[Custom Descriptors] Fix descriptor subtyping rules

We previously allowed one descriptor type to be a subtype of another
descriptor type even if their described types were unrelated, but this
was unsound because it let descriptor casts successfully cast the type
described by the descriptor subtype to the unrelated type described by
the descriptor supertype.

Fix the soundness problem by requiring that the type described by the
supertype descriptor be the declared supertype of the type described by
the subtype descriptor.

Update the heap type fuzzer to avoid emitting newly invalid types. Also
update tests for various passes to make them valid or delete them if
they were testing situations that can no longer happen.

Author: tlively

src/tools/fuzzing/heap-types.cpp

@@ -196,24 +196,22 @@ struct HeapTypeGeneratorImpl {
     assert(remaining >= numPlannedDescriptors);
     size_t remainingUncommitted = remaining - numPlannedDescriptors;
 
-    if (!super && i >= numRoots && rand.oneIn(2)) {
-      // Try to pick a supertype. The supertype must be a descriptor type if and
-      // only if we are currently generating a descriptor type. Furthermore, we
-      // must have space left in the current chain if it exists, or else in the
-      // rec group, to mirror the supertype's descriptor chain, if it has one.
-      // Finally, if this is a descriptor, the sharedness of the described type
-      // and supertype must match.
-      size_t maxChain =
-        isDescriptor ? descriptorChainLengths[i] : remainingUncommitted;
+    // Possibly choose a supertype. If the current type is a descriptor type,
+    // then either we already determined its supertype based on its described
+    // type, or there is no valid supertype to give it. A valid supertype would
+    // have to describe the supertype of the current described type, but if the
+    // supertype chain had such an entry, we would already have found it above.
+    if (!super && !isDescriptor && i >= numRoots && rand.oneIn(2)) {
+      // Try to pick a supertype. The supertype must not be a descriptor type,
+      // and we must have space left in the rec group to mirror the supertype's
+      // descriptor chain, if it has one.
       std::vector<Index> candidates;
       candidates.reserve(i);
       for (Index candidate = 0; candidate < i; ++candidate) {
-        bool descMatch = bool(describedIndices[candidate]) == isDescriptor;
-        bool chainMatch = descriptorChainLengths[candidate] <= maxChain;
-        bool shareMatch = !isDescriptor ||
-                          HeapType(builder[candidate]).getShared() ==
-                            HeapType(builder[*describedIndices[i]]).getShared();
-        if (descMatch && chainMatch && shareMatch) {
+        if (describedIndices[candidate]) {
+          continue;
+        }
+        if (descriptorChainLengths[candidate] <= remainingUncommitted) {
           candidates.push_back(candidate);
         }
       }

src/wasm/wasm-type.cpp

@@ -2389,10 +2389,12 @@ bool isValidSupertype(const HeapTypeInfo& sub, const HeapTypeInfo& super) {
       return false;
     }
   }
-  // A supertype of a type must have a describes clause iff the type has a
-  // describes clause.
-  if (bool(sub.described) != bool(super.described)) {
-    return false;
+  // A supertype of a type with a (describes $x) clause must have a (describes
+  // $y) clause where $y is the declared supertype of $x.
+  if (sub.described) {
+    if (!super.described || sub.described->supertype != super.described) {
+      return false;
+    }
   }
   SubTyper typer;
   switch (sub.kind) {

test/lit/fuzz-types.test

@@ -3,58 +3,62 @@
 ;; CHECK:      Running with seed 0
 ;; CHECK-NEXT: Built 20 types:
 ;; CHECK-NEXT: (rec
-;; CHECK-NEXT:  (type $0 (sub (shared (array (mut i32)))))
-;; CHECK-NEXT:  (type $1 (sub (shared (array (ref null $7)))))
-;; CHECK-NEXT:  (type $2 (sub (shared (func (result (ref $0))))))
-;; CHECK-NEXT:  (type $3 (sub $0 (shared (array (mut i32)))))
-;; CHECK-NEXT:  (type $4 (sub (array f32)))
-;; CHECK-NEXT:  (type $5 (sub $0 (shared (array (mut i32)))))
-;; CHECK-NEXT:  (type $6 (sub $2 (shared (func (result (ref $3))))))
-;; CHECK-NEXT:  (type $7 (sub (shared (descriptor $9 (struct (field (mut f32)) (field f64) (field (mut i32)))))))
-;; CHECK-NEXT:  (type $8 (sub $2 (shared (func (result (ref $0))))))
-;; CHECK-NEXT:  (type $9 (shared (describes $7 (descriptor $12 (struct (field (ref $5)) (field i64) (field (mut f32)) (field (mut (ref null $0))) (field (mut f64)) (field i64))))))
-;; CHECK-NEXT:  (type $10 (sub (struct (field i8) (field f32))))
-;; CHECK-NEXT:  (type $11 (sub (shared (struct (field i64) (field v128) (field (mut i16)) (field i32) (field (mut (ref (shared array))))))))
-;; CHECK-NEXT:  (type $12 (shared (describes $9 (struct))))
+;; CHECK-NEXT:  (type $0 (sub (shared (array i8))))
+;; CHECK-NEXT:  (type $1 (shared (array (ref $1))))
+;; CHECK-NEXT:  (type $2 (sub (shared (func (param i64 (ref null $5) i64) (result (ref $2))))))
+;; CHECK-NEXT:  (type $3 (sub $0 (shared (array i8))))
+;; CHECK-NEXT:  (type $4 (sub (array (ref null $9))))
+;; CHECK-NEXT:  (type $5 (sub final $0 (shared (array i8))))
+;; CHECK-NEXT:  (type $6 (sub $2 (shared (func (param i64 (ref null (shared eq)) i64) (result (ref $8))))))
+;; CHECK-NEXT:  (type $7 (sub (shared (descriptor $9 (struct (field (ref null $7)) (field (mut i64)) (field (mut i8)) (field i32) (field (mut i32)))))))
+;; CHECK-NEXT:  (type $8 (sub $2 (shared (func (param i64 (ref null $0) i64) (result (ref $8))))))
+;; CHECK-NEXT:  (type $9 (shared (describes $7 (descriptor $12 (struct (field i32) (field (mut (ref $8))) (field f64))))))
+;; CHECK-NEXT:  (type $10 (sub (array (mut externref))))
+;; CHECK-NEXT:  (type $11 (sub $4 (array (ref $9))))
+;; CHECK-NEXT:  (type $12 (sub (shared (describes $9 (struct (field (mut f64)) (field (mut i32)) (field (mut f64)))))))
 ;; CHECK-NEXT: )
-;; CHECK-NEXT: (type $13 (array (ref $11)))
 ;; CHECK-NEXT: (rec
-;; CHECK-NEXT:  (type $14 (sub final $10 (struct (field i8) (field f32) (field (ref null (shared any))))))
-;; CHECK-NEXT:  (type $15 (sub (shared (struct (field i64) (field (ref (shared array))) (field (ref $0)) (field (mut i32)) (field i64)))))
+;; CHECK-NEXT:  (type $13 (sub (struct (field (mut i16)) (field i64) (field (mut (ref (shared func)))))))
+;; CHECK-NEXT:  (type $14 (sub (shared (array (ref null $14)))))
 ;; CHECK-NEXT: )
 ;; CHECK-NEXT: (rec
-;; CHECK-NEXT:  (type $16 (sub (shared (struct (field (ref $1))))))
-;; CHECK-NEXT:  (type $17 (sub $5 (shared (array (mut i32)))))
-;; CHECK-NEXT:  (type $18 (sub final $3 (shared (array (mut i32)))))
+;; CHECK-NEXT:  (type $15 (shared (array (ref null (shared extern)))))
+;; CHECK-NEXT:  (type $16 (sub final $14 (shared (array (ref null $16)))))
+;; CHECK-NEXT: )
+;; CHECK-NEXT: (rec
+;; CHECK-NEXT:  (type $17 (shared (struct (field (mut (ref null $2))) (field i32) (field (mut (ref $14))))))
+;; CHECK-NEXT:  (type $18 (sub $11 (array (ref $9))))
+;; CHECK-NEXT:  (type $19 (sub $2 (shared (func (param i64 (ref null $0) i64) (result (ref $6))))))
 ;; CHECK-NEXT: )
-;; CHECK-NEXT: (type $19 (sub final $16 (shared (struct (field (ref $1)) (field (mut v128)) (field (mut (ref $17))) (field v128)))))
 ;; CHECK-NEXT: 
 ;; CHECK-NEXT: Inhabitable types:
 ;; CHECK-NEXT: 
 ;; CHECK-NEXT: Built 20 types:
 ;; CHECK-NEXT: (rec
-;; CHECK-NEXT:  (type $0 (sub (shared (array (mut i32)))))
-;; CHECK-NEXT:  (type $1 (sub (shared (array (ref null $7)))))
-;; CHECK-NEXT:  (type $2 (sub (shared (func (result (ref $0))))))
-;; CHECK-NEXT:  (type $3 (sub $0 (shared (array (mut i32)))))
-;; CHECK-NEXT:  (type $4 (sub (array f32)))
-;; CHECK-NEXT:  (type $5 (sub $0 (shared (array (mut i32)))))
-;; CHECK-NEXT:  (type $6 (sub $2 (shared (func (result (ref $3))))))
-;; CHECK-NEXT:  (type $7 (sub (shared (descriptor $9 (struct (field (mut f32)) (field f64) (field (mut i32)))))))
-;; CHECK-NEXT:  (type $8 (sub $2 (shared (func (result (ref $0))))))
-;; CHECK-NEXT:  (type $9 (shared (describes $7 (descriptor $12 (struct (field (ref $5)) (field i64) (field (mut f32)) (field (mut (ref null $0))) (field (mut f64)) (field i64))))))
-;; CHECK-NEXT:  (type $10 (sub (struct (field i8) (field f32))))
-;; CHECK-NEXT:  (type $11 (sub (shared (struct (field i64) (field v128) (field (mut i16)) (field i32) (field (mut (ref (shared array))))))))
-;; CHECK-NEXT:  (type $12 (shared (describes $9 (struct))))
+;; CHECK-NEXT:  (type $0 (sub (shared (array i8))))
+;; CHECK-NEXT:  (type $1 (shared (array (ref null $1))))
+;; CHECK-NEXT:  (type $2 (sub (shared (func (param i64 (ref null $5) i64) (result (ref $2))))))
+;; CHECK-NEXT:  (type $3 (sub $0 (shared (array i8))))
+;; CHECK-NEXT:  (type $4 (sub (array (ref null $9))))
+;; CHECK-NEXT:  (type $5 (sub final $0 (shared (array i8))))
+;; CHECK-NEXT:  (type $6 (sub $2 (shared (func (param i64 (ref null (shared eq)) i64) (result (ref $8))))))
+;; CHECK-NEXT:  (type $7 (sub (shared (descriptor $9 (struct (field (ref null $7)) (field (mut i64)) (field (mut i8)) (field i32) (field (mut i32)))))))
+;; CHECK-NEXT:  (type $8 (sub $2 (shared (func (param i64 (ref null $0) i64) (result (ref $8))))))
+;; CHECK-NEXT:  (type $9 (shared (describes $7 (descriptor $12 (struct (field i32) (field (mut (ref $8))) (field f64))))))
+;; CHECK-NEXT:  (type $10 (sub (array (mut externref))))
+;; CHECK-NEXT:  (type $11 (sub $4 (array (ref $9))))
+;; CHECK-NEXT:  (type $12 (sub (shared (describes $9 (struct (field (mut f64)) (field (mut i32)) (field (mut f64)))))))
 ;; CHECK-NEXT: )
-;; CHECK-NEXT: (type $13 (array (ref $11)))
 ;; CHECK-NEXT: (rec
-;; CHECK-NEXT:  (type $14 (sub final $10 (struct (field i8) (field f32) (field (ref null (shared any))))))
-;; CHECK-NEXT:  (type $15 (sub (shared (struct (field i64) (field (ref (shared array))) (field (ref $0)) (field (mut i32)) (field i64)))))
+;; CHECK-NEXT:  (type $13 (sub (struct (field (mut i16)) (field i64) (field (mut (ref (shared func)))))))
+;; CHECK-NEXT:  (type $14 (sub (shared (array (ref null $14)))))
 ;; CHECK-NEXT: )
 ;; CHECK-NEXT: (rec
-;; CHECK-NEXT:  (type $16 (sub (shared (struct (field (ref $1))))))
-;; CHECK-NEXT:  (type $17 (sub $5 (shared (array (mut i32)))))
-;; CHECK-NEXT:  (type $18 (sub final $3 (shared (array (mut i32)))))
+;; CHECK-NEXT:  (type $15 (shared (array (ref null (shared extern)))))
+;; CHECK-NEXT:  (type $16 (sub final $14 (shared (array (ref null $16)))))
 ;; CHECK-NEXT: )
-;; CHECK-NEXT: (type $19 (sub final $16 (shared (struct (field (ref $1)) (field (mut v128)) (field (mut (ref $17))) (field v128)))))
+;; CHECK-NEXT: (rec
+;; CHECK-NEXT:  (type $17 (shared (struct (field (mut (ref null $2))) (field i32) (field (mut (ref $14))))))
+;; CHECK-NEXT:  (type $18 (sub $11 (array (ref $9))))
+;; CHECK-NEXT:  (type $19 (sub $2 (shared (func (param i64 (ref null $0) i64) (result (ref $6))))))
+;; CHECK-NEXT: )

test/lit/passes/abstract-type-refining-desc.wast

@@ -850,19 +850,19 @@
   ;; invalid allocations of its described type.
   (rec
     ;; YESTNH:      (rec
-    ;; YESTNH-NEXT:  (type $struct (descriptor $uninstantiated (struct)))
+    ;; YESTNH-NEXT:  (type $struct (sub (descriptor $uninstantiated (struct))))
     ;; NO_TNH:      (rec
-    ;; NO_TNH-NEXT:  (type $struct (descriptor $uninstantiated (struct)))
-    (type $struct (descriptor $uninstantiated (struct)))
+    ;; NO_TNH-NEXT:  (type $struct (sub (descriptor $uninstantiated (struct))))
+    (type $struct (sub (descriptor $uninstantiated (struct))))
     ;; YESTNH:       (type $uninstantiated (sub (describes $struct (struct))))
     ;; NO_TNH:       (type $uninstantiated (sub (describes $struct (struct))))
     (type $uninstantiated (sub (describes $struct (struct))))
-    ;; YESTNH:       (type $other (descriptor $instantiated (struct)))
-    ;; NO_TNH:       (type $other (descriptor $instantiated (struct)))
-    (type $other (descriptor $instantiated (struct)))
-    ;; YESTNH:       (type $instantiated (sub $uninstantiated (describes $other (struct))))
-    ;; NO_TNH:       (type $instantiated (sub $uninstantiated (describes $other (struct))))
-    (type $instantiated (sub $uninstantiated (describes $other (struct))))
+    ;; YESTNH:       (type $sub (sub $struct (descriptor $instantiated (struct))))
+    ;; NO_TNH:       (type $sub (sub $struct (descriptor $instantiated (struct))))
+    (type $sub (sub $struct (descriptor $instantiated (struct))))
+    ;; YESTNH:       (type $instantiated (sub $uninstantiated (describes $sub (struct))))
+    ;; NO_TNH:       (type $instantiated (sub $uninstantiated (describes $sub (struct))))
+    (type $instantiated (sub $uninstantiated (describes $sub (struct))))
   )
 
   ;; YESTNH:       (type $4 (func (result (ref $struct))))

test/lit/passes/type-merging-desc.wast

@@ -434,59 +434,3 @@
   ;; CHECK:      (export "public" (global $public))
   (export "public" (global $public))
 )
-
-(module
-  ;; In principle we could merge the $B chain into the $A chain, because $A and
-  ;; $B are mergeable as siblings and $B.desc is mergeable into its supertype
-  ;; A.desc. However we do not currently do this kind of merge in either phase.
-  (rec
-    ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $A (sub (descriptor $A.desc (struct))))
-    (type $A (sub (descriptor $A.desc (struct))))
-    ;; CHECK:       (type $A.desc (sub (describes $A (struct))))
-    (type $A.desc (sub (describes $A (struct))))
-    ;; CHECK:       (type $B (sub (descriptor $B.desc (struct))))
-    (type $B (sub (descriptor $B.desc (struct))))
-    ;; CHECK:       (type $B.desc (sub $A.desc (describes $B (struct))))
-    (type $B.desc (sub $A.desc (describes $B (struct))))
-  )
-
-  ;; CHECK:      (global $B.desc (ref null $B.desc) (ref.null none))
-  (global $B.desc (ref null $B.desc) (ref.null none))
-)
-
-(module
-  (rec
-    ;; Like above, but now we have an unrelated C chain. We have these chains:
-    ;;
-    ;; A -> A.desc
-    ;;        ^
-    ;; B -> B.desc
-    ;;
-    ;; C -> C.desc
-    ;;
-    ;; The C chain should not be considered a sibling of the B chain because
-    ;; C.desc is not a subtype of A.desc, even though they would look like
-    ;; siblings if you only considered the base type in the chain.
-    ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $A (descriptor $A.desc (struct)))
-    (type $A (descriptor $A.desc (struct)))
-    ;; CHECK:       (type $A.desc (sub (describes $A (struct))))
-    (type $A.desc (sub (describes $A (struct))))
-    ;; CHECK:       (type $B (descriptor $B.desc (struct)))
-    (type $B (descriptor $B.desc (struct)))
-    ;; CHECK:       (type $B.desc (sub $A.desc (describes $B (struct))))
-    (type $B.desc (sub $A.desc (describes $B (struct))))
-    ;; CHECK:       (type $C (descriptor $C.desc (struct)))
-    (type $C (descriptor $C.desc (struct)))
-    ;; CHECK:       (type $C.desc (describes $C (struct)))
-    (type $C.desc (describes $C (struct)))
-  )
-
-  ;; CHECK:      (global $C (ref null $C) (ref.null none))
-  (global $C (ref null $C) (ref.null none))
-
-  ;; This would become invalid if $B.desc were merged into $C.desc.
-  ;; CHECK:      (global $A.desc (ref null $A.desc) (struct.new_default $B.desc))
-  (global $A.desc (ref null $A.desc) (struct.new_default $B.desc))
-)

test/lit/passes/unsubtyping-desc.wast

@@ -1242,22 +1242,3 @@
     )
   )
 )
-
-(module
-;; This will be invalid soon, but in the meantime we should not be confused when
-;; the types described by two related descriptors are unrelated.
-  (rec
-    ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $A (descriptor $super (struct)))
-    (type $A (descriptor $super (struct)))
-    ;; CHECK:       (type $B (descriptor $sub (struct)))
-    (type $B (descriptor $sub (struct)))
-    ;; CHECK:       (type $super (sub (describes $A (struct))))
-    (type $super (sub (describes $A (struct))))
-    ;; CHECK:       (type $sub (sub $super (describes $B (struct))))
-    (type $sub (sub $super (describes $B (struct))))
-  )
-  ;; CHECK:      (global $public (ref null $B) (ref.null none))
-  (global $public (export "public") (ref null $B) (ref.null none))
-)
-;; CHECK:      (export "public" (global $public))

test/spec/descriptors.wast

@@ -95,16 +95,19 @@
   )
 )
 
-(module
-  (type $super (sub (struct)))
-  (rec
-    (type $other (sub (descriptor $super-desc (struct))))
-    (type $super-desc (sub (describes $other (struct))))
-  )
-  (rec
-    (type $sub (sub $super (descriptor $sub-desc (struct))))
-    (type $sub-desc (sub $super-desc (describes $sub (struct))))
+(assert_invalid
+  (module
+    (type $super (sub (struct)))
+    (rec
+      (type $other (sub (descriptor $super-desc (struct))))
+      (type $super-desc (sub (describes $other (struct))))
+    )
+    (rec
+      (type $sub (sub $super (descriptor $sub-desc (struct))))
+      (type $sub-desc (sub $super-desc (describes $sub (struct))))
+    )
   )
+  "supertype of descriptor type must describe supertype of described type"
 )
 
 (assert_invalid