authorThomas Lively <7121787+tlively@users.noreply.github.com>2021-06-29 14:22:54 +0000
committerGitHub <noreply@github.com>2021-06-29 07:22:54 -0700
commit6ab05d914bbee87dd4a26f218a04e7ea918a2271 (patch)
tree33b529093b0a9ec1dab8390e4d938bcad4d02445 /src
parent6a2d7f989065820476268a2382db2eccf72aadd7 (diff)
Only set `supertype` if nominal typing is enabled (#3958)
The code for printing and emitting the experimental nominal type constructors added in #3933 assumes that supertypes were only returned from `getSuperType` when nominal typing was enabled. `getSuperType` in turn was assuming that the supertype field would only be set if nominal typing was enabled, but this was not the case. This bug caused use-after-free errors because equirecursive canonicalization left the supertype field pointing to a temporary HeapTypeInfo that would be freed at the end of parsing but then accessed during module writing. To fix the issue, only set `supertype` if nominal typing is enabled, as originally intended.
Diffstat (limited to 'src')
-rw-r--r--src/wasm/wasm-type.cpp8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/wasm/wasm-type.cpp b/src/wasm/wasm-type.cpp
index 9bae42e98..eb1bd14b1 100644
--- a/src/wasm/wasm-type.cpp
+++ b/src/wasm/wasm-type.cpp
@@ -2278,9 +2278,11 @@ Type TypeBuilder::getTempRttType(Rtt rtt) {
void TypeBuilder::setSubType(size_t i, size_t j) {
assert(i < size() && j < size() && "index out of bounds");
- HeapTypeInfo* sub = impl->entries[i].info.get();
- HeapTypeInfo* super = impl->entries[j].info.get();
- sub->supertype = super;
+ if (typeSystem == TypeSystem::Nominal) {
+ HeapTypeInfo* sub = impl->entries[i].info.get();
+ HeapTypeInfo* super = impl->entries[j].info.get();
+ sub->supertype = super;
+ }
}
namespace {
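Review bot: The added `if (typeSystem == TypeSystem::Nominal)` guard in `setSubType` carries a memory-safety invariant that is not written down in the function: `supertype` is a raw, non-owning `HeapTypeInfo*`, and per the commit message it dangles once equirecursive canonicalization frees the temporary it points to. A comment above the guard would keep a later edit from removing it, for example `// supertype is non-owning; outside nominal mode canonicalization frees the temporary HeapTypeInfo, so it must stay unset`. The guard reads `typeSystem` at call time, so it presumably relies on the type system not changing between type building and module writing; that is worth stating as well if it holds. Separately, the bounds check on `i` and `j` in the context line is an `assert`, which is compiled out under `NDEBUG`, so release builds index `impl->entries` unchecked.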