Properly validate ref.cast when lacking a common supertype (#6741)

When lacking a common supertype the GLB operation makes the type of the cast
unreachable, which errors on getHeapType in the later code.

Fixes #6738

2 files changed, 25 insertions, 0 deletions

diff --git a/src/wasm/wasm-validator.cpp b/src/wasm/wasm-validator.cpp
index 287ab2e8f..3abb106b3 100644
--- a/src/wasm/wasm-validator.cpp
+++ b/src/wasm/wasm-validator.cpp
@@ -2780,6 +2780,21 @@ void FunctionValidator::visitRefCast(RefCast* curr) {
         curr->ref->type.isRef(), curr, "ref.cast ref must have ref type")) {
     return;
   }
+  // If the cast is unreachable but not the ref (we ruled out the former
+  // earlier), then the cast is unreachable because the cast type had no
+  // common supertype with the ref, which is invalid. This is the same as the
+  // check below us, but we must do it first (as getHeapType fails otherwise).
+  if (!shouldBeUnequal(
+        curr->type,
+        Type(Type::unreachable),
+        curr,
+        "ref.cast target type and ref type must have a common supertype")) {
+    return;
+  }
+  // Also error (more generically) on i32 and anything else invalid here.
+  if (!shouldBeTrue(curr->type.isRef(), curr, "ref.cast must have ref type")) {
+    return;
+  }
   shouldBeEqual(
     curr->type.getHeapType().getBottom(),
     curr->ref->type.getHeapType().getBottom(),
diff --git a/test/spec/ref_cast.wast b/test/spec/ref_cast.wast
index 927d82ebc..c51e6b057 100644
--- a/test/spec/ref_cast.wast
+++ b/test/spec/ref_cast.wast
@@ -170,6 +170,16 @@
   "common supertype"
 )
 
+(assert_invalid
+  (module
+    (type $t0 (struct))
+    (func (export "test-ref-cast-extern") (result anyref)
+      (ref.cast (ref extern) (struct.new $t0))
+    )
+  )
+  "common supertype"
+)
+
 (assert_malformed
   (module quote "(func (ref.cast i32 (unreachable)))")
   "expected reftype"