Fuzzer: Fix cross-module call_ref from JS (#7969)

kripken · web-flow · commit 0ccf2800a2b8 · 2025-10-15T16:56:05.000-07:00
The "call_ref" import was getting the function in the current module
from the reference, but the target might be in another.

To fix this, make `callFunctionAsJS` receive a lambda that does the
call, and do the right thing in both cases.
diff --git a/src/tools/execution-results.h b/src/tools/execution-results.h
@@ -236,25 +236,34 @@ struct LoggingExternalInterface : public ShellExternalInterface {
       // No callable export.
       throwJSException();
     }
-    return callFunctionAsJS(*exp->getInternalName());
+    auto funcName = *exp->getInternalName();
+    return callFunctionAsJS(
+      [&](Literals arguments) {
+        return instance->callFunction(funcName, arguments);
+      },
+      wasm.getFunction(funcName)->type.getHeapType());
   }
 
   Literals callRefAsJS(Literal ref) {
     if (!ref.isFunction()) {
       // Not a callable ref.
       throwJSException();
     }
-    return callFunctionAsJS(ref.getFunc());
+    return callFunctionAsJS(
+      [&](Literals arguments) { return ref.getFuncData()->doCall(arguments); },
+      ref.type.getHeapType());
   }
 
   // Call a function in a "JS-ey" manner, adding arguments as needed, and
-  // throwing if necessary, the same way JS does.
-  Literals callFunctionAsJS(Name name) {
-    auto* func = wasm.getFunction(name);
+  // throwing if necessary, the same way JS does. We are given a method that
+  // does the actual call, and the type we are calling.
+  Literals callFunctionAsJS(std::function<Flow(Literals)> doCall,
+                            HeapType type) {
+    auto sig = type.getSignature();
 
     // Send default values as arguments, or error if we need anything else.
     Literals arguments;
-    for (const auto& param : func->getParams()) {
+    for (const auto& param : sig.params) {
       // An i64 param can work from JS, but fuzz_shell provides 0, which errors
       // on attempts to convert it to BigInt. v128 and exnref are disalloewd.
       if (param == Type::i64 || param == Type::v128 || param.isExn()) {
@@ -268,7 +277,7 @@ struct LoggingExternalInterface : public ShellExternalInterface {
 
     // Error on illegal results. Note that this happens, as per JS semantics,
     // *before* the call.
-    for (const auto& result : func->getResults()) {
+    for (const auto& result : sig.results) {
       // An i64 result is fine: a BigInt will be provided. But v128 and exnref
       // still error.
       if (result == Type::v128 || result.isExn()) {
@@ -277,7 +286,7 @@ struct LoggingExternalInterface : public ShellExternalInterface {
     }
 
     // Call the function.
-    auto flow = instance->callFunction(func->name, arguments);
+    auto flow = doCall(arguments);
     // Suspending through JS is not valid.
     if (flow.suspendTag) {
       throwJSException();
diff --git a/test/lit/exec/call_ref-import-cross-module.wast b/test/lit/exec/call_ref-import-cross-module.wast
@@ -0,0 +1,26 @@
+;; RUN: wasm-opt %s -all --fuzz-exec-before --fuzz-exec-second=%s.second -q -o /dev/null 2>&1 | filecheck %s
+
+;; Test for confusion regarding internal function names when using call_ref from
+;; JS. This module returns a funcref, which the other module will get, then
+;; send to JS to be call_ref'd.
+
+(module $primary
+ (import "fuzzing-support" "log-i32" (func $log (param i32)))
+
+ (func $get (export "get") (result funcref)
+  (call $log (i32.const 10))
+  (ref.func $get)
+ )
+)
+
+;; First we call $get from this module. When we run the second module, we call
+;; it once to get a ref to itself, then call_ref it, logging 10 twice.
+
+;; CHECK: [fuzz-exec] calling get
+;; CHECK-NEXT: [LoggingExternalInterface logging 10]
+;; CHECK-NEXT: [fuzz-exec] note result: get => function
+;; CHECK-NEXT: [fuzz-exec] running second module
+;; CHECK-NEXT: [fuzz-exec] calling run
+;; CHECK-NEXT: [LoggingExternalInterface logging 10]
+;; CHECK-NEXT: [LoggingExternalInterface logging 10]
+
diff --git a/test/lit/exec/call_ref-import-cross-module.wast.second b/test/lit/exec/call_ref-import-cross-module.wast.second
@@ -0,0 +1,12 @@
+(module
+ (import "fuzzing-support" "call-ref" (func $call-ref (param funcref i32)))
+ (import "primary" "get" (func $primary-get (result funcref)))
+
+ (func $run (export "run")
+  (call $call-ref
+   (call $primary-get)
+   (i32.const 0)
+  )
+ )
+)
+
