Allow null-checking exact casts without custom descriptors (#7520)

tlively · web-flow · commit 60cc9c554895 · 2025-04-18T11:24:46.000-07:00
We previously allowed trivial exact casts (i.e. those where the input
and target types are the same) to validate even without custom
descriptors enabled to ensure that finalization always produces valid
casts. But validation can also produce casts where the cast target is a
non-nullable exact reference and the input type is a nullable exact
reference to the same heap type. Update validation to allow these casts.

This is safe because erasing the exactness of the input and cast types
does not change the results of these casts. They succeed iff the input
is a non-null value.
diff --git a/src/wasm/wasm-validator.cpp b/src/wasm/wasm-validator.cpp
@@ -2904,13 +2904,14 @@ void FunctionValidator::visitRefTest(RefTest* curr) {
     curr,
     "ref.test target type and ref type must have a common supertype");
 
-  // If custom descriptors is not enabled, only trivial exact casts are allowed,
-  // i.e. those where the operand has the same exact type. The result of these
-  // trivial exact casts does not change when the types are made inexact during
-  // binary writing.
+  // If custom descriptors is not enabled, only trivial and null-checking exact
+  // casts are allowed, i.e. those where the operand is also exact and has the
+  // same heap type, but may differ in nullability. The result of these trivial
+  // exact casts does not change when the types are made inexact during binary
+  // writing.
   if (!getModule()->features.hasCustomDescriptors()) {
-    shouldBeTrue(curr->castType.isInexact() ||
-                   curr->castType == curr->ref->type,
+    shouldBeTrue(curr->castType.isInexact() || curr->castType.with(Nullable) ==
+                                                 curr->ref->type.with(Nullable),
                  curr,
                  "ref.test of exact type requires custom descriptors "
                  "[--enable-custom-descriptors]");
@@ -2956,7 +2957,8 @@ void FunctionValidator::visitRefCast(RefCast* curr) {
 
   // See comment about exactness on visitRefTest.
   if (!getModule()->features.hasCustomDescriptors()) {
-    shouldBeTrue(curr->type.isInexact() || curr->type == curr->ref->type,
+    shouldBeTrue(curr->type.isInexact() ||
+                   curr->type.with(Nullable) == curr->ref->type.with(Nullable),
                  curr,
                  "ref.cast to exact type requires custom descriptors "
                  "[--enable-custom-descriptors]");
@@ -2993,7 +2995,8 @@ void FunctionValidator::visitBrOn(BrOn* curr) {
     // See comment about exactness on visitRefTest.
     if (!getModule()->features.hasCustomDescriptors()) {
       shouldBeTrue(curr->castType.isInexact() ||
-                     curr->castType == curr->ref->type,
+                     curr->castType.with(Nullable) ==
+                       curr->ref->type.with(Nullable),
                    curr,
                    "br_on_cast* to exact type requires custom descriptors "
                    "[--enable-custom-descriptors]");
diff --git a/test/lit/validation/exact-casts-trivial.wast b/test/lit/validation/exact-casts-trivial.wast
@@ -9,71 +9,215 @@
   ;; CHECK:      (type $foo (struct))
   (type $foo (struct))
 
-  ;; CHECK:      (func $ref.cast (type $1) (param $0 (ref null (exact $foo)))
+  ;; CHECK:      (func $ref.cast (type $1) (param $0 (ref (exact $foo))) (param $1 (ref null (exact $foo)))
   ;; CHECK-NEXT:  (drop
-  ;; CHECK-NEXT:   (ref.cast (ref null (exact $foo))
+  ;; CHECK-NEXT:   (ref.cast (ref (exact $foo))
   ;; CHECK-NEXT:    (local.get $0)
   ;; CHECK-NEXT:   )
   ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (ref.cast (ref (exact $foo))
+  ;; CHECK-NEXT:    (local.get $0)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (ref.cast (ref null (exact $foo))
+  ;; CHECK-NEXT:    (local.get $1)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (ref.cast (ref (exact $foo))
+  ;; CHECK-NEXT:    (local.get $1)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
   ;; CHECK-NEXT: )
-  (func $ref.cast (param (ref null (exact $foo)))
+  (func $ref.cast (param (ref (exact $foo)) (ref null (exact $foo)))
     (drop
       (ref.cast anyref
         (local.get 0)
       )
     )
+    (drop
+      (ref.cast (ref any)
+        (local.get 0)
+      )
+    )
+    (drop
+      (ref.cast anyref
+        (local.get 1)
+      )
+    )
+    (drop
+      (ref.cast (ref any)
+        (local.get 1)
+      )
+    )
   )
 
-  ;; CHECK:      (func $ref.test (type $2) (param $0 (ref (exact $foo)))
+  ;; CHECK:      (func $ref.test (type $1) (param $0 (ref (exact $foo))) (param $1 (ref null (exact $foo)))
   ;; CHECK-NEXT:  (drop
   ;; CHECK-NEXT:   (ref.test (ref (exact $foo))
   ;; CHECK-NEXT:    (local.get $0)
   ;; CHECK-NEXT:   )
   ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (ref.test (ref (exact $foo))
+  ;; CHECK-NEXT:    (local.get $0)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (ref.test (ref null (exact $foo))
+  ;; CHECK-NEXT:    (local.get $1)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (ref.test (ref (exact $foo))
+  ;; CHECK-NEXT:    (local.get $1)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
   ;; CHECK-NEXT: )
-  (func $ref.test (param (ref (exact $foo)))
+  (func $ref.test (param (ref (exact $foo)) (ref null (exact $foo)))
     (drop
       (ref.test anyref
         (local.get 0)
       )
     )
+    (drop
+      (ref.test (ref any)
+        (local.get 0)
+      )
+    )
+    (drop
+      (ref.test anyref
+        (local.get 1)
+      )
+    )
+    (drop
+      (ref.test (ref any)
+        (local.get 1)
+      )
+    )
   )
 
-  ;; CHECK:      (func $br_on_cast (type $1) (param $0 (ref null (exact $foo)))
+  ;; CHECK:      (func $br_on_cast (type $2) (param $0 (ref null (exact $foo))) (param $1 (ref null (exact $foo)))
   ;; CHECK-NEXT:  (drop
   ;; CHECK-NEXT:   (block $block (result anyref)
   ;; CHECK-NEXT:    (br_on_cast $block (ref null (exact $foo)) (ref null (exact $foo))
   ;; CHECK-NEXT:     (local.get $0)
   ;; CHECK-NEXT:    )
   ;; CHECK-NEXT:   )
   ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block $block1 (result anyref)
+  ;; CHECK-NEXT:    (br_on_cast $block1 (ref null (exact $foo)) (ref (exact $foo))
+  ;; CHECK-NEXT:     (local.get $0)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block $block2 (result anyref)
+  ;; CHECK-NEXT:    (br_on_cast $block2 (ref null (exact $foo)) (ref null (exact $foo))
+  ;; CHECK-NEXT:     (local.get $1)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block $block3 (result anyref)
+  ;; CHECK-NEXT:    (br_on_cast $block3 (ref null (exact $foo)) (ref (exact $foo))
+  ;; CHECK-NEXT:     (local.get $1)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
   ;; CHECK-NEXT: )
-  (func $br_on_cast (param (ref null (exact $foo)))
+  (func $br_on_cast (param (ref null (exact $foo)) (ref null (exact $foo)))
     (drop
       (block (result anyref)
         (br_on_cast 0 anyref anyref
           (local.get 0)
         )
       )
     )
+    (drop
+      (block (result anyref)
+        (br_on_cast 0 anyref (ref any)
+          (local.get 0)
+        )
+      )
+    )
+    (drop
+      (block (result anyref)
+        (br_on_cast 0 anyref anyref
+          (local.get 1)
+        )
+      )
+    )
+    (drop
+      (block (result anyref)
+        (br_on_cast 0 anyref (ref any)
+          (local.get 1)
+        )
+      )
+    )
   )
 
-  ;; CHECK:      (func $br_on_cast_fail (type $2) (param $0 (ref (exact $foo)))
+  ;; CHECK:      (func $br_on_cast_fail (type $1) (param $0 (ref (exact $foo))) (param $1 (ref null (exact $foo)))
   ;; CHECK-NEXT:  (drop
   ;; CHECK-NEXT:   (block $block (result anyref)
   ;; CHECK-NEXT:    (br_on_cast_fail $block (ref (exact $foo)) (ref (exact $foo))
   ;; CHECK-NEXT:     (local.get $0)
   ;; CHECK-NEXT:    )
   ;; CHECK-NEXT:   )
   ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block $block1 (result anyref)
+  ;; CHECK-NEXT:    (br_on_cast_fail $block1 (ref (exact $foo)) (ref (exact $foo))
+  ;; CHECK-NEXT:     (local.get $0)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block $block2 (result anyref)
+  ;; CHECK-NEXT:    (br_on_cast_fail $block2 (ref null (exact $foo)) (ref null (exact $foo))
+  ;; CHECK-NEXT:     (local.get $1)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block $block3 (result anyref)
+  ;; CHECK-NEXT:    (br_on_cast_fail $block3 (ref null (exact $foo)) (ref (exact $foo))
+  ;; CHECK-NEXT:     (local.get $1)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
   ;; CHECK-NEXT: )
-  (func $br_on_cast_fail (param (ref (exact $foo)))
+  (func $br_on_cast_fail (param (ref (exact $foo)) (ref null (exact $foo)))
     (drop
       (block (result anyref)
         (br_on_cast_fail 0 anyref anyref
           (local.get 0)
         )
       )
     )
+    (drop
+      (block (result anyref)
+        (br_on_cast_fail 0 anyref (ref any)
+          (local.get 0)
+        )
+      )
+    )
+    (drop
+      (block (result anyref)
+        (br_on_cast_fail 0 anyref anyref
+          (local.get 1)
+        )
+      )
+    )
+    (drop
+      (block (result anyref)
+        (br_on_cast_fail 0 anyref (ref any)
+          (local.get 1)
+        )
+      )
+    )
   )
 )
