Fix TypeGeneralizing stack corruption and crash (WebAssembly#8310)

sumleo · web-flow · commit e3adbad6e5f3 · 2026-02-12T11:32:19.000-08:00
## Summary

Two bugs in the experimental `TypeGeneralizing` pass's backward
analysis:

### 1. `visitStructSet` pushes non-ref field types onto the stack

`visitStructSet` unconditionally pushes the struct field type as a type
requirement onto the backward analysis stack (line 690). When the field
is a non-reference type (i32, f64, etc.), this corrupts the stack
because non-ref producers (like `visitConst`, `visitBinary`) are no-ops
that don't pop. The spurious non-ref value on the stack causes
subsequent `pop()` calls to retrieve wrong type requirements.

The analogous methods all correctly guard with `isRef()`:
- `visitArraySet` (line 792): `if (elemType.isRef())`
- `visitStructNew` (line 620): `if (field.type.isRef())`
- `handleCall` (line 364): `if (param.isRef())`

**Fix:** Add `if (fieldType.isRef())` guard before pushing.

### 2. `visitRefAs` crashes on `Type::none` from empty stack

When the backward analysis stack is empty (no downstream consumer
imposes a type requirement), `pop()` returns `Type::none`. `visitRefAs`
then calls `type.getHeapType()` on `Type::none`, triggering
`assert(isRef())` — crashing on any `ref.as_non_null` whose result is
dropped.

**Fix:** Check for `Type::none` before accessing heap type, and
propagate "no requirement" through.

Both bugs are in the experimental (not-yet-sound) pass and do not affect
production optimization pipelines.

## Test plan

- [x] New lit test `type-generalizing-fixes.wast` covering:
- `struct.set` on non-ref field followed by ref field (stack alignment)
  - `drop(ref.as_non_null(...))` (empty stack crash)
- `drop(any.convert_extern(extern.convert_any(...)))` (empty stack with
convert ops)
- [x] All 309 unit tests pass
diff --git a/src/passes/TypeGeneralizing.cpp b/src/passes/TypeGeneralizing.cpp
@@ -687,7 +687,10 @@ struct TransferFn : OverriddenVisitor<TransferFn> {
     }
     auto generalized = generalizeStructType(type, curr->index);
     push(Type(generalized, Nullable));
-    push(generalized.getStruct().fields[curr->index].type);
+    auto fieldType = generalized.getStruct().fields[curr->index].type;
+    if (fieldType.isRef()) {
+      push(fieldType);
+    }
   }
 
   void visitStructRMW(StructRMW* curr) { WASM_UNREACHABLE("TODO"); }
@@ -861,6 +864,11 @@ struct TransferFn : OverriddenVisitor<TransferFn> {
 
   void visitRefAs(RefAs* curr) {
     auto type = pop();
+    if (type == Type::none) {
+      // No downstream requirement, so no requirement for the input either.
+      push(Type::none);
+      return;
+    }
     switch (curr->op) {
       case RefAsNonNull:
         push(Type(type.getHeapType(), Nullable));
diff --git a/test/lit/passes/type-generalizing-fixes.wast b/test/lit/passes/type-generalizing-fixes.wast
@@ -0,0 +1,83 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --all-items and should not be edited.
+
+;; RUN: foreach %s %t wasm-opt --experimental-type-generalizing -all -S -o - | filecheck %s
+
+;; Test that visitStructSet correctly handles structs with non-ref fields
+;; without corrupting the backward analysis stack.
+(module
+  ;; CHECK:      (type $s (struct (field $x (mut i32)) (field $r (mut anyref))))
+  (type $s (struct (field $x (mut i32)) (field $r (mut anyref))))
+
+  ;; CHECK:      (type $1 (func (param (ref null $s) anyref)))
+
+  ;; CHECK:      (func $struct-set-nonref-field (type $1) (param $obj (ref null $s)) (param $r anyref)
+  ;; CHECK-NEXT:  (struct.set $s $x
+  ;; CHECK-NEXT:   (local.get $obj)
+  ;; CHECK-NEXT:   (i32.const 10)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (struct.set $s $r
+  ;; CHECK-NEXT:   (local.get $obj)
+  ;; CHECK-NEXT:   (local.get $r)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $struct-set-nonref-field (param $obj (ref null $s)) (param $r anyref)
+    ;; Setting a non-ref field (i32) should not push i32 onto the type
+    ;; requirement stack, which would corrupt subsequent ref type tracking.
+    (struct.set $s $x
+      (local.get $obj)
+      (i32.const 10)
+    )
+    (struct.set $s $r
+      (local.get $obj)
+      (local.get $r)
+    )
+  )
+)
+
+;; Test that visitRefAs handles the case where the stack is empty (no
+;; downstream type requirement) without crashing.
+(module
+  ;; CHECK:      (type $0 (func (param anyref)))
+
+  ;; CHECK:      (func $ref-as-non-null-dropped (type $0) (param $x anyref)
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (ref.as_non_null
+  ;; CHECK-NEXT:    (local.get $x)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $ref-as-non-null-dropped (param $x anyref)
+    ;; The result of ref.as_non_null is dropped, so no downstream type
+    ;; requirement exists. This should not crash.
+    (drop
+      (ref.as_non_null
+        (local.get $x)
+      )
+    )
+  )
+)
+
+;; Test extern.convert_any with dropped result.
+(module
+  ;; CHECK:      (type $0 (func (param anyref)))
+
+  ;; CHECK:      (func $any-convert-extern-dropped (type $0) (param $x anyref)
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (any.convert_extern
+  ;; CHECK-NEXT:    (extern.convert_any
+  ;; CHECK-NEXT:     (local.get $x)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $any-convert-extern-dropped (param $x anyref)
+    ;; Dropped extern.convert_any / any.convert_extern chain should not crash.
+    (drop
+      (any.convert_extern
+        (extern.convert_any
+          (local.get $x)
+        )
+      )
+    )
+  )
+)
