[Custom Descriptors] Fix allocations with optimized descs in AbstractTypeRefining (#7769)

tlively · web-flow · commit 53ab5f5261a9 · 2025-07-30T17:36:29.000Z
Previously When AbstractTypeRefining optimized a descriptor type, it
left any allocation of its described type with an invalid, mismatched
descriptor type. Avoid this problem by preoptimizing these allocations,
since we know they cannot possibly succeed. In function contexts, we
can drop their children and replace them with unreachables. Outside
function contexts, we can replace the descriptors will null values.
diff --git a/src/passes/AbstractTypeRefining.cpp b/src/passes/AbstractTypeRefining.cpp
@@ -35,6 +35,7 @@
 
 #include <memory>
 
+#include "ir/drop.h"
 #include "ir/localize.h"
 #include "ir/module-utils.h"
 #include "ir/subtypes.h"
@@ -269,7 +270,9 @@ struct AbstractTypeRefining : public Pass {
       return;
     }
 
-    fixupCasts(*module, mapping);
+    // We may need to apply some preliminary optimizations to ensure we maintain
+    // validity and correctness when we rewrite the types.
+    preoptimize(*module, mapping);
 
     // Rewriting types can usually rewrite subtype relationships. For example,
     // if we have this:
@@ -302,44 +305,22 @@ struct AbstractTypeRefining : public Pass {
     ReFinalize().run(getPassRunner(), module);
   }
 
-  void fixupCasts(Module& module, const TypeMapper::TypeUpdates& mapping) {
+  void preoptimize(Module& module, const TypeMapper::TypeUpdates& mapping) {
     if (!module.features.hasCustomDescriptors()) {
-      // No descriptor or exact casts to fix up.
+      // No descriptor casts, exact casts, or allocations with descriptors to
+      // fix up.
       return;
     }
 
-    // We may have casts like this:
-    //
-    //   (ref.cast_desc (ref null $optimized-to-bottom)
-    //     (some struct...)
-    //     (some desc...)
-    //   )
-    //
-    // We will optimize the cast target to nullref, but then ReFinalize would
-    // fix up the cast target back to $optimized-to-bottom. Optimize out the
-    // cast (which we know must either be a null check or unconditional trap)
-    // to avoid this reintroduction of the optimized type.
-    //
-    // Separately, we may have exact casts like this:
-    //
-    //   (br_on_cast anyref $l (ref (exact $uninstantiated)) ... )
-    //
-    // We know such casts will fail (or will pass only for null values), but
-    // with traps-never-happen, we might optimize them to this:
-    //
-    //   (br_on_cast anyref $l (ref (exact $instantiated-subtype)) ... )
-    //
-    // This might cause the casts to incorrectly start succeeding. To avoid
-    // that, optimize them out first.
-    struct CastFixer : WalkerPass<PostWalker<CastFixer>> {
+    struct Preoptimizer : WalkerPass<PostWalker<Preoptimizer>> {
       const TypeMapper::TypeUpdates& mapping;
 
-      CastFixer(const TypeMapper::TypeUpdates& mapping) : mapping(mapping) {}
+      Preoptimizer(const TypeMapper::TypeUpdates& mapping) : mapping(mapping) {}
 
       bool isFunctionParallel() override { return true; }
 
       std::unique_ptr<Pass> create() override {
-        return std::make_unique<CastFixer>(mapping);
+        return std::make_unique<Preoptimizer>(mapping);
       }
 
       Block* localizeChildren(Expression* curr) {
@@ -361,6 +342,29 @@ struct AbstractTypeRefining : public Pass {
         return it->second;
       }
 
+      // We may have casts like this:
+      //
+      //   (ref.cast_desc (ref null $optimized-to-bottom)
+      //     (some struct...)
+      //     (some desc...)
+      //   )
+      //
+      // We will optimize the cast target to nullref, but then ReFinalize would
+      // fix up the cast target back to $optimized-to-bottom. Optimize out the
+      // cast (which we know must either be a null check or unconditional trap)
+      // to avoid this reintroduction of the optimized type.
+      //
+      // Separately, we may have exact casts like this:
+      //
+      //   (br_on_cast anyref $l (ref (exact $uninstantiated)) ... )
+      //
+      // We know such casts will fail (or will pass only for null values), but
+      // with traps-never-happen, we might optimize them to this:
+      //
+      //   (br_on_cast anyref $l (ref (exact $instantiated-subtype)) ... )
+      //
+      // This might cause the casts to incorrectly start succeeding. To avoid
+      // that, optimize them out first.
       void visitRefCast(RefCast* curr) {
         auto optimized = getOptimized(curr->type);
         if (!optimized) {
@@ -426,8 +430,34 @@ struct AbstractTypeRefining : public Pass {
           }
         }
       }
-    } fixer(mapping);
-    fixer.run(getPassRunner(), &module);
+
+      void visitStructNew(StructNew* curr) {
+        if (!curr->desc) {
+          return;
+        }
+        auto optimized = getOptimized(curr->desc->type);
+        if (!optimized) {
+          return;
+        }
+        // The descriptor type is not instantiated, so there is no way this
+        // allocation can succeed. We need to remove it to avoid leaving it with
+        // a mismatched descriptor type after type rewriting. If we are in a
+        // function context, replace it with unreachable, taking care to
+        // preserve any side effects. If we're not in a function context, then
+        // we cannot use things like blocks or drops, but there are also no
+        // effects besides traps, so we can just replace the descriptor with a
+        // null.
+        Builder builder(*getModule());
+        if (getFunction()) {
+          replaceCurrent(getDroppedChildrenAndAppend(
+            curr, *getModule(), getPassOptions(), builder.makeUnreachable()));
+        } else {
+          curr->desc = builder.makeRefNull(HeapType::none);
+        }
+      }
+    } preoptimizer(mapping);
+    preoptimizer.run(getPassRunner(), &module);
+    preoptimizer.runOnModuleCode(getPassRunner(), &module);
   }
 };
 
diff --git a/test/lit/passes/abstract-type-refining-desc.wast b/test/lit/passes/abstract-type-refining-desc.wast
@@ -844,3 +844,179 @@
     (unreachable)
   )
 )
+
+(module
+  ;; We will optimize the descriptor type, so we must take care not to leave
+  ;; invalid allocations of its described type.
+  (rec
+    ;; YESTNH:      (rec
+    ;; YESTNH-NEXT:  (type $struct (descriptor $uninstantiated (struct)))
+    ;; NO_TNH:      (rec
+    ;; NO_TNH-NEXT:  (type $struct (descriptor $uninstantiated (struct)))
+    (type $struct (descriptor $uninstantiated (struct)))
+    ;; YESTNH:       (type $uninstantiated (sub (describes $struct (struct))))
+    ;; NO_TNH:       (type $uninstantiated (sub (describes $struct (struct))))
+    (type $uninstantiated (sub (describes $struct (struct))))
+    ;; YESTNH:       (type $other (descriptor $instantiated (struct)))
+    ;; NO_TNH:       (type $other (descriptor $instantiated (struct)))
+    (type $other (descriptor $instantiated (struct)))
+    ;; YESTNH:       (type $instantiated (sub $uninstantiated (describes $other (struct))))
+    ;; NO_TNH:       (type $instantiated (sub $uninstantiated (describes $other (struct))))
+    (type $instantiated (sub $uninstantiated (describes $other (struct))))
+  )
+
+  ;; YESTNH:       (type $4 (func (result (ref $struct))))
+
+  ;; YESTNH:      (type $5 (func))
+
+  ;; YESTNH:      (import "" "" (func $effect (type $5)))
+  ;; NO_TNH:       (type $4 (func (result (ref $struct))))
+
+  ;; NO_TNH:      (type $5 (func))
+
+  ;; NO_TNH:      (import "" "" (func $effect (type $5)))
+  (import "" "" (func $effect))
+
+  ;; YESTNH:      (global $instantiated (ref $instantiated) (struct.new_default $instantiated))
+  ;; NO_TNH:      (global $instantiated (ref $instantiated) (struct.new_default $instantiated))
+  (global $instantiated (ref $instantiated) (struct.new $instantiated))
+
+  ;; YESTNH:      (global $fake-desc (ref null (exact $instantiated)) (ref.null none))
+  ;; NO_TNH:      (global $fake-desc (ref null (exact $uninstantiated)) (ref.null none))
+  (global $fake-desc (ref null (exact $uninstantiated)) (ref.null none))
+
+  ;; YESTNH:      (global $impossible (ref $struct) (struct.new_default $struct
+  ;; YESTNH-NEXT:  (ref.null none)
+  ;; YESTNH-NEXT: ))
+  ;; NO_TNH:      (global $impossible (ref $struct) (struct.new_default $struct
+  ;; NO_TNH-NEXT:  (global.get $fake-desc)
+  ;; NO_TNH-NEXT: ))
+  (global $impossible (ref $struct)
+    (struct.new $struct
+      (global.get $fake-desc)
+    )
+  )
+
+  ;; YESTNH:      (func $impossible (type $4) (result (ref $struct))
+  ;; YESTNH-NEXT:  (unreachable)
+  ;; YESTNH-NEXT: )
+  ;; NO_TNH:      (func $impossible (type $4) (result (ref $struct))
+  ;; NO_TNH-NEXT:  (struct.new_default $struct
+  ;; NO_TNH-NEXT:   (global.get $fake-desc)
+  ;; NO_TNH-NEXT:  )
+  ;; NO_TNH-NEXT: )
+  (func $impossible (result (ref $struct))
+    (struct.new $struct
+      (global.get $fake-desc)
+    )
+  )
+
+  ;; YESTNH:      (func $impossible-effect (type $4) (result (ref $struct))
+  ;; YESTNH-NEXT:  (drop
+  ;; YESTNH-NEXT:   (block (result (ref null (exact $instantiated)))
+  ;; YESTNH-NEXT:    (call $effect)
+  ;; YESTNH-NEXT:    (global.get $fake-desc)
+  ;; YESTNH-NEXT:   )
+  ;; YESTNH-NEXT:  )
+  ;; YESTNH-NEXT:  (unreachable)
+  ;; YESTNH-NEXT: )
+  ;; NO_TNH:      (func $impossible-effect (type $4) (result (ref $struct))
+  ;; NO_TNH-NEXT:  (struct.new_default $struct
+  ;; NO_TNH-NEXT:   (block (result (ref null (exact $uninstantiated)))
+  ;; NO_TNH-NEXT:    (call $effect)
+  ;; NO_TNH-NEXT:    (global.get $fake-desc)
+  ;; NO_TNH-NEXT:   )
+  ;; NO_TNH-NEXT:  )
+  ;; NO_TNH-NEXT: )
+  (func $impossible-effect (result (ref $struct))
+    (struct.new $struct
+      (block (result (ref null (exact $uninstantiated)))
+        (call $effect)
+        (global.get $fake-desc)
+      )
+    )
+  )
+)
+
+(module
+  ;; Same, but now we're optimizing the descriptor to bottom, so we don't need
+  ;; to do any preoptimization to ensure validity. We optimize anyway because
+  ;; we can.
+  (rec
+    ;; YESTNH:      (rec
+    ;; YESTNH-NEXT:  (type $struct (descriptor $uninstantiated (struct)))
+    ;; NO_TNH:      (rec
+    ;; NO_TNH-NEXT:  (type $struct (descriptor $uninstantiated (struct)))
+    (type $struct (descriptor $uninstantiated (struct)))
+    ;; YESTNH:       (type $uninstantiated (describes $struct (struct)))
+    ;; NO_TNH:       (type $uninstantiated (describes $struct (struct)))
+    (type $uninstantiated (describes $struct (struct)))
+  )
+
+  ;; YESTNH:       (type $2 (func (result (ref $struct))))
+
+  ;; YESTNH:      (type $3 (func))
+
+  ;; YESTNH:      (import "" "" (func $effect (type $3)))
+  ;; NO_TNH:       (type $2 (func (result (ref $struct))))
+
+  ;; NO_TNH:      (type $3 (func))
+
+  ;; NO_TNH:      (import "" "" (func $effect (type $3)))
+  (import "" "" (func $effect))
+
+  ;; YESTNH:      (global $fake-desc nullref (ref.null none))
+  ;; NO_TNH:      (global $fake-desc nullref (ref.null none))
+  (global $fake-desc (ref null (exact $uninstantiated)) (ref.null none))
+
+  ;; YESTNH:      (global $impossible (ref $struct) (struct.new_default $struct
+  ;; YESTNH-NEXT:  (ref.null none)
+  ;; YESTNH-NEXT: ))
+  ;; NO_TNH:      (global $impossible (ref $struct) (struct.new_default $struct
+  ;; NO_TNH-NEXT:  (ref.null none)
+  ;; NO_TNH-NEXT: ))
+  (global $impossible (ref $struct)
+    (struct.new $struct
+      (global.get $fake-desc)
+    )
+  )
+
+  ;; YESTNH:      (func $impossible (type $2) (result (ref $struct))
+  ;; YESTNH-NEXT:  (unreachable)
+  ;; YESTNH-NEXT: )
+  ;; NO_TNH:      (func $impossible (type $2) (result (ref $struct))
+  ;; NO_TNH-NEXT:  (unreachable)
+  ;; NO_TNH-NEXT: )
+  (func $impossible (result (ref $struct))
+    (struct.new $struct
+      (global.get $fake-desc)
+    )
+  )
+
+  ;; YESTNH:      (func $impossible-effect (type $2) (result (ref $struct))
+  ;; YESTNH-NEXT:  (drop
+  ;; YESTNH-NEXT:   (block (result nullref)
+  ;; YESTNH-NEXT:    (call $effect)
+  ;; YESTNH-NEXT:    (global.get $fake-desc)
+  ;; YESTNH-NEXT:   )
+  ;; YESTNH-NEXT:  )
+  ;; YESTNH-NEXT:  (unreachable)
+  ;; YESTNH-NEXT: )
+  ;; NO_TNH:      (func $impossible-effect (type $2) (result (ref $struct))
+  ;; NO_TNH-NEXT:  (drop
+  ;; NO_TNH-NEXT:   (block (result nullref)
+  ;; NO_TNH-NEXT:    (call $effect)
+  ;; NO_TNH-NEXT:    (global.get $fake-desc)
+  ;; NO_TNH-NEXT:   )
+  ;; NO_TNH-NEXT:  )
+  ;; NO_TNH-NEXT:  (unreachable)
+  ;; NO_TNH-NEXT: )
+  (func $impossible-effect (result (ref $struct))
+    (struct.new $struct
+      (block (result (ref null (exact $uninstantiated)))
+        (call $effect)
+        (global.get $fake-desc)
+      )
+    )
+  )
+)
