Disallow exact casts without custom descriptors enabled (#7510)

tlively · web-flow · commit da4652b3ac3c · 2025-04-17T09:29:11.000-07:00
When we emit modules containing exact types without custom descriptors
enabled, we generalize those types to be inexact so the written module
is valid for the feature set. This fudging of the types changes the
behavior of casts, though; casts to exact types that should have failed
at runtime may in fact succeed after the binary is written and the cast
target type is fudged to be inexact. To avoid the binary writer
introducing this change in behavior, disallow casts to exact types when
custom descriptors is not enabled.

This will require optimizations to avoid introducing casts to exact
types when custom descriptors is not enabled. We hypothesize that this
will be simpler than the alternative, which would be to have all
optimizations (and the interpreter) treat casts to exact types as casts
to inexact types when custom descriptors is disabled.

Test the new validation errors and and update an existing test that this
change invalidates by splitting off the part that depended on custom
descriptors being disabled into a separate test.
diff --git a/scripts/test/fuzzing.py b/scripts/test/fuzzing.py
@@ -113,6 +113,8 @@
     'vacuum-stack-switching.wast',
     # TODO: fuzzer support for exact references
     'exact-references.wast',
+    'exact-references-lowering.wast',
+    'exact-casts.wast',
     'optimize-instructions-exact.wast',
     'local-subtyping-exact.wast',
     'remove-unused-types-exact.wast',
diff --git a/src/wasm/wasm-validator.cpp b/src/wasm/wasm-validator.cpp
@@ -2903,6 +2903,12 @@ void FunctionValidator::visitRefTest(RefTest* curr) {
     curr->ref->type.getHeapType().getBottom(),
     curr,
     "ref.test target type and ref type must have a common supertype");
+
+  shouldBeTrue(curr->castType.isInexact() ||
+                 getModule()->features.hasCustomDescriptors(),
+               curr,
+               "ref.test of exact type requires custom descriptors "
+               "[--enable-custom-descriptors]");
 }
 
 void FunctionValidator::visitRefCast(RefCast* curr) {
@@ -2941,6 +2947,12 @@ void FunctionValidator::visitRefCast(RefCast* curr) {
   shouldBeTrue(curr->ref->type.isNullable() || curr->type.isNonNullable(),
                curr,
                "ref.cast null of non-nullable references are not allowed");
+
+  shouldBeTrue(curr->type.isInexact() ||
+                 getModule()->features.hasCustomDescriptors(),
+               curr,
+               "ref.cast to exact type requires custom descriptors "
+               "[--enable-custom-descriptors]");
 }
 
 void FunctionValidator::visitBrOn(BrOn* curr) {
@@ -2970,6 +2982,11 @@ void FunctionValidator::visitBrOn(BrOn* curr) {
       curr->ref->type,
       curr,
       "br_on_cast* target type must be a subtype of its input type");
+    shouldBeTrue(curr->castType.isInexact() ||
+                   getModule()->features.hasCustomDescriptors(),
+                 curr,
+                 "br_on_cast* to exact type requires custom descriptors "
+                 "[--enable-custom-descriptors]");
   } else {
     shouldBeEqual(curr->castType,
                   Type(Type::none),
diff --git a/test/lit/basic/exact-references-lowering.wast b/test/lit/basic/exact-references-lowering.wast
@@ -0,0 +1,24 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --all-items and should not be edited.
+
+;; Check that if we emit a binary without custom descriptors enabled, the exact
+;; types are generalized to be inexact.
+
+;; RUN: wasm-opt %s -all --disable-custom-descriptors -g -o %t.noexact.wasm
+;; RUN: wasm-opt %t.noexact.wasm -all -S -o - | filecheck %s
+
+(module
+  ;; CHECK:      (type $foo (struct (field (ref null $foo)) (field (ref $foo))))
+  (type $foo (struct (field (ref null (exact $foo)) (ref (exact $foo)))))
+
+  ;; CHECK:      (type $1 (func (param (ref $foo))))
+
+  ;; CHECK:      (global $g (ref null $foo) (ref.null none))
+  (global $g (ref null (exact $foo)) (ref.null none))
+
+  ;; CHECK:      (func $f (type $1) (param $0 (ref $foo))
+  ;; CHECK-NEXT:  (local $1 (ref null $foo))
+  ;; CHECK-NEXT: )
+  (func $f (param (ref (exact $foo)))
+    (local (ref null (exact $foo)))
+  )
+)
diff --git a/test/lit/basic/exact-references.wast b/test/lit/basic/exact-references.wast
@@ -9,36 +9,26 @@
 ;; RUN: cat %t.bin.wast | filecheck %s --check-prefix=CHECK-BIN
 ;; RUN: cat %t.bin.nodebug.wast | filecheck %s --check-prefix=CHECK-BIN-NODEBUG
 
-;; Also check that if we emit a binary without custom descriptors enabled, the
-;; types are generalized to be inexact.
-
-;; RUN: wasm-opt %s -all --disable-custom-descriptors -g -o %t.noexact.wasm
-;; RUN: wasm-opt %t.noexact.wasm -all -S -o - | filecheck %s --check-prefix=NO-EXACT
-
 (module
   ;; CHECK-TEXT:      (type $foo (struct (field (ref null (exact $foo))) (field (ref (exact $foo)))))
   ;; CHECK-BIN:      (type $foo (struct (field (ref null (exact $foo))) (field (ref (exact $foo)))))
-  ;; NO-EXACT:      (type $foo (struct (field (ref null $foo)) (field (ref $foo))))
   (type $foo (struct (field (ref null (exact $foo)) (ref (exact $foo)))))
 
   (rec
     ;; CHECK-TEXT:      (rec
     ;; CHECK-TEXT-NEXT:  (type $super (sub (struct)))
     ;; CHECK-BIN:      (rec
     ;; CHECK-BIN-NEXT:  (type $super (sub (struct)))
-    ;; NO-EXACT:      (rec
-    ;; NO-EXACT-NEXT:  (type $super (sub (struct)))
     (type $super (sub (struct)))
     ;; CHECK-TEXT:       (type $sub1 (sub $super (struct)))
     ;; CHECK-BIN:       (type $sub1 (sub $super (struct)))
-    ;; NO-EXACT:       (type $sub1 (sub $super (struct)))
     (type $sub1 (sub $super (struct)))
     ;; CHECK-TEXT:       (type $sub2 (sub $super (struct)))
     ;; CHECK-BIN:       (type $sub2 (sub $super (struct)))
-    ;; NO-EXACT:       (type $sub2 (sub $super (struct)))
     (type $sub2 (sub $super (struct)))
   )
 
+
   ;; CHECK-TEXT:      (type $4 (func (param (ref null (exact $foo))) (result (ref (exact $foo)))))
 
   ;; CHECK-TEXT:      (type $5 (func (param (ref null (exact $foo)))))
@@ -61,22 +51,10 @@
   ;; CHECK-BIN:      (type $8 (func (param (ref null (exact $foo))) (result (ref null (exact $foo)))))
 
   ;; CHECK-BIN:      (import "" "g1" (global $g1 (ref null (exact $foo))))
-  ;; NO-EXACT:      (type $4 (func (param (ref null $foo)) (result (ref $foo))))
-
-  ;; NO-EXACT:      (type $5 (func (param (ref null $foo))))
-
-  ;; NO-EXACT:      (type $6 (func (param (ref null $super)) (result (ref null $super))))
-
-  ;; NO-EXACT:      (type $7 (func (param (ref null $sub1))))
-
-  ;; NO-EXACT:      (type $8 (func (param (ref null $foo)) (result (ref null $foo))))
-
-  ;; NO-EXACT:      (import "" "g1" (global $g1 (ref null $foo)))
   (import "" "g1" (global $g1 (ref null (exact $foo))))
 
   ;; CHECK-TEXT:      (import "" "g2" (global $g2 (ref (exact $foo))))
   ;; CHECK-BIN:      (import "" "g2" (global $g2 (ref (exact $foo))))
-  ;; NO-EXACT:      (import "" "g2" (global $g2 (ref $foo)))
   (import "" "g2" (global $g2 (ref (exact $foo))))
 
   ;; CHECK-TEXT:      (func $ref-test (type $5) (param $0 (ref null (exact $foo)))
@@ -103,18 +81,6 @@
   ;; CHECK-BIN-NEXT:   )
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $ref-test (type $5) (param $0 (ref null $foo))
-  ;; NO-EXACT-NEXT:  (drop
-  ;; NO-EXACT-NEXT:   (ref.test (ref $foo)
-  ;; NO-EXACT-NEXT:    (local.get $0)
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT:  (drop
-  ;; NO-EXACT-NEXT:   (ref.test (ref null $foo)
-  ;; NO-EXACT-NEXT:    (local.get $0)
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $ref-test (param (ref null (exact $foo)))
     (drop
       (ref.test (ref (exact $foo))
@@ -162,23 +128,6 @@
   ;; CHECK-BIN-NEXT:   )
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $ref-cast (type $7) (param $0 (ref null $sub1))
-  ;; NO-EXACT-NEXT:  (drop
-  ;; NO-EXACT-NEXT:   (ref.cast (ref $sub1)
-  ;; NO-EXACT-NEXT:    (local.get $0)
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT:  (drop
-  ;; NO-EXACT-NEXT:   (ref.cast (ref null $sub1)
-  ;; NO-EXACT-NEXT:    (local.get $0)
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT:  (drop
-  ;; NO-EXACT-NEXT:   (ref.cast (ref none)
-  ;; NO-EXACT-NEXT:    (local.get $0)
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $ref-cast (param (ref null (exact $sub1)))
     (drop
       (ref.cast (ref (exact $sub1))
@@ -227,21 +176,6 @@
   ;; CHECK-BIN-NEXT:   (local.get $0)
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $br-on-cast (type $6) (param $0 (ref null $super)) (result (ref null $super))
-  ;; NO-EXACT-NEXT:  (block $block (result (ref null $super))
-  ;; NO-EXACT-NEXT:   (drop
-  ;; NO-EXACT-NEXT:    (br_on_cast $block (ref null $super) (ref null $sub1)
-  ;; NO-EXACT-NEXT:     (local.get $0)
-  ;; NO-EXACT-NEXT:    )
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:   (drop
-  ;; NO-EXACT-NEXT:    (br_on_cast $block (ref null $super) (ref $sub1)
-  ;; NO-EXACT-NEXT:     (local.get $0)
-  ;; NO-EXACT-NEXT:    )
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:   (local.get $0)
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $br-on-cast (param (ref null $super)) (result (ref null $super))
     (drop
       (br_on_cast 0 anyref (ref null (exact $sub1))
@@ -286,21 +220,6 @@
   ;; CHECK-BIN-NEXT:   (local.get $0)
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $br-on-cast-fail (type $6) (param $0 (ref null $super)) (result (ref null $super))
-  ;; NO-EXACT-NEXT:  (block $block (result (ref null $super))
-  ;; NO-EXACT-NEXT:   (drop
-  ;; NO-EXACT-NEXT:    (br_on_cast_fail $block (ref null $super) (ref null $sub1)
-  ;; NO-EXACT-NEXT:     (local.get $0)
-  ;; NO-EXACT-NEXT:    )
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:   (drop
-  ;; NO-EXACT-NEXT:    (br_on_cast_fail $block (ref null $super) (ref $sub1)
-  ;; NO-EXACT-NEXT:     (local.get $0)
-  ;; NO-EXACT-NEXT:    )
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:   (local.get $0)
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $br-on-cast-fail (param (ref null $super)) (result (ref null $super))
     (drop
       (br_on_cast_fail 0 anyref (ref null (exact $sub1))
@@ -325,11 +244,6 @@
   ;; CHECK-BIN-NEXT:   (local.get $0)
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $valid-ref-as-non-null (type $4) (param $0 (ref null $foo)) (result (ref $foo))
-  ;; NO-EXACT-NEXT:  (ref.as_non_null
-  ;; NO-EXACT-NEXT:   (local.get $0)
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $valid-ref-as-non-null (param (ref null (exact $foo))) (result (ref (exact $foo)))
     (ref.as_non_null
       (local.get 0)
@@ -356,15 +270,6 @@
   ;; CHECK-BIN-NEXT:   )
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $valid-br-on-null (type $5) (param $0 (ref null $foo))
-  ;; NO-EXACT-NEXT:  (block $block
-  ;; NO-EXACT-NEXT:   (drop
-  ;; NO-EXACT-NEXT:    (br_on_null $block
-  ;; NO-EXACT-NEXT:     (local.get $0)
-  ;; NO-EXACT-NEXT:    )
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $valid-br-on-null (param (ref null (exact $foo)))
     (drop
       (block (result (ref (exact $foo)))
@@ -391,14 +296,6 @@
   ;; CHECK-BIN-NEXT:   (unreachable)
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $valid-br-on-non-null (type $4) (param $0 (ref null $foo)) (result (ref $foo))
-  ;; NO-EXACT-NEXT:  (block $block (result (ref $foo))
-  ;; NO-EXACT-NEXT:   (br_on_non_null $block
-  ;; NO-EXACT-NEXT:    (local.get $0)
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:   (unreachable)
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $valid-br-on-non-null (param (ref null (exact $foo))) (result (ref (exact $foo)))
     (br_on_non_null 0
       (local.get 0)
@@ -428,16 +325,6 @@
   ;; CHECK-BIN-NEXT:   (unreachable)
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $valid-br-on-cast (type $8) (param $0 (ref null $foo)) (result (ref null $foo))
-  ;; NO-EXACT-NEXT:  (block $block (result (ref null $foo))
-  ;; NO-EXACT-NEXT:   (drop
-  ;; NO-EXACT-NEXT:    (br_on_cast $block (ref null $foo) (ref null $foo)
-  ;; NO-EXACT-NEXT:     (local.get $0)
-  ;; NO-EXACT-NEXT:    )
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:   (unreachable)
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $valid-br-on-cast (param (ref null (exact $foo))) (result (ref null (exact $foo)))
     (drop
       (block (result (ref (exact $foo)))
@@ -471,16 +358,6 @@
   ;; CHECK-BIN-NEXT:   (unreachable)
   ;; CHECK-BIN-NEXT:  )
   ;; CHECK-BIN-NEXT: )
-  ;; NO-EXACT:      (func $valid-br-on-cast-fail (type $4) (param $0 (ref null $foo)) (result (ref $foo))
-  ;; NO-EXACT-NEXT:  (block $block (result (ref $foo))
-  ;; NO-EXACT-NEXT:   (drop
-  ;; NO-EXACT-NEXT:    (br_on_cast_fail $block (ref null $foo) (ref null $foo)
-  ;; NO-EXACT-NEXT:     (local.get $0)
-  ;; NO-EXACT-NEXT:    )
-  ;; NO-EXACT-NEXT:   )
-  ;; NO-EXACT-NEXT:   (unreachable)
-  ;; NO-EXACT-NEXT:  )
-  ;; NO-EXACT-NEXT: )
   (func $valid-br-on-cast-fail (param (ref null (exact $foo))) (result (ref (exact $foo)))
     (drop
       (block (result (ref null (exact $foo)))
diff --git a/test/lit/validation/exact-casts.wast b/test/lit/validation/exact-casts.wast
@@ -0,0 +1,52 @@
+;; Test that casting to exact types without custom descriptors is a validation
+;; error.
+
+;; RUN: not wasm-opt %s -all --disable-custom-descriptors 2>&1 | filecheck %s
+
+;; CHECK: [wasm-validator error in function ref.cast] unexpected false: ref.cast to exact type requires custom descriptors [--enable-custom-descriptors],
+
+;; CHECK: [wasm-validator error in function ref.test] unexpected false: ref.test of exact type requires custom descriptors [--enable-custom-descriptors],
+
+;; CHECK: [wasm-validator error in function br_on_cast] unexpected false: br_on_cast* to exact type requires custom descriptors [--enable-custom-descriptors],
+
+;; CHECK: [wasm-validator error in function br_on_cast_fail] unexpected false: br_on_cast* to exact type requires custom descriptors [--enable-custom-descriptors],
+
+(module
+  (type $foo (struct))
+
+  (func $ref.cast (param anyref)
+    (drop
+      (ref.cast (ref null (exact $foo))
+        (local.get 0)
+      )
+    )
+  )
+
+  (func $ref.test (param anyref)
+    (drop
+      (ref.test (ref (exact $foo))
+        (local.get 0)
+      )
+    )
+  )
+
+  (func $br_on_cast (param anyref)
+    (drop
+      (block (result anyref)
+        (br_on_cast 0 anyref (ref null (exact $foo))
+          (local.get 0)
+        )
+      )
+    )
+  )
+
+  (func $br_on_cast_fail (param anyref)
+    (drop
+      (block (result anyref)
+        (br_on_cast_fail 0 anyref (ref (exact $foo))
+          (local.get 0)
+        )
+      )
+    )
+  )
+)
