author | Alon Zakai <azakai@google.com> | 2023-06-08 08:26:07 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-06-08 15:26:07 +0000 |
commit | bffd98c80ef2d2ea20b49618e8e345406c8f451c (patch) | |
tree | 9a4b27ca5ae4f9a8ca925da978df151e0a05503f /src | |
parent | 1daa10fb356cb01d80eaa3fd13c8c1d9a53ea343 (diff) | |
TypeRefining: Fix a bug with chains of StructGets (#5757)

If we have

    (struct.get $A
      (struct.get $B

then if both types end up refined we may have a problem. If the inner one is
refined to emit nullref then the outer one no longer knows what type it is,
since it depends on the type of the ref child for that in our IR. We can't just
skip updating it, as the outside may depend on its new refined type to
validate. To avoid errors here, just make this code that is effectively
unreachable also actually unreachable.
Diffstat (limited to 'src')
-rw-r--r-- | src/passes/TypeRefining.cpp | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/src/passes/TypeRefining.cpp b/src/passes/TypeRefining.cpp index 87366e148..7fd039411 100644 --- a/src/passes/TypeRefining.cpp +++ b/src/passes/TypeRefining.cpp @@ -250,7 +250,29 @@ struct TypeRefining : public Pass { } void visitStructGet(StructGet* curr) { - if (curr->ref->type == Type::unreachable || curr->ref->type.isNull()) { + if (curr->ref->type == Type::unreachable) { + return; + } + + if (curr->ref->type.isNull()) { + // This get will trap. In theory we could leave this for later + // optimizations to do, but we must actually handle it here, because + // of the situation where this get's type is refined, and the input + // type is the result of a refining: + // + // (struct.get $A ;; should be refined to something + // (struct.get $B ;; just refined to nullref + // + // If the input has become a nullref then we can't just return out of + // this function, as we'd be leaving a struct.get of $A with the + // wrong type. But we can't find the right type since in Binaryen IR + // we use the ref's type to see what is being read, and that just + // turned into nullref. To avoid that corner case, just turn this code + // into unreachable code now, and the later refinalize will turn all + // the parents unreachable, avoiding any type-checking problems. + Builder builder(*getModule()); + replaceCurrent(builder.makeSequence(builder.makeDrop(curr->ref), + builder.makeUnreachable())); return; } |
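Review bot: the new `isNull()` branch depends on a later refinalize to propagate the `unreachable` it emits up to the parent `struct.get $A` (the expression that actually ends up with the stale type), but nothing in this hunk shows where that refinalize runs; a comment naming the exact place, or an assertion that it is scheduled, would make the dependency explicit so a future reordering of the pass does not quietly bring the validation failure back. Dropping `curr->ref` before the `unreachable` is the right shape, since the reference operand may carry side effects that must be kept. Since the diffstat shown here is limited to `src`, no test is visible; a regression test with exactly the nested `(struct.get $A (struct.get $B ...))` pattern from the comment, with both gets refined, would pin down the case this change targets.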