fix tail call mismutation

Author: kripken

src/tools/fuzzing/fuzzing.cpp

@@ -2428,6 +2428,12 @@ void TranslateToFuzzReader::mutateJSBoundary() {
       if (getModule()->getFunction(curr->target)->imported()) {
         map[curr->target].callImports.push_back(curr);
       }
+
+      // Return calls add a dependency similar to references: we cannot refine
+      // the callee without coordination with the caller.
+      if (curr->isReturn) {
+        map[curr->target].reffed = true;
+      }
     }
 
     void visitRefFunc(RefFunc* curr) { map[curr->func].reffed = true; }

test/unit/input/fuzz.wat

@@ -45,4 +45,25 @@
   (func $export-reffed (export "export-reffed") (param $0 i32) (param $1 anyref) (result eqref)
     (struct.new $A)
   )
+
+  ;; An export without a ref.func but that has a tail call, which also prevents
+  ;; us from refining its results. The called function and the caller both
+  ;; return nullref initially, and each might be refined to a conflicting type,
+  ;; if we are not careful here.
+
+  (func $tail-called (export "tail-called") (result nullref)
+    (ref.null $A)
+  )
+
+  (func $tail-caller (export "tail-caller") (param $x i32) (result nullref)
+    (if
+      (local.get $x)
+      (then
+        (return
+          (ref.null $B)
+        )
+      )
+    )
+    (return_call $tail-called)
+  )
 )