3 files changed, 18 insertions, 37 deletions

diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
index 831d80c04..828f80693 100644
--- a/src/tools/fuzzing/fuzzing.cpp
+++ b/src/tools/fuzzing/fuzzing.cpp
@@ -1984,17 +1984,7 @@ Expression* TranslateToFuzzReader::makeConstBasicRef(Type type) {
       // Choose a subtype we can materialize a constant for. We cannot
       // materialize non-nullable refs to func or i31 in global contexts.
       Nullability nullability = getSubType(type.getNullability());
-      HeapType subtype;
-      if (funcContext || nullability == Nullable) {
-        subtype = pick(FeatureOptions<HeapType>()
-                         .add(FeatureSet::ReferenceTypes, HeapType::func)
-                         .add(FeatureSet::ReferenceTypes | FeatureSet::GC,
-                              HeapType::func,
-                              HeapType::i31,
-                              HeapType::data));
-      } else {
-        subtype = HeapType::func;
-      }
+      HeapType subtype = oneIn(2) ? HeapType::i31 : HeapType::data;
       return makeConst(Type(subtype, nullability));
     }
     case HeapType::eq: {
@@ -2017,13 +2007,10 @@ Expression* TranslateToFuzzReader::makeConstBasicRef(Type type) {
     }
     case HeapType::i31: {
       assert(wasm.features.hasGC());
-      // i31.new is not allowed in initializer expressions.
-      if (funcContext) {
-        return builder.makeI31New(makeConst(Type::i32));
-      } else {
-        assert(type.isNullable());
+      if (type.isNullable() && oneIn(4)) {
         return builder.makeRefNull(type);
       }
+      return builder.makeI31New(makeConst(Type::i32));
     }
     case HeapType::data: {
       assert(wasm.features.hasGC());
@@ -2986,9 +2973,11 @@ Type TranslateToFuzzReader::getSingleConcreteType() {
                 .add(FeatureSet::SIMD, WeightedOption{Type::v128, Important})
                 .add(FeatureSet::ReferenceTypes,
                      Type(HeapType::func, Nullable),
-                     Type(HeapType::any, Nullable))
+                     Type(HeapType::ext, Nullable))
                 .add(FeatureSet::ReferenceTypes | FeatureSet::GC,
                      // Type(HeapType::func, NonNullable),
+                     // Type(HeapType::ext, NonNullable),
+                     Type(HeapType::any, Nullable),
                      // Type(HeapType::any, NonNullable),
                      Type(HeapType::eq, Nullable),
                      Type(HeapType::eq, NonNullable),
@@ -3000,8 +2989,7 @@ Type TranslateToFuzzReader::getSingleConcreteType() {
 
 Type TranslateToFuzzReader::getReferenceType() {
   return pick(FeatureOptions<Type>()
-                // Avoid Type::anyref without GC enabled, see
-                // TranslateToFuzzReader::getSingleConcreteType.
+                // TODO: Add externref here.
                 .add(FeatureSet::ReferenceTypes, Type(HeapType::func, Nullable))
                 .add(FeatureSet::ReferenceTypes | FeatureSet::GC,
                      Type(HeapType::func, NonNullable),
@@ -3102,14 +3090,9 @@ HeapType TranslateToFuzzReader::getSubType(HeapType type) {
         return HeapType::ext;
       case HeapType::any:
         // TODO: nontrivial types as well.
-        return pick(
-          FeatureOptions<HeapType>()
-            .add(FeatureSet::ReferenceTypes, HeapType::func /*, HeapType::ext*/)
-            .add(FeatureSet::ReferenceTypes | FeatureSet::GC,
-                 HeapType::any,
-                 HeapType::eq,
-                 HeapType::i31,
-                 HeapType::data));
+        assert(wasm.features.hasReferenceTypes());
+        assert(wasm.features.hasGC());
+        return pick(HeapType::any, HeapType::eq, HeapType::i31, HeapType::data);
       case HeapType::eq:
         // TODO: nontrivial types as well.
         assert(wasm.features.hasReferenceTypes());
diff --git a/src/tools/fuzzing/heap-types.cpp b/src/tools/fuzzing/heap-types.cpp
index 5a8f0fc0e..f5b5bdf9c 100644
--- a/src/tools/fuzzing/heap-types.cpp
+++ b/src/tools/fuzzing/heap-types.cpp
@@ -343,14 +343,10 @@ struct HeapTypeGeneratorImpl {
   }
 
   HeapType pickSubAny() {
-    switch (rand.upTo(4)) {
+    switch (rand.upTo(2)) {
       case 0:
-        return HeapType::func;
-      case 1:
         return HeapType::eq;
-      case 2:
-        return pickSubFunc();
-      case 3:
+      case 1:
         return pickSubEq();
     }
     WASM_UNREACHABLE("unexpected index");
diff --git a/src/wasm/wasm-type.cpp b/src/wasm/wasm-type.cpp
index f9ccea9f6..1bced53e4 100644
--- a/src/wasm/wasm-type.cpp
+++ b/src/wasm/wasm-type.cpp
@@ -584,8 +584,8 @@ std::optional<HeapType> getBasicHeapTypeLUB(HeapType::BasicHeapType a,
   }
   switch (a) {
     case HeapType::ext:
-      return {};
     case HeapType::func:
+      return {};
     case HeapType::any:
       return {HeapType::any};
     case HeapType::eq:
@@ -1072,6 +1072,10 @@ FeatureSet Type::getFeatures() const {
       }
       if (heapType.isBasic()) {
         switch (heapType.getBasic()) {
+          case HeapType::BasicHeapType::ext:
+          case HeapType::BasicHeapType::func:
+            return FeatureSet::ReferenceTypes;
+          case HeapType::BasicHeapType::any:
           case HeapType::BasicHeapType::eq:
           case HeapType::BasicHeapType::i31:
           case HeapType::BasicHeapType::data:
@@ -1081,7 +1085,6 @@ FeatureSet Type::getFeatures() const {
           case HeapType::stringview_wtf16:
           case HeapType::stringview_iter:
             return FeatureSet::ReferenceTypes | FeatureSet::Strings;
-          default: {}
         }
       }
       // Note: Technically typed function references also require the typed
@@ -1624,8 +1627,7 @@ bool SubTyper::isSubType(HeapType a, HeapType b) {
       case HeapType::func:
         return a.isSignature();
       case HeapType::any:
-        // TODO: exclude functions as well.
-        return a != HeapType::ext;
+        return a != HeapType::ext && !a.isFunction();
       case HeapType::eq:
         return a == HeapType::i31 || a.isData();
       case HeapType::i31: