RefFunc: Validate that the type is non-nullable, and avoid possible bugs in the builder (WebAssembly#3790)

kripken · web-flow · commit 8498027da4e0 · 2021-04-08T18:06:15.000-07:00
The builder can receive a HeapType so that callers don't need to set non-nullability
themselves.

Not NFC as some of the callers were in fact still making it nullable.
diff --git a/src/binaryen-c.cpp b/src/binaryen-c.cpp
@@ -1283,9 +1283,10 @@ BinaryenExpressionRef BinaryenRefAs(BinaryenModuleRef module,
 
 BinaryenExpressionRef
 BinaryenRefFunc(BinaryenModuleRef module, const char* func, BinaryenType type) {
+  // TODO: consider changing the C API to receive a heap type
   Type type_(type);
   return static_cast<Expression*>(
-    Builder(*(Module*)module).makeRefFunc(func, type_));
+    Builder(*(Module*)module).makeRefFunc(func, type_.getHeapType()));
 }
 
 BinaryenExpressionRef BinaryenRefEq(BinaryenModuleRef module,
@@ -3485,9 +3486,8 @@ BinaryenAddActiveElementSegment(BinaryenModuleRef module,
     if (func == nullptr) {
       Fatal() << "invalid function '" << funcNames[i] << "'.";
     }
-    Type type(HeapType(func->sig), Nullable);
     segment->data.push_back(
-      Builder(*(Module*)module).makeRefFunc(funcNames[i], type));
+      Builder(*(Module*)module).makeRefFunc(funcNames[i], func->sig));
   }
   return ((Module*)module)->addElementSegment(std::move(segment));
 }
@@ -3503,9 +3503,8 @@ BinaryenAddPassiveElementSegment(BinaryenModuleRef module,
     if (func == nullptr) {
       Fatal() << "invalid function '" << funcNames[i] << "'.";
     }
-    Type type(HeapType(func->sig), Nullable);
     segment->data.push_back(
-      Builder(*(Module*)module).makeRefFunc(funcNames[i], type));
+      Builder(*(Module*)module).makeRefFunc(funcNames[i], func->sig));
   }
   return ((Module*)module)->addElementSegment(std::move(segment));
 }
diff --git a/src/ir/module-splitting.cpp b/src/ir/module-splitting.cpp
@@ -105,8 +105,7 @@ template<class F> void forEachElement(Module& module, F f) {
 
 static RefFunc* makeRefFunc(Module& wasm, Function* func) {
   // FIXME: make the type NonNullable when we support it!
-  return Builder(wasm).makeRefFunc(func->name,
-                                   Type(HeapType(func->sig), Nullable));
+  return Builder(wasm).makeRefFunc(func->name, func->sig);
 }
 
 struct TableSlotManager {
diff --git a/src/ir/table-utils.h b/src/ir/table-utils.h
@@ -87,9 +87,7 @@ inline Index append(Table& table, Name name, Module& wasm) {
 
   auto* func = wasm.getFunctionOrNull(name);
   assert(func != nullptr && "Cannot append non-existing function to a table.");
-  // FIXME: make the type NonNullable when we support it!
-  auto type = Type(HeapType(func->sig), Nullable);
-  segment->data.push_back(Builder(wasm).makeRefFunc(name, type));
+  segment->data.push_back(Builder(wasm).makeRefFunc(name, func->sig));
   table.initial = table.initial + 1;
   return tableIndex;
 }
diff --git a/src/tools/fuzzing.h b/src/tools/fuzzing.h
@@ -738,7 +738,7 @@ class TranslateToFuzzReader {
     }
     // add some to an elem segment
     while (oneIn(3) && !finishedInput) {
-      auto type = Type(HeapType(func->sig), Nullable);
+      auto type = Type(HeapType(func->sig), NonNullable);
       std::vector<ElementSegment*> compatibleSegments;
       ModuleUtils::iterActiveElementSegments(
         wasm, [&](ElementSegment* segment) {
@@ -747,8 +747,7 @@ class TranslateToFuzzReader {
           }
         });
       auto& randomElem = compatibleSegments[upTo(compatibleSegments.size())];
-      // FIXME: make the type NonNullable when we support it!
-      randomElem->data.push_back(builder.makeRefFunc(func->name, type));
+      randomElem->data.push_back(builder.makeRefFunc(func->name, func->sig));
     }
     numAddedFunctions++;
     return func;
@@ -1523,10 +1522,9 @@ class TranslateToFuzzReader {
     for (const auto& type : target->sig.params) {
       args.push_back(make(type));
     }
-    auto targetType = Type(HeapType(target->sig), NonNullable);
     // TODO: half the time make a completely random item with that type.
     return builder.makeCallRef(
-      builder.makeRefFunc(target->name, targetType), args, type, isReturn);
+      builder.makeRefFunc(target->name, target->sig), args, type, isReturn);
   }
 
   Expression* makeLocalGet(Type type) {
@@ -2115,8 +2113,7 @@ class TranslateToFuzzReader {
         if (!wasm.functions.empty() && !oneIn(wasm.functions.size())) {
           target = pick(wasm.functions).get();
         }
-        auto type = Type(HeapType(target->sig), Nullable);
-        return builder.makeRefFunc(target->name, type);
+        return builder.makeRefFunc(target->name, target->sig);
       }
       if (type == Type::i31ref) {
         return builder.makeI31New(makeConst(Type::i32));
@@ -2138,7 +2135,7 @@ class TranslateToFuzzReader {
       // TODO: randomize the order
       for (auto& func : wasm.functions) {
         if (type == Type(HeapType(func->sig), NonNullable)) {
-          return builder.makeRefFunc(func->name, type);
+          return builder.makeRefFunc(func->name, func->sig);
         }
       }
       // We failed to find a function, so create a null reference if we can.
@@ -2160,7 +2157,7 @@ class TranslateToFuzzReader {
         sig,
         {},
         builder.makeUnreachable()));
-      return builder.makeRefFunc(func->name, type);
+      return builder.makeRefFunc(func->name, heapType);
     }
     if (type.isRtt()) {
       return builder.makeRtt(type);
diff --git a/src/wasm-builder.h b/src/wasm-builder.h
@@ -618,10 +618,10 @@ class Builder {
     ret->finalize();
     return ret;
   }
-  RefFunc* makeRefFunc(Name func, Type type) {
+  RefFunc* makeRefFunc(Name func, HeapType heapType) {
     auto* ret = wasm.allocator.alloc<RefFunc>();
     ret->func = func;
-    ret->finalize(type);
+    ret->finalize(Type(heapType, NonNullable));
     return ret;
   }
   RefEq* makeRefEq(Expression* left, Expression* right) {
@@ -870,7 +870,7 @@ class Builder {
       return makeRefNull(type);
     }
     if (type.isFunction()) {
-      return makeRefFunc(value.getFunc(), type);
+      return makeRefFunc(value.getFunc(), type.getHeapType());
     }
     if (type.isRtt()) {
       return makeRtt(value.type);
diff --git a/src/wasm/wasm-binary.cpp b/src/wasm/wasm-binary.cpp
@@ -2856,8 +2856,7 @@ void WasmBinaryBuilder::readElementSegments() {
         Index index = getU32LEB();
         auto sig = getSignatureByFunctionIndex(index);
         // Use a placeholder name for now
-        auto* refFunc = Builder(wasm).makeRefFunc(
-          Name::fromInt(index), Type(HeapType(sig), Nullable));
+        auto* refFunc = Builder(wasm).makeRefFunc(Name::fromInt(index), sig);
         functionRefs[index].push_back(refFunc);
         segmentData.push_back(refFunc);
       }
diff --git a/src/wasm/wasm-s-parser.cpp b/src/wasm/wasm-s-parser.cpp
@@ -3354,8 +3354,8 @@ ElementSegment* SExpressionWasmBuilder::parseElemFinish(
   } else {
     for (; i < s.size(); i++) {
       auto func = getFunctionName(*s[i]);
-      segment->data.push_back(Builder(wasm).makeRefFunc(
-        func, Type(HeapType(functionSignatures[func]), Nullable)));
+      segment->data.push_back(
+        Builder(wasm).makeRefFunc(func, functionSignatures[func]));
     }
   }
   return wasm.addElementSegment(std::move(segment));
diff --git a/src/wasm/wasm-validator.cpp b/src/wasm/wasm-validator.cpp
@@ -2001,6 +2001,8 @@ void FunctionValidator::visitRefFunc(RefFunc* curr) {
   shouldBeTrue(curr->type.isFunction(),
                curr,
                "ref.func must have a function reference type");
+  shouldBeTrue(
+    !curr->type.isNullable(), curr, "ref.func must have non-nullable type");
   // TODO: verify it also has a typed function references type, and the right
   // one,
   //   curr->type.getHeapType().getSignature()
diff --git a/test/binaryen.js/expressions.js b/test/binaryen.js/expressions.js
@@ -1448,7 +1448,9 @@ console.log("# RefFunc");
   assert(theRefFunc instanceof binaryen.RefFunc);
   assert(theRefFunc instanceof binaryen.Expression);
   assert(theRefFunc.func === func);
-  assert(theRefFunc.type === binaryen.funcref);
+  // TODO: check the type. the type is (ref func), that is, a non-nullable func,
+  //       which differs from funcref. we don't have the ability to create such
+  //       a type in the C/JS APIs yet.
 
   theRefFunc.func = func = "b";
   assert(theRefFunc.func === func);

Original file line number	Diff line number	Diff line change
`@@ -1283,9 +1283,10 @@ BinaryenExpressionRef BinaryenRefAs(BinaryenModuleRef module,`
`1283`	`1283`
`1284`	`1284`	`BinaryenExpressionRef`
`1285`	`1285`	`BinaryenRefFunc(BinaryenModuleRef module, const char* func, BinaryenType type) {`
	`1286`	`+ // TODO: consider changing the C API to receive a heap type`
`1286`	`1287`	`Type type_(type);`
`1287`	`1288`	`return static_cast<Expression*>(`
`1288`		`- Builder((Module)module).makeRefFunc(func, type_));`
	`1289`	`+ Builder((Module)module).makeRefFunc(func, type_.getHeapType()));`
`1289`	`1290`	`}`
`1290`	`1291`
`1291`	`1292`	`BinaryenExpressionRef BinaryenRefEq(BinaryenModuleRef module,`
`@@ -3485,9 +3486,8 @@ BinaryenAddActiveElementSegment(BinaryenModuleRef module,`
`3485`	`3486`	`if (func == nullptr) {`
`3486`	`3487`	`Fatal() << "invalid function '" << funcNames[i] << "'.";`
`3487`	`3488`	`}`
`3488`		`- Type type(HeapType(func->sig), Nullable);`
`3489`	`3489`	`segment->data.push_back(`
`3490`		`- Builder((Module)module).makeRefFunc(funcNames[i], type));`
	`3490`	`+ Builder((Module)module).makeRefFunc(funcNames[i], func->sig));`
`3491`	`3491`	`}`
`3492`	`3492`	`return ((Module*)module)->addElementSegment(std::move(segment));`
`3493`	`3493`	`}`
`@@ -3503,9 +3503,8 @@ BinaryenAddPassiveElementSegment(BinaryenModuleRef module,`
`3503`	`3503`	`if (func == nullptr) {`
`3504`	`3504`	`Fatal() << "invalid function '" << funcNames[i] << "'.";`
`3505`	`3505`	`}`
`3506`		`- Type type(HeapType(func->sig), Nullable);`
`3507`	`3506`	`segment->data.push_back(`
`3508`		`- Builder((Module)module).makeRefFunc(funcNames[i], type));`
	`3507`	`+ Builder((Module)module).makeRefFunc(funcNames[i], func->sig));`
`3509`	`3508`	`}`
`3510`	`3509`	`return ((Module*)module)->addElementSegment(std::move(segment));`
`3511`	`3510`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,8 +105,7 @@ template<class F> void forEachElement(Module& module, F f) {`
`105`	`105`
`106`	`106`	`static RefFunc* makeRefFunc(Module& wasm, Function* func) {`
`107`	`107`	`// FIXME: make the type NonNullable when we support it!`
`108`		`- return Builder(wasm).makeRefFunc(func->name,`
`109`		`- Type(HeapType(func->sig), Nullable));`
	`108`	`+ return Builder(wasm).makeRefFunc(func->name, func->sig);`
`110`	`109`	`}`
`111`	`110`
`112`	`111`	`struct TableSlotManager {`
Original file line number	Diff line number	Diff line change
`@@ -738,7 +738,7 @@ class TranslateToFuzzReader {`
`738`	`738`	`}`
`739`	`739`	`// add some to an elem segment`
`740`	`740`	`while (oneIn(3) && !finishedInput) {`
`741`		`- auto type = Type(HeapType(func->sig), Nullable);`
	`741`	`+ auto type = Type(HeapType(func->sig), NonNullable);`
`742`	`742`	`std::vector<ElementSegment*> compatibleSegments;`
`743`	`743`	`ModuleUtils::iterActiveElementSegments(`
`744`	`744`	`wasm, [&](ElementSegment* segment) {`
`@@ -747,8 +747,7 @@ class TranslateToFuzzReader {`
`747`	`747`	`}`
`748`	`748`	`});`
`749`	`749`	`auto& randomElem = compatibleSegments[upTo(compatibleSegments.size())];`
`750`		`- // FIXME: make the type NonNullable when we support it!`
`751`		`- randomElem->data.push_back(builder.makeRefFunc(func->name, type));`
	`750`	`+ randomElem->data.push_back(builder.makeRefFunc(func->name, func->sig));`
`752`	`751`	`}`
`753`	`752`	`numAddedFunctions++;`
`754`	`753`	`return func;`
`@@ -1523,10 +1522,9 @@ class TranslateToFuzzReader {`
`1523`	`1522`	`for (const auto& type : target->sig.params) {`
`1524`	`1523`	`args.push_back(make(type));`
`1525`	`1524`	`}`
`1526`		`- auto targetType = Type(HeapType(target->sig), NonNullable);`
`1527`	`1525`	`// TODO: half the time make a completely random item with that type.`
`1528`	`1526`	`return builder.makeCallRef(`
`1529`		`- builder.makeRefFunc(target->name, targetType), args, type, isReturn);`
	`1527`	`+ builder.makeRefFunc(target->name, target->sig), args, type, isReturn);`
`1530`	`1528`	`}`
`1531`	`1529`
`1532`	`1530`	`Expression* makeLocalGet(Type type) {`
`@@ -2115,8 +2113,7 @@ class TranslateToFuzzReader {`
`2115`	`2113`	`if (!wasm.functions.empty() && !oneIn(wasm.functions.size())) {`
`2116`	`2114`	`target = pick(wasm.functions).get();`
`2117`	`2115`	`}`
`2118`		`- auto type = Type(HeapType(target->sig), Nullable);`
`2119`		`- return builder.makeRefFunc(target->name, type);`
	`2116`	`+ return builder.makeRefFunc(target->name, target->sig);`
`2120`	`2117`	`}`
`2121`	`2118`	`if (type == Type::i31ref) {`
`2122`	`2119`	`return builder.makeI31New(makeConst(Type::i32));`
`@@ -2138,7 +2135,7 @@ class TranslateToFuzzReader {`
`2138`	`2135`	`// TODO: randomize the order`
`2139`	`2136`	`for (auto& func : wasm.functions) {`
`2140`	`2137`	`if (type == Type(HeapType(func->sig), NonNullable)) {`
`2141`		`- return builder.makeRefFunc(func->name, type);`
	`2138`	`+ return builder.makeRefFunc(func->name, func->sig);`
`2142`	`2139`	`}`
`2143`	`2140`	`}`
`2144`	`2141`	`// We failed to find a function, so create a null reference if we can.`
`@@ -2160,7 +2157,7 @@ class TranslateToFuzzReader {`
`2160`	`2157`	`sig,`
`2161`	`2158`	`{},`
`2162`	`2159`	`builder.makeUnreachable()));`
`2163`		`- return builder.makeRefFunc(func->name, type);`
	`2160`	`+ return builder.makeRefFunc(func->name, heapType);`
`2164`	`2161`	`}`
`2165`	`2162`	`if (type.isRtt()) {`
`2166`	`2163`	`return builder.makeRtt(type);`
Original file line number	Diff line number	Diff line change
`@@ -618,10 +618,10 @@ class Builder {`
`618`	`618`	`ret->finalize();`
`619`	`619`	`return ret;`
`620`	`620`	`}`
`621`		`- RefFunc* makeRefFunc(Name func, Type type) {`
	`621`	`+ RefFunc* makeRefFunc(Name func, HeapType heapType) {`
`622`	`622`	`auto* ret = wasm.allocator.alloc<RefFunc>();`
`623`	`623`	`ret->func = func;`
`624`		`- ret->finalize(type);`
	`624`	`+ ret->finalize(Type(heapType, NonNullable));`
`625`	`625`	`return ret;`
`626`	`626`	`}`
`627`	`627`	`RefEq* makeRefEq(Expression* left, Expression* right) {`
`@@ -870,7 +870,7 @@ class Builder {`
`870`	`870`	`return makeRefNull(type);`
`871`	`871`	`}`
`872`	`872`	`if (type.isFunction()) {`
`873`		`- return makeRefFunc(value.getFunc(), type);`
	`873`	`+ return makeRefFunc(value.getFunc(), type.getHeapType());`
`874`	`874`	`}`
`875`	`875`	`if (type.isRtt()) {`
`876`	`876`	`return makeRtt(value.type);`
Original file line number	Diff line number	Diff line change
`@@ -3354,8 +3354,8 @@ ElementSegment* SExpressionWasmBuilder::parseElemFinish(`
`3354`	`3354`	`} else {`
`3355`	`3355`	`for (; i < s.size(); i++) {`
`3356`	`3356`	`auto func = getFunctionName(*s[i]);`
`3357`		`- segment->data.push_back(Builder(wasm).makeRefFunc(`
`3358`		`- func, Type(HeapType(functionSignatures[func]), Nullable)));`
	`3357`	`+ segment->data.push_back(`
	`3358`	`+ Builder(wasm).makeRefFunc(func, functionSignatures[func]));`
`3359`	`3359`	`}`
`3360`	`3360`	`}`
`3361`	`3361`	`return wasm.addElementSegment(std::move(segment));`