Perform (ref null none) loads that can trap

fitzgen · fitzgen · commit d3f752cc2b13 · 2025-03-11T11:35:18.000-07:00
As an optimization, we were previously avoiding the load and instead simply materializing the null reference value, since that is the only value that inhabits `(ref null none)`. However, in certain situations, such as when loading from a table when Spectre mitigations are enabled, we rely on that load being attempted and resulting in a trap if the table index is out of bounds. This commit makes it so that we will always perform the load if our given `ir::MemFlags` can trap. Fixes bytecodealliance#10353
diff --git a/crates/cranelift/src/gc/enabled/drc.rs b/crates/cranelift/src/gc/enabled/drc.rs
@@ -436,13 +436,29 @@ impl GcCompiler for DrcCompiler {
         // null, or we are in dynamically unreachable code and should just trap.
         if let WasmHeapType::None = ty.heap_type {
             let null = builder.ins().iconst(reference_type, 0);
+
+            // If the `flags` can trap, then we need to do an actual load. We
+            // might be relying on, e.g., this load trapping to raise a
+            // out-of-bounds-table-index trap, rather than successfully loading
+            // a null `noneref`.
+            //
+            // That said, while we will do the load, we won't use the loaded
+            // value, and will still use our null constant below. This will
+            // avoid an unnecessary load dependency, slightly improving the code
+            // we ultimately emit. This probably doesn't matter, but it is easy
+            // to do and can only improve things, so we do it.
+            if flags.trap_code().is_some() {
+                let _ = builder.ins().load(reference_type, flags, src, 0);
+            }
+
             if !ty.nullable {
                 // NB: Don't use an unconditional trap instruction, since that
                 // is a block terminator, and we still need to integrate with
                 // the rest of the surrounding code.
                 let zero = builder.ins().iconst(ir::types::I32, 0);
                 builder.ins().trapz(zero, TRAP_INTERNAL_ASSERT);
             }
+
             return Ok(null);
         };
 
diff --git a/tests/misc_testsuite/gc/issue-10353.wast b/tests/misc_testsuite/gc/issue-10353.wast
@@ -0,0 +1,11 @@
+;;! gc = true
+
+(module
+  (table $t 10 (ref null none))
+  (func (export "f") (result (ref null none))
+    (i32.const 99)
+    (table.get $t)
+  )
+)
+
+(assert_trap (invoke "f") "out of bounds table access")
