[GC] Fix global handling in TypeRefiningGUFA (#7451)

kripken · web-flow · commit 63186dcf7023 · 2025-04-04T12:48:01.000-07:00
TypeRefiningGUFA refines struct types based on the types that flow into fields,
and looks past the immediate types in the IR. As a result, it can require
casts when we end up storing something that appears not-sufficiently-
refined to wasm validation rules, in ways that cannot occur with normal
TypeRefining.

The specific problem that can happen is that casts are disallowed in
globals, so we must be careful to not refine too much there.
diff --git a/src/passes/TypeRefining.cpp b/src/passes/TypeRefining.cpp
@@ -25,6 +25,7 @@
 // themselves.
 //
 
+#include "ir/find_all.h"
 #include "ir/lubs.h"
 #include "ir/possible-contents.h"
 #include "ir/struct-utils.h"
@@ -191,6 +192,39 @@ struct TypeRefining : public Pass {
 
     // Propagate to supertypes, so no field is less refined than its super.
     propagator.propagateToSuperTypes(finalInfos);
+
+    // Take into account possible problems. This pass only refines struct
+    // fields, and when we refine in a way that exceeds the wasm type system
+    // then we fix that up with a cast (see below). However, we cannot use casts
+    // in all places, specifically in globals, so we must account for that.
+    for (auto& global : module->globals) {
+      if (global->imported()) {
+        continue;
+      }
+
+      // Find StructNews, which are the one thing that can appear in a global
+      // init that is affected by our optimizations.
+      for (auto* structNew : FindAll<StructNew>(global->init).list) {
+        if (structNew->isWithDefault()) {
+          continue;
+        }
+
+        auto type = structNew->type.getHeapType();
+        auto& infos = finalInfos[type];
+        auto& fields = type.getStruct().fields;
+        for (Index i = 0; i < fields.size(); i++) {
+          // We are in a situation like this:
+          //
+          //  (struct.new $A
+          //   (global.get or such
+          //
+          // To avoid ending up requiring a cast later, the type of our child
+          // must fit perfectly in the field it is written to.
+          auto childType = structNew->operands[i]->type;
+          infos[i].note(childType);
+        }
+      }
+    }
   }
 
   void useFinalInfos(Module* module, Propagator& propagator) {
diff --git a/test/lit/passes/type-refining-gufa.wast b/test/lit/passes/type-refining-gufa.wast
@@ -296,3 +296,90 @@
   )
 )
 
+;; GUFA can infer the first global contains a $func, so the struct type's field
+;; can be refined. However, doing so would require adding a cast from the
+;; global's declared type (ref func) to the refined type, so that the struct.new
+;; validates. (Alternatively, we would need to refine the global's type at the
+;; same time we refine the struct, but this pass only refines structs.) The type
+;; of the struct's field should only refine as much as is valid, which is the
+;; type of the global, (ref func), and not the declared type $func. Both GUFA
+;; and normal type refining succeed here (-O3 removes the entire module, and is
+;; not interesting here).
+(module
+  ;; NRML:      (rec
+  ;; NRML-NEXT:  (type $struct (struct (field (ref func))))
+  ;; GUFA:      (rec
+  ;; GUFA-NEXT:  (type $struct (struct (field (ref func))))
+  (type $struct (struct (field funcref)))
+
+  ;; NRML:       (type $func (func))
+  ;; GUFA:       (type $func (func))
+  (type $func (func))
+
+  ;; NRML:      (global $A (ref func) (ref.func $func))
+  ;; GUFA:      (global $A (ref func) (ref.func $func))
+  (global $A (ref func) (ref.func $func))
+
+  ;; NRML:      (global $B (ref $struct) (struct.new $struct
+  ;; NRML-NEXT:  (global.get $A)
+  ;; NRML-NEXT: ))
+  ;; GUFA:      (global $B (ref $struct) (struct.new $struct
+  ;; GUFA-NEXT:  (global.get $A)
+  ;; GUFA-NEXT: ))
+  (global $B (ref $struct) (struct.new $struct
+    (global.get $A)
+  ))
+
+  ;; NRML:      (func $func (type $func)
+  ;; NRML-NEXT: )
+  ;; GUFA:      (func $func (type $func)
+  ;; GUFA-NEXT: )
+  (func $func (type $func)
+  )
+)
+
+;; As above, but now the global has a refined type, so we can refine fully.
+(module
+  ;; NRML:      (rec
+  ;; NRML-NEXT:  (type $struct (struct (field (ref $func))))
+  ;; GUFA:      (rec
+  ;; GUFA-NEXT:  (type $struct (struct (field (ref $func))))
+  (type $struct (struct (field funcref)))
+
+  ;; NRML:       (type $func (func))
+  ;; GUFA:       (type $func (func))
+  (type $func (func))
+
+  ;; NRML:      (global $A (ref $func) (ref.func $func))
+  ;; GUFA:      (global $A (ref $func) (ref.func $func))
+  (global $A (ref $func) (ref.func $func))  ;; the type here changed
+
+  ;; NRML:      (global $B (ref $struct) (struct.new $struct
+  ;; NRML-NEXT:  (global.get $A)
+  ;; NRML-NEXT: ))
+  ;; GUFA:      (global $B (ref $struct) (struct.new $struct
+  ;; GUFA-NEXT:  (global.get $A)
+  ;; GUFA-NEXT: ))
+  (global $B (ref $struct) (struct.new $struct
+    (global.get $A)
+  ))
+
+  ;; NRML:      (func $func (type $func)
+  ;; NRML-NEXT: )
+  ;; GUFA:      (func $func (type $func)
+  ;; GUFA-NEXT: )
+  (func $func (type $func)
+  )
+)
+
+;; Check we do not error on struct.new_default in a global. Here we can refine
+;; the field to nullref.
+(module
+  ;; NRML:      (type $struct (struct (field nullfuncref)))
+  ;; GUFA:      (type $struct (struct (field nullfuncref)))
+  (type $struct (struct (field funcref)))
+
+  ;; NRML:      (global $C (ref $struct) (struct.new_default $struct))
+  ;; GUFA:      (global $C (ref $struct) (struct.new_default $struct))
+  (global $C (ref $struct) (struct.new_default $struct))
+)
