Handle sharedness in Heap2Local's Array2Struct (WebAssembly#8515)

tlively · web-flow · commit df5c0e0ed8cc · 2026-03-26T16:29:25.000-07:00
Heap2Local uses an internal utility called Array2Struct to turn
non-escaping array allocations into struct allocations so they can
subsequently be optimized by the Heap2Local struct optimizations. It
previously used a non-shared struct type, even for shared array types,
but this could cause problems when the non-shared struct type became a
non-shared null in places that required a shared type to
validate. This could specifically occur when the allocation flowed into
a StructCmpxchg `expected` field that needed to be a subtype of shared
eqref.

As a drive-by to make the regression test parse correctly, fix
child-typer for StructCmpxchg to correctly handle sharedness in the
expected field as well.
diff --git a/scripts/test/fuzzing.py b/scripts/test/fuzzing.py
@@ -83,6 +83,7 @@
     'unsubtyping-cmpxchg.wast',
     'struct-atomic-threads.wast',
     'type-refining-gufa-rmw.wast',
+    'struct-cmpxchg-shared-expected.wast',
     'precompute-gc-atomics-rmw.wast',
     # contains too many segments to run in a wasm VM
     'limit-segments_disable-bulk-memory.wast',
diff --git a/src/ir/child-typer.h b/src/ir/child-typer.h
@@ -1002,8 +1002,12 @@ template<typename Subtype> struct ChildTyper : OverriddenVisitor<Subtype> {
     assert(curr->index < fields.size());
     note(&curr->ref, Type(*ht, Nullable));
     auto type = fields[curr->index].type;
-    // TODO: (shared eq) as appropriate.
-    note(&curr->expected, type.isRef() ? Type(HeapType::eq, Nullable) : type);
+    auto expectedType = type;
+    if (expectedType.isRef()) {
+      expectedType =
+        Type(HeapTypes::eq.getBasic(type.getHeapType().getShared()), Nullable);
+    }
+    note(&curr->expected, expectedType);
     note(&curr->replacement, type);
   }
 
diff --git a/src/passes/Heap2Local.cpp b/src/passes/Heap2Local.cpp
@@ -1250,7 +1250,10 @@ struct Array2Struct : PostWalker<Array2Struct> {
     for (Index i = 0; i < numFields; i++) {
       fields.push_back(element);
     }
-    structType = Struct(fields);
+    TypeBuilder typeBuilder(1);
+    typeBuilder[0] = Struct(fields);
+    typeBuilder[0].setShared(arrayType.getShared());
+    structType = (*typeBuilder.build())[0];
 
     // Generate a StructNew to replace the ArrayNew*.
     if (auto* arrayNew = allocation->dynCast<ArrayNew>()) {
diff --git a/test/lit/basic/struct-cmpxchg-shared-expected.wast b/test/lit/basic/struct-cmpxchg-shared-expected.wast
@@ -0,0 +1,24 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py and should not be edited.
+
+;; RUN: wasm-opt -all %s -S -o -| filecheck %s
+
+(module
+  ;; CHECK:      (type $shared-struct (shared (struct (field (mut (ref null (shared eq)))))))
+  (type $shared-struct (shared (struct (field (mut (ref null (shared eq)))))))
+  ;; CHECK:      (func $cmpxchg-shared-expected (type $1) (param $shared-struct (ref $shared-struct))
+  ;; CHECK-NEXT:  (struct.atomic.rmw.cmpxchg $shared-struct 0
+  ;; CHECK-NEXT:   (local.get $shared-struct)
+  ;; CHECK-NEXT:   (struct.new_default $shared-struct)
+  ;; CHECK-NEXT:   (unreachable)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $cmpxchg-shared-expected (param $shared-struct (ref $shared-struct))
+    (struct.atomic.rmw.cmpxchg $shared-struct 0
+      (local.get $shared-struct)
+      ;; We should expect a shared eqref here, so we can parse this as written
+      ;; rather than dropping the operands and replacing them with unreachables.
+      (struct.new_default $shared-struct)
+      (unreachable)
+    )
+  )
+)
diff --git a/test/lit/passes/heap2local-rmw.wast b/test/lit/passes/heap2local-rmw.wast
@@ -1283,3 +1283,38 @@
     )
   )
 )
+
+(module
+  (type $array (shared (array i8)))
+  ;; CHECK:      (type $struct (shared (struct (field (mut (ref null (shared array)))))))
+  (type $struct (shared (struct (field (mut (ref null (shared array)))))))
+
+  ;; CHECK:      (type $1 (func (param (ref $struct))))
+
+  ;; CHECK:      (func $unreachable-shared-expected (type $1) (param $struct (ref $struct))
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (struct.atomic.rmw.cmpxchg $struct 0
+  ;; CHECK-NEXT:    (local.get $struct)
+  ;; CHECK-NEXT:    (block (result (ref null (shared none)))
+  ;; CHECK-NEXT:     (ref.null (shared none))
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (unreachable)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $unreachable-shared-expected (param $struct (ref $struct))
+    (drop
+      ;; This cmpxchg will not be optimized because it is unreachable.
+      (struct.atomic.rmw.cmpxchg $struct 0
+        (local.get $struct)
+        ;; This `expected` allocation does not escape, so it will be optimized.
+        ;; When we convert the array to a struct, we have to make sure it
+        ;; becomes a shared struct so that when we later optimize out the
+        ;; allocation, we know to replace it with a shared null. If we don't, we
+        ;; will end up with a non-shared null here, which would be invalid.
+        (array.new_fixed $array 0)
+        (unreachable)
+      )
+    )
+  )
+)
