[Custom Descriptors] Fix accidental placeholder use in GTO (#7914)

tlively · web-flow · commit e6f3dec17730 · 2025-09-23T14:23:55.000-07:00
GTO inserts placeholder describee types by overriding getSortedTypes
and returning a list of types with extra structs added where the
placeholders will go. Previously we used the empty struct to reserve
space in the list for the placeholders, but when the empty struct was a
public type (and therefore did not appear after the placeholders in the
sorted list of rebuilt types), this had the unfortunate effect of
replacing the empty struct with one of the placeholders throughout the
module. This did not happen when the emptry struct was a private type
because then it would appear later in the list of sorted types and its
type-to-index mapping in GlobalTypeRewriter::rebuildTypes would be
updated to map to the non-placeholder index. When the type is public,
this later entry does not exist and the type ends up being mapped to the
placeholder index.

To fix the problem, change how we save space for placeholder describees
in the list of sorted types to ensure the placeholder is represented by
a private type that will appear later in the list of types. This will
ensure that the final mapping of types to indices will always map types
to the index of their "real" appearance rather than the index of a
placeholder type, and will also ensure that public types are never
mapped to anything else. Specifically, we now save space for a described
type using the descriptor type that will eventually describe it.

While refactoring this, also simplify things by placing the placeholder
describee types directly before their descriptor types in the sorted
list. This saves us from having to map from descriptor types to the
index of their placeholders since we can determine the placeholder's
index from its descriptor's index.
diff --git a/src/passes/GlobalTypeOptimization.cpp b/src/passes/GlobalTypeOptimization.cpp
@@ -31,7 +31,6 @@
 #include "ir/subtypes.h"
 #include "ir/type-updating.h"
 #include "pass.h"
-#include "support/insert_ordered.h"
 #include "support/permutations.h"
 #include "wasm-type-ordering.h"
 #include "wasm-type.h"
@@ -141,7 +140,7 @@ struct GlobalTypeOptimization : public Pass {
   // still need to be descriptors for their own subtypes and supertypes to be
   // valid. We will keep them descriptors by having them describe trivial new
   // placeholder types.
-  std::vector<HeapType> descriptorsOfPlaceholders;
+  std::unordered_set<HeapType> descriptorsOfPlaceholders;
 
   void run(Module* module) override {
     if (!module->features.hasGC()) {
@@ -465,15 +464,13 @@ struct GlobalTypeOptimization : public Pass {
       descPropagator.propagateToSuperAndSubTypes(remainingDesciptors);
 
       // Determine the set of descriptor types that will need placeholder
-      // describees. Do not iterate directly on remainingDescriptors because it
-      // is not deterministically ordered.
-      for (auto type : subTypes.types) {
-        if (auto it = remainingDesciptors.find(type);
-            it != remainingDesciptors.end() && it->second.value) {
+      // describees.
+      for (auto [type, kept] : remainingDesciptors) {
+        if (kept.value) {
           auto desc = type.getDescribedType();
           assert(desc);
           if (haveUnneededDescriptors.count(*desc)) {
-            descriptorsOfPlaceholders.push_back(type);
+            descriptorsOfPlaceholders.insert(type);
           }
         }
       }
@@ -497,31 +494,39 @@ struct GlobalTypeOptimization : public Pass {
   void updateTypes(Module& wasm) {
     class TypeRewriter : public GlobalTypeRewriter {
       GlobalTypeOptimization& parent;
-      InsertOrderedMap<HeapType, Index> placeholderIndices;
-      InsertOrderedMap<HeapType, Index>::iterator placeholderIt;
+      // Differentiate the first occurrence of a descriptor of a placeholder
+      // type, which is actually saving space for the placeholder itself, and
+      // the next occurrence, which is real.
+      bool sawPlaceholder = false;
 
     public:
       TypeRewriter(Module& wasm, GlobalTypeOptimization& parent)
-        : GlobalTypeRewriter(wasm), parent(parent),
-          placeholderIt(placeholderIndices.begin()) {}
+        : GlobalTypeRewriter(wasm), parent(parent) {}
 
       std::vector<HeapType> getSortedTypes(PredecessorGraph preds) override {
         auto types = GlobalTypeRewriter::getSortedTypes(std::move(preds));
-        // Some of the descriptors of placeholders may not end up being used at
-        // all, so we will not rebuild them. Record the used types that need
-        // placeholder describees and assign them placeholder indices.
-        std::unordered_set<HeapType> typeSet(types.begin(), types.end());
-        for (auto desc : parent.descriptorsOfPlaceholders) {
-          if (typeSet.count(desc)) {
-            placeholderIndices.insert({desc, placeholderIndices.size()});
+        // Intersperse placeholder types throughout the sorted types. Each
+        // descriptor type that needs a placeholder describee will be duplicated
+        // in the list of sorted types. The first appearance will be modified to
+        // become the placeholder describee and the subsequent appearance will
+        // be modified to describe the preceding placeholder. We represent the
+        // placeholder slots here using their intended descriptor types for two
+        // reasons: first, it lets us easily recognize the placeholder slots
+        // in modifyTypeBuilderEntry. Second, it ensures that the type-to-index
+        // mapping created in GlobalTypeRewriter::rebuiltTypes does not end up
+        // mapping the placeholder types to any index, since their mappings are
+        // immediately overwritten by the following "real" occurrences of the
+        // descriptor types.
+        std::vector<HeapType> typesWithPlaceholders;
+        for (auto type : types) {
+          if (parent.descriptorsOfPlaceholders.count(type)) {
+            // Insert the type an extra time to make space for the placeholder.
+            typesWithPlaceholders.push_back(type);
           }
+          typesWithPlaceholders.push_back(type);
         }
-        placeholderIt = placeholderIndices.begin();
-        // Prefix the types with placeholders to be overwritten with the
-        // placeholder describees.
-        HeapType placeholder = Struct{};
-        types.insert(types.begin(), placeholderIndices.size(), placeholder);
-        return types;
+
+        return typesWithPlaceholders;
       }
 
       void modifyStruct(HeapType oldStructType, Struct& struct_) override {
@@ -584,33 +589,36 @@ struct GlobalTypeOptimization : public Pass {
           return;
         }
 
-        // Until we've created all the placeholders, create a placeholder
-        // describee type for the next descriptor that needs one.
-        if (placeholderIt != placeholderIndices.end()) {
-          auto descriptor = placeholderIt->first;
-          typeBuilder[i].descriptor(getTempHeapType(descriptor));
-          typeBuilder[i].setShared(descriptor.getShared());
-
-          ++placeholderIt;
-          return;
+        // Remove an unneeded descriptor.
+        if (parent.haveUnneededDescriptors.count(oldType)) {
+          typeBuilder[i].descriptor(std::nullopt);
         }
 
         // Remove an unneeded describee or describe a placeholder type.
         if (auto described = oldType.getDescribedType()) {
           if (parent.haveUnneededDescriptors.count(*described)) {
-            if (auto it = placeholderIndices.find(oldType);
-                it != placeholderIndices.end()) {
-              typeBuilder[i].describes(typeBuilder[it->second]);
+            if (parent.descriptorsOfPlaceholders.count(oldType)) {
+              if (!sawPlaceholder) {
+                // This is the placeholder describee. Set its descriptor to be
+                // the succeeding real descriptor type.
+                typeBuilder[i] = Struct{};
+                typeBuilder[i].setShared(described->getShared());
+                typeBuilder[i].descriptor(typeBuilder[i + 1]);
+                typeBuilder[i].describes(std::nullopt);
+                typeBuilder[i].subTypeOf(std::nullopt);
+                sawPlaceholder = true;
+              } else {
+                // This is the real placedholder-describing descriptor type.
+                // Have it describe the preceding placeholder describee.
+                typeBuilder[i].describes(typeBuilder[i - 1]);
+                sawPlaceholder = false;
+              }
             } else {
+              // This type no longer needs its describee.
               typeBuilder[i].describes(std::nullopt);
             }
           }
         }
-
-        // Remove an unneeded descriptor.
-        if (parent.haveUnneededDescriptors.count(oldType)) {
-          typeBuilder.setDescriptor(i, std::nullopt);
-        }
       }
     };
 
diff --git a/test/lit/passes/gto-desc-tnh.wast b/test/lit/passes/gto-desc-tnh.wast
@@ -103,13 +103,13 @@
 (module
   (rec
     ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $0 (descriptor $A.desc (struct)))
-
-    ;; CHECK:       (type $A (sub (struct)))
+    ;; CHECK-NEXT:  (type $A (sub (struct)))
     ;; T_N_H:      (rec
     ;; T_N_H-NEXT:  (type $A (sub (struct)))
     (type $A (sub (descriptor $A.desc (struct))))
-    ;; CHECK:       (type $A.desc (sub (describes $0 (struct))))
+    ;; CHECK:       (type $1 (sub (descriptor $A.desc (struct))))
+
+    ;; CHECK:       (type $A.desc (sub (describes $1 (struct))))
     ;; T_N_H:       (type $A.desc (sub (struct)))
     (type $A.desc (sub (describes $A (struct ))))
 
@@ -155,13 +155,9 @@
 (module
   (rec
     ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $0 (descriptor $B.desc (struct)))
-
-    ;; CHECK:       (type $A (sub (descriptor $A.desc (struct))))
+    ;; CHECK-NEXT:  (type $A (sub (descriptor $A.desc (struct))))
     ;; T_N_H:      (rec
-    ;; T_N_H-NEXT:  (type $0 (descriptor $B.desc (struct)))
-
-    ;; T_N_H:       (type $A (sub (descriptor $A.desc (struct))))
+    ;; T_N_H-NEXT:  (type $A (sub (descriptor $A.desc (struct))))
     (type $A (sub (descriptor $A.desc (struct))))
     ;; CHECK:       (type $A.desc (sub (describes $A (struct))))
     ;; T_N_H:       (type $A.desc (sub (describes $A (struct))))
@@ -170,8 +166,12 @@
     ;; CHECK:       (type $B (sub (struct)))
     ;; T_N_H:       (type $B (sub (struct)))
     (type $B (sub (descriptor $B.desc (struct))))
-    ;; CHECK:       (type $B.desc (sub $A.desc (describes $0 (struct))))
-    ;; T_N_H:       (type $B.desc (sub $A.desc (describes $0 (struct))))
+    ;; CHECK:       (type $3 (sub (descriptor $B.desc (struct))))
+
+    ;; CHECK:       (type $B.desc (sub $A.desc (describes $3 (struct))))
+    ;; T_N_H:       (type $3 (sub (descriptor $B.desc (struct))))
+
+    ;; T_N_H:       (type $B.desc (sub $A.desc (describes $3 (struct))))
     (type $B.desc (sub $A.desc (describes $B (struct))))
   )
 
diff --git a/test/lit/passes/gto-desc.wast b/test/lit/passes/gto-desc.wast
@@ -869,11 +869,11 @@
 (module
   (rec
     ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $0 (descriptor $A.desc (struct)))
-
-    ;; CHECK:       (type $A (sub (struct)))
+    ;; CHECK-NEXT:  (type $A (sub (struct)))
     (type $A (sub (descriptor $A.desc (struct))))
-    ;; CHECK:       (type $A.desc (sub (describes $0 (struct))))
+    ;; CHECK:       (type $1 (sub (descriptor $A.desc (struct))))
+
+    ;; CHECK:       (type $A.desc (sub (describes $1 (struct))))
     (type $A.desc (sub (describes $A (struct))))
 
     ;; CHECK:       (type $B (sub $A (descriptor $B.desc (struct))))
@@ -950,18 +950,18 @@
 (module
   (rec
     ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $0 (descriptor $A.desc (struct)))
-
-    ;; CHECK:       (type $1 (descriptor $B.desc (struct)))
-
-    ;; CHECK:       (type $A (sub (struct)))
+    ;; CHECK-NEXT:  (type $A (sub (struct)))
     (type $A (sub (descriptor $A.desc (struct))))
-    ;; CHECK:       (type $A.desc (sub (describes $0 (struct))))
+    ;; CHECK:       (type $1 (sub (descriptor $A.desc (struct))))
+
+    ;; CHECK:       (type $A.desc (sub (describes $1 (struct))))
     (type $A.desc (sub (describes $A (struct))))
 
     ;; CHECK:       (type $B (sub $A (struct)))
     (type $B (sub $A (descriptor $B.desc (struct))))
-    ;; CHECK:       (type $B.desc (sub $A.desc (describes $1 (struct))))
+    ;; CHECK:       (type $4 (sub (descriptor $B.desc (struct))))
+
+    ;; CHECK:       (type $B.desc (sub $A.desc (describes $4 (struct))))
     (type $B.desc (sub $A.desc (describes $B (struct))))
 
     ;; CHECK:       (type $C (sub $B (descriptor $C.desc (struct))))
@@ -1079,11 +1079,11 @@
   )
   (rec
     ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $1 (descriptor $unused.desc (struct)))
-
-    ;; CHECK:       (type $unused (sub $public (struct)))
+    ;; CHECK-NEXT:  (type $unused (sub $public (struct)))
     (type $unused (sub $public (descriptor $unused.desc (struct))))
-    ;; CHECK:       (type $unused.desc (sub (describes $1 (struct))))
+    ;; CHECK:       (type $2 (sub (descriptor $unused.desc (struct))))
+
+    ;; CHECK:       (type $unused.desc (sub (describes $2 (struct))))
     (type $unused.desc (sub (describes $unused (struct))))
 
     ;; CHECK:       (type $used (sub $unused (descriptor $used.desc (struct))))
@@ -1116,11 +1116,11 @@
 (module
   (rec
     ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $0 (shared (descriptor $A.desc (struct))))
-
-    ;; CHECK:       (type $A (sub (shared (struct))))
+    ;; CHECK-NEXT:  (type $A (sub (shared (struct))))
     (type $A (sub (shared (descriptor $A.desc (struct)))))
-    ;; CHECK:       (type $A.desc (sub (shared (describes $0 (struct)))))
+    ;; CHECK:       (type $1 (sub (shared (descriptor $A.desc (struct)))))
+
+    ;; CHECK:       (type $A.desc (sub (shared (describes $1 (struct)))))
     (type $A.desc (sub (shared (describes $A (struct)))))
 
     ;; CHECK:       (type $B (sub $A (shared (descriptor $B.desc (struct)))))
@@ -1176,23 +1176,108 @@
 ;; Here we would optimize $unused with a placeholder, except that we don't
 ;; include it in the output at all because it is unused. We should not get
 ;; confused and try to emit a placeholder for it anyway.
+(module
+  (rec
+    ;; CHECK:      (rec
+    ;; CHECK-NEXT:  (type $public (sub (descriptor $public.desc (struct))))
+    (type $public (sub (descriptor $public.desc (struct))))
+    ;; CHECK:       (type $public.desc (sub (describes $public (struct))))
+    (type $public.desc (sub (describes $public (struct))))
+  )
+  (rec
+    (type $unused (descriptor $unused.desc (struct)))
+    (type $unused.desc (sub $public.desc (describes $unused (struct))))
+    ;; CHECK:      (type $private (struct))
+    (type $private (struct))
+  )
+
+  ;; CHECK:      (global $public (ref null $public) (ref.null none))
+  (global $public (export "public") (ref null $public) (ref.null none))
+  ;; CHECK:      (global $private (ref null $private) (ref.null none))
+  (global $private (ref null $private) (ref.null none))
+)
+
+;; Regression test for a bug where we accidentally replaced empty struct types
+;; with placeholders.
+;; CHECK:      (export "public" (global $public))
+(module
+  ;; CHECK:      (type $public (struct))
+  (type $public (struct))
+  (rec
+    ;; CHECK:      (rec
+    ;; CHECK-NEXT:  (type $super (sub (struct)))
+    (type $super (sub (descriptor $super.desc (struct))))
+    ;; CHECK:       (type $2 (sub (descriptor $super.desc (struct))))
+
+    ;; CHECK:       (type $super.desc (sub (describes $2 (struct))))
+    (type $super.desc (sub (describes $super (struct))))
+    ;; CHECK:       (type $sub (sub $super (descriptor $sub.desc (struct))))
+    (type $sub (sub $super (descriptor $sub.desc (struct))))
+    ;; CHECK:       (type $sub.desc (sub $super.desc (describes $sub (struct))))
+    (type $sub.desc (sub $super.desc (describes $sub (struct))))
+  )
+
+  ;; CHECK:       (type $6 (func (param (ref $sub))))
+
+  ;; CHECK:      (global $public (ref null $public) (ref.null none))
+  (global $public (export "public") (ref null $public) (ref.null none))
+
+  ;; CHECK:      (export "public" (global $public))
+
+  ;; CHECK:      (func $test (type $6) (param $sub (ref $sub))
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (ref.get_desc $sub
+  ;; CHECK-NEXT:    (local.get $sub)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (struct.new_default $public)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $test (param $sub (ref $sub))
+    ;; Use $sub's descriptor to keep it a descriptor. This forces $super.desc to
+    ;; describe a placeholder.
+    (drop
+      (ref.get_desc $sub
+        (local.get $sub)
+      )
+    )
+    ;; We should not accidentally replace this trivial struct with the
+    ;; placeholder, which would cause a validation failure because we do not
+    ;; supply a descriptor in this allocation.
+    (drop
+      (struct.new_default $public)
+    )
+  )
+)
+
+;; Regression test for a bug where a placeholder was not set up to be described
+;; by its intended descriptor if that intended descriptor also happened to have
+;; its own unneeded descriptor.
 (module
  (rec
   ;; CHECK:      (rec
-  ;; CHECK-NEXT:  (type $public (sub (descriptor $public.desc (struct))))
-  (type $public (sub (descriptor $public.desc (struct))))
+  ;; CHECK-NEXT:  (type $public (descriptor $public.desc (struct)))
+  (type $public (descriptor $public.desc (struct)))
   ;; CHECK:       (type $public.desc (sub (describes $public (struct))))
   (type $public.desc (sub (describes $public (struct))))
  )
  (rec
-  (type $unused (descriptor $unused.desc (struct)))
-  (type $unused.desc (sub $public.desc (describes $unused (struct))))
-  ;; CHECK:      (type $private (struct))
-  (type $private (struct))
+  ;; CHECK:      (rec
+  ;; CHECK-NEXT:  (type $private (struct))
+  (type $private (descriptor $private.desc (struct)))
+  ;; CHECK:       (type $3 (sub (descriptor $private.desc (struct))))
+
+  ;; CHECK:       (type $private.desc (sub $public.desc (describes $3 (struct))))
+  (type $private.desc (sub $public.desc (describes $private (descriptor $private.meta (struct)))))
+  ;; CHECK:       (type $private.meta (struct))
+  (type $private.meta (describes $private.desc (struct)))
  )
 
+ ;; Force $private.desc to remain a descriptor.
  ;; CHECK:      (global $public (ref null $public) (ref.null none))
  (global $public (export "public") (ref null $public) (ref.null none))
+
  ;; CHECK:      (global $private (ref null $private) (ref.null none))
  (global $private (ref null $private) (ref.null none))
 )
