Validator: Check features for ref.null's type (#4677)

3 files changed, 26 insertions, 0 deletions

diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 22006a6a1..01196540b 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -3045,6 +3045,8 @@ HeapType TranslateToFuzzReader::getSubType(HeapType type) {
                  HeapType::data));
       case HeapType::eq:
         // TODO: nontrivial types as well.
+        assert(wasm.features.hasReferenceTypes());
+        assert(wasm.features.hasGC());
         return pick(HeapType::eq, HeapType::i31, HeapType::data);
       case HeapType::i31:
         return HeapType::i31;
diff --git a/src/wasm/wasm-validator.cpp b/src/wasm/wasm-validator.cpp
index 39eb996ea..c74d95fdd 100644
--- a/src/wasm/wasm-validator.cpp
+++ b/src/wasm/wasm-validator.cpp
@@ -1999,6 +1999,11 @@ void FunctionValidator::visitRefNull(RefNull* curr) {
                "ref.null requires reference-types to be enabled");
   shouldBeTrue(
     curr->type.isNullable(), curr, "ref.null types must be nullable");
+
+  // The type of the null must also be valid for the features.
+  shouldBeTrue(curr->type.getFeatures() <= getModule()->features,
+               curr->type,
+               "ref.null type should be allowed");
 }
 
 void FunctionValidator::visitRefIs(RefIs* curr) {
diff --git a/test/lit/validation/eqref.wast b/test/lit/validation/eqref.wast
new file mode 100644
index 000000000..78b6e75d2
--- /dev/null
+++ b/test/lit/validation/eqref.wast
@@ -0,0 +1,19 @@
+;; Test for eqref validating only with GC, and not just reference types, even
+;; when only declared in a null.
+
+;; RUN: not wasm-opt --enable-reference-types %s 2>&1 | filecheck %s --check-prefix NO-GC
+;; RUN:     wasm-opt --enable-reference-types --enable-gc %s -o - -S | filecheck %s --check-prefix GC
+
+;; NO-GC: ref.null type should be allowed
+
+;; GC:   (drop
+;; GC:    (ref.null eq)
+;; GC:   )
+
+(module
+  (func $foo
+    (drop
+      (ref.null eq)
+    )
+  )
+)