Type allocations as exact (#7589)

Update RefFunc, StructNew, ArrayNew*, ContNew, and ContBind expression
to have exact reference types, as they will under the custom descriptors
proposal. Even without that proposal enabled, using exact types in the
IR can help better optimize casts and generally allows us to propagate
more precise type information.

Update the fuzzer to avoid assertion failures and invalid output now
that it can observe exact types via allocations. Update test output to
contain newly emitted exact types.

Author: tlively

src/literal.h

@@ -88,7 +88,7 @@ class Literal {
   explicit Literal(const std::array<Literal, 4>&);
   explicit Literal(const std::array<Literal, 2>&);
   explicit Literal(Name func, HeapType type)
-    : func(func), type(type, NonNullable) {
+    : func(func), type(type, NonNullable, Exact) {
     assert(type.isSignature());
   }
   explicit Literal(std::shared_ptr<GCData> gcData, HeapType type);

src/passes/FuncCastEmulation.cpp

@@ -178,8 +178,7 @@ struct FuncCastEmulation : public Pass {
         }
         auto* thunk = iter->second;
         ref->func = thunk->name;
-        // TODO: Make this exact.
-        ref->type = Type(thunk->type, NonNullable);
+        ref->finalize(thunk->type);
       }
     }
 

src/passes/LegalizeJSInterface.cpp

@@ -148,8 +148,7 @@ struct LegalizeJSInterface : public Pass {
           }
 
           curr->func = iter->second->name;
-          // TODO: Make this exact.
-          curr->type = Type(iter->second->type, NonNullable);
+          curr->finalize(iter->second->type);
         }
       };
 

src/passes/TypeSSA.cpp

@@ -437,7 +437,7 @@ struct TypeSSA : public Pass {
       auto* curr = newsToModify[i];
       auto oldType = curr->type.getHeapType();
       auto newType = newTypes[i];
-      curr->type = Type(newType, NonNullable);
+      curr->type = Type(newType, NonNullable, Exact);
 
       // If the old type has a nice name, make a nice name for the new one.
       if (typeNames.count(oldType)) {

src/tools/fuzzing/fuzzing.cpp

@@ -4801,12 +4801,17 @@ Expression* TranslateToFuzzReader::makeRefTest(Type type) {
       // This unreachable avoids a warning on refType being possibly undefined.
       WASM_UNREACHABLE("bad case");
   }
+  if (!wasm.features.hasCustomDescriptors()) {
+    // Exact cast targets disallowed without custom descriptors.
+    castType = castType.with(Inexact);
+  }
   return builder.makeRefTest(make(refType), castType);
 }
 
 Expression* TranslateToFuzzReader::makeRefCast(Type type) {
   assert(type.isRef());
   assert(wasm.features.hasReferenceTypes() && wasm.features.hasGC());
+  assert(type.isInexact() || wasm.features.hasCustomDescriptors());
   // As with RefTest, use possibly related types. Unlike there, we are given the
   // output type, which is the cast type, so just generate the ref's type.
   Type refType;
@@ -4907,6 +4912,10 @@ Expression* TranslateToFuzzReader::makeBrOn(Type type) {
       // nullability, so the combination of the two must be a subtype of
       // targetType.
       castType = getSubType(targetType);
+      if (!wasm.features.hasCustomDescriptors()) {
+        // Exact cast targets disallowed without custom descriptors.
+        castType = castType.with(Inexact);
+      }
       // The ref's type must be castable to castType, or we'd not validate. But
       // it can also be a subtype, which will trivially also succeed (so do that
       // more rarely). Pick subtypes rarely, as they make the cast trivial.
@@ -4933,6 +4942,10 @@ Expression* TranslateToFuzzReader::makeBrOn(Type type) {
       refType = getSubType(targetType);
       // See above on BrOnCast, but flipped.
       castType = oneIn(5) ? getSuperType(refType) : getSubType(refType);
+      if (!wasm.features.hasCustomDescriptors()) {
+        // Exact cast targets disallowed without custom descriptors.
+        castType = castType.with(Inexact);
+      }
       // There is no nullability to adjust: if targetType is non-nullable then
       // both refType and castType are as well, as subtypes of it. But we can
       // also allow castType to be nullable (it is not sent to the target).
@@ -5546,7 +5559,8 @@ Type TranslateToFuzzReader::getSubType(Type type) {
       heapType = getSubType(heapType);
     }
     auto nullability = getSubType(type.getNullability());
-    auto exactness = getSubType(type.getExactness());
+    auto exactness =
+      heapType.isBasic() ? Inexact : getSubType(type.getExactness());
     auto subType = Type(heapType, nullability, exactness);
     // We don't want to emit lots of uninhabitable types like (ref none), so
     // avoid them with high probability. Specifically, if the original type was

src/wasm-builder.h

@@ -908,21 +908,21 @@ class Builder {
                            std::initializer_list<Expression*> args) {
     auto* ret = wasm.allocator.alloc<StructNew>();
     ret->operands.set(args);
-    ret->type = Type(type, NonNullable);
+    ret->type = Type(type, NonNullable, Exact);
     ret->finalize();
     return ret;
   }
   StructNew* makeStructNew(HeapType type, ExpressionList&& args) {
     auto* ret = wasm.allocator.alloc<StructNew>();
     ret->operands = std::move(args);
-    ret->type = Type(type, NonNullable);
+    ret->type = Type(type, NonNullable, Exact);
     ret->finalize();
     return ret;
   }
   template<typename T> StructNew* makeStructNew(HeapType type, const T& args) {
     auto* ret = wasm.allocator.alloc<StructNew>();
     ret->operands.set(args);
-    ret->type = Type(type, NonNullable);
+    ret->type = Type(type, NonNullable, Exact);
     ret->finalize();
     return ret;
   }
@@ -985,7 +985,7 @@ class Builder {
     auto* ret = wasm.allocator.alloc<ArrayNew>();
     ret->size = size;
     ret->init = init;
-    ret->type = Type(type, NonNullable);
+    ret->type = Type(type, NonNullable, Exact);
     ret->finalize();
     return ret;
   }
@@ -997,7 +997,7 @@ class Builder {
     ret->segment = seg;
     ret->offset = offset;
     ret->size = size;
-    ret->type = Type(type, NonNullable);
+    ret->type = Type(type, NonNullable, Exact);
     ret->finalize();
     return ret;
   }
@@ -1009,15 +1009,15 @@ class Builder {
     ret->segment = seg;
     ret->offset = offset;
     ret->size = size;
-    ret->type = Type(type, NonNullable);
+    ret->type = Type(type, NonNullable, Exact);
     ret->finalize();
     return ret;
   }
   template<typename T>
   ArrayNewFixed* makeArrayNewFixed(HeapType type, const T& values) {
     auto* ret = wasm.allocator.alloc<ArrayNewFixed>();
     ret->values.set(values);
-    ret->type = Type(type, NonNullable);
+    ret->type = Type(type, NonNullable, Exact);
     ret->finalize();
     return ret;
   }
@@ -1185,7 +1185,7 @@ class Builder {
   }
   ContNew* makeContNew(HeapType type, Expression* func) {
     auto* ret = wasm.allocator.alloc<ContNew>();
-    ret->type = Type(type, NonNullable);
+    ret->type = Type(type, NonNullable, Exact);
     ret->func = func;
     ret->finalize();
     return ret;
@@ -1194,7 +1194,7 @@ class Builder {
                          ExpressionList&& operands,
                          Expression* cont) {
     auto* ret = wasm.allocator.alloc<ContBind>();
-    ret->type = Type(targetType, NonNullable);
+    ret->type = Type(targetType, NonNullable, Exact);
     ret->operands = std::move(operands);
     ret->cont = cont;
     ret->finalize();

src/wasm/literal.cpp

@@ -72,8 +72,9 @@ Literal::Literal(const uint8_t init[16]) : type(Type::v128) {
 }
 
 Literal::Literal(std::shared_ptr<GCData> gcData, HeapType type)
-  : gcData(gcData), type(type, gcData ? NonNullable : Nullable) {
-  // TODO: Use exact types for gcData.
+  : gcData(gcData), type(type,
+                         gcData ? NonNullable : Nullable,
+                         gcData && !type.isBasic() ? Exact : Inexact) {
   // The type must be a proper type for GC data: either a struct, array, or
   // string; or an externalized version of the same; or a null; or an
   // internalized string (which appears as an anyref).

src/wasm/wasm-ir-builder.cpp

@@ -2120,7 +2120,7 @@ Result<> IRBuilder::makeBrOn(
 
 Result<> IRBuilder::makeStructNew(HeapType type) {
   StructNew curr(wasm.allocator);
-  curr.type = Type(type, NonNullable);
+  curr.type = Type(type, NonNullable, Exact);
   // Differentiate from struct.new_default with a non-empty expression list.
   curr.operands.resize(type.getStruct().fields.size());
   CHECK_ERR(visitStructNew(&curr));
@@ -2181,7 +2181,7 @@ IRBuilder::makeStructCmpxchg(HeapType type, Index field, MemoryOrder order) {
 
 Result<> IRBuilder::makeArrayNew(HeapType type) {
   ArrayNew curr;
-  curr.type = Type(type, NonNullable);
+  curr.type = Type(type, NonNullable, Exact);
   // Differentiate from array.new_default with dummy initializer.
   curr.init = (Expression*)0x01;
   CHECK_ERR(visitArrayNew(&curr));

src/wasm/wasm-validator.cpp

@@ -502,7 +502,7 @@ struct FunctionValidator : public WalkerPass<PostWalker<FunctionValidator>> {
   void visitStructRMW(StructRMW* curr);
   void visitStructCmpxchg(StructCmpxchg* curr);
   void visitArrayNew(ArrayNew* curr);
-  template<typename ArrayNew> void visitArrayNew(ArrayNew* curr);
+  template<typename ArrayNew> void visitArrayNewSegment(ArrayNew* curr);
   void visitArrayNewData(ArrayNewData* curr);
   void visitArrayNewElem(ArrayNewElem* curr);
   void visitArrayNewFixed(ArrayNewFixed* curr);
@@ -2375,6 +2375,8 @@ void FunctionValidator::visitRefFunc(RefFunc* curr) {
   shouldBeTrue(func->type == curr->type.getHeapType(),
                curr,
                "function reference type must match referenced function type");
+  shouldBeTrue(
+    curr->type.isExact(), curr, "function reference should be exact");
 }
 
 void FunctionValidator::visitRefEq(RefEq* curr) {
@@ -3022,6 +3024,7 @@ void FunctionValidator::visitStructNew(StructNew* curr) {
                     "struct.new should have a non-nullable reference type")) {
     return;
   }
+  shouldBeTrue(curr->type.isExact(), curr, "struct.new should be exact");
   auto heapType = curr->type.getHeapType();
   if (!shouldBeTrue(
         heapType.isStruct(), curr, "struct.new heap type must be struct")) {
@@ -3260,6 +3263,7 @@ void FunctionValidator::visitArrayNew(ArrayNew* curr) {
                     "array.new should have a non-nullable reference type")) {
     return;
   }
+  shouldBeTrue(curr->type.isExact(), curr, "array.new* should be exact");
   auto heapType = curr->type.getHeapType();
   if (!shouldBeTrue(
         heapType.isArray(), curr, "array.new heap type must be array")) {
@@ -3284,7 +3288,7 @@ void FunctionValidator::visitArrayNew(ArrayNew* curr) {
 }
 
 template<typename ArrayNew>
-void FunctionValidator::visitArrayNew(ArrayNew* curr) {
+void FunctionValidator::visitArrayNewSegment(ArrayNew* curr) {
   shouldBeTrue(getModule()->features.hasGC(),
                curr,
                "array.new_{data, elem} requires gc [--enable-gc]");
@@ -3307,6 +3311,8 @@ void FunctionValidator::visitArrayNew(ArrayNew* curr) {
         "array.new_{data, elem} type should be an array reference")) {
     return;
   }
+  shouldBeTrue(
+    curr->type.isExact(), curr, "array.new_{data, elem} should be exact");
   auto heapType = curr->type.getHeapType();
   if (!shouldBeTrue(
         heapType.isArray(),
@@ -3317,7 +3323,7 @@ void FunctionValidator::visitArrayNew(ArrayNew* curr) {
 }
 
 void FunctionValidator::visitArrayNewData(ArrayNewData* curr) {
-  visitArrayNew(curr);
+  visitArrayNewSegment(curr);
 
   shouldBeTrue(
     getModule()->features.hasBulkMemory(),
@@ -3340,7 +3346,7 @@ void FunctionValidator::visitArrayNewData(ArrayNewData* curr) {
 }
 
 void FunctionValidator::visitArrayNewElem(ArrayNewElem* curr) {
-  visitArrayNew(curr);
+  visitArrayNewSegment(curr);
 
   if (!shouldBeTrue(getModule()->getElementSegment(curr->segment),
                     curr,
@@ -3363,21 +3369,22 @@ void FunctionValidator::visitArrayNewElem(ArrayNewElem* curr) {
 void FunctionValidator::visitArrayNewFixed(ArrayNewFixed* curr) {
   shouldBeTrue(getModule()->features.hasGC(),
                curr,
-               "array.init requires gc [--enable-gc]");
+               "array.new_fixed requires gc [--enable-gc]");
   if (curr->type == Type::unreachable) {
     return;
   }
+  shouldBeTrue(curr->type.isExact(), curr, "array.new_fixed should be exact");
   auto heapType = curr->type.getHeapType();
   if (!shouldBeTrue(
-        heapType.isArray(), curr, "array.init heap type must be array")) {
+        heapType.isArray(), curr, "array.new_fixed heap type must be array")) {
     return;
   }
   const auto& element = heapType.getArray().element;
   for (auto* value : curr->values) {
     shouldBeSubType(value->type,
                     element.type,
                     curr,
-                    "array.init value must have proper type");
+                    "array.new_fixed value must have proper type");
   }
 }
 
@@ -3699,6 +3706,7 @@ void FunctionValidator::visitContNew(ContNew* curr) {
                     "cont.new should have a non-nullable reference type")) {
     return;
   }
+  shouldBeTrue(curr->type.isExact(), curr, "cont.new should be exact");
 
   shouldBeTrue(curr->type.isContinuation() &&
                  curr->type.getHeapType().getContinuation().type.isSignature(),
@@ -3735,6 +3743,7 @@ void FunctionValidator::visitContBind(ContBind* curr) {
                     "cont.bind should have a non-nullable reference type")) {
     return;
   }
+  shouldBeTrue(curr->type.isExact(), curr, "cont.bind should be exact");
 }
 
 void FunctionValidator::visitSuspend(Suspend* curr) {

src/wasm/wasm.cpp

@@ -830,7 +830,7 @@ void RefFunc::finalize() {
 }
 
 void RefFunc::finalize(HeapType heapType) {
-  type = Type(heapType, NonNullable);
+  type = Type(heapType, NonNullable, Exact);
 }
 
 void RefEq::finalize() {

test/binaryen.js/expressions.js

@@ -1997,7 +1997,8 @@ console.log("# RefFunc");
   assert(theRefFunc instanceof binaryen.RefFunc);
   assert(theRefFunc instanceof binaryen.Expression);
   assert(theRefFunc.func === func);
-  assert(theRefFunc.type === type);
+  // TODO: assert that the type is a non-nullable, exact reference to the
+  // function type once we can express that in the JS API.
 
   var info = binaryen.getExpressionInfo(theRefFunc);
   assert(info.id === theRefFunc.id);
@@ -2007,7 +2008,8 @@ console.log("# RefFunc");
   theRefFunc.func = func = "b";
   assert(theRefFunc.func === func);
   theRefFunc.finalize();
-  assert(theRefFunc.type === type);
+  // TODO: assert that the type is a non-nullable, exact reference to the
+  // function type once we can express that in the JS API.
 
   info = binaryen.getExpressionInfo(theRefFunc);
   assert(info.type === theRefFunc.type);
@@ -2223,7 +2225,8 @@ console.log("# StructNew");
   assert(theStructNew instanceof binaryen.Expression);
   assertDeepEqual(theStructNew.operands, operands);
   assertDeepEqual(theStructNew.getOperands(), operands);
-  assert(theStructNew.type === type);
+  // TODO: assert that the type is a non-nullable, exact reference to the
+  // function type once we can express that in the JS API.
 
   var info = binaryen.getExpressionInfo(theStructNew);
   assert(info.id === theStructNew.id);
@@ -2405,7 +2408,8 @@ console.log("# ArrayNew");
   assert(theArrayNew instanceof binaryen.Expression);
   assert(theArrayNew.size === size);
   assert(theArrayNew.init === init);
-  assert(theArrayNew.type === type);
+  // TODO: assert that the type is a non-nullable, exact reference to the
+  // function type once we can express that in the JS API.
 
   var info = binaryen.getExpressionInfo(theArrayNew);
   assert(info.id === theArrayNew.id);
@@ -2458,7 +2462,8 @@ console.log("# ArrayNewFixed");
   assert(theArrayNewFixed instanceof binaryen.Expression);
   assertDeepEqual(theArrayNewFixed.values, values);
   assertDeepEqual(theArrayNewFixed.getValues(), values);
-  assert(theArrayNewFixed.type === type);
+  // TODO: assert that the type is a non-nullable, exact reference to the
+  // function type once we can express that in the JS API.
 
   var info = binaryen.getExpressionInfo(theArrayNewFixed);
   assert(info.id === theArrayNewFixed.id);
@@ -2519,7 +2524,8 @@ console.log("# ArrayNewData");
   assert(theArrayNewData.segment === segment);
   assert(theArrayNewData.offset === offset);
   assert(theArrayNewData.size === size);
-  assert(theArrayNewData.type === type);
+  // TODO: assert that the type is a non-nullable, exact reference to the
+  // function type once we can express that in the JS API.
 
   var info = binaryen.getExpressionInfo(theArrayNewData);
   assert(info.id === theArrayNewData.id);
@@ -2576,7 +2582,8 @@ console.log("# ArrayNewElem");
   assert(theArrayNewElem.segment === segment);
   assert(theArrayNewElem.offset === offset);
   assert(theArrayNewElem.size === size);
-  assert(theArrayNewElem.type === type);
+  // TODO: assert that the type is a non-nullable, exact reference to the
+  // function type once we can express that in the JS API.
 
   var info = binaryen.getExpressionInfo(theArrayNewElem);
   assert(info.id === theArrayNewElem.id);

test/binaryen.js/kitchen-sink.js.txt

@@ -2089,7 +2089,7 @@ getExpressionInfo(tuple[3])={"id":14,"type":5,"value":3.7}
        )
       )
       (drop
-       (select (result (ref null $0))
+       (select (result (ref null (exact $0)))
         (ref.null nofunc)
         (ref.func $foobar)
         (i32.const 1)