Validate descriptor declarations (#7392)

To ensure soundness, there are very particular rules about how described
and descriptor type declarations must relate to one another and their
supertypes. Implement and test these rules.

Author: tlively

src/wasm-type.h

@@ -816,6 +816,20 @@ struct TypeBuilder {
     InvalidFuncType,
     // A non-shared field of a shared heap type.
     InvalidUnsharedField,
+    // A describes clause on a non-struct type.
+    NonStructDescribes,
+    // The described type is an invalid forward reference.
+    ForwardDescribesReference,
+    // The described type does not have this type as a descriptor.
+    MismatchedDescribes,
+    // A descriptor clause on a non-struct type.
+    NonStructDescriptor,
+    // The descriptor type does not describe this type.
+    MismatchedDescriptor,
+    // A non-shared descriptor on a shared type.
+    InvalidUnsharedDescriptor,
+    // A non-shared type described by a shared type.
+    InvalidUnsharedDescribes,
   };
 
   struct Error {

src/wasm/wasm-type.cpp

@@ -1464,6 +1464,20 @@ std::ostream& operator<<(std::ostream& os, TypeBuilder::ErrorReason reason) {
       return os << "Continuation has invalid function type";
     case TypeBuilder::ErrorReason::InvalidUnsharedField:
       return os << "Heap type has an invalid unshared field";
+    case TypeBuilder::ErrorReason::NonStructDescribes:
+      return os << "Describes clause on a non-struct type";
+    case TypeBuilder::ErrorReason::ForwardDescribesReference:
+      return os << "Describes clause is a forward reference";
+    case TypeBuilder::ErrorReason::MismatchedDescribes:
+      return os << "Described type is not a matching descriptor";
+    case TypeBuilder::ErrorReason::NonStructDescriptor:
+      return os << "Descriptor clause on a non-struct type";
+    case TypeBuilder::ErrorReason::MismatchedDescriptor:
+      return os << "Descriptor type does not describe heap type";
+    case TypeBuilder::ErrorReason::InvalidUnsharedDescriptor:
+      return os << "Heap type has an invalid unshared descriptor";
+    case TypeBuilder::ErrorReason::InvalidUnsharedDescribes:
+      return os << "Heap type describes an invalid unshared type";
   }
   WASM_UNREACHABLE("Unexpected error reason");
 }
@@ -2370,6 +2384,25 @@ bool isValidSupertype(const HeapTypeInfo& sub, const HeapTypeInfo& super) {
   if (sub.kind != super.kind) {
     return false;
   }
+  if (sub.descriptor) {
+    // A supertype of a type with a (descriptor $x) must either not have a
+    // descriptor or have a (descriptor $y) where $y is the declared supertype
+    // of $x.
+    if (super.descriptor && sub.descriptor->supertype != super.descriptor) {
+      return false;
+    }
+  } else {
+    // A supertype of a type without a descriptor must also not have a
+    // descriptor.
+    if (super.descriptor) {
+      return false;
+    }
+  }
+  // A supertype of a type must have a describes clause iff the type has a
+  // describes clause.
+  if (bool(sub.described) != bool(super.described)) {
+    return false;
+  }
   SubTyper typer;
   switch (sub.kind) {
     case HeapTypeKind::Func:
@@ -2399,12 +2432,38 @@ validateType(HeapTypeInfo& info, std::unordered_set<HeapType>& seenTypes) {
       return TypeBuilder::ErrorReason::InvalidSupertype;
     }
   }
+  if (auto* desc = info.described) {
+    if (info.kind != HeapTypeKind::Struct) {
+      return TypeBuilder::ErrorReason::NonStructDescribes;
+    }
+    assert(desc->isTemp && "unexpected canonical described type");
+    if (!seenTypes.count(HeapType(uintptr_t(desc)))) {
+      return TypeBuilder::ErrorReason::ForwardDescribesReference;
+    }
+    if (desc->descriptor != &info) {
+      return TypeBuilder::ErrorReason::MismatchedDescribes;
+    }
+  }
+  if (auto* desc = info.descriptor) {
+    if (info.kind != HeapTypeKind::Struct) {
+      return TypeBuilder::ErrorReason::NonStructDescriptor;
+    }
+    if (desc->described != &info) {
+      return TypeBuilder::ErrorReason::MismatchedDescriptor;
+    }
+  }
   if (info.isContinuation()) {
     if (!info.continuation.type.isSignature()) {
       return TypeBuilder::ErrorReason::InvalidFuncType;
     }
   }
   if (info.share == Shared) {
+    if (info.described && info.described->share != Shared) {
+      return TypeBuilder::ErrorReason::InvalidUnsharedDescribes;
+    }
+    if (info.descriptor && info.descriptor->share != Shared) {
+      return TypeBuilder::ErrorReason::InvalidUnsharedDescriptor;
+    }
     switch (info.kind) {
       case HeapTypeKind::Func:
         // TODO: Figure out and enforce shared function rules.

test/spec/descriptors.wast

@@ -0,0 +1,158 @@
+(module
+  (rec
+    (type (descriptor 1 (struct)))
+    (type (describes 0 (struct)))
+  )
+)
+
+(assert_invalid
+  (module
+    (rec
+      (type (descriptor 1 (struct)))
+      (type (struct))
+    )
+  )
+  "descriptor with no matching describes"
+)
+
+
+(assert_invalid
+  (module
+    (rec
+      (type (struct))
+      (type (describes 0 (struct)))
+    )
+  )
+  "describes with no matching descriptor"
+)
+
+(assert_invalid
+  (module
+    (rec
+      (type (describes 1 (struct)))
+      (type (descriptor 0 (struct)))
+    )
+  )
+  "forward describes reference"
+)
+
+(assert_invalid
+  (module
+    (rec
+      (type (descriptor 1 (array i8)))
+      (type (describes 0 (struct)))
+    )
+  )
+  "descriptor clause on non-struct type"
+)
+
+(assert_invalid
+  (module
+    (rec
+      (type (descriptor 1 (struct)))
+      (type (describes 0 (array i8)))
+    )
+  )
+  "describes clause on non-struct type"
+)
+
+(module
+  (rec
+    (type (shared (descriptor 1 (struct))))
+    (type (shared (describes 0 (struct))))
+  )
+)
+
+(assert_invalid
+  (module
+    (rec
+      (type (shared (descriptor 1 (struct))))
+      (type (describes 0 (struct)))
+    )
+  )
+  "unshared descriptor type"
+)
+
+;; TODO: allow this?
+(assert_invalid
+  (module
+    (rec
+      (type (descriptor 1 (struct)))
+      (type (shared (describes 0 (struct))))
+    )
+  )
+  "unshared described types"
+)
+
+(module
+  (rec
+    (type $super (sub (descriptor $super-desc (struct))))
+    (type $super-desc (sub (describes $super (struct))))
+  )
+  (rec
+    (type $sub (sub $super (descriptor $sub-desc (struct))))
+    (type $sub-desc (sub $super-desc (describes $sub (struct))))
+  )
+)
+
+(module
+  (type $super (sub (struct)))
+  (rec
+    (type $other (sub (descriptor $super-desc (struct))))
+    (type $super-desc (sub (describes $other (struct))))
+  )
+  (rec
+    (type $sub (sub $super (descriptor $sub-desc (struct))))
+    (type $sub-desc (sub $super-desc (describes $sub (struct))))
+  )
+)
+
+(assert_invalid
+  (module
+    (type $super (sub (struct)))
+    (type $super-desc (sub (struct)))
+    (rec
+      (type $sub (sub $super (descriptor $sub-desc (struct))))
+      (type $sub-desc (sub $super-desc (describes $sub (struct))))
+    )
+  )
+  "supertype of descriptor must be a descriptor"
+)
+
+(assert_invalid
+  (module
+    (rec
+      (type $other (sub (descriptor $super-desc (struct))))
+      (type $super-desc (sub (describes $other (struct))))
+      (type $super (sub (descriptor $other-desc (struct))))
+      (type $other-desc (sub (describes $super (struct))))
+    )
+    (rec
+      (type $sub (sub $super (descriptor $sub-desc (struct))))
+      (type $sub-desc (sub $super-desc (describes $sub (struct))))
+    )
+  )
+  "supertype of described type must be described by supertype of descriptor"
+)
+
+(assert_invalid
+  (module
+    (rec
+      (type $super (sub (descriptor $super-desc (struct))))
+      (type $super-desc (sub (describes $super (struct))))
+    )
+    (type $sub (sub $super (struct)))
+  )
+  "supertype of type without descriptor cannot have descriptor"
+)
+
+(assert_invalid
+  (module
+    (rec
+      (type $super (sub (descriptor $super-desc (struct))))
+      (type $super-desc (sub (describes $super (struct))))
+    )
+    (type $sub (sub $super-desc (struct)))
+  )
+  "supertype of non-descriptor type cannot be a descriptor"
+)