[Custom Descriptors] Better handle unreachable ref.cast_desc (#7937)

Validate that the descriptor operand of ref.cast_desc is always a
descriptor reference (or a nullref or unreachable), even if the ref
operand and therefore the ref.cast_desc are unreachable. This removes an
edge case passes might otherwise have to consider where the descriptor
operand is not actually a descriptor. Update GTO to preserve this new
validation invariant.

Also print an unreachable ref.cast_desc instruction when we can
determine its type from a concrete, non-null descriptor operand rather
than bailing out and printing an unreachable block. This allows us to
preserve such IR through text round trips, which can help e.g. test case
reduction.

Author: tlively

src/passes/Print.cpp

@@ -321,7 +321,8 @@ struct PrintSExpression : public UnifiedExpressionVisitor<PrintSExpression> {
   void printUnreachableReplacement(Expression* curr);
   bool maybePrintUnreachableReplacement(Expression* curr, Type type);
   void visitRefCast(RefCast* curr) {
-    if (!maybePrintUnreachableReplacement(curr, curr->type)) {
+    if ((curr->desc && curr->desc->type != Type::unreachable) ||
+        !maybePrintUnreachableReplacement(curr, curr->type)) {
       visitExpression(curr);
     }
   }
@@ -2224,7 +2225,20 @@ struct PrintExpressionContents
     } else {
       printMedium(o, "ref.cast ");
     }
-    printType(curr->type);
+    if (curr->type != Type::unreachable) {
+      printType(curr->type);
+    } else {
+      // We can still recover a valid result type from the type of the
+      // descriptor.
+      auto described = curr->desc->type.getHeapType().getDescribedType();
+      if (described) {
+        printType(
+          Type(*described, NonNullable, curr->desc->type.getExactness()));
+      } else {
+        // Invalid, so it doesn't matter what we print.
+        printType(Type::unreachable);
+      }
+    }
   }
   void visitRefGetDesc(RefGetDesc* curr) {
     printMedium(o, "ref.get_desc ");

src/wasm/wasm-validator.cpp

@@ -2944,6 +2944,18 @@ void FunctionValidator::visitRefTest(RefTest* curr) {
 void FunctionValidator::visitRefCast(RefCast* curr) {
   shouldBeTrue(
     getModule()->features.hasGC(), curr, "ref.cast requires gc [--enable-gc]");
+
+  // Require descriptors to be valid even if the ref is unreachable.
+  if (curr->desc && curr->desc->type != Type::unreachable) {
+    auto descType = curr->desc->type;
+    bool isNull = descType.isNull();
+    bool isDescriptor =
+      descType.isRef() && descType.getHeapType().getDescribedType();
+    shouldBeTrue(isNull || isDescriptor,
+                 curr,
+                 "ref.cast_desc descriptor must be a descriptor reference");
+  }
+
   if (curr->type == Type::unreachable) {
     return;
   }
@@ -3006,11 +3018,7 @@ void FunctionValidator::visitRefCast(RefCast* curr) {
   }
 
   auto described = descriptor.getDescribedType();
-  if (!shouldBeTrue(bool(described),
-                    curr,
-                    "ref.cast_desc descriptor should have a described type")) {
-    return;
-  }
+  assert(described && "already checked descriptor");
   shouldBeEqual(*described,
                 curr->type.getHeapType(),
                 curr,

test/gtest/validator.cpp

@@ -22,6 +22,7 @@
 #include "support/string.h"
 #include "wasm-binary.h"
 #include "wasm-builder.h"
+#include "wasm-features.h"
 #include "wasm-validator.h"
 #include "gtest/gtest.h"
 
@@ -65,3 +66,27 @@ TEST(ValidatorTest, ReturnUnreachable) {
     WasmValidator::FlagValues::Globally | WasmValidator::FlagValues::Quiet;
   EXPECT_FALSE(WasmValidator{}.validate(func.get(), module, flags));
 }
+
+TEST(ValidatorTest, UnreachableCastDesc) {
+  // The parser will error trying to parse a ref.cast_desc with a non-matching
+  // descriptor type, so we must construct the IR directly to test the
+  // validator.
+  Module module;
+  module.features = FeatureSet::All;
+  Builder builder(module);
+
+  auto func = builder.makeFunction(
+    "func",
+    {},
+    Signature(Type::none, Type::none),
+    {},
+    builder.makeDrop(builder.makeRefCast(builder.makeUnreachable(),
+                                         builder.makeStructNew(Struct{}, {}),
+                                         Type::unreachable)));
+
+  ASSERT_EQ(func->body->type, Type(Type::unreachable));
+
+  auto flags =
+    WasmValidator::FlagValues::Globally | WasmValidator::FlagValues::Quiet;
+  EXPECT_FALSE(WasmValidator{}.validate(func.get(), module, flags));
+}