Handle exact types on JS boundary in Unsubtyping (#8451)

By considering exactness of types flowing in from JS, we can optimize
more precisely because exact casts require fewer subtype relationships
to be kept.

Author: tlively

src/passes/Unsubtyping.cpp

@@ -171,9 +171,9 @@ struct TypeTree {
     // The index of the described and descriptor types, if they are necessary.
     std::optional<Index> described;
     std::optional<Index> descriptor;
-    // Whether this type might flow out to JS from a JS-called function or via
-    // extern.convert_any.
-    bool exposedToJS = false;
+    // Whether subtypes of this type might flow out to JS from a JS-called
+    // function or via extern.convert_any.
+    bool subtypesExposedToJS = false;
 
     Node(HeapType type, Index index) : type(type), parent(index) {}
   };
@@ -251,17 +251,17 @@ struct TypeTree {
     return std::nullopt;
   }
 
-  void setExposedToJS(HeapType type) {
+  void setSubtypesExposedToJS(HeapType type) {
     auto index = getIndex(type);
-    nodes[index].exposedToJS = true;
+    nodes[index].subtypesExposedToJS = true;
   }
 
-  bool isExposedToJS(HeapType type) const {
+  bool areSubtypesExposedToJS(HeapType type) const {
     auto index = maybeGetIndex(type);
     if (!index) {
       return false;
     }
-    return nodes[*index].exposedToJS;
+    return nodes[*index].subtypesExposedToJS;
   }
 
   struct SupertypeIterator {
@@ -614,13 +614,22 @@ struct Unsubtyping : Pass, Noter<Unsubtyping> {
     work.push_back({Kind::Descriptor, described, descriptor});
   }
 
-  void noteExposedToJS(HeapType type) {
-    types.setExposedToJS(type);
+  void noteExposedToJS(Type type) {
+    if (!type.isRef()) {
+      return;
+    }
+    noteExposedToJS(type.getHeapType(), type.getExactness());
+  }
+
+  void noteExposedToJS(HeapType type, Exactness exact = Inexact) {
     // Keep any descriptor that may configure a prototype.
     if (auto desc = type.getDescriptorType();
         desc && StructUtils::hasPossibleJSPrototypeField(*desc)) {
       noteDescriptor(type, *desc);
     }
+    if (exact == Inexact) {
+      types.setSubtypesExposedToJS(type);
+    }
   }
 
   void analyzePublicTypes(Module& wasm) {
@@ -653,9 +662,8 @@ struct Unsubtyping : Pass, Noter<Unsubtyping> {
     // prototypes.
     auto flowOut = [&](Type type) {
       if (Type::isSubType(type, anyref)) {
-        auto heapType = type.getHeapType();
-        noteSubtype(heapType, HeapType::any);
-        noteExposedToJS(heapType);
+        noteSubtype(type.getHeapType(), HeapType::any);
+        noteExposedToJS(type);
       }
     };
 
@@ -751,7 +759,7 @@ struct Unsubtyping : Pass, Noter<Unsubtyping> {
       Set<std::pair<HeapType, HeapType>> descriptors;
 
       // Observed externalized types.
-      Set<HeapType> exposedToJS;
+      Set<Type> exposedToJS;
     };
 
     struct Collector
@@ -854,7 +862,7 @@ struct Unsubtyping : Pass, Noter<Unsubtyping> {
         // extern.convert_any makes its operand type visible to JS, which may
         // require us to keep descriptors that configure prototypes.
         if (curr->op == ExternConvertAny && curr->value->type.isRef()) {
-          info.exposedToJS.insert(curr->value->type.getHeapType());
+          info.exposedToJS.insert(curr->value->type);
         }
       }
     };
@@ -945,7 +953,7 @@ struct Unsubtyping : Pass, Noter<Unsubtyping> {
     types.setSupertype(sub, super);
 
     // If the supertype is exposed to JS, the subtype potentially is as well.
-    if (types.isExposedToJS(super)) {
+    if (types.areSubtypesExposedToJS(super)) {
       noteExposedToJS(sub);
     }
 

test/lit/passes/unsubtyping-jsinterop.wast

@@ -542,6 +542,33 @@
   )
 )
 
+(module
+  ;; Same, but now with an exact type flowing in.
+  ;; CHECK:      (type $super (sub (struct)))
+  (type $super (sub (struct)))
+  (rec
+    ;; CHECK:      (rec
+    ;; CHECK-NEXT:  (type $sub (sub (descriptor $desc) (struct (field i32))))
+    (type $sub (sub $super (descriptor $desc) (struct (field i32))))
+    ;; CHECK:       (type $desc (describes $sub) (struct (field externref)))
+    (type $desc (describes $sub) (struct (field externref)))
+  )
+  ;; CHECK:      (type $3 (func (param (ref (exact $super))) (result anyref)))
+
+  ;; CHECK:      (export "test" (func $test))
+
+  ;; CHECK:      (func $test (type $3) (param $0 (ref (exact $super))) (result anyref)
+  ;; CHECK-NEXT:  (local $sub (ref null $sub))
+  ;; CHECK-NEXT:  (local.get $sub)
+  ;; CHECK-NEXT: )
+  (func $test (export "test") (param (ref (exact $super))) (result anyref)
+    (local $sub (ref null $sub))
+    ;; Now the cast when $super flows in from JS is exact, so we do not need to
+    ;; keep $sub a subtype of $super.
+    (local.get $sub)
+  )
+)
+
 (module
   ;; Imported function. Parameters flow out and results flow in.
   ;; CHECK:      (type $super (sub (struct)))
@@ -580,6 +607,44 @@
   )
 )
 
+(module
+  ;; Same, but now with an exact type flowing in.
+  ;; CHECK:      (type $super (sub (struct)))
+  (type $super (sub (struct)))
+  (rec
+    ;; CHECK:      (rec
+    ;; CHECK-NEXT:  (type $sub (sub (descriptor $desc) (struct (field i32))))
+    (type $sub (sub $super (descriptor $desc) (struct (field i32))))
+    ;; CHECK:       (type $desc (describes $sub) (struct (field externref)))
+    (type $desc (describes $sub) (struct (field externref)))
+  )
+  ;; CHECK:       (type $3 (func))
+
+  ;; CHECK:      (type $4 (func (param anyref) (result (ref (exact $super)))))
+
+  ;; CHECK:      (import "" "" (func $import (type $4) (param anyref) (result (ref (exact $super)))))
+  (import "" "" (func $import (param anyref) (result (ref (exact $super)))))
+  ;; CHECK:      (func $test (type $3)
+  ;; CHECK-NEXT:  (local $sub (ref null $sub))
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (call $import
+  ;; CHECK-NEXT:    (local.get $sub)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $test
+    (local $sub (ref null $sub))
+    ;; Now $sub flows out via the parameter and $super flows back in via the
+    ;; result. But because the cast on the way back in is exact, we do not need
+    ;; to keep $sub a subtype of $super.
+    (drop
+      (call $import
+        (local.get $sub)
+      )
+    )
+  )
+)
+
 (module
   ;; Exported immutable global flows out.
   ;; CHECK:      (type $super (sub (struct)))
@@ -678,6 +743,55 @@
   )
 )
 
+(module
+  ;; Same, but now with an exact global type.
+  ;; CHECK:      (type $super (sub (struct)))
+  (type $super (sub (struct)))
+  (rec
+    ;; CHECK:      (rec
+    ;; CHECK-NEXT:  (type $sub-in (sub (struct)))
+    (type $sub-in (sub $super (struct)))
+    ;; CHECK:       (type $sub-out (sub $super (struct (field i32))))
+    (type $sub-out (sub $super (descriptor $desc) (struct (field i32))))
+    (type $desc (describes $sub-out) (struct (field externref)))
+  )
+
+  ;; $super flows out via the exported global and also flows back in because the
+  ;; global is mutable.
+  ;; CHECK:       (type $3 (func (result anyref)))
+
+  ;; CHECK:       (type $4 (func (result (ref null $super))))
+
+  ;; CHECK:      (global $g (mut (ref null (exact $super))) (ref.null none))
+  (global $g (export "g") (mut (ref null (exact $super))) (ref.null none))
+
+  ;; CHECK:      (export "g" (global $g))
+
+  ;; CHECK:      (func $test-in (type $3) (result anyref)
+  ;; CHECK-NEXT:  (local $sub-in (ref null $sub-in))
+  ;; CHECK-NEXT:  (local.get $sub-in)
+  ;; CHECK-NEXT: )
+  (func $test-in (result anyref)
+    (local $sub-in (ref null $sub-in))
+    ;; This requires that $sub-in is a subtype of any. Since $super flows in
+    ;; from JS, it is cast from any to $super. But because that cast is exact,
+    ;; we do not need $sub-in to remain a subtype of $super.
+    (local.get $sub-in)
+  )
+
+  ;; CHECK:      (func $test-out (type $4) (result (ref null $super))
+  ;; CHECK-NEXT:  (local $sub-out (ref null $sub-out))
+  ;; CHECK-NEXT:  (local.get $sub-out)
+  ;; CHECK-NEXT: )
+  (func $test-out (result (ref null $super))
+    (local $sub-out (ref null $sub-out))
+    ;; This requires that $sub-out is a subtype of $super. Since only exact
+    ;; $super flows out to JS, $sub-out does not flow out and does not need to
+    ;; keep its descriptor.
+    (local.get $sub-out)
+  )
+)
+
 (module
   ;; Imported immutable global flows in.
   ;; CHECK:      (type $super (sub (struct)))
@@ -866,3 +980,50 @@
     (local.get $sub-out)
   )
 )
+
+(module
+  ;; Same, but with an exact table type.
+  ;; CHECK:      (type $super (sub (struct)))
+  (type $super (sub (struct)))
+  (rec
+    ;; CHECK:      (rec
+    ;; CHECK-NEXT:  (type $sub-in (sub (struct)))
+    (type $sub-in (sub $super (struct)))
+    ;; CHECK:       (type $sub-out (sub $super (struct (field i32))))
+    (type $sub-out (sub $super (descriptor $desc) (struct (field i32))))
+    (type $desc (describes $sub-out) (struct (field externref)))
+  )
+
+  ;; $super flows in via the imported table and also flows back out because
+  ;; tables are mutable.
+  ;; CHECK:       (type $3 (func (result anyref)))
+
+  ;; CHECK:       (type $4 (func (result (ref null $super))))
+
+  ;; CHECK:      (import "" "" (table $t 1 (ref null (exact $super))))
+  (import "" "" (table $t 1 (ref null (exact $super))))
+
+  ;; CHECK:      (func $test-in (type $3) (result anyref)
+  ;; CHECK-NEXT:  (local $sub-in (ref null $sub-in))
+  ;; CHECK-NEXT:  (local.get $sub-in)
+  ;; CHECK-NEXT: )
+  (func $test-in (result anyref)
+    (local $sub-in (ref null $sub-in))
+    ;; This requires that $sub-in is a subtype of any. Since $super flows in
+    ;; from JS, it is cast from any to $super. But because that cast is exact,
+    ;; we do not need $sub-in to remain a subtype of $super.
+    (local.get $sub-in)
+  )
+
+  ;; CHECK:      (func $test-out (type $4) (result (ref null $super))
+  ;; CHECK-NEXT:  (local $sub-out (ref null $sub-out))
+  ;; CHECK-NEXT:  (local.get $sub-out)
+  ;; CHECK-NEXT: )
+  (func $test-out (result (ref null $super))
+    (local $sub-out (ref null $sub-out))
+    ;; This requires that $sub-out is a subtype of $super. Since only exact
+    ;; $super flows out to JS, $sub-out does not flow out and does not need to
+    ;; keep its descriptor.
+    (local.get $sub-out)
+  )
+)