GUFA: Fix handling of public tags (#7278)

kripken · web-flow · commit 3ec10245f7b8 · 2025-02-11T14:44:40.000-08:00
When a tag is imported or exported, it might be written to (an exception
thrown with a value in the tag) from the outside, so we should not
assume it is unreachable.
diff --git a/src/ir/possible-contents.cpp b/src/ir/possible-contents.cpp
@@ -2309,6 +2309,26 @@ Flower::Flower(Module& wasm, const PassOptions& options)
     }
   }
 
+  // Exported/imported tags are modifiable from the outside. TODO: should that
+  // not be possible in closed world?
+  std::unordered_set<Name> publicTags;
+  for (auto& tag : wasm.tags) {
+    if (tag->imported()) {
+      publicTags.insert(tag->name);
+    }
+  }
+  for (auto& ex : wasm.exports) {
+    if (ex->kind == ExternalKind::Tag) {
+      publicTags.insert(ex->value);
+    }
+  }
+  for (auto tag : publicTags) {
+    auto params = wasm.getTag(tag)->params();
+    for (Index i = 0; i < params.size(); i++) {
+      roots[TagLocation{tag, i}] = PossibleContents::fromType(params[i]);
+    }
+  }
+
 #ifdef POSSIBLE_CONTENTS_DEBUG
   std::cout << "struct phase\n";
 #endif
diff --git a/test/lit/passes/gufa-cast-all.wast b/test/lit/passes/gufa-cast-all.wast
@@ -146,3 +146,155 @@
     )
   )
 )
+
+;; Imported tags may be written to from places we do not see.
+(module
+  ;; CHECK:      (type $0 (func (param i32)))
+
+  ;; CHECK:      (type $1 (func))
+
+  ;; CHECK:      (import "fuzzing-support" "throw" (func $throw (type $0) (param i32)))
+  (import "fuzzing-support" "throw" (func $throw (param i32)))
+  ;; CHECK:      (import "fuzzing-support" "tag" (tag $tag (type $0) (param i32)))
+  (import "fuzzing-support" "tag" (tag $tag (param i32)))
+
+  ;; CHECK:      (export "func" (func $func))
+
+  ;; CHECK:      (func $func (type $1)
+  ;; CHECK-NEXT:  (try
+  ;; CHECK-NEXT:   (do
+  ;; CHECK-NEXT:    (call $throw
+  ;; CHECK-NEXT:     (i32.const 1)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (catch $tag
+  ;; CHECK-NEXT:    (drop
+  ;; CHECK-NEXT:     (pop i32)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $func (export "func")
+    (try
+      (do
+        (call $throw
+          (i32.const 1)
+        )
+      )
+      (catch $tag
+        ;; If we thought no value was possible to pop here (if no exception were
+        ;; created of this tag) then we'd put an unreachable after it. As it is
+        ;; imported, a value might be there, so we do not.
+        (drop
+          (pop i32)
+        )
+      )
+    )
+  )
+)
+
+;; As above, but with an exported tag. Also test a tag with multiple params.
+(module
+  ;; CHECK:      (type $0 (func (param i32 f64)))
+
+  ;; CHECK:      (type $1 (func (param i32)))
+
+  ;; CHECK:      (type $2 (func))
+
+  ;; CHECK:      (import "fuzzing-support" "throw" (func $throw (type $1) (param i32)))
+  (import "fuzzing-support" "throw" (func $throw (param i32)))
+
+  ;; CHECK:      (tag $tag (type $0) (param i32 f64))
+  (tag $tag (param i32 f64))
+
+  ;; CHECK:      (export "func" (func $func))
+
+  ;; CHECK:      (export "tag" (tag $tag))
+  (export "tag" (tag $tag))
+
+  ;; CHECK:      (func $func (type $2)
+  ;; CHECK-NEXT:  (try
+  ;; CHECK-NEXT:   (do
+  ;; CHECK-NEXT:    (call $throw
+  ;; CHECK-NEXT:     (i32.const 1)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (catch $tag
+  ;; CHECK-NEXT:    (tuple.drop 2
+  ;; CHECK-NEXT:     (pop (tuple i32 f64))
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $func (export "func")
+    (try
+      (do
+        (call $throw
+          (i32.const 1)
+        )
+      )
+      (catch $tag
+        ;; Once more, we do not optimize to unreachable here.
+        (tuple.drop 2
+          (pop (tuple i32 f64))
+        )
+      )
+    )
+  )
+)
+
+;; Private tags are optimizable.
+(module
+  ;; CHECK:      (type $0 (func (param i32)))
+
+  ;; CHECK:      (type $1 (func))
+
+  ;; CHECK:      (import "fuzzing-support" "throw" (func $throw (type $0) (param i32)))
+  (import "fuzzing-support" "throw" (func $throw (param i32)))
+
+  ;; CHECK:      (tag $tag (type $0) (param i32))
+  (tag $tag (param i32))
+
+  ;; CHECK:      (export "func" (func $func))
+
+  ;; CHECK:      (func $func (type $1)
+  ;; CHECK-NEXT:  (local $0 i32)
+  ;; CHECK-NEXT:  (try
+  ;; CHECK-NEXT:   (do
+  ;; CHECK-NEXT:    (call $throw
+  ;; CHECK-NEXT:     (i32.const 1)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (catch $tag
+  ;; CHECK-NEXT:    (local.set $0
+  ;; CHECK-NEXT:     (pop i32)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (drop
+  ;; CHECK-NEXT:     (block
+  ;; CHECK-NEXT:      (drop
+  ;; CHECK-NEXT:       (local.get $0)
+  ;; CHECK-NEXT:      )
+  ;; CHECK-NEXT:      (unreachable)
+  ;; CHECK-NEXT:     )
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $func (export "func")
+    (try
+      (do
+        (call $throw
+          (i32.const 1)
+        )
+      )
+      (catch $tag
+        ;; The tag is neither imported nor exported, so we can optimize to
+        ;; unreachable.
+        (drop
+          (pop i32)
+        )
+      )
+    )
+  )
+)
+
