Avoid invalid exact casts in TypeRefining (#7529)

tlively · web-flow · commit eb00324e8ee7 · 2025-04-21T14:29:59.000-07:00
TypeRefining (both the normal and GUFA variants) is able to infer that a
field can be more precise than is immediately apparent from the type of
an expression set to that field. In these cases, the pass inserts a cast
to recover the more precise type information. When custom descriptors
are not enabled, casts to exact types invalid, so avoid introducing new
exactness that might need such invalid casts in that case.
diff --git a/scripts/test/fuzzing.py b/scripts/test/fuzzing.py
@@ -122,6 +122,8 @@
     'signature-refining-exact.wast',
     'gufa-cast-all-exact.wast',
     'type-merging-exact.wast',
+    'type-refining-exact.wast',
+    'type-refining-gufa-exact.wast',
     # TODO: fuzzer support for custom descriptors
     'custom-descriptors.wast',
 ]
diff --git a/src/passes/TypeRefining.cpp b/src/passes/TypeRefining.cpp
@@ -61,7 +61,13 @@ struct FieldInfoScanner
                       HeapType type,
                       Index index,
                       FieldInfo& info) {
-    info.note(expr->type);
+    auto noted = expr->type;
+    // Do not introduce new exact fields that might requires invalid
+    // casts. Keep any existing exact fields, though.
+    if (type.getStruct().fields[index].type.isInexact()) {
+      noted = noted.withInexactIfNoCustomDescs(getModule()->features);
+    }
+    info.note(noted);
   }
 
   void
@@ -185,6 +191,11 @@ struct TypeRefining : public Pass {
         auto& infos = finalInfos[type];
         for (Index i = 0; i < fields.size(); i++) {
           auto gufaType = oracle.getContents(DataLocation{type, i}).getType();
+          // Do not introduce new exact fields that might requires invalid
+          // casts. Keep any existing exact fields, though.
+          if (!fields[i].type.isExact()) {
+            gufaType = gufaType.withInexactIfNoCustomDescs(module->features);
+          }
           infos[i] = LUBFinder(gufaType);
         }
       }
diff --git a/test/lit/passes/type-refining-exact.wast b/test/lit/passes/type-refining-exact.wast
@@ -0,0 +1,105 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py and should not be edited.
+
+;; Check that we don't refine in ways that might require invalid exact casts
+;; when custom descriptors is disabled.
+
+;; RUN: wasm-opt %s -all                              --closed-world --preserve-type-order \
+;; RUN:     --type-refining -S -o - | filecheck %s
+
+;; RUN: wasm-opt %s -all --disable-custom-descriptors --closed-world --preserve-type-order \
+;; RUN:     --type-refining -S -o - | filecheck %s --check-prefix=NO_CD
+
+(module
+  ;; CHECK:      (rec
+  ;; CHECK-NEXT:  (type $foo (struct))
+  ;; NO_CD:      (rec
+  ;; NO_CD-NEXT:  (type $foo (struct))
+  (type $foo (struct))
+  ;; CHECK:       (type $bar (struct (field (mut (ref (exact $foo))))))
+  ;; NO_CD:       (type $bar (struct (field (mut (ref $foo)))))
+  (type $bar (struct (field (mut (ref null $foo)))))
+
+  ;; CHECK:       (type $already-exact (struct (field (ref (exact $foo)))))
+  ;; NO_CD:       (type $already-exact (struct (field (ref (exact $foo)))))
+  (type $already-exact (struct (field (ref (exact $foo)))))
+
+  ;; CHECK:      (tag $e (type $3))
+  ;; NO_CD:      (tag $e (type $3))
+  (tag $e)
+
+  ;; CHECK:      (func $struct.new (type $4) (param $inexact (ref null $foo)) (param $exact (ref (exact $foo))) (result anyref)
+  ;; CHECK-NEXT:  (struct.new $bar
+  ;; CHECK-NEXT:   (ref.cast (ref (exact $foo))
+  ;; CHECK-NEXT:    (try (result (ref null $foo))
+  ;; CHECK-NEXT:     (do
+  ;; CHECK-NEXT:      (struct.get $bar 0
+  ;; CHECK-NEXT:       (struct.new $bar
+  ;; CHECK-NEXT:        (local.get $exact)
+  ;; CHECK-NEXT:       )
+  ;; CHECK-NEXT:      )
+  ;; CHECK-NEXT:     )
+  ;; CHECK-NEXT:     (catch $e
+  ;; CHECK-NEXT:      (local.get $inexact)
+  ;; CHECK-NEXT:     )
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  ;; NO_CD:      (func $struct.new (type $4) (param $inexact (ref null $foo)) (param $exact (ref (exact $foo))) (result anyref)
+  ;; NO_CD-NEXT:  (struct.new $bar
+  ;; NO_CD-NEXT:   (ref.cast (ref $foo)
+  ;; NO_CD-NEXT:    (try (result (ref null $foo))
+  ;; NO_CD-NEXT:     (do
+  ;; NO_CD-NEXT:      (struct.get $bar 0
+  ;; NO_CD-NEXT:       (struct.new $bar
+  ;; NO_CD-NEXT:        (local.get $exact)
+  ;; NO_CD-NEXT:       )
+  ;; NO_CD-NEXT:      )
+  ;; NO_CD-NEXT:     )
+  ;; NO_CD-NEXT:     (catch $e
+  ;; NO_CD-NEXT:      (local.get $inexact)
+  ;; NO_CD-NEXT:     )
+  ;; NO_CD-NEXT:    )
+  ;; NO_CD-NEXT:   )
+  ;; NO_CD-NEXT:  )
+  ;; NO_CD-NEXT: )
+  (func $struct.new (param $inexact (ref null $foo)) (param $exact (ref (exact $foo))) (result anyref)
+    (struct.new $bar
+      (try (result (ref null $foo))
+        (do
+          (struct.get $bar 0
+            (struct.new $bar
+              (local.get $exact)
+            )
+          )
+        )
+        (catch $e
+          (local.get $inexact)
+        )
+      )
+    )
+  )
+
+  ;; CHECK:      (func $make-already-exact (type $5) (param $0 (ref (exact $foo))) (result (ref (exact $foo)))
+  ;; CHECK-NEXT:  (struct.get $already-exact 0
+  ;; CHECK-NEXT:   (struct.new $already-exact
+  ;; CHECK-NEXT:    (local.get $0)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  ;; NO_CD:      (func $make-already-exact (type $5) (param $0 (ref (exact $foo))) (result (ref (exact $foo)))
+  ;; NO_CD-NEXT:  (struct.get $already-exact 0
+  ;; NO_CD-NEXT:   (struct.new $already-exact
+  ;; NO_CD-NEXT:    (local.get $0)
+  ;; NO_CD-NEXT:   )
+  ;; NO_CD-NEXT:  )
+  ;; NO_CD-NEXT: )
+  (func $make-already-exact (param (ref (exact $foo))) (result (ref (exact $foo)))
+    ;; We should not accidentally remove exactness from a field that is already exact.
+    (struct.get $already-exact 0
+      (struct.new $already-exact
+        (local.get 0)
+      )
+    )
+  )
+)
diff --git a/test/lit/passes/type-refining-gufa-exact.wast b/test/lit/passes/type-refining-gufa-exact.wast
@@ -0,0 +1,80 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py and should not be edited.
+
+;; Check that we don't refine in ways that might require invalid exact casts
+;; when custom descriptors is disabled.
+
+;; RUN: wasm-opt %s -all                              --closed-world --preserve-type-order \
+;; RUN:     --type-refining-gufa -S -o - | filecheck %s
+
+;; RUN: wasm-opt %s -all --disable-custom-descriptors --closed-world --preserve-type-order \
+;; RUN:     --type-refining-gufa -S -o - | filecheck %s --check-prefix=NO_CD
+
+(module
+  ;; CHECK:      (type $foo (struct))
+  ;; NO_CD:      (type $foo (struct))
+  (type $foo (struct))
+  ;; CHECK:      (rec
+  ;; CHECK-NEXT:  (type $bar (struct (field (ref (exact $foo)))))
+  ;; NO_CD:      (rec
+  ;; NO_CD-NEXT:  (type $bar (struct (field (ref $foo))))
+  (type $bar (struct (field (ref null $foo))))
+
+  ;; CHECK:       (type $already-exact (struct (field (ref (exact $foo)))))
+  ;; NO_CD:       (type $already-exact (struct (field (ref (exact $foo)))))
+  (type $already-exact (struct (field (ref (exact $foo)))))
+
+  ;; CHECK:      (import "" "" (global $exact (ref (exact $foo))))
+  ;; NO_CD:      (import "" "" (global $exact (ref (exact $foo))))
+  (import "" "" (global $exact (ref (exact $foo))))
+
+  ;; CHECK:      (global $g (ref $foo) (global.get $exact))
+  ;; NO_CD:      (global $g (ref $foo) (global.get $exact))
+  (global $g (ref $foo) (global.get $exact))
+
+  ;; CHECK:      (func $make-bar (type $3)
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (struct.new $bar
+  ;; CHECK-NEXT:    (ref.cast (ref (exact $foo))
+  ;; CHECK-NEXT:     (global.get $g)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  ;; NO_CD:      (func $make-bar (type $3)
+  ;; NO_CD-NEXT:  (drop
+  ;; NO_CD-NEXT:   (struct.new $bar
+  ;; NO_CD-NEXT:    (global.get $g)
+  ;; NO_CD-NEXT:   )
+  ;; NO_CD-NEXT:  )
+  ;; NO_CD-NEXT: )
+  (func $make-bar
+    (drop
+      (struct.new $bar
+        (global.get $g)
+      )
+    )
+  )
+
+  ;; CHECK:      (func $make-already-exact (type $4) (result (ref (exact $foo)))
+  ;; CHECK-NEXT:  (struct.get $already-exact 0
+  ;; CHECK-NEXT:   (struct.new $already-exact
+  ;; CHECK-NEXT:    (global.get $exact)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  ;; NO_CD:      (func $make-already-exact (type $4) (result (ref (exact $foo)))
+  ;; NO_CD-NEXT:  (struct.get $already-exact 0
+  ;; NO_CD-NEXT:   (struct.new $already-exact
+  ;; NO_CD-NEXT:    (global.get $exact)
+  ;; NO_CD-NEXT:   )
+  ;; NO_CD-NEXT:  )
+  ;; NO_CD-NEXT: )
+  (func $make-already-exact (result (ref (exact $foo)))
+    ;; We should not accidentally remove exactness from a field that is already exact.
+    (struct.get $already-exact 0
+      (struct.new $already-exact
+        (global.get $exact)
+      )
+    )
+  )
+)

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,8 @@`
`122`	`122`	`'signature-refining-exact.wast',`
`123`	`123`	`'gufa-cast-all-exact.wast',`
`124`	`124`	`'type-merging-exact.wast',`
	`125`	`+ 'type-refining-exact.wast',`
	`126`	`+ 'type-refining-gufa-exact.wast',`
`125`	`127`	`# TODO: fuzzer support for custom descriptors`
`126`	`128`	`'custom-descriptors.wast',`
`127`	`129`	`]`