Fix typing of struct RMW ops with null references (#7214)

tlively · web-flow · commit 98129d1f8052 · 2025-01-14T17:13:47.000-08:00
When the struct reference is null, there is no struct type from which to
look up the proper field type when finalizing a struct RMW or cmpxchg
expression. We previously reused code for this case from StructGet, but
unlike StructGet, the RMW operations have additional operands that can
constrain the type of the retrieved struct field. Take these operands
into account when computing a type for the RMW expressions.
diff --git a/scripts/test/fuzzing.py b/scripts/test/fuzzing.py
@@ -80,6 +80,7 @@
     'typed_continuations_suspend.wast',
     # the fuzzer does not support struct RMW ops
     'gc-atomics.wast',
+    'gc-atomics-null-refs.wast',
     # contains too many segments to run in a wasm VM
     'limit-segments_disable-bulk-memory.wast',
     # https://github.com/WebAssembly/binaryen/issues/7176
diff --git a/src/wasm/wasm.cpp b/src/wasm/wasm.cpp
@@ -1168,10 +1168,10 @@ void StructRMW::finalize() {
   if (ref->type == Type::unreachable || value->type == Type::unreachable) {
     type = Type::unreachable;
   } else if (ref->type.isNull()) {
-    // See comment on CallRef for explanation.
-    if (type.isRef()) {
-      type = Type(type.getHeapType().getBottom(), NonNullable);
-    }
+    // We have no struct type to read the field off of, but the most precise
+    // possible option is the type of the value we are using to make the
+    // modification.
+    type = value->type;
   } else {
     type = ref->type.getHeapType().getStruct().fields[index].type;
   }
@@ -1182,10 +1182,9 @@ void StructCmpxchg::finalize() {
       replacement->type == Type::unreachable) {
     type = Type::unreachable;
   } else if (ref->type.isNull()) {
-    // See comment on CallRef for explanation.
-    if (type.isRef()) {
-      type = Type(type.getHeapType().getBottom(), NonNullable);
-    }
+    // Like StructRMW, but the most precise possible field type is the LUB of
+    // the expected and replacement values.
+    type = Type::getLeastUpperBound(expected->type, replacement->type);
   } else {
     type = ref->type.getHeapType().getStruct().fields[index].type;
   }
diff --git a/test/lit/basic/gc-atomics-null-refs.wast b/test/lit/basic/gc-atomics-null-refs.wast
@@ -0,0 +1,117 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py and should not be edited.
+
+;; RUN: wasm-opt -all %s -S -o - | filecheck %s
+;; RUN: wasm-opt -all %s --roundtrip -S -o - | filecheck %s --check-prefix=RTRIP
+
+(module
+  (type $struct-i32 (struct (field (mut i32))))
+  (type $struct-eq (struct (field (mut eqref))))
+
+  ;; CHECK:      (func $rmw-null (type $1) (result i32)
+  ;; CHECK-NEXT:  (block ;; (replaces unreachable StructRMW we can't emit)
+  ;; CHECK-NEXT:   (drop
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (drop
+  ;; CHECK-NEXT:    (i32.const 1)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (unreachable)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  ;; RTRIP:      (func $rmw-null (type $1) (result i32)
+  ;; RTRIP-NEXT:  (drop
+  ;; RTRIP-NEXT:   (ref.null none)
+  ;; RTRIP-NEXT:  )
+  ;; RTRIP-NEXT:  (drop
+  ;; RTRIP-NEXT:   (i32.const 1)
+  ;; RTRIP-NEXT:  )
+  ;; RTRIP-NEXT:  (unreachable)
+  ;; RTRIP-NEXT: )
+  (func $rmw-null (result i32)
+    (struct.atomic.rmw.add $struct-i32 0
+      (ref.null none)
+      (i32.const 1)
+    )
+  )
+
+  ;; CHECK:      (func $cmpxchg-null (type $0) (result i31ref)
+  ;; CHECK-NEXT:  (block ;; (replaces unreachable StructCmpxchg we can't emit)
+  ;; CHECK-NEXT:   (drop
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (drop
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (drop
+  ;; CHECK-NEXT:    (ref.i31
+  ;; CHECK-NEXT:     (i32.const 0)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (unreachable)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  ;; RTRIP:      (func $cmpxchg-null (type $0) (result i31ref)
+  ;; RTRIP-NEXT:  (drop
+  ;; RTRIP-NEXT:   (ref.null none)
+  ;; RTRIP-NEXT:  )
+  ;; RTRIP-NEXT:  (drop
+  ;; RTRIP-NEXT:   (ref.null none)
+  ;; RTRIP-NEXT:  )
+  ;; RTRIP-NEXT:  (drop
+  ;; RTRIP-NEXT:   (ref.i31
+  ;; RTRIP-NEXT:    (i32.const 0)
+  ;; RTRIP-NEXT:   )
+  ;; RTRIP-NEXT:  )
+  ;; RTRIP-NEXT:  (unreachable)
+  ;; RTRIP-NEXT: )
+  (func $cmpxchg-null (result i31ref)
+    ;; This is technically invalid because the result should be eqref, but we
+    ;; lose that type information after parsing. Test that we compute a
+    ;; sufficiently general result type from the expected and replacement
+    ;; values.
+    (struct.atomic.rmw.cmpxchg $struct-eq 0
+      (ref.null none)
+      (ref.null none)
+      (ref.i31 (i32.const 0))
+    )
+  )
+
+  ;; CHECK:      (func $cmpxchg-null-2 (type $0) (result i31ref)
+  ;; CHECK-NEXT:  (block ;; (replaces unreachable StructCmpxchg we can't emit)
+  ;; CHECK-NEXT:   (drop
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (drop
+  ;; CHECK-NEXT:    (ref.i31
+  ;; CHECK-NEXT:     (i32.const 0)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (drop
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (unreachable)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  ;; RTRIP:      (func $cmpxchg-null-2 (type $0) (result i31ref)
+  ;; RTRIP-NEXT:  (drop
+  ;; RTRIP-NEXT:   (ref.null none)
+  ;; RTRIP-NEXT:  )
+  ;; RTRIP-NEXT:  (drop
+  ;; RTRIP-NEXT:   (ref.i31
+  ;; RTRIP-NEXT:    (i32.const 0)
+  ;; RTRIP-NEXT:   )
+  ;; RTRIP-NEXT:  )
+  ;; RTRIP-NEXT:  (drop
+  ;; RTRIP-NEXT:   (ref.null none)
+  ;; RTRIP-NEXT:  )
+  ;; RTRIP-NEXT:  (unreachable)
+  ;; RTRIP-NEXT: )
+  (func $cmpxchg-null-2 (result i31ref)
+    ;; Same as above, but with the expected and replacement types reversed.
+    (struct.atomic.rmw.cmpxchg $struct-eq 0
+      (ref.null none)
+      (ref.i31 (i32.const 0))
+      (ref.null none)
+    )
+  )
+)
