ReFinalize fix (#1742)

Handle a corner case in ReFinalize, which incrementally re-types code after changes. The problem is that if we need to figure out the type of a block, we look to the last element flowing out, or to breaks with values. If there is no such last element, and the breaks are not taken - they have unreachable values - then they don't tell us the block's proper type. We asserted that in such a case the block still had a type, and didn't handle this.

To fix it, we could look on the parent to see what type would fit. However, it seem simpler to just remove untaken breaks/switches as part of ReFinalization - they carry no useful info anyhow. After removing them, if the block has no other signal of a concrete type, it can just be unreachable.

This bug existed for at least 1.5 years - I didn't look back further. I think it was noticed by the fuzzer now due to recent fuzzing improvements and optimizer improvements, as I just saw this bug found a second time.

1 files changed, 6 insertions, 10 deletions

diff --git a/test/wasm2js/br.2asm.js b/test/wasm2js/br.2asm.js
index a877618a1..bea5cf57b 100644
--- a/test/wasm2js/br.2asm.js
+++ b/test/wasm2js/br.2asm.js
@@ -510,7 +510,7 @@ function asmFunc(global, env, buffer) {
  }
  
  function $54() {
-  var $0 = 0, $1_1 = 0;
+  var $0 = 0;
   block : {
    block0 : {
     $0 = 8;
@@ -523,10 +523,8 @@ function asmFunc(global, env, buffer) {
  function $55() {
   var $0 = 0, $1_1 = 0;
   block : {
-   block1 : {
-    $0 = 8;
-    break block;
-   };
+   $0 = 8;
+   break block;
   };
   return 1 + $0 | 0 | 0;
  }
@@ -541,12 +539,10 @@ function asmFunc(global, env, buffer) {
  }
  
  function $57() {
-  var $0 = 0, $1_1 = 0;
+  var $0 = 0;
   block : {
-   block2 : {
-    $0 = 8;
-    break block;
-   };
+   $0 = 8;
+   break block;
   };
   return 1 + $0 | 0 | 0;
  }