get_variable_of_type(ctrl_type)?;
347 
348     let source_val = builder.use_var(source_var);
349     let new_val = builder
350         .ins()
351         .atomic_rmw(ctrl_type, flags, rmw_op, address, source_val);
352 
353     builder.def_var(target_var, new_val);
354     Ok(())
355 }
356 
357 fn insert_atomic_cas(
358     fgen: &mut FunctionGenerator,
359     builder: &mut FunctionBuilder,
360     _: Opcode,
361     _: &[Type],
362     rets: &[Type],
363 ) -> Result<()> {
364     let ctrl_type = *rets.first().unwrap();
365     let type_size = ctrl_type.bytes();
366 
367     let (address, flags, offset) = fgen.generate_address_and_memflags(builder, type_size, true)?;
368 
369     // AtomicCas does not directly support offsets, so add the offset to the address separately.
370     let address = builder.ins().iadd_imm(address, i64::from(offset));
371 
372     // Source and Target variables
373     let expected_var = fgen.get_variable_of_type(ctrl_type)?;
374     let store_var = fgen.get_variable_of_type(ctrl_type)?;
375     let loaded_var = fgen.get_variable_of_type(ctrl_type)?;
376 
377     let expected_val = builder.use_var(expected_var);
378     let store_val = builder.use_var(store_var);
379     let new_val = builder
380         .ins()
381         .atomic_cas(flags, address, expected_val, store_val);
382 
383     builder.def_var(loaded_var, new_val);
384     Ok(())
385 }
386 
387 fn insert_shuffle(
388     fgen: &mut FunctionGenerator,
389     builder: &mut FunctionBuilder,
390     opcode: Opcode,
391     _: &[Type],
392     rets: &[Type],
393 ) -> Result<()> {
394     let ctrl_type = *rets.first().unwrap();
395 
396     let lhs = builder.use_var(fgen.get_variable_of_type(ctrl_type)?);
397     let rhs = builder.use_var(fgen.get_variable_of_type(ctrl_type)?);
398 
399     let mask = {
400         let mut lanes = [0u8; 16];
401         for lane in lanes.iter_mut() {
402             *lane = fgen.u.int_in_range(0..=31)?;
403         }
404         let lanes = ConstantData::from(lanes.as_ref());
405         builder.func.dfg.immediates.push(lanes)
406     };
407 
408     // This function is called for any `InstructionFormat::Shuffle`. Which today is just
409     // `shuffle`, but lets assert that, just to be sure we don't accidentally insert
410     // something else.
411     assert_eq!(opcode, Opcode::Shuffle);
412     let res = builder.ins().shuffle(lhs, rhs, mask);
413 
414     let target_var = fgen.get_variable_of_type(ctrl_type)?;
415     builder.def_var(target_var, res);
416 
417     Ok(())
418 }
419 
420 fn insert_ins_ext_lane(
421     fgen: &mut FunctionGenerator,
422     builder: &mut FunctionBuilder,
423     opcode: Opcode,
424     args: &[Type],
425     rets: &[Type],
426 ) -> Result<()> {
427     let vector_type = *args.first().unwrap();
428     let ret_type = *rets.first().unwrap();
429 
430     let lhs = builder.use_var(fgen.get_variable_of_type(vector_type)?);
431     let max_lane = (vector_type.lane_count() as u8) - 1;
432     let lane = fgen.u.int_in_range(0..=max_lane)?;
433 
434     let res = match opcode {
435         Opcode::Insertlane => {
436             let rhs = builder.use_var(fgen.get_variable_of_type(args[1])?);
437             builder.ins().insertlane(lhs, rhs, lane)
438         }
439         Opcode::Extractlane => builder.ins().extractlane(lhs, lane),
440         _ => todo!(),
441     };
442 
443     let target_var = fgen.get_variable_of_type(ret_type)?;
444     builder.def_var(target_var, res);
445 
446     Ok(())
447 }
448 
449 type OpcodeInserter = fn(
450     fgen: &mut FunctionGenerator,
451     builder: &mut FunctionBuilder,
452     Opcode,
453     &[Type],
454     &[Type],
455 ) -> Result<()>;
456 
457 macro_rules! exceptions {
458     ($op:expr, $args:expr, $rets:expr, $(($($cases:pat),*)),* $(,)?) => {
459         match ($op, $args, $rets) {
460             $( ($($cases,)* ..) => return false, )*
461             _ => true,
462         }
463     }
464 }
465 
466 /// Returns true if we believe this `OpcodeSignature` should compile correctly
467 /// for the given target triple. We currently have a range of known issues
468 /// with specific lowerings on specific backends, and we don't want to get
469 /// fuzz bug reports for those. Over time our goal is to eliminate all of these
470 /// exceptions.
471 fn valid_for_target(triple: &Triple, op: Opcode, args: &[Type], rets: &[Type]) -> bool {
472     // Rule out invalid combinations that we don't yet have a good way of rejecting with the
473     // instruction DSL type constraints.
474     match op {
475         Opcode::FcvtToUintSat | Opcode::FcvtToSintSat => {
476             assert_eq!(args.len(), 1);
477             assert_eq!(rets.len(), 1);
478 
479             let arg = args[0];
480             let ret = rets[0];
481 
482             // Vector arguments must produce vector results, and scalar arguments must produce
483             // scalar results.
484             if arg.is_vector() != ret.is_vector() {
485                 return false;
486             }
487 
488             if arg.is_vector() && ret.is_vector() {
489                 // Vector conversions must have the same number of lanes, and the lanes must be the
490                 // same bit-width.
491                 if arg.lane_count() != ret.lane_count() {
492                     return false;
493                 }
494 
495                 if arg.lane_of().bits() != ret.lane_of().bits() {
496                     return false;
497                 }
498             }
499         }
500 
501         Opcode::Bitcast => {
502             assert_eq!(args.len(), 1);
503             assert_eq!(rets.len(), 1);
504 
505             let arg = args[0];
506             let ret = rets[0];
507 
508             // The opcode generator still allows bitcasts between different sized types, but these
509             // are rejected in the verifier.
510             if arg.bits() != ret.bits() {
511                 return false;
512             }
513         }
514 
515         _ => {}
516     }
517 
518     match triple.architecture {
519         Architecture::X86_64 => {
520             exceptions!(
521                 op,
522                 args,
523                 rets,
524                 (Opcode::UmulOverflow | Opcode::SmulOverflow, &[I128, I128]),
525                 (Opcode::Imul, &[I8X16, I8X16]),
526                 // https://github.com/bytecodealliance/wasmtime/issues/4756
527                 (Opcode::Udiv | Opcode::Sdiv, &[I128, I128]),
528                 // https://github.com/bytecodealliance/wasmtime/issues/5474
529                 (Opcode::Urem | Opcode::Srem, &[I128, I128]),
530                 // https://github.com/bytecodealliance/wasmtime/issues/3370
531                 (
532                     Opcode::Smin | Opcode::Umin | Opcode::Smax | Opcode::Umax,
533                     &[I128, I128]
534                 ),
535                 // https://github.com/bytecodealliance/wasmtime/issues/5107
536                 (Opcode::Cls, &[I8], &[I8]),
537                 (Opcode::Cls, &[I16], &[I16]),
538                 (Opcode::Cls, &[I32], &[I32]),
539                 (Opcode::Cls, &[I64], &[I64]),
540                 (Opcode::Cls, &[I128], &[I128]),
541                 // TODO
542                 (Opcode::Bitselect, &[_, _, _], &[F32 | F64]),
543                 // https://github.com/bytecodealliance/wasmtime/issues/4897
544                 // https://github.com/bytecodealliance/wasmtime/issues/4899
545                 (
546                     Opcode::FcvtToUint
547                         | Opcode::FcvtToUintSat
548                         | Opcode::FcvtToSint
549                         | Opcode::FcvtToSintSat,
550                     &[F32 | F64],
551                     &[I8 | I16 | I128]
552                 ),
553                 (Opcode::FcvtToUint | Opcode::FcvtToSint, &[F32X4], &[I32X4]),
554                 (
555                     Opcode::FcvtToUint
556                         | Opcode::FcvtToUintSat
557                         | Opcode::FcvtToSint
558                         | Opcode::FcvtToSintSat,
559                     &[F64X2],
560                     &[I64X2]
561                 ),
562                 // https://github.com/bytecodealliance/wasmtime/issues/4900
563                 (Opcode::FcvtFromUint, &[I128], &[F32 | F64]),
564                 // This has a lowering, but only when preceded by `uwiden_low`.
565                 (Opcode::FcvtFromUint, &[I64X2], &[F64X2]),
566                 // https://github.com/bytecodealliance/wasmtime/issues/4900
567                 (Opcode::FcvtFromSint, &[I128], &[F32 | F64]),
568                 (Opcode::FcvtFromSint, &[I64X2], &[F64X2]),
569                 (
570                     Opcode::Umulhi | Opcode::Smulhi,
571                     &([I8X16, I8X16] | [I16X8, I16X8] | [I32X4, I32X4] | [I64X2, I64X2])
572                 ),
573                 (
574                     Opcode::UaddSat | Opcode::SaddSat | Opcode::UsubSat | Opcode::SsubSat,
575                     &([I32X4, I32X4] | [I64X2, I64X2])
576                 ),
577                 (Opcode::Fcopysign, &([F32X4, F32X4] | [F64X2, F64X2])),
578                 (Opcode::Popcnt, &([I8X16] | [I16X8] | [I32X4] | [I64X2])),
579                 (
580                     Opcode::Umax | Opcode::Smax | Opcode::Umin | Opcode::Smin,
581                     &[I64X2, I64X2]
582                 ),
583                 // https://github.com/bytecodealliance/wasmtime/issues/6104
584                 (Opcode::Bitcast, &[I128], &[_]),
585                 (Opcode::Bitcast, &[_], &[I128]),
586                 (Opcode::Uunarrow),
587                 (Opcode::Snarrow | Opcode::Unarrow, &[I64X2, I64X2]),
588                 (Opcode::SqmulRoundSat, &[I32X4, I32X4]),
589                 // This Icmp is not implemented: #5529
590                 (Opcode::Icmp, &[I64X2, I64X2]),
591                 // IaddPairwise is implemented, but only for some types, and with some preceding ops.
592                 (Opcode::IaddPairwise),
593                 // Nothing wrong with this select. But we have an isle rule that can optimize it
594                 // into a `min`/`max` instructions, which we don't have implemented yet.
595                 (Opcode::Select, &[_, I128, I128]),
596                 // These stack accesses can cause segfaults if they are merged into an SSE instruction.
597                 // See: #5922
598                 (
599                     Opcode::StackStore,
600                     &[I8X16 | I16X8 | I32X4 | I64X2 | F32X4 | F64X2]
601                 ),
602                 (
603                     Opcode::StackLoad,
604                     &[],
605                     &[I8X16 | I16X8 | I32X4 | I64X2 | F32X4 | F64X2]
606                 ),
607                 // TODO
608                 (
609                     Opcode::Sshr | Opcode::Ushr | Opcode::Ishl,
610                     &[I8X16 | I16X8 | I32X4 | I64X2, I128]
611                 ),
612                 (
613                     Opcode::Rotr | Opcode::Rotl,
614                     &[I8X16 | I16X8 | I32X4 | I64X2, _]
615                 ),
616             )
617         }
618 
619         Architecture::Aarch64(_) => {
620             exceptions!(
621                 op,
622                 args,
623                 rets,
624                 (Opcode::UmulOverflow | Opcode::SmulOverflow, &[I128, I128]),
625                 // https://github.com/bytecodealliance/wasmtime/issues/4864
626                 (Opcode::Udiv | Opcode::Sdiv, &[I128, I128]),
627                 // https://github.com/bytecodealliance/wasmtime/issues/5472
628                 (Opcode::Urem | Opcode::Srem, &[I128, I128]),
629                 // https://github.com/bytecodealliance/wasmtime/issues/4313
630                 (
631                     Opcode::Smin | Opcode::Umin | Opcode::Smax | Opcode::Umax,
632                     &[I128, I128]
633                 ),
634                 // https://github.com/bytecodealliance/wasmtime/issues/4870
635                 (Opcode::Bnot, &[F32 | F64]),
636                 (
637                     Opcode::Band
638                         | Opcode::Bor
639                         | Opcode::Bxor
640                         | Opcode::BandNot
641                         | Opcode::BorNot
642                         | Opcode::BxorNot,
643                     &([F32, F32] | [F64, F64])
644                 ),
645                 // https://github.com/bytecodealliance/wasmtime/issues/5198
646                 (Opcode::Bitselect, &[I128, I128, I128]),
647                 // https://github.com/bytecodealliance/wasmtime/issues/4934
648                 (
649                     Opcode::FcvtToUint
650                         | Opcode::FcvtToUintSat
651                         | Opcode::FcvtToSint
652                         | Opcode::FcvtToSintSat,
653                     &[F32 | F64],
654                     &[I128]
655                 ),
656                 // https://github.com/bytecodealliance/wasmtime/issues/4933
657                 (
658                     Opcode::FcvtFromUint | Opcode::FcvtFromSint,
659                     &[I128],
660                     &[F32 | F64]
661                 ),
662                 (
663                     Opcode::Umulhi | Opcode::Smulhi,
664                     &([I8X16, I8X16] | [I16X8, I16X8] | [I32X4, I32X4] | [I64X2, I64X2])
665                 ),
666                 (Opcode::Popcnt, &[I16X8 | I32X4 | I64X2]),
667                 // Nothing wrong with this select. But we have an isle rule that can optimize it
668                 // into a `min`/`max` instructions, which we don't have implemented yet.
669                 (Opcode::Select, &[I8, I128, I128]),
670                 // https://github.com/bytecodealliance/wasmtime/issues/6104
671                 (Opcode::Bitcast, &[I128], &[_]),
672                 (Opcode::Bitcast, &[_], &[I128]),
673                 // TODO
674                 (
675                     Opcode::Sshr | Opcode::Ushr | Opcode::Ishl,
676                     &[I8X16 | I16X8 | I32X4 | I64X2, I128]
677                 ),
678                 (
679                     Opcode::Rotr | Opcode::Rotl,
680                     &[I8X16 | I16X8 | I32X4 | I64X2, _]
681                 ),
682                 // TODO
683                 (Opcode::Bitselect, &[_, _, _], &[F32 | F64]),
684                 (Opcode::VhighBits, &[F32X4 | F64X2]),
685             )
686         }
687 
688         Architecture::S390x => {
689             exceptions!(
690                 op,
691                 args,
692                 rets,
693                 (Opcode::UaddOverflow | Opcode::SaddOverflow),
694                 (Opcode::UsubOverflow | Opcode::SsubOverflow),
695                 (Opcode::UmulOverflow | Opcode::SmulOverflow),
696                 (
697                     Opcode::Udiv | Opcode::Sdiv | Opcode::Urem | Opcode::Srem,
698                     &[I128, I128]
699                 ),
700                 (Opcode::Bnot, &[F32 | F64]),
701                 (
702                     Opcode::Band
703                         | Opcode::Bor
704                         | Opcode::Bxor
705                         | Opcode::BandNot
706                         | Opcode::BorNot
707                         | Opcode::BxorNot,
708                     &([F32, F32] | [F64, F64])
709                 ),
710                 (
711                     Opcode::FcvtToUint
712                         | Opcode::FcvtToUintSat
713                         | Opcode::FcvtToSint
714                         | Opcode::FcvtToSintSat,
715                     &[F32 | F64],
716                     &[I128]
717                 ),
718                 (
719                     Opcode::FcvtFromUint | Opcode::FcvtFromSint,
720                     &[I128],
721                     &[F32 | F64]
722                 ),
723                 (Opcode::SsubSat | Opcode::SaddSat, &[I64X2, I64X2]),
724                 // https://github.com/bytecodealliance/wasmtime/issues/6104
725                 (Opcode::Bitcast, &[I128], &[_]),
726                 (Opcode::Bitcast, &[_], &[I128]),
727                 // TODO
728                 (Opcode::Bitselect, &[_, _, _], &[F32 | F64]),
729             )
730         }
731 
732         Architecture::Riscv64(_) => {
733             exceptions!(
734                 op,
735                 args,
736                 rets,
737                 // TODO
738                 (Opcode::UaddOverflow | Opcode::SaddOverflow),
739                 (Opcode::UsubOverflow | Opcode::SsubOverflow),
740                 (Opcode::UmulOverflow | Opcode::SmulOverflow),
741                 // TODO
742                 (
743                     Opcode::Udiv | Opcode::Sdiv | Opcode::Urem | Opcode::Srem,
744                     &[I128, I128]
745                 ),
746                 // TODO
747                 (Opcode::Iabs, &[I128]),
748                 // TODO
749                 (Opcode::Bitselect, &[I128, I128, I128]),
750                 // https://github.com/bytecodealliance/wasmtime/issues/5528
751                 (
752                     Opcode::FcvtToUint | Opcode::FcvtToSint,
753                     [F32 | F64],
754                     &[I128]
755                 ),
756                 (
757                     Opcode::FcvtToUintSat | Opcode::FcvtToSintSat,
758                     &[F32 | F64],
759                     &[I128]
760                 ),
761                 // https://github.com/bytecodealliance/wasmtime/issues/5528
762                 (
763                     Opcode::FcvtFromUint | Opcode::FcvtFromSint,
764                     &[I128],
765                     &[F32 | F64]
766                 ),
767                 // TODO
768                 (
769                     Opcode::SelectSpectreGuard,
770                     &[_, _, _],
771                     &[F32 | F64 | I8X16 | I16X8 | I32X4 | I64X2 | F64X2 | F32X4]
772                 ),
773                 // TODO
774                 (Opcode::Bitselect, &[_, _, _], &[F32 | F64]),
775                 (
776                     Opcode::Rotr | Opcode::Rotl,
777                     &[I8X16 | I16X8 | I32X4 | I64X2, _]
778                 ),
779             )
780         }
781 
782         _ => true,
783     }
784 }
785 
786 type OpcodeSignature = (Opcode, Vec<Type>, Vec<Type>);
787 
788 static OPCODE_SIGNATURES: Lazy<Vec<OpcodeSignature>> = Lazy::new(|| {
789     let types = &[
790         I8, I16, I32, I64, I128, // Scalar Integers
791         F32, F64, // Scalar Floats
792         I8X16, I16X8, I32X4, I64X2, // SIMD Integers
793         F32X4, F64X2, // SIMD Floats
794     ];
795 
796     // When this env variable is passed, we only generate instructions for the opcodes listed in
797     // the comma-separated list. This is useful for debugging, as it allows us to focus on a few
798     // specific opcodes.
799     let allowed_opcodes = std::env::var("FUZZGEN_ALLOWED_OPS").ok().map(|s| {
800         s.split(',')
801             .map(|s| s.trim())
802             .filter(|s| !s.is_empty())
803             .map(|s| Opcode::from_str(s).expect("Unrecoginzed opcode"))
804             .collect::<Vec<_>>()
805     });
806 
807     Opcode::all()
808         .iter()
809         .filter(|op| {
810             match op {
811                 // Control flow opcodes should not be generated through `generate_instructions`.
812                 Opcode::BrTable
813                 | Opcode::Brif
814                 | Opcode::Jump
815                 | Opcode::Return
816                 | Opcode::ReturnCall
817                 | Opcode::ReturnCallIndirect => false,
818 
819                 // Constants are generated outside of `generate_instructions`
820                 Opcode::Iconst => false,
821 
822                 // TODO: extract_vector raises exceptions during return type generation because it
823                 // uses dynamic vectors.
824                 Opcode::ExtractVector => false,
825 
826                 _ => true,
827             }
828         })
829         .flat_map(|op| {
830             let constraints = op.constraints();
831 
832             let ctrl_types = if let Some(ctrls) = constraints.ctrl_typeset() {
833                 Vec::from_iter(types.iter().copied().filter(|ty| ctrls.contains(*ty)))
834             } else {
835                 vec![INVALID]
836             };
837 
838             ctrl_types.into_iter().flat_map(move |ctrl_type| {
839                 let rets = Vec::from_iter(
840                     (0..constraints.num_fixed_results())
841                         .map(|i| constraints.result_type(i, ctrl_type)),
842                 );
843 
844                 // Cols is a vector whose length will match `num_fixed_value_arguments`, and whose
845                 // elements will be vectors of types that are valid for that fixed argument
846                 // position.
847                 let mut cols = vec![];
848 
849                 for i in 0..constraints.num_fixed_value_arguments() {
850                     match constraints.value_argument_constraint(i, ctrl_type) {
851                         ResolvedConstraint::Bound(ty) => cols.push(Vec::from([ty])),
852                         ResolvedConstraint::Free(tys) => cols.push(Vec::from_iter(
853                             types.iter().copied().filter(|ty| tys.contains(*ty)),
854                         )),
855                     }
856                 }
857 
858                 // Generate the cartesian product of cols to produce a vector of argument lists,
859                 // argss. The argss vector is seeded with the empty argument list, so there's an
860                 // initial value to be extended in the loop below.
861                 let mut argss = vec![vec![]];
862                 let mut cols = cols.as_slice();
863                 while let Some((col, rest)) = cols.split_last() {
864                     cols = rest;
865 
866                     let mut next = vec![];
867                     for current in argss.iter() {
868                         // Extend the front of each argument candidate with every type in `col`.
869                         for ty in col {
870                             let mut args = vec![*ty];
871                             args.extend_from_slice(&current);
872                             next.push(args);
873                         }
874                     }
875 
876                     let _ = std::mem::replace(&mut argss, next);
877                 }
878 
879                 argss.into_iter().map(move |args| (*op, args, rets.clone()))
880             })
881         })
882         .filter(|(op, args, rets)| {
883             // These op/signature combinations need to be vetted
884             exceptions!(
885                 op,
886                 args.as_slice(),
887                 rets.as_slice(),
888                 (Opcode::Debugtrap),
889                 (Opcode::Trap),
890                 (Opcode::Trapz),
891                 (Opcode::Trapnz),
892                 (Opcode::CallIndirect, &[I32]),
893                 (Opcode::FuncAddr),
894                 (Opcode::X86Pshufb),
895                 (Opcode::AvgRound),
896                 (Opcode::Uload8x8),
897                 (Opcode::Sload8x8),
898                 (Opcode::Uload16x4),
899                 (Opcode::Sload16x4),
900                 (Opcode::Uload32x2),
901                 (Opcode::Sload32x2),
902                 (Opcode::StackAddr),
903                 (Opcode::DynamicStackLoad),
904                 (Opcode::DynamicStackStore),
905                 (Opcode::DynamicStackAddr),
906                 (Opcode::GlobalValue),
907                 (Opcode::SymbolValue),
908                 (Opcode::TlsValue),
909                 (Opcode::GetPinnedReg),
910                 (Opcode::SetPinnedReg),
911                 (Opcode::GetFramePointer),
912                 (Opcode::GetStackPointer),
913                 (Opcode::GetReturnAddress),
914                 (Opcode::X86Blendv),
915                 (Opcode::IcmpImm),
916                 (Opcode::X86Pmulhrsw),
917                 (Opcode::IaddImm),
918                 (Opcode::ImulImm),
919                 (Opcode::UdivImm),
920                 (Opcode::SdivImm),
921                 (Opcode::UremImm),
922                 (Opcode::SremImm),
923                 (Opcode::IrsubImm),
924                 (Opcode::IaddCin),
925                 (Opcode::IaddCarry),
926                 (Opcode::UaddOverflowTrap),
927                 (Opcode::IsubBin),
928                 (Opcode::IsubBorrow),
929                 (Opcode::BandImm),
930                 (Opcode::BorImm),
931                 (Opcode::BxorImm),
932                 (Opcode::RotlImm),
933                 (Opcode::RotrImm),
934                 (Opcode::IshlImm),
935                 (Opcode::UshrImm),
936                 (Opcode::SshrImm),
937                 (Opcode::ScalarToVector),
938                 (Opcode::X86Pmaddubsw),
939                 (Opcode::X86Cvtt2dq),
940                 (Opcode::Umulhi, &[I128, I128], &[I128]),
941                 (Opcode::Smulhi, &[I128, I128], &[I128]),
942                 // https://github.com/bytecodealliance/wasmtime/issues/6073
943                 (Opcode::Iconcat, &[I32, I32], &[I64]),
944                 (Opcode::Iconcat, &[I16, I16], &[I32]),
945                 (Opcode::Iconcat, &[I8, I8], &[I16]),
946                 // https://github.com/bytecodealliance/wasmtime/issues/6073
947                 (Opcode::Isplit, &[I64], &[I32, I32]),
948                 (Opcode::Isplit, &[I32], &[I16, I16]),
949                 (Opcode::Isplit, &[I16], &[I8, I8]),
950                 (Opcode::Fmin, &[F32X4, F32X4], &[F32X4]),
951                 (Opcode::Fmin, &[F64X2, F64X2], &[F64X2]),
952                 (Opcode::Fmax, &[F32X4, F32X4], &[F32X4]),
953                 (Opcode::Fmax, &[F64X2, F64X2], &[F64X2]),
954                 (Opcode::FcvtToUintSat, &[F32X4], &[I8]),
955                 (Opcode::FcvtToUintSat, &[F64X2], &[I8]),
956                 (Opcode::FcvtToUintSat, &[F32X4], &[I16]),
957                 (Opcode::FcvtToUintSat, &[F64X2], &[I16]),
958                 (Opcode::FcvtToUintSat, &[F32X4], &[I32]),
959                 (Opcode::FcvtToUintSat, &[F64X2], &[I32]),
960                 (Opcode::FcvtToUintSat, &[F32X4], &[I64]),
961                 (Opcode::FcvtToUintSat, &[F64X2], &[I64]),
962                 (Opcode::FcvtToUintSat, &[F32X4], &[I128]),
963                 (Opcode::FcvtToUintSat, &[F64X2], &[I128]),
964                 (Opcode::FcvtToUintSat, &[F32], &[I8X16]),
965                 (Opcode::FcvtToUintSat, &[F64], &[I8X16]),
966                 (Opcode::FcvtToUintSat, &[F32X4], &[I8X16]),
967                 (Opcode::FcvtToUintSat, &[F64X2], &[I8X16]),
968                 (Opcode::FcvtToUintSat, &[F32], &[I16X8]),
969                 (Opcode::FcvtToUintSat, &[F64], &[I16X8]),
970                 (Opcode::FcvtToUintSat, &[F32X4], &[I16X8]),
971                 (Opcode::FcvtToUintSat, &[F64X2], &[I16X8]),
972                 (Opcode::FcvtToUintSat, &[F32], &[I32X4]),
973                 (Opcode::FcvtToUintSat, &[F64], &[I32X4]),
974                 (Opcode::FcvtToUintSat, &[F64X2], &[I32X4]),
975                 (Opcode::FcvtToUintSat, &[F32], &[I64X2]),
976                 (Opcode::FcvtToUintSat, &[F64], &[I64X2]),
977                 (Opcode::FcvtToUintSat, &[F32X4], &[I64X2]),
978                 (Opcode::FcvtToSintSat, &[F32X4], &[I8]),
979                 (Opcode::FcvtToSintSat, &[F64X2], &[I8]),
980                 (Opcode::FcvtToSintSat, &[F32X4], &[I16]),
981                 (Opcode::FcvtToSintSat, &[F64X2], &[I16]),
982                 (Opcode::FcvtToSintSat, &[F32X4], &[I32]),
983                 (Opcode::FcvtToSintSat, &[F64X2], &[I32]),
984                 (Opcode::FcvtToSintSat, &[F32X4], &[I64]),
985                 (Opcode::FcvtToSintSat, &[F64X2], &[I64]),
986                 (Opcode::FcvtToSintSat, &[F32X4], &[I128]),
987                 (Opcode::FcvtToSintSat, &[F64X2], &[I128]),
988                 (Opcode::FcvtToSintSat, &[F32], &[I8X16]),
989                 (Opcode::FcvtToSintSat, &[F64], &[I8X16]),
990                 (Opcode::FcvtToSintSat, &[F32X4], &[I8X16]),
991                 (Opcode::FcvtToSintSat, &[F64X2], &[I8X16]),
992                 (Opcode::FcvtToSintSat, &[F32], &[I16X8]),
993                 (Opcode::FcvtToSintSat, &[F64], &[I16X8]),
994                 (Opcode::FcvtToSintSat, &[F32X4], &[I16X8]),
995                 (Opcode::FcvtToSintSat, &[F64X2], &[I16X8]),
996                 (Opcode::FcvtToSintSat, &[F32], &[I32X4]),
997                 (Opcode::FcvtToSintSat, &[F64], &[I32X4]),
998                 (Opcode::FcvtToSintSat, &[F64X2], &[I32X4]),
999                 (Opcode::FcvtToSintSat, &[F32], &[I64X2]),
1000                 (Opcode::FcvtToSintSat, &[F64], &[I64X2]),
1001                 (Opcode::FcvtToSintSat, &[F32X4], &[I64X2]),
1002                 (Opcode::FcvtFromUint, &[I8X16], &[F32]),
1003                 (Opcode::FcvtFromUint, &[I16X8], &[F32]),
1004                 (Opcode::FcvtFromUint, &[I32X4], &[F32]),
1005                 (Opcode::FcvtFromUint, &[I64X2], &[F32]),
1006                 (Opcode::FcvtFromUint, &[I8X16], &[F64]),
1007                 (Opcode::FcvtFromUint, &[I16X8], &[F64]),
1008                 (Opcode::FcvtFromUint, &[I32X4], &[F64]),
1009                 (Opcode::FcvtFromUint, &[I64X2], &[F64]),
1010                 (Opcode::FcvtFromUint, &[I8], &[F32X4]),
1011                 (Opcode::FcvtFromUint, &[I16], &[F32X4]),
1012                 (Opcode::FcvtFromUint, &[I32], &[F32X4]),
1013                 (Opcode::FcvtFromUint, &[I64], &[F32X4]),
1014                 (Opcode::FcvtFromUint, &[I128], &[F32X4]),
1015                 (Opcode::FcvtFromUint, &[I8X16], &[F32X4]),
1016                 (Opcode::FcvtFromUint, &[I16X8], &[F32X4]),
1017                 (Opcode::FcvtFromUint, &[I64X2], &[F32X4]),
1018                 (Opcode::FcvtFromUint, &[I8], &[F64X2]),
1019                 (Opcode::FcvtFromUint, &[I16], &[F64X2]),
1020                 (Opcode::FcvtFromUint, &[I32], &[F64X2]),
1021                 (Opcode::FcvtFromUint, &[I64], &[F64X2]),
1022                 (Opcode::FcvtFromUint, &[I128], &[F64X2]),
1023                 (Opcode::FcvtFromUint, &[I8X16], &[F64X2]),
1024                 (Opcode::FcvtFromUint, &[I16X8], &[F64X2]),
1025                 (Opcode::FcvtFromUint, &[I32X4], &[F64X2]),
1026                 (Opcode::FcvtFromSint, &[I8X16], &[F32]),
1027                 (Opcode::FcvtFromSint, &[I16X8], &[F32]),
1028                 (Opcode::FcvtFromSint, &[I32X4], &[F32]),
1029                 (Opcode::FcvtFromSint, &[I64X2], &[F32]),
1030                 (Opcode::FcvtFromSint, &[I8X16], &[F64]),
1031                 (Opcode::FcvtFromSint, &[I16X8], &[F64]),
1032                 (Opcode::FcvtFromSint, &[I32X4], &[F64]),
1033                 (Opcode::FcvtFromSint, &[I64X2], &[F64]),
1034                 (Opcode::FcvtFromSint, &[I8], &[F32X4]),
1035                 (Opcode::FcvtFromSint, &[I16], &[F32X4]),
1036                 (Opcode::FcvtFromSint, &[I32], &[F32X4]),
1037                 (Opcode::FcvtFromSint, &[I64], &[F32X4]),
1038                 (Opcode::FcvtFromSint, &[I128], &[F32X4]),
1039                 (Opcode::FcvtFromSint, &[I8X16], &[F32X4]),
1040                 (Opcode::FcvtFromSint, &[I16X8], &[F32X4]),
1041                 (Opcode::FcvtFromSint, &[I64X2], &[F32X4]),
1042                 (Opcode::FcvtFromSint, &[I8], &[F64X2]),
1043                 (Opcode::FcvtFromSint, &[I16], &[F64X2]),
1044                 (Opcode::FcvtFromSint, &[I32], &[F64X2]),
1045                 (Opcode::FcvtFromSint, &[I64], &[F64X2]),
1046                 (Opcode::FcvtFromSint, &[I128], &[F64X2]),
1047                 (Opcode::FcvtFromSint, &[I8X16], &[F64X2]),
1048                 (Opcode::FcvtFromSint, &[I16X8], &[F64X2]),
1049                 (Opcode::FcvtFromSint, &[I32X4], &[F64X2]),
1050             )
1051         })
1052         .filter(|(op, ..)| {
1053             allowed_opcodes
1054                 .as_ref()
1055                 .map_or(true, |opcodes| opcodes.contains(op))
1056         })
1057         .collect()
1058 });
1059 
1060 fn inserter_for_format(fmt: InstructionFormat) -> OpcodeInserter {
1061     match fmt {
1062         InstructionFormat::AtomicCas => insert_atomic_cas,
1063         InstructionFormat::AtomicRmw => insert_atomic_rmw,
1064         InstructionFormat::Binary => insert_opcode,
1065         InstructionFormat::BinaryImm64 => todo!(),
1066         InstructionFormat::BinaryImm8 => insert_ins_ext_lane,
1067         InstructionFormat::Call => insert_call,
1068         InstructionFormat::CallIndirect => insert_call,
1069         InstructionFormat::CondTrap => todo!(),
1070         InstructionFormat::DynamicStackLoad => todo!(),
1071         InstructionFormat::DynamicStackStore => todo!(),
1072         InstructionFormat::FloatCompare => insert_cmp,
1073         InstructionFormat::FuncAddr => todo!(),
1074         InstructionFormat::IntAddTrap => todo!(),
1075         InstructionFormat::IntCompare => insert_cmp,
1076         InstructionFormat::IntCompareImm => todo!(),
1077         InstructionFormat::Load => insert_load_store,
1078         InstructionFormat::LoadNoOffset => insert_load_store,
1079         InstructionFormat::NullAry => insert_opcode,
1080         InstructionFormat::Shuffle => insert_shuffle,
1081         InstructionFormat::StackLoad => insert_stack_load,
1082         InstructionFormat::StackStore => insert_stack_store,
1083         InstructionFormat::Store => insert_load_store,
1084         InstructionFormat::StoreNoOffset => insert_load_store,
1085         InstructionFormat::Ternary => insert_opcode,
1086         InstructionFormat::TernaryImm8 => insert_ins_ext_lane,
1087         InstructionFormat::Trap => todo!(),
1088         InstructionFormat::Unary => insert_opcode,
1089         InstructionFormat::UnaryConst => insert_const,
1090         InstructionFormat::UnaryGlobalValue => todo!(),
1091         InstructionFormat::UnaryIeee16 => insert_const,
1092         InstructionFormat::UnaryIeee32 => insert_const,
1093         InstructionFormat::UnaryIeee64 => insert_const,
1094         InstructionFormat::UnaryImm => insert_const,
1095 
1096         InstructionFormat::BranchTable
1097         | InstructionFormat::Brif
1098         | InstructionFormat::Jump
1099         | InstructionFormat::MultiAry => {
1100             panic!("Control-flow instructions should be handled by 'insert_terminator': {fmt:?}")
1101         }
1102     }
1103 }
1104 
1105 pub struct FunctionGenerator<'r, 'data>
1106 where
1107     'data: 'r,
1108 {
1109     u: &'r mut Unstructured<'data>,
1110     config: &'r Config,
1111     resources: Resources,
1112     isa: OwnedTargetIsa,
1113     name: UserFuncName,
1114     signature: Signature,
1115 }
1116 
1117 #[derive(Debug, Clone)]
1118 enum BlockTerminator {
1119     Return,
1120     Jump(Block),
1121     Br(Block, Block),
1122     BrTable(Block, Vec<Block>),
1123     Switch(Type, Block, HashMap<u128, Block>),
1124     TailCall(FuncRef),
1125     TailCallIndirect(FuncRef),
1126 }
1127 
1128 #[derive(Debug, Clone)]
1129 enum BlockTerminatorKind {
1130     Return,
1131     Jump,
1132     Br,
1133     BrTable,
1134     Switch,
1135     TailCall,
1136     TailCallIndirect,
1137 }
1138 
1139 /// Alias Analysis Category
1140 ///
1141 /// Our alias analysis pass supports 4 categories of accesses to distinguish
1142 /// different regions. The "Other" region is the general case, and is the default
1143 /// Although they have highly suggestive names there is no difference between any
1144 /// of the categories.
1145 ///
1146 /// We assign each stack slot a category when we first generate them, and then
1147 /// ensure that all accesses to that stack slot are correctly tagged. We already
1148 /// ensure that memory accesses never cross stack slots, so there is no risk
1149 /// of a memory access being tagged with the wrong category.
1150 #[derive(Debug, PartialEq, Clone, Copy)]
1151 enum AACategory {
1152     Other,
1153     Heap,
1154     Table,
1155     VmCtx,
1156 }
1157 
1158 impl AACategory {
1159     pub fn all() -> &'static [Self] {
1160         &[
1161             AACategory::Other,
1162             AACategory::Heap,
1163             AACategory::Table,
1164             AACategory::VmCtx,
1165         ]
1166     }
1167 
1168     pub fn update_memflags(&self, flags: &mut MemFlags) {
1169         flags.set_alias_region(match self {
1170             AACategory::Other => None,
1171             AACategory::Heap => Some(AliasRegion::Heap),
1172             AACategory::Table => Some(AliasRegion::Table),
1173             AACategory::VmCtx => Some(AliasRegion::Vmctx),
1174         })
1175     }
1176 }
1177 
1178 pub type StackAlignment = StackSize;
1179 
1180 #[derive(Default)]
1181 struct Resources {
1182     vars: HashMap<Type, Vec<Variable>>,
1183     blocks: Vec<(Block, BlockSignature)>,
1184     blocks_without_params: Vec<Block>,
1185     block_terminators: Vec<BlockTerminator>,
1186     func_refs: Vec<(Signature, SigRef, FuncRef)>,
1187     /// This field is required to be sorted by stack slot size at all times.
1188     /// We use this invariant when searching for stack slots with a given size.
1189     /// See [FunctionGenerator::stack_slot_with_size]
1190     stack_slots: Vec<(StackSlot, StackSize, StackAlignment, AACategory)>,
1191     usercalls: Vec<(UserExternalName, Signature)>,
1192     libcalls: Vec<LibCall>,
1193 }
1194 
1195 impl Resources {
1196     /// Partitions blocks at `block`. Only blocks that can be targeted by branches are considered.
1197     ///
1198     /// The first slice includes all blocks up to and including `block`.
1199     /// The second slice includes all remaining blocks.
1200     fn partition_target_blocks(
1201         &self,
1202         block: Block,
1203     ) -> (&[(Block, BlockSignature)], &[(Block, BlockSignature)]) {
1204         // Blocks are stored in-order and have no gaps, this means that we can simply index them by
1205         // their number. We also need to exclude the entry block since it isn't a valid target.
1206         let target_blocks = &self.blocks[1..];
1207         target_blocks.split_at(block.as_u32() as usize)
1208     }
1209 
1210     /// Returns blocks forward of `block`. Only blocks that can be targeted by branches are considered.
1211     fn forward_blocks(&self, block: Block) -> &[(Block, BlockSignature)] {
1212         let (_, forward_blocks) = self.partition_target_blocks(block);
1213         forward_blocks
1214     }
1215 
1216     /// Generates a slice of `blocks_without_params` ahead of `block`
1217     fn forward_blocks_without_params(&self, block: Block) -> &[Block] {
1218         let partition_point = self.blocks_without_params.partition_point(|b| *b <= block);
1219         &self.blocks_without_params[partition_point..]
1220     }
1221 
1222     /// Generates an iterator of all valid tail call targets. This includes all functions with both
1223     ///  the `tail` calling convention and the same return values as the caller.
1224     fn tail_call_targets<'a>(
1225         &'a self,
1226         caller_sig: &'a Signature,
1227     ) -> impl Iterator<Item = &'a (Signature, SigRef, FuncRef)> {
1228         self.func_refs.iter().filter(|(sig, _, _)| {
1229             sig.call_conv == CallConv::Tail && sig.returns == caller_sig.returns
1230         })
1231     }
1232 }
1233 
1234 impl<'r, 'data> FunctionGenerator<'r, 'data>
1235 where
1236     'data: 'r,
1237 {
1238     pub fn new(
1239         u: &'r mut Unstructured<'data>,
1240         config: &'r Config,
1241         isa: OwnedTargetIsa,
1242         name: UserFuncName,
1243         signature: Signature,
1244         usercalls: Vec<(UserExternalName, Signature)>,
1245         libcalls: Vec<LibCall>,
1246     ) -> Self {
1247         Self {
1248             u,
1249             config,
1250             resources: Resources {
1251                 usercalls,
1252                 libcalls,
1253                 ..Resources::default()
1254             },
1255             isa,
1256             name,
1257             signature,
1258         }
1259     }
1260 
1261     /// Generates a random value for config `param`
1262     fn param(&mut self, param: &RangeInclusive<usize>) -> Result<usize> {
1263         Ok(self.u.int_in_range(param.clone())?)
1264     }
1265 
1266     fn system_callconv(&mut self) -> CallConv {
1267         // TODO: This currently only runs on linux, so this is the only choice
1268         // We should improve this once we generate flags and targets
1269         CallConv::SystemV
1270     }
1271 
1272     /// Finds a stack slot with size of at least n bytes
1273     fn stack_slot_with_size(
1274         &mut self,
1275         n: u32,
1276     ) -> Result<(StackSlot, StackSize, StackAlignment, AACategory)> {
1277         let first = self
1278             .resources
1279             .stack_slots
1280             .partition_point(|&(_slot, size, _align, _category)| size < n);
1281         Ok(*self.u.choose(&self.resources.stack_slots[first..])?)
1282     }
1283 
1284     /// Generates an address that should allow for a store or a load.
1285     ///
1286     /// Addresses aren't generated like other values. They are never stored in variables so that
1287     /// we don't run the risk of returning them from a function, which would make the fuzzer
1288     /// complain since they are different from the interpreter to the backend.
1289     ///
1290     /// `min_size`: Controls the amount of space that the address should have.
1291     ///
1292     /// `aligned`: When passed as true, the resulting address is guaranteed to be aligned
1293     /// on an 8 byte boundary.
1294     ///
1295     /// Returns a valid address and the maximum possible offset that still respects `min_size`.
1296     fn generate_load_store_address(
1297         &mut self,
1298         builder: &mut FunctionBuilder,
1299         min_size: u32,
1300         aligned: bool,
1301     ) -> Result<(Value, u32, AACategory)> {
1302         // TODO: Currently our only source of addresses is stack_addr, but we
1303         // should add global_value, symbol_value eventually
1304         let (addr, available_size, category) = {
1305             let (ss, slot_size, _align, category) = self.stack_slot_with_size(min_size)?;
1306 
1307             // stack_slot_with_size guarantees that slot_size >= min_size
1308             let max_offset = slot_size - min_size;
1309             let offset = if aligned {
1310                 self.u.int_in_range(0..=max_offset / min_size)? * min_size
1311             } else {
1312                 self.u.int_in_range(0..=max_offset)?
1313             };
1314 
1315             let base_addr = builder.ins().stack_addr(I64, ss, offset as i32);
1316             let available_size = slot_size.saturating_sub(offset);
1317             (base_addr, available_size, category)
1318         };
1319 
1320         // TODO: Insert a bunch of amode opcodes here to modify the address!
1321 
1322         // Now that we have an address and a size, we just choose a random offset to return to the
1323         // caller. Preserving min_size bytes.
1324         let max_offset = available_size.saturating_sub(min_size);
1325         Ok((addr, max_offset, category))
1326     }
1327 
1328     // Generates an address and memflags for a load or store.
1329     fn generate_address_and_memflags(
1330         &mut self,
1331         builder: &mut FunctionBuilder,
1332         min_size: u32,
1333         is_atomic: bool,
1334     ) -> Result<(Value, MemFlags, Offset32)> {
1335         // Should we generate an aligned address
1336         // Some backends have issues with unaligned atomics.
1337         // AArch64: https://github.com/bytecodealliance/wasmtime/issues/5483
1338         // RISCV: https://github.com/bytecodealliance/wasmtime/issues/5882
1339         let requires_aligned_atomics = matches!(
1340             self.isa.triple().architecture,
1341             Architecture::Aarch64(_) | Architecture::Riscv64(_)
1342         );
1343         let aligned = if is_atomic && requires_aligned_atomics {
1344             true
1345         } else if min_size > 8 {
1346             // TODO: We currently can't guarantee that a stack_slot will be aligned on a 16 byte
1347             // boundary. We don't have a way to specify alignment when creating stack slots, and
1348             // cranelift only guarantees 8 byte alignment between stack slots.
1349             // See: https://github.com/bytecodealliance/wasmtime/issues/5922#issuecomment-1457926624
1350             false
1351         } else {
1352             bool::arbitrary(self.u)?
1353         };
1354 
1355         let mut flags = MemFlags::new();
1356         // Even if we picked an aligned address, we can always generate unaligned memflags
1357         if aligned && bool::arbitrary(self.u)? {
1358             flags.set_aligned();
1359         }
1360         // If the address is aligned, then we know it won't trap
1361         if aligned && bool::arbitrary(self.u)? {
1362             flags.set_notrap();
1363         }
1364 
1365         let (address, max_offset, category) =
1366             self.generate_load_store_address(builder, min_size, aligned)?;
1367 
1368         // Set the Alias Analysis bits on the memflags
1369         category.update_memflags(&mut flags);
1370 
1371         // Pick an offset to pass into the load/store.
1372         let offset = if aligned {
1373             0
1374         } else {
1375             self.u.int_in_range(0..=max_offset)? as i32
1376         }
1377         .into();
1378 
1379         Ok((address, flags, offset))
1380     }
1381 
1382     /// Get a variable of type `ty` from the current function
1383     fn get_variable_of_type(&mut self, ty: Type) -> Result<Variable> {
1384         let opts = self.resources.vars.get(&ty).map_or(&[][..], Vec::as_slice);
1385         let var = self.u.choose(opts)?;
1386         Ok(*var)
1387     }
1388 
1389     /// Generates an instruction(`iconst`/`fconst`/etc...) to introduce a constant value
1390     fn generate_const(&mut self, builder: &mut FunctionBuilder, ty: Type) -> Result<Value> {
1391         Ok(match self.u.datavalue(ty)? {
1392             DataValue::I8(i) => builder.ins().iconst(ty, i as u8 as i64),
1393             DataValue::I16(i) => builder.ins().iconst(ty, i as u16 as i64),
1394             DataValue::I32(i) => builder.ins().iconst(ty, i as u32 as i64),
1395             DataValue::I64(i) => builder.ins().iconst(ty, i),
1396             DataValue::I128(i) => {
1397                 let hi = builder.ins().iconst(I64, (i >> 64) as i64);
1398                 let lo = builder.ins().iconst(I64, i as i64);
1399                 builder.ins().iconcat(lo, hi)
1400             }
1401             DataValue::F16(f) => builder.ins().f16const(f),
1402             DataValue::F32(f) => builder.ins().f32const(f),
1403             DataValue::F64(f) => builder.ins().f64const(f),
1404             DataValue::F128(f) => {
1405                 let handle = builder.func.dfg.constants.insert(f.into());
1406                 builder.ins().f128const(handle)
1407             }
1408             DataValue::V128(bytes) => {
1409                 let data = bytes.to_vec().into();
1410                 let handle = builder.func.dfg.constants.insert(data);
1411                 builder.ins().vconst(ty, handle)
1412             }
1413             _ => unimplemented!(),
1414         })
1415     }
1416 
1417     /// Chooses a random block which can be targeted by a jump / branch.
1418     /// This means any block that is not the first block.
1419     fn generate_target_block(&mut self, source_block: Block) -> Result<Block> {
1420         // We try to mostly generate forward branches to avoid generating an excessive amount of
1421         // infinite loops. But they are still important, so give them a small chance of existing.
1422         let (backwards_blocks, forward_blocks) =
1423             self.resources.partition_target_blocks(source_block);
1424         let ratio = self.config.backwards_branch_ratio;
1425         let block_targets = if !backwards_blocks.is_empty() && self.u.ratio(ratio.0, ratio.1)? {
1426             backwards_blocks
1427         } else {
1428             forward_blocks
1429         };
1430         assert!(!block_targets.is_empty());
1431 
1432         let (block, _) = self.u.choose(block_targets)?.clone();
1433         Ok(block)
1434     }
1435 
1436     fn generate_values_for_block(
1437         &mut self,
1438         builder: &mut FunctionBuilder,
1439         block: Block,
1440     ) -> Result<Vec<Value>> {
1441         let (_, sig) = self.resources.blocks[block.as_u32() as usize].clone();
1442         self.generate_values_for_signature(builder, sig.iter().copied())
1443     }
1444 
1445     fn generate_values_for_signature<I: Iterator<Item = Type>>(
1446         &mut self,
1447         builder: &mut FunctionBuilder,
1448         signature: I,
1449     ) -> Result<Vec<Value>> {
1450         signature
1451             .map(|ty| {
1452                 let var = self.get_variable_of_type(ty)?;
1453                 let val = builder.use_var(var);
1454                 Ok(val)
1455             })
1456             .collect()
1457     }
1458 
1459     /// The terminator that we need to insert has already been picked ahead of time
1460     /// we just need to build the instructions for it
1461     fn insert_terminator(
1462         &mut self,
1463         builder: &mut FunctionBuilder,
1464         source_block: Block,
1465     ) -> Result<()> {
1466         let terminator = self.resources.block_terminators[source_block.as_u32() as usize].clone();
1467 
1468         match terminator {
1469             BlockTerminator::Return => {
1470                 let types: Vec<Type> = {
1471                     let rets = &builder.func.signature.returns;
1472                     rets.iter().map(|p| p.value_type).collect()
1473                 };
1474                 let vals = self.generate_values_for_signature(builder, types.into_iter())?;
1475 
1476                 builder.ins().return_(&vals[..]);
1477             }
1478             BlockTerminator::Jump(target) => {
1479                 let args = self.generate_values_for_block(builder, target)?;
1480                 builder.ins().jump(target, &args[..]);
1481             }
1482             BlockTerminator::Br(left, right) => {
1483                 let left_args = self.generate_values_for_block(builder, left)?;
1484                 let right_args = self.generate_values_for_block(builder, right)?;
1485 
1486                 let condbr_types = [I8, I16, I32, I64, I128];
1487                 let _type = *self.u.choose(&condbr_types[..])?;
1488                 let val = builder.use_var(self.get_variable_of_type(_type)?);
1489                 builder
1490                     .ins()
1491                     .brif(val, left, &left_args[..], right, &right_args[..]);
1492             }
1493             BlockTerminator::BrTable(default, targets) => {
1494                 // Create jump tables on demand
1495                 let mut jt = Vec::with_capacity(targets.len());
1496                 for block in targets {
1497                     let args = self.generate_values_for_block(builder, block)?;
1498                     jt.push(builder.func.dfg.block_call(block, &args))
1499                 }
1500 
1501                 let args = self.generate_values_for_block(builder, default)?;
1502                 let jt_data = JumpTableData::new(builder.func.dfg.block_call(default, &args), &jt);
1503                 let jt = builder.create_jump_table(jt_data);
1504 
1505                 // br_table only supports I32
1506                 let val = builder.use_var(self.get_variable_of_type(I32)?);
1507 
1508                 builder.ins().br_table(val, jt);
1509             }
1510             BlockTerminator::Switch(_type, default, entries) => {
1511                 let mut switch = Switch::new();
1512                 for (&entry, &block) in entries.iter() {
1513                     switch.set_entry(entry, block);
1514                 }
1515 
1516                 let switch_val = builder.use_var(self.get_variable_of_type(_type)?);
1517 
1518                 switch.emit(builder, switch_val, default);
1519             }
1520             BlockTerminator::TailCall(target) | BlockTerminator::TailCallIndirect(target) => {
1521                 let (sig, sig_ref, func_ref) = self
1522                     .resources
1523                     .func_refs
1524                     .iter()
1525                     .find(|(_, _, f)| *f == target)
1526                     .expect("Failed to find previously selected function")
1527                     .clone();
1528 
1529                 let opcode = match terminator {
1530                     BlockTerminator::TailCall(_) => Opcode::ReturnCall,
1531                     BlockTerminator::TailCallIndirect(_) => Opcode::ReturnCallIndirect,
1532                     _ => unreachable!(),
1533                 };
1534 
1535                 insert_call_to_function(self, builder, opcode, &sig, sig_ref, func_ref)?;
1536             }
1537         }
1538 
1539         Ok(())
1540     }
1541 
1542     /// Fills the current block with random instructions
1543     fn generate_instructions(&mut self, builder: &mut FunctionBuilder) -> Result<()> {
1544         for _ in 0..self.param(&self.config.instructions_per_block)? {
1545             let (op, args, rets) = self.u.choose(&OPCODE_SIGNATURES)?;
1546 
1547             // We filter out instructions that aren't supported by the target at this point instead
1548             // of building a single vector of valid instructions at the beginning of function
1549             // generation, to avoid invalidating the corpus when instructions are enabled/disabled.
1550             if !valid_for_target(&self.isa.triple(), *op, &args, &rets) {
1551                 return Err(arbitrary::Error::IncorrectFormat.into());
1552             }
1553 
1554             let inserter = inserter_for_format(op.format());
1555             inserter(self, builder, *op, &args, &rets)?;
1556         }
1557 
1558         Ok(())
1559     }
1560 
1561     fn generate_funcrefs(&mut self, builder: &mut FunctionBuilder) -> Result<()> {
1562         let usercalls: Vec<(ExternalName, Signature)> = self
1563             .resources
1564             .usercalls
1565             .iter()
1566             .map(|(name, signature)| {
1567                 let user_func_ref = builder.func.declare_imported_user_function(name.clone());
1568                 let name = ExternalName::User(user_func_ref);
1569                 (name, signature.clone())
1570             })
1571             .collect();
1572 
1573         let lib_callconv = self.system_callconv();
1574         let libcalls: Vec<(ExternalName, Signature)> = self
1575             .resources
1576             .libcalls
1577             .iter()
1578             .map(|libcall| {
1579                 let pointer_type = Type::int_with_byte_size(
1580                     self.isa.triple().pointer_width().unwrap().bytes().into(),
1581                 )
1582                 .unwrap();
1583                 let signature = libcall.signature(lib_callconv, pointer_type);
1584                 let name = ExternalName::LibCall(*libcall);
1585                 (name, signature)
1586             })
1587             .collect();
1588 
1589         for (name, signature) in usercalls.into_iter().chain(libcalls) {
1590             let sig_ref = builder.import_signature(signature.clone());
1591             let func_ref = builder.import_function(ExtFuncData {
1592                 name,
1593                 signature: sig_ref,
1594                 colocated: self.u.arbitrary()?,
1595             });
1596 
1597             self.resources
1598                 .func_refs
1599                 .push((signature, sig_ref, func_ref));
1600         }
1601 
1602         Ok(())
1603     }
1604 
1605     fn generate_stack_slots(&mut self, builder: &mut FunctionBuilder) -> Result<()> {
1606         for _ in 0..self.param(&self.config.static_stack_slots_per_function)? {
1607             let bytes = self.param(&self.config.static_stack_slot_size)? as u32;
1608             let alignment = self.param(&self.config.stack_slot_alignment_log2)? as u8;
1609             let alignment_bytes = 1 << alignment;
1610 
1611             let ss_data = StackSlotData::new(StackSlotKind::ExplicitSlot, bytes, alignment);
1612             let slot = builder.create_sized_stack_slot(ss_data);
1613 
1614             // Generate one Alias Analysis Category for each slot
1615             let category = *self.u.choose(AACategory::all())?;
1616 
1617             self.resources
1618                 .stack_slots
1619                 .push((slot, bytes, alignment_bytes, category));
1620         }
1621 
1622         self.resources
1623             .stack_slots
1624             .sort_unstable_by_key(|&(_slot, bytes, _align, _category)| bytes);
1625 
1626         Ok(())
1627     }
1628 
1629     /// Zero initializes the stack slot by inserting `stack_store`'s.
1630     fn initialize_stack_slots(&mut self, builder: &mut FunctionBuilder) -> Result<()> {
1631         let i8_zero = builder.ins().iconst(I8, 0);
1632         let i16_zero = builder.ins().iconst(I16, 0);
1633         let i32_zero = builder.ins().iconst(I32, 0);
1634         let i64_zero = builder.ins().iconst(I64, 0);
1635         let i128_zero = builder.ins().uextend(I128, i64_zero);
1636 
1637         for &(slot, init_size, _align, category) in self.resources.stack_slots.iter() {
1638             let mut size = init_size;
1639 
1640             // Insert the largest available store for the remaining size.
1641             while size != 0 {
1642                 let offset = (init_size - size) as i32;
1643                 let (val, filled) = match size {
1644                     sz if sz / 16 > 0 => (i128_zero, 16),
1645                     sz if sz / 8 > 0 => (i64_zero, 8),
1646                     sz if sz / 4 > 0 => (i32_zero, 4),
1647                     sz if sz / 2 > 0 => (i16_zero, 2),
1648                     _ => (i8_zero, 1),
1649                 };
1650                 let addr = builder.ins().stack_addr(I64, slot, offset);
1651 
1652                 // Each stack slot has an associated category, that means we have to set the
1653                 // correct memflags for it. So we can't use `stack_store` directly.
1654                 let mut flags = MemFlags::new();
1655                 flags.set_notrap();
1656                 category.update_memflags(&mut flags);
1657 
1658                 builder.ins().store(flags, val, addr, 0);
1659 
1660                 size -= filled;
1661             }
1662         }
1663         Ok(())
1664     }
1665 
1666     /// Creates a random amount of blocks in this function
1667     fn generate_blocks(&mut self, builder: &mut FunctionBuilder) -> Result<()> {
1668         let extra_block_count = self.param(&self.config.blocks_per_function)?;
1669 
1670         // We must always have at least one block, so we generate the "extra" blocks and add 1 for
1671         // the entry block.
1672         let block_count = 1 + extra_block_count;
1673 
1674         // Blocks need to be sorted in ascending order
1675         self.resources.blocks = (0..block_count)
1676             .map(|i| {
1677                 let is_entry = i == 0;
1678                 let block = builder.create_block();
1679 
1680                 // Optionally mark blocks that are not the entry block as cold
1681                 if !is_entry {
1682                     if bool::arbitrary(self.u)? {
1683                         builder.set_cold_block(block);
1684                     }
1685                 }
1686 
1687                 // The first block has to have the function signature, but for the rest of them we generate
1688                 // a random signature;
1689                 if is_entry {
1690                     builder.append_block_params_for_function_params(block);
1691                     Ok((
1692                         block,
1693                         self.signature.params.iter().map(|a| a.value_type).collect(),
1694                     ))
1695                 } else {
1696                     let sig = self.generate_block_signature()?;
1697                     sig.iter().for_each(|ty| {
1698                         builder.append_block_param(block, *ty);
1699                     });
1700                     Ok((block, sig))
1701                 }
1702             })
1703             .collect::<Result<Vec<_>>>()?;
1704 
1705         // Valid blocks for jump tables have to have no parameters in the signature, and must also
1706         // not be the first block.
1707         self.resources.blocks_without_params = self.resources.blocks[1..]
1708             .iter()
1709             .filter(|(_, sig)| sig.len() == 0)
1710             .map(|(b, _)| *b)
1711             .collect();
1712 
1713         // Compute the block CFG
1714         //
1715         // cranelift-frontend requires us to never generate unreachable blocks
1716         // To ensure this property we start by constructing a main "spine" of blocks. So block1 can
1717         // always jump to block2, and block2 can always jump to block3, etc...
1718         //
1719         // That is not a very interesting CFG, so we introduce variations on that, but always
1720         // ensuring that the property of pointing to the next block is maintained whatever the
1721         // branching mechanism we use.
1722         let blocks = self.resources.blocks.clone();
1723         self.resources.block_terminators = blocks
1724             .iter()
1725             .map(|&(block, _)| {
1726                 let next_block = Block::with_number(block.as_u32() + 1).unwrap();
1727                 let forward_blocks = self.resources.forward_blocks(block);
1728                 let paramless_targets = self.resources.forward_blocks_without_params(block);
1729                 let has_paramless_targets = !paramless_targets.is_empty();
1730                 let next_block_is_paramless = paramless_targets.contains(&next_block);
1731 
1732                 let mut valid_terminators = vec![];
1733 
1734                 if forward_blocks.is_empty() {
1735                     // Return is only valid on the last block.
1736                     valid_terminators.push(BlockTerminatorKind::Return);
1737                 } else {
1738                     // If we have more than one block we can allow terminators that target blocks.
1739                     // TODO: We could add some kind of BrReturn here, to explore edges where we
1740                     // exit in the middle of the function
1741                     valid_terminators.extend_from_slice(&[
1742                         BlockTerminatorKind::Jump,
1743                         BlockTerminatorKind::Br,
1744                         BlockTerminatorKind::BrTable,
1745                     ]);
1746                 }
1747 
1748                 // As the Switch interface only allows targeting blocks without params we need
1749                 // to ensure that the next block has no params, since that one is guaranteed to be
1750                 // picked in either case.
1751                 if has_paramless_targets && next_block_is_paramless {
1752                     valid_terminators.push(BlockTerminatorKind::Switch);
1753                 }
1754 
1755                 // Tail Calls are a block terminator, so we should insert them as any other block
1756                 // terminator. We should ensure that we can select at least one target before considering
1757                 // them as candidate instructions.
1758                 let has_tail_callees = self
1759                     .resources
1760                     .tail_call_targets(&self.signature)
1761                     .next()
1762                     .is_some();
1763                 let is_tail_caller = self.signature.call_conv == CallConv::Tail;
1764 
1765                 let supports_tail_calls = match self.isa.triple().architecture {
1766                     Architecture::Aarch64(_) | Architecture::Riscv64(_) => true,
1767                     // TODO: x64 currently requires frame pointers for tail calls.
1768                     Architecture::X86_64 => self.isa.flags().preserve_frame_pointers(),
1769                     // TODO: Other platforms do not support tail calls yet.
1770                     _ => false,
1771                 };
1772 
1773                 if is_tail_caller && has_tail_callees && supports_tail_calls {
1774                     valid_terminators.extend([
1775                         BlockTerminatorKind::TailCall,
1776                         BlockTerminatorKind::TailCallIndirect,
1777                     ]);
1778                 }
1779 
1780                 let terminator = self.u.choose(&valid_terminators)?;
1781 
1782                 // Choose block targets for the terminators that we picked above
1783                 Ok(match terminator {
1784                     BlockTerminatorKind::Return => BlockTerminator::Return,
1785                     BlockTerminatorKind::Jump => BlockTerminator::Jump(next_block),
1786                     BlockTerminatorKind::Br => {
1787                         BlockTerminator::Br(next_block, self.generate_target_block(block)?)
1788                     }
1789                     // TODO: Allow generating backwards branches here
1790                     BlockTerminatorKind::BrTable => {
1791                         // Make the default the next block, and then we don't have to worry
1792                         // that we can reach it via the targets
1793                         let default = next_block;
1794 
1795                         let target_count = self.param(&self.config.jump_table_entries)?;
1796                         let targets = Result::from_iter(
1797                             (0..target_count).map(|_| self.generate_target_block(block)),
1798                         )?;
1799 
1800                         BlockTerminator::BrTable(default, targets)
1801                     }
1802                     BlockTerminatorKind::Switch => {
1803                         // Make the default the next block, and then we don't have to worry
1804                         // that we can reach it via the entries below
1805                         let default_block = next_block;
1806 
1807                         let _type = *self.u.choose(&[I8, I16, I32, I64, I128][..])?;
1808 
1809                         // Build this into a HashMap since we cannot have duplicate entries.
1810                         let mut entries = HashMap::new();
1811                         for _ in 0..self.param(&self.config.switch_cases)? {
1812                             // The Switch API only allows for entries that are addressable by the index type
1813                             // so we need to limit the range of values that we generate.
1814                             let (ty_min, ty_max) = _type.bounds(false);
1815                             let range_start = self.u.int_in_range(ty_min..=ty_max)?;
1816 
1817                             // We can either insert a contiguous range of blocks or a individual block
1818                             // This is done because the Switch API specializes contiguous ranges.
1819                             let range_size = if bool::arbitrary(self.u)? {
1820                                 1
1821                             } else {
1822                                 self.param(&self.config.switch_max_range_size)?
1823                             } as u128;
1824 
1825                             // Build the switch entries
1826                             for i in 0..range_size {
1827                                 let index = range_start.wrapping_add(i) % ty_max;
1828                                 let block = *self
1829                                     .u
1830                                     .choose(self.resources.forward_blocks_without_params(block))?;
1831 
1832                                 entries.insert(index, block);
1833                             }
1834                         }
1835 
1836                         BlockTerminator::Switch(_type, default_block, entries)
1837                     }
1838                     BlockTerminatorKind::TailCall => {
1839                         let targets = self
1840                             .resources
1841                             .tail_call_targets(&self.signature)
1842                             .collect::<Vec<_>>();
1843                         let (_, _, funcref) = *self.u.choose(&targets[..])?;
1844                         BlockTerminator::TailCall(*funcref)
1845                     }
1846                     BlockTerminatorKind::TailCallIndirect => {
1847                         let targets = self
1848                             .resources
1849                             .tail_call_targets(&self.signature)
1850                             .collect::<Vec<_>>();
1851                         let (_, _, funcref) = *self.u.choose(&targets[..])?;
1852                         BlockTerminator::TailCallIndirect(*funcref)
1853                     }
1854                 })
1855             })
1856             .collect::<Result<_>>()?;
1857 
1858         Ok(())
1859     }
1860 
1861     fn generate_block_signature(&mut self) -> Result<BlockSignature> {
1862         let param_count = self.param(&self.config.block_signature_params)?;
1863 
1864         let mut params = Vec::with_capacity(param_count);
1865         for _ in 0..param_count {
1866             params.push(self.u._type((&*self.isa).supports_simd())?);
1867         }
1868         Ok(params)
1869     }
1870 
1871     fn build_variable_pool(&mut self, builder: &mut FunctionBuilder) -> Result<()> {
1872         let block = builder.current_block().unwrap();
1873 
1874         // Define variables for the function signature
1875         let mut vars: Vec<_> = builder
1876             .func
1877             .signature
1878             .params
1879             .iter()
1880             .map(|param| param.value_type)
1881             .zip(builder.block_params(block).iter().copied())
1882             .collect();
1883 
1884         // Create a pool of vars that are going to be used in this function
1885         for _ in 0..self.param(&self.config.vars_per_function)? {
1886             let ty = self.u._type((&*self.isa).supports_simd())?;
1887             let value = self.generate_const(builder, ty)?;
1888             vars.push((ty, value));
1889         }
1890 
1891         for (id, (ty, value)) in vars.into_iter().enumerate() {
1892             let var = Variable::new(id);
1893             builder.declare_var(var, ty);
1894             builder.def_var(var, value);
1895 
1896             // Randomly declare variables as needing a stack map.
1897             // We limit these to only types that have fewer than 16 bytes
1898             // since the stack map mechanism does not support larger types.
1899             if ty.bytes() <= 16 && self.u.arbitrary()? {
1900                 builder.declare_var_needs_stack_map(var);
1901             }
1902 
1903             self.resources
1904                 .vars
1905                 .entry(ty)
1906                 .or_insert_with(Vec::new)
1907                 .push(var);
1908         }
1909 
1910         Ok(())
1911     }
1912 
1913     /// We generate a function in multiple stages:
1914     ///
1915     /// * First we generate a random number of empty blocks
1916     /// * Then we generate a random pool of variables to be used throughout the function
1917     /// * We then visit each block and generate random instructions
1918     ///
1919     /// Because we generate all blocks and variables up front we already know everything that
1920     /// we need when generating instructions (i.e. jump targets / variables)
1921     pub fn generate(mut self) -> Result<Function> {
1922         let mut fn_builder_ctx = FunctionBuilderContext::new();
1923         let mut func = Function::with_name_signature(self.name.clone(), self.signature.clone());
1924 
1925         let mut builder = FunctionBuilder::new(&mut func, &mut fn_builder_ctx);
1926 
1927         // Build the function references before generating the block CFG since we store
1928         // function references in the CFG.
1929         self.generate_funcrefs(&mut builder)?;
1930         self.generate_blocks(&mut builder)?;
1931 
1932         // Function preamble
1933         self.generate_stack_slots(&mut builder)?;
1934 
1935         // Main instruction generation loop
1936         for (block, block_sig) in self.resources.blocks.clone().into_iter() {
1937             let is_block0 = block.as_u32() == 0;
1938             builder.switch_to_block(block);
1939 
1940             if is_block0 {
1941                 // The first block is special because we must create variables both for the
1942                 // block signature and for the variable pool. Additionally, we must also define
1943                 // initial values for all variables that are not the function signature.
1944                 self.build_variable_pool(&mut builder)?;
1945 
1946                 // Stack slots have random bytes at the beginning of the function
1947                 // initialize them to a constant value so that execution stays predictable.
1948                 self.initialize_stack_slots(&mut builder)?;
1949             } else {
1950                 // Define variables for the block params
1951                 for (i, ty) in block_sig.iter().enumerate() {
1952                     let var = self.get_variable_of_type(*ty)?;
1953                     let block_param = builder.block_params(block)[i];
1954                     builder.def_var(var, block_param);
1955                 }
1956             }
1957 
1958             // Generate block instructions
1959             self.generate_instructions(&mut builder)?;
1960 
1961             // Insert a terminator to safely exit the block
1962             self.insert_terminator(&mut builder, block)?;
1963         }
1964 
1965         builder.seal_all_blocks();
1966         builder.finalize();
1967 
1968         Ok(func)
1969     }
1970 }
1971