[Webkit-unassigned] [Bug 247536] New: [Wasm-GC] Fix some interactions between subtyping and recursion

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Nov 5 15:51:52 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=247536

            Bug ID: 247536
           Summary: [Wasm-GC] Fix some interactions between subtyping and
                    recursion
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

Recently both subtyping and recursive types were added for Wasm GC support. There are a few cases of interactions between these two features that don't quite work as intended. In particular, when the parent type of a `sub` declaration is a recursive type, the display-based subtyping check and also the structural subtyping check between type definitions can crash due to assertion failures.

Example test cases (can be added to `JSTests/wasm/gc/sub.js`):

```
  // This type-checks in the reference interpreter.
  instantiate(`
    (module
      (rec (type (func (result (ref 0)))))
      (rec (type (sub 0 (func (result (ref 1))))))
      (type (sub 1 (func (result (ref 1))))) ;; parent is a recursive subtype, whose parent is also a recursive type

      (func (result (ref null 0))
        (ref.null 2))
    )
  `);
```

Another example is from the Wasm GC spec tests:

```
  // This fails because during the structural type-check between a `sub` clause and its
  // parent, the parent is not a projection (because the recursion group has not been
  // created at that point), but then the recursive references cannot be resolved correctly.
  // This requires the structural type-check to bring in the entire recursion group and
  // expanding parent references if needed, or some variation on that strategy.
  instantiate(`
    (module
      (rec
        (type $t1 (func (param i32 (ref $t3))))
        (type $t2 (sub $t1 (func (param i32 (ref $t2)))))
        (type $t3 (sub $t2 (func (param i32 (ref $t1)))))
      )

      (func $f1 (param $r (ref $t1))
        (call $f1 (local.get $r)))
    )
  `);
```

The problems all seem to stem from `sub` clause parent references needing to point to the projection to the whole recursion group (and this also needs to be factored in for creating the displays for fast subtype checks).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221105/b72753d3/attachment-0001.htm>

More information about the webkit-unassigned mailing list