[Custom Descriptors] Handle global effects in GTO (#7698)

tlively · web-flow · commit 8844b1f261cb · 2025-07-07T09:03:29.000-07:00
GTO uses ChildLocalizer to ensure that removing children from a
struct.new does not drop any side effects. But that does not work
outside function contexts. This was previously not a problem because
there were no side effects possible outside function contexts, but now
with custom descriptors it is possible for struct.news in constant
expressions to trap due to being given null descriptors.

To preserve side effects during instantiation, put expressions that
might trap and that have been removed outside function contexts into new
globals. This ensures that their side effects, if any, are still
executed during instantiation.
diff --git a/scripts/test/fuzzing.py b/scripts/test/fuzzing.py
@@ -127,6 +127,7 @@
     'gc-desc.wast',
     'simplify-locals-desc.wast',
     'optimize-instructions-desc.wast',
+    'gto-desc.wast',
     # TODO: fix split_wast() on tricky escaping situations like a string ending
     #       in \\" (the " is not escaped - there is an escaped \ before it)
     'string-lifting-section.wast',
diff --git a/src/passes/GlobalTypeOptimization.cpp b/src/passes/GlobalTypeOptimization.cpp
@@ -25,6 +25,7 @@
 #include "ir/eh-utils.h"
 #include "ir/localize.h"
 #include "ir/module-utils.h"
+#include "ir/names.h"
 #include "ir/ordering.h"
 #include "ir/struct-utils.h"
 #include "ir/subtypes.h"
@@ -461,6 +462,11 @@ struct GlobalTypeOptimization : public Pass {
 
       bool needEHFixups = false;
 
+      // Expressions that might trap that have been removed from module-level
+      // initializers. These need to be placed in new globals to preserve any
+      // instantiation-time traps.
+      std::vector<Expression*> removedTrappingInits;
+
       void visitStructNew(StructNew* curr) {
         if (curr->type == Type::unreachable) {
           return;
@@ -481,22 +487,31 @@ struct GlobalTypeOptimization : public Pass {
 
         // Ensure any children with non-trivial effects are replaced with
         // local.gets, so that we can remove/reorder to our hearts' content.
-        ChildLocalizer localizer(
-          curr, getFunction(), *getModule(), getPassOptions());
-        replaceCurrent(localizer.getReplacement());
-        // Adding a block here requires EH fixups.
-        needEHFixups = true;
+        // We can only do this inside functions. Outside of functions, we
+        // preserve traps during instantiation by creating new globals to hold
+        // removed and potentially-trapping operands instead.
+        auto* func = getFunction();
+        if (func) {
+          ChildLocalizer localizer(curr, func, *getModule(), getPassOptions());
+          replaceCurrent(localizer.getReplacement());
+          // Adding a block here requires EH fixups.
+          needEHFixups = true;
+        }
 
         // Remove and reorder operands.
         Index removed = 0;
         std::vector<Expression*> old(operands.begin(), operands.end());
-        for (Index i = 0; i < operands.size(); i++) {
+        for (Index i = 0; i < operands.size(); ++i) {
           auto newIndex = indexesAfterRemoval[i];
           if (newIndex != RemovedField) {
             assert(newIndex < operands.size());
             operands[newIndex] = old[i];
           } else {
-            removed++;
+            ++removed;
+            if (!func &&
+                EffectAnalyzer(getPassOptions(), *getModule(), old[i]).trap) {
+              removedTrappingInits.push_back(old[i]);
+            }
           }
         }
         if (removed) {
@@ -573,6 +588,16 @@ struct GlobalTypeOptimization : public Pass {
     FieldRemover remover(*this);
     remover.run(getPassRunner(), &wasm);
     remover.runOnModuleCode(getPassRunner(), &wasm);
+
+    // Insert globals necessary to preserve instantiation-time trapping of
+    // removed expressions.
+    for (Index i = 0; i < remover.removedTrappingInits.size(); ++i) {
+      auto* curr = remover.removedTrappingInits[i];
+      auto name = Names::getValidGlobalName(
+        wasm, std::string("gto-removed-") + std::to_string(i));
+      wasm.addGlobal(
+        Builder::makeGlobal(name, curr->type, curr, Builder::Immutable));
+    }
   }
 };
 
diff --git a/test/lit/passes/gto-desc.wast b/test/lit/passes/gto-desc.wast
@@ -0,0 +1,130 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --all-items and should not be edited.
+
+;; RUN: wasm-opt %s -all --closed-world --gto --preserve-type-order -S -o - | filecheck %s
+
+(module
+  (rec
+    ;; CHECK:      (rec
+    ;; CHECK-NEXT:  (type $struct (descriptor $desc (struct (field i32))))
+    (type $struct (descriptor $desc (struct (field i32))))
+    ;; CHECK:       (type $desc (describes $struct (struct)))
+    (type $desc (describes $struct (struct)))
+    ;; CHECK:       (type $pair (struct))
+    (type $pair (struct (field (ref $struct)) (field (ref $struct))))
+    ;; CHECK:       (type $used-pair (struct (field (ref $struct)) (field (ref $struct))))
+    (type $used-pair (struct (field (ref $struct)) (field (ref $struct))))
+  )
+
+  ;; CHECK:       (type $4 (func (param (ref $struct) (ref $used-pair))))
+
+  ;; CHECK:      (global $nullable-desc (ref null (exact $desc)) (struct.new_default $desc))
+  (global $nullable-desc (ref null (exact $desc)) (struct.new $desc))
+
+  ;; Check that we generate fresh names for added globals.
+  ;; CHECK:      (global $gto-removed-1 nullref (ref.null none))
+  (global $gto-removed-1 nullref (ref.null none))
+
+  ;; CHECK:      (global $second-traps (ref $pair) (struct.new_default $pair))
+  (global $second-traps (ref $pair)
+    ;; Both fields will be removed, but only the second can trap, so only the
+    ;; second will be moved to a new global.
+    (struct.new $pair
+      (struct.new $struct
+        (i32.const 0)
+        (struct.new $desc)
+      )
+      (struct.new $struct
+        (i32.const 1)
+        (ref.null none)
+      )
+    )
+  )
+
+  ;; CHECK:      (global $first-traps (ref $pair) (struct.new_default $pair))
+  (global $first-traps (ref $pair)
+    ;; Same as above, but now the first traps (or at least we assume it can
+    ;; based on its type).
+    (struct.new $pair
+      (struct.new $struct
+        (i32.const 2)
+        (global.get $nullable-desc)
+      )
+      (struct.new $struct
+        (i32.const 3)
+        (struct.new $desc)
+      )
+    )
+  )
+
+  ;; CHECK:      (global $used-traps (ref $used-pair) (struct.new $used-pair
+  ;; CHECK-NEXT:  (struct.new $struct
+  ;; CHECK-NEXT:   (i32.const 4)
+  ;; CHECK-NEXT:   (ref.null none)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (struct.new $struct
+  ;; CHECK-NEXT:   (i32.const 5)
+  ;; CHECK-NEXT:   (ref.null none)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: ))
+  (global $used-traps (ref $used-pair)
+    ;; Now both trap, but they are also used, so they will not be removed and no
+    ;; globals will be created.
+    (struct.new $used-pair
+      (struct.new $struct
+        (i32.const 4)
+        (ref.null none)
+      )
+      (struct.new $struct
+        (i32.const 5)
+        (ref.null none)
+      )
+    )
+  )
+
+  ;; CHECK:      (global $gto-removed-0 (ref (exact $struct)) (struct.new $struct
+  ;; CHECK-NEXT:  (i32.const 1)
+  ;; CHECK-NEXT:  (ref.null none)
+  ;; CHECK-NEXT: ))
+
+  ;; CHECK:      (global $gto-removed-1_6 (ref (exact $struct)) (struct.new $struct
+  ;; CHECK-NEXT:  (i32.const 2)
+  ;; CHECK-NEXT:  (global.get $nullable-desc)
+  ;; CHECK-NEXT: ))
+
+  ;; CHECK:      (func $use-struct-fields (type $4) (param $0 (ref $struct)) (param $1 (ref $used-pair))
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (struct.get $struct 0
+  ;; CHECK-NEXT:    (local.get $0)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (struct.get $used-pair 0
+  ;; CHECK-NEXT:    (local.get $1)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (struct.get $used-pair 1
+  ;; CHECK-NEXT:    (local.get $1)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $use-struct-fields (param (ref $struct)) (param (ref $used-pair))
+    ;; Prevent the i32s in the initializers from being removed.
+    (drop
+      (struct.get $struct 0
+        (local.get 0)
+      )
+    )
+    ;; Prevent the fields in used-pair from being removed.
+    (drop
+      (struct.get $used-pair 0
+        (local.get 1)
+      )
+    )
+    (drop
+      (struct.get $used-pair 1
+        (local.get 1)
+      )
+    )
+  )
+)
