[GC] Fix casts of non-GC data (#3483)

kripken · web-flow · commit dc7184afcbdc · 2021-01-12T14:50:54.000-08:00
The code previously assumed it could always call getGCData, but
that assumes the input is an array or a struct. It could also be an
anyref etc. that contains something other than GC data.
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
@@ -1433,11 +1433,19 @@ class ExpressionRunner : public OverriddenVisitor<SubType, Flow> {
       return cast;
     }
     cast.originalRef = ref.getSingleValue();
-    auto gcData = cast.originalRef.getGCData();
-    if (!gcData) {
+    if (cast.originalRef.isNull()) {
       cast.outcome = cast.Null;
       return cast;
     }
+    // The input may not be a struct or an array; for example it could be an
+    // anyref of null (already handled above) or anything else (handled here,
+    // but this is for future use as atm the binaryen interpreter cannot
+    // represent external references).
+    if (!cast.originalRef.isGCData()) {
+      cast.outcome = cast.Failure;
+      return cast;
+    }
+    auto gcData = cast.originalRef.getGCData();
     auto refRtt = gcData->rtt;
     auto intendedRtt = rtt.getSingleValue();
     if (!refRtt.isSubRtt(intendedRtt)) {
diff --git a/test/passes/Oz_fuzz-exec_all-features.txt b/test/passes/Oz_fuzz-exec_all-features.txt
@@ -21,6 +21,8 @@
 [fuzz-exec] calling br_on_cast
 [LoggingExternalInterface logging 3]
 [trap unreachable]
+[fuzz-exec] calling cast-null-anyref-to-gc
+[LoggingExternalInterface logging 0]
 (module
  (type ${mut:i32} (struct (field (mut i32))))
  (type $none_=>_none (func))
@@ -32,6 +34,7 @@
  (export "arrays" (func $1))
  (export "rtts" (func $2))
  (export "br_on_cast" (func $3))
+ (export "cast-null-anyref-to-gc" (func $4))
  (func $0 (; has Stack IR ;)
   (local $0 (ref null ${mut:i32}))
   (call $log
@@ -194,6 +197,11 @@
   )
   (unreachable)
  )
+ (func $4 (; has Stack IR ;)
+  (call $log
+   (i32.const 0)
+  )
+ )
 )
 [fuzz-exec] calling structs
 [LoggingExternalInterface logging 0]
@@ -218,3 +226,5 @@
 [fuzz-exec] calling br_on_cast
 [LoggingExternalInterface logging 3]
 [trap unreachable]
+[fuzz-exec] calling cast-null-anyref-to-gc
+[LoggingExternalInterface logging 0]
diff --git a/test/passes/Oz_fuzz-exec_all-features.wast b/test/passes/Oz_fuzz-exec_all-features.wast
@@ -179,4 +179,15 @@
    )
   )
  )
+ (func "cast-null-anyref-to-gc"
+  ;; a null anyref is a literal which is not even of GC data, as it's not an
+  ;; array or a struct, so our casting code should not assume it is. it is ok
+  ;; to try to cast it, and the result should be 0.
+  (call $log
+   (ref.test $struct
+    (ref.null any)
+    (rtt.canon $struct)
+   )
+  )
+ )
 )

Original file line number	Diff line number	Diff line change
`@@ -179,4 +179,15 @@`
`179`	`179`	`)`
`180`	`180`	`)`
`181`	`181`	`)`
	`182`	`+ (func "cast-null-anyref-to-gc"`
	`183`	`+ ;; a null anyref is a literal which is not even of GC data, as it's not an`
	`184`	`+ ;; array or a struct, so our casting code should not assume it is. it is ok`
	`185`	`+ ;; to try to cast it, and the result should be 0.`
	`186`	`+ (call $log`
	`187`	`+ (ref.test $struct`
	`188`	`+ (ref.null any)`
	`189`	`+ (rtt.canon $struct)`
	`190`	`+ )`
	`191`	`+ )`
	`192`	`+ )`
`182`	`193`	`)`