gc_fuzz: Add support for casting and testing references #12996

Open
khagankhan wants to merge 1 commit into bytecodealliance:main from khagankhan:gc-cast
Conversation

@khagankhan
Contributor

Summary

Add support for reference casting and testing in the GC fuzzer.

  • Upcasts from a subtype to a supertype, emitted as ref.cast.
  • Fallible downcasts from a supertype to a subtype, lowered in a non-trapping form using ref.test, ref.cast, and ref.null.
  • br_on_cast_fail and br_on_cast are skipped (we will add these later).

Fixup preserves the operand already on the stack:

  • For upcasts, it keeps the subtype fixed and repairs the supertype if needed.
  • For downcasts, it keeps the supertype fixed and repairs the subtype if needed.

Fixup repairs casts in three cases:

  1. If the existing sub <: super relation is already valid, it keeps the cast unchanged.
  2. If the relation is invalid but a directly related type exists, it repairs the cast to use that direct supertype or subtype.
  3. If no related type can be found, it falls back to a self-cast.

Downcasts are emitted in a trap-free form like:

...
local.tee 7                  ;; keep a copy of the supertype operand in a scratch local
ref.test (ref null 5)        ;; i32: 1 if the operand is (ref null 5), else 0; never traps
if (result (ref null 5))
  local.get 7
  ref.cast (ref null 5)      ;; safe: ref.test already succeeded for this value
else
  ref.null 5                 ;; cast would have failed, so produce a null of the target type instead of trapping
end
...

New tests have been added to test the new features.

+cc @fitzgen @eeide
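The three fixup cases and the trap-free downcast lowering above, as an added example that is not part of this PR or of wasmtime's gc_fuzz code. It models a hypothetical type section as a child-to-parent map (at most one declared supertype per type, no rec groups), keeps the operand type already on the stack fixed, and generalises the snippet in the description by emitting the downcast sequence for any scratch local and target type. The names `Hierarchy`, `CastKind`, `fixup` and `emit_downcast` are assumptions for illustration.

```rust
// Added example, not wasmtime's gc_fuzz implementation. Models a GC type
// hierarchy as a parent map and applies the cast-fixup rules and the
// trap-free downcast lowering described in the PR description.
use std::collections::HashMap;

/// Type index into a hypothetical module's type section.
pub type TypeIdx = u32;

/// Direction of the cast the fuzzer wants to emit.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CastKind {
    /// Operand of type `sub` is on the stack; cast it to `sup` (infallible).
    Up,
    /// Operand of type `sup` is on the stack; cast it to `sub` (fallible).
    Down,
}

/// Hypothetical hierarchy: each type has at most one declared supertype.
pub struct Hierarchy {
    parent: HashMap<TypeIdx, TypeIdx>,
}

impl Hierarchy {
    /// `edges` are (child, parent) pairs, i.e. `(sub ... (type (struct ...)))`.
    pub fn new(edges: &[(TypeIdx, TypeIdx)]) -> Self {
        Hierarchy { parent: edges.iter().cloned().collect() }
    }

    /// Reflexive, transitive `sub <: sup` check by walking the parent chain.
    pub fn is_subtype(&self, sub: TypeIdx, sup: TypeIdx) -> bool {
        let mut cur = Some(sub);
        while let Some(t) = cur {
            if t == sup {
                return true;
            }
            cur = self.parent.get(&t).copied();
        }
        false
    }

    /// A declared direct subtype of `sup`, lowest index first for determinism.
    fn direct_subtype(&self, sup: TypeIdx) -> Option<TypeIdx> {
        self.parent.iter().filter(|(_, p)| **p == sup).map(|(c, _)| *c).min()
    }

    /// Repair a (sub, sup) pair so that `sub <: sup` holds. For an upcast the
    /// subtype (the operand already on the stack) is kept fixed; for a
    /// downcast the supertype is kept fixed.
    pub fn fixup(&self, kind: CastKind, sub: TypeIdx, sup: TypeIdx) -> (TypeIdx, TypeIdx) {
        // Case 1: the relation is already valid, leave the cast unchanged.
        if self.is_subtype(sub, sup) {
            return (sub, sup);
        }
        match kind {
            // Case 2 (up): repair `sup` to the declared direct supertype of `sub`;
            // Case 3: no supertype exists, fall back to a self-cast.
            CastKind::Up => match self.parent.get(&sub) {
                Some(p) => (sub, *p),
                None => (sub, sub),
            },
            // Case 2 (down): repair `sub` to a declared direct subtype of `sup`;
            // Case 3: `sup` has no subtypes, fall back to a self-cast.
            CastKind::Down => match self.direct_subtype(sup) {
                Some(c) => (c, sup),
                None => (sup, sup),
            },
        }
    }
}

/// Infallible upcast: the operand of the subtype is already on the stack.
pub fn emit_upcast(sup: TypeIdx) -> String {
    format!("ref.cast (ref null {sup})\n")
}

/// Trap-free downcast: the supertype operand is on the stack and `scratch`
/// is a local whose type can hold it. Mirrors the sequence in the PR text.
pub fn emit_downcast(scratch: u32, sub: TypeIdx) -> String {
    format!(
        "local.tee {s}\nref.test (ref null {t})\nif (result (ref null {t}))\n  \
         local.get {s}\n  ref.cast (ref null {t})\nelse\n  ref.null {t}\nend\n",
        s = scratch,
        t = sub
    )
}

fn main() {
    // Constructed hierarchy: 1 <: 0, 2 <: 1, 3 <: 0.
    let h = Hierarchy::new(&[(1, 0), (2, 1), (3, 0)]);
    for (kind, sub, sup) in [
        (CastKind::Up, 2, 0),   // case 1, unchanged
        (CastKind::Up, 2, 3),   // case 2, sup repaired to 1
        (CastKind::Up, 0, 3),   // case 3, self-cast on 0
        (CastKind::Down, 3, 1), // case 2, sub repaired to 2
        (CastKind::Down, 0, 2), // case 3, self-cast on 2
    ] {
        let (s, p) = h.fixup(kind, sub, sup);
        println!("{kind:?} ({sub}, {sup}) -> ({s}, {p})");
    }
    print!("{}", emit_downcast(7, 5));
}
```

Whether the fuzzer picks the lowest-indexed direct subtype or a random one is an implementation detail not stated in the PR; the example uses the lowest index so the fixup is deterministic and testable.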

@khagankhan khagankhan requested a review from a team as a code owner April 9, 2026 02:45
@khagankhan khagankhan requested review from fitzgen and removed request for a team April 9, 2026 02:45
@github-actions github-actions bot added the fuzzing Issues related to our fuzzing infrastructure label Apr 9, 2026
@github-actions

github-actions bot commented Apr 9, 2026

Subscribe to Label Action

cc @fitzgen

Details This issue or pull request has been labeled: "fuzzing"

Thus the following users have been cc'd because of the following labels:

  • fitzgen: fuzzing

To subscribe or unsubscribe from this label, edit the .github/subscribe-to-label.json configuration file.


@khagankhan
Contributor Author

khagankhan commented Apr 9, 2026

The bug I mentioned turns out to be a false positive. I was running a standalone version of the fuzzer.

@fitzgen
Member

fitzgen left a comment

LGTM, let me know when you diagnose+fix the trap you saw locally, or if you need another set of eyes on it

@khagankhan
Contributor Author

Thanks, @fitzgen! That bug was not from this PR but from my local version, which has more features. I think this is good to be merged after ~1 hour of fuzzing with no crashes.


Labels

fuzzing Issues related to our fuzzing infrastructure
