Implement bottom heap types (#5115)

These types, `none`, `nofunc`, and `noextern` are uninhabited, so references to
them can only possibly be null. To simplify the IR and increase type precision,
introduce new invariants that all `ref.null` instructions must be typed with one
of these new bottom types and that `Literals` have a bottom type iff they
represent null values. These new invariants requires several additional changes.

First, it is now possible that the `ref` or `target` child of a `StructGet`,
`StructSet`, `ArrayGet`, `ArraySet`, or `CallRef` instruction has a bottom
reference type, so it is not possible to determine what heap type annotation to
emit in the binary or text formats. (The bottom types are not valid type
annotations since they do not have indices in the type section.)

To fix that problem, update the printer and binary emitter to emit unreachables
instead of the instruction with undetermined type annotation. This is a valid
transformation because the only possible value that could flow into those
instructions in that case is null, and all of those instructions trap on nulls.

That fix uncovered a latent bug in the binary parser in which new unreachables
within unreachable code were handled incorrectly. This bug was not previously
found by the fuzzer because we generally stop emitting code once we encounter an
instruction with type `unreachable`. Now, however, it is possible to emit an
`unreachable` for instructions that do not have type `unreachable` (but are
known to trap at runtime), so we will continue emitting code. See the new
test/lit/parse-double-unreachable.wast for details.

Update other miscellaneous code that creates `RefNull` expressions and null
`Literals` to maintain the new invariants as well.

1 files changed, 12 insertions, 1 deletions

diff --git a/src/wasm-type.h b/src/wasm-type.h
index 940009cbe..dbdbe3d31 100644
--- a/src/wasm-type.h
+++ b/src/wasm-type.h
@@ -169,6 +169,8 @@ public:
   // is irrelevant. (For that reason, this is only the negation of isNullable()
   // on references, but both return false on non-references.)
   bool isNonNullable() const;
+  // Whether this type is only inhabited by null values.
+  bool isNull() const;
   bool isStruct() const;
   bool isArray() const;
   bool isDefaultable() const;
@@ -326,8 +328,11 @@ public:
     stringview_wtf8,
     stringview_wtf16,
     stringview_iter,
+    none,
+    noext,
+    nofunc,
   };
-  static constexpr BasicHeapType _last_basic_type = stringview_iter;
+  static constexpr BasicHeapType _last_basic_type = nofunc;
 
   // BasicHeapType can be implicitly upgraded to HeapType
   constexpr HeapType(BasicHeapType id) : id(id) {}
@@ -358,6 +363,7 @@ public:
   bool isSignature() const;
   bool isStruct() const;
   bool isArray() const;
+  bool isBottom() const;
 
   Signature getSignature() const;
   const Struct& getStruct() const;
@@ -371,6 +377,9 @@ public:
   // number of supertypes in its supertype chain.
   size_t getDepth() const;
 
+  // Get the bottom heap type for this heap type's hierarchy.
+  BasicHeapType getBottom() const;
+
   // Get the recursion group for this non-basic type.
   RecGroup getRecGroup() const;
   size_t getRecGroupIndex() const;
@@ -421,6 +430,8 @@ public:
   std::string toString() const;
 };
 
+inline bool Type::isNull() const { return isRef() && getHeapType().isBottom(); }
+
 // A recursion group consisting of one or more HeapTypes. HeapTypes with single
 // members are encoded without using any additional memory, which is why
 // `getHeapTypes` has to return a vector by value; it might have to create one