[Stack Switching] Fix validation of cont.* that receive nullref inputs (#7809)

kripken · web-flow · commit 91f38e9a20cd · 2025-08-11T11:52:01.000-07:00
diff --git a/src/wasm/wasm-stack.cpp b/src/wasm/wasm-stack.cpp
@@ -2770,14 +2770,20 @@ void BinaryInstWriter::visitSuspend(Suspend* curr) {
 }
 
 void BinaryInstWriter::visitContBind(ContBind* curr) {
-  assert(curr->cont->type.isContinuation() && curr->type.isContinuation());
+  if (curr->cont->type.isNull()) {
+    emitUnreachable();
+    return;
+  }
   o << int8_t(BinaryConsts::ContBind);
   parent.writeIndexedHeapType(curr->cont->type.getHeapType());
   parent.writeIndexedHeapType(curr->type.getHeapType());
 }
 
 void BinaryInstWriter::visitResume(Resume* curr) {
-  assert(curr->cont->type.isContinuation());
+  if (curr->cont->type.isNull()) {
+    emitUnreachable();
+    return;
+  }
   o << int8_t(BinaryConsts::Resume);
   parent.writeIndexedHeapType(curr->cont->type.getHeapType());
 
@@ -2798,7 +2804,10 @@ void BinaryInstWriter::visitResume(Resume* curr) {
 }
 
 void BinaryInstWriter::visitResumeThrow(ResumeThrow* curr) {
-  assert(curr->cont->type.isContinuation());
+  if (curr->cont->type.isNull()) {
+    emitUnreachable();
+    return;
+  }
   o << int8_t(BinaryConsts::ResumeThrow);
   parent.writeIndexedHeapType(curr->cont->type.getHeapType());
   o << U32LEB(parent.getTagIndex(curr->tag));
@@ -2820,7 +2829,10 @@ void BinaryInstWriter::visitResumeThrow(ResumeThrow* curr) {
 }
 
 void BinaryInstWriter::visitStackSwitch(StackSwitch* curr) {
-  assert(curr->cont->type.isContinuation());
+  if (curr->cont->type.isNull()) {
+    emitUnreachable();
+    return;
+  }
   o << int8_t(BinaryConsts::Switch);
   parent.writeIndexedHeapType(curr->cont->type.getHeapType());
   o << U32LEB(parent.getTagIndex(curr->tag));
diff --git a/src/wasm/wasm-validator.cpp b/src/wasm/wasm-validator.cpp
@@ -3991,24 +3991,27 @@ void FunctionValidator::visitContBind(ContBind* curr) {
                curr,
                "cont.bind requires stack-switching [--enable-stack-switching]");
 
+  if (curr->cont->type.isRef() &&
+      curr->cont->type.getHeapType().isMaybeShared(HeapType::nocont)) {
+    return;
+  }
+
+  if (curr->type == Type::unreachable) {
+    return;
+  }
+
   shouldBeTrue(
-    (curr->cont->type.isContinuation() &&
-     curr->cont->type.getHeapType().getContinuation().type.isSignature()) ||
-      curr->cont->type == Type::unreachable,
+    curr->cont->type.isContinuation() &&
+      curr->cont->type.getHeapType().getContinuation().type.isSignature(),
     curr,
     "the first type annotation on cont.bind must be a continuation type");
 
   shouldBeTrue(
-    (curr->type.isContinuation() &&
-     curr->type.getHeapType().getContinuation().type.isSignature()) ||
-      curr->type == Type::unreachable,
+    curr->type.isContinuation() &&
+      curr->type.getHeapType().getContinuation().type.isSignature(),
     curr,
     "the second type annotation on cont.bind must be a continuation type");
 
-  if (curr->type == Type::unreachable) {
-    return;
-  }
-
   if (!shouldBeTrue(curr->type.isNonNullable(),
                     curr,
                     "cont.bind should have a non-nullable reference type")) {
@@ -4035,6 +4038,11 @@ void FunctionValidator::visitResume(Resume* curr) {
     curr,
     "sentTypes cache in resume instruction has not been initialized");
 
+  if (curr->cont->type.isRef() &&
+      curr->cont->type.getHeapType().isMaybeShared(HeapType::nocont)) {
+    return;
+  }
+
   shouldBeTrue(
     (curr->cont->type.isContinuation() &&
      curr->cont->type.getHeapType().getContinuation().type.isSignature()) ||
@@ -4057,17 +4065,22 @@ void FunctionValidator::visitResumeThrow(ResumeThrow* curr) {
     curr,
     "sentTypes cache in resume_throw instruction has not been initialized");
 
+  auto* tag = getModule()->getTagOrNull(curr->tag);
+  if (!shouldBeTrue(!!tag, curr, "resume_throw exception tag must exist")) {
+    return;
+  }
+
+  if (curr->cont->type.isRef() &&
+      curr->cont->type.getHeapType().isMaybeShared(HeapType::nocont)) {
+    return;
+  }
+
   shouldBeTrue(
     (curr->cont->type.isContinuation() &&
      curr->cont->type.getHeapType().getContinuation().type.isSignature()) ||
       curr->type == Type::unreachable,
     curr,
     "resume_throw must be annotated with a continuation type");
-
-  auto* tag = getModule()->getTagOrNull(curr->tag);
-  if (!shouldBeTrue(!!tag, curr, "resume_throw must be annotated with a tag")) {
-    return;
-  }
 }
 
 void FunctionValidator::visitStackSwitch(StackSwitch* curr) {
@@ -4076,17 +4089,22 @@ void FunctionValidator::visitStackSwitch(StackSwitch* curr) {
                curr,
                "switch requires stack-switching [--enable-stack-switching]");
 
+  auto* tag = getModule()->getTagOrNull(curr->tag);
+  if (!shouldBeTrue(!!tag, curr, "switch tag must exist")) {
+    return;
+  }
+
+  if (curr->cont->type.isRef() &&
+      curr->cont->type.getHeapType().isMaybeShared(HeapType::nocont)) {
+    return;
+  }
+
   shouldBeTrue(
     (curr->cont->type.isContinuation() &&
      curr->cont->type.getHeapType().getContinuation().type.isSignature()) ||
       curr->type == Type::unreachable,
     curr,
     "switch must be annotated with a continuation type");
-
-  auto* tag = getModule()->getTagOrNull(curr->tag);
-  if (!shouldBeTrue(!!tag, curr, "switch must be annotated with a tag")) {
-    return;
-  }
 }
 
 void FunctionValidator::visitFunction(Function* curr) {
diff --git a/test/spec/cont.wast b/test/spec/cont.wast
@@ -564,3 +564,80 @@
 
 (assert_return (invoke "sum" (i64.const 10) (i64.const 20)) (i64.const 165))
 
+;; Subtyping
+(module
+  (type $ft1 (func (param i32)))
+  (type $ct1 (sub (cont $ft1)))
+
+  (type $ft0 (func))
+  (type $ct0 (sub (cont $ft0)))
+
+  (func $test (param $x (ref $ct1))
+    (i32.const 123)
+    (local.get $x)
+    (cont.bind $ct1 $ct0)
+    (drop)
+  )
+)
+
+(module
+    (type $f1 (sub (func (result anyref))))
+    (type $f2 (sub $f1 (func (result eqref))))
+    (type $c1 (sub (cont $f1)))
+    (type $c2 (sub $c1 (cont $f2)))
+)
+
+;; Globals
+(module
+  (type $ft (func))
+  (type $ct (cont $ft))
+
+  (global $k (mut (ref null $ct)) (ref.null $ct))
+  (global $g (ref null $ct) (ref.null $ct))
+
+  (func $f)
+  (elem declare func $f)
+
+  (func (export "set-global")
+    (global.set $k (cont.new $ct (ref.func $f))))
+)
+(assert_return (invoke "set-global"))
+
+(assert_invalid
+  (module
+    (rec
+      (type $ft (func (param (ref null $ct))))
+      (type $ct (cont $ft)))
+    (type $ft2 (func))
+    (type $ct2 (cont $ft2))
+
+    (tag $swap)
+    (func $f (type $ft)
+      (switch $ct $swap (cont.new $ct2 (ref.null $ft2)))
+      (drop)))
+   "type mismatch")
+
+(module
+  (rec
+    (type $ft (func (param (ref null $ct))))
+    (type $ct (cont $ft)))
+
+  (tag $t)
+
+  (func
+    (cont.new $ct (ref.null $ft))
+    (unreachable))
+  (func
+    (cont.bind $ct $ct (ref.null $ct))
+    (unreachable))
+  (func
+    (resume $ct (ref.null $ct) (ref.null $ct))
+    (unreachable))
+  (func
+    (resume_throw $ct $t (ref.null $ct))
+    (unreachable))
+  (func
+    (switch $ct $t (ref.null $ct))
+    (unreachable))
+)
+
