Validate strings in types (#8314)

tlively · web-flow · commit bc4838edd5ce · 2026-02-12T21:54:52.000Z
Return an error when building a type that contains a string type when
strings are not enabled. This prevents the fuzzer from trying to run
modules that contain string types on V8.
diff --git a/src/wasm-type.h b/src/wasm-type.h
@@ -906,6 +906,8 @@ struct TypeBuilder {
     InvalidFuncType,
     // A shared type with shared-everything disabled.
     InvalidSharedType,
+    // A string type with strings disabled.
+    InvalidStringType,
     // A non-shared field of a shared heap type.
     InvalidUnsharedField,
     // A describes clause on a non-struct type.
diff --git a/src/wasm/wasm-type.cpp b/src/wasm/wasm-type.cpp
@@ -1447,6 +1447,8 @@ std::ostream& operator<<(std::ostream& os, TypeBuilder::ErrorReason reason) {
       return os << "Continuation has invalid function type";
     case TypeBuilder::ErrorReason::InvalidSharedType:
       return os << "Shared types require shared-everything";
+    case TypeBuilder::ErrorReason::InvalidStringType:
+      return os << "String types require strings feature";
     case TypeBuilder::ErrorReason::InvalidUnsharedField:
       return os << "Heap type has an invalid unshared field";
     case TypeBuilder::ErrorReason::NonStructDescribes:
@@ -2435,6 +2437,9 @@ validateType(Type type, FeatureSet feats, bool isShared) {
     if (heapType.isShared() && !feats.hasSharedEverything()) {
       return TypeBuilder::ErrorReason::InvalidSharedType;
     }
+    if (heapType.isString() && !feats.hasStrings()) {
+      return TypeBuilder::ErrorReason::InvalidStringType;
+    }
   }
   return std::nullopt;
 }
diff --git a/test/lit/passes/gto-jsinterop.wast b/test/lit/passes/gto-jsinterop.wast
@@ -206,38 +206,6 @@
   )
 )
 
-(module
-  (rec
-    ;; CHECK:      (rec
-    ;; CHECK-NEXT:  (type $struct (descriptor $desc) (struct))
-    (type $struct (descriptor $desc) (struct))
-    ;; Strings cannot be prototypes. If the prototype field holds a string, it
-    ;; will appear as a null prototype. That is the default prototype value, so
-    ;; we can optimize out prototype fields if we know they will be strings.
-    ;; CHECK:       (type $desc (describes $struct) (struct))
-    (type $desc (describes $struct) (struct (field stringref)))
-  )
-
-  ;; CHECK:       (type $2 (func))
-
-  ;; CHECK:      (func $externalize (type $2)
-  ;; CHECK-NEXT:  (local $struct (ref null $struct))
-  ;; CHECK-NEXT:  (drop
-  ;; CHECK-NEXT:   (extern.convert_any
-  ;; CHECK-NEXT:    (local.get $struct)
-  ;; CHECK-NEXT:   )
-  ;; CHECK-NEXT:  )
-  ;; CHECK-NEXT: )
-  (func $externalize
-    (local $struct (ref null $struct))
-    (drop
-      (extern.convert_any
-        (local.get $struct)
-      )
-    )
-  )
-)
-
 (module
   (rec
     ;; CHECK:      (rec
diff --git a/test/lit/passes/gto-strings-jsinterop.wast b/test/lit/passes/gto-strings-jsinterop.wast
@@ -0,0 +1,35 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --all-items and should not be edited.
+
+;; RUN: foreach %s %t wasm-opt -all --closed-world --gto --preserve-type-order -S -o - | filecheck %s
+
+(module
+  (rec
+    ;; CHECK:      (rec
+    ;; CHECK-NEXT:  (type $struct (descriptor $desc) (struct))
+    (type $struct (descriptor $desc) (struct))
+    ;; Strings cannot be prototypes. If the prototype field holds a string, it
+    ;; will appear as a null prototype. That is the default prototype value, so
+    ;; we can optimize out prototype fields if we know they will be strings.
+    ;; CHECK:       (type $desc (describes $struct) (struct))
+    (type $desc (describes $struct) (struct (field stringref)))
+  )
+
+  ;; CHECK:       (type $2 (func))
+
+  ;; CHECK:      (func $externalize (type $2)
+  ;; CHECK-NEXT:  (local $struct (ref null $struct))
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (extern.convert_any
+  ;; CHECK-NEXT:    (local.get $struct)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $externalize
+    (local $struct (ref null $struct))
+    (drop
+      (extern.convert_any
+        (local.get $struct)
+      )
+    )
+  )
+)
diff --git a/test/lit/validation/strings-in-types.wast b/test/lit/validation/strings-in-types.wast
@@ -0,0 +1,12 @@
+;; Test that string heap types require strings to be enabled.
+
+;; RUN: not wasm-opt %s 2>&1 | filecheck %s --check-prefix NO-STRINGS
+;; RUN: wasm-opt %s --enable-reference-types --enable-strings -o - -S | filecheck %s --check-prefix STRINGS
+
+;; NO-STRINGS: invalid type: String types require strings feature
+;; STRINGS: (type $s (func (param stringref)))
+
+(module
+  (type $s (func (param stringref)))
+  (global $g (ref null $s) (ref.null nofunc))
+)

Original file line number	Diff line number	Diff line change
`@@ -1447,6 +1447,8 @@ std::ostream& operator<<(std::ostream& os, TypeBuilder::ErrorReason reason) {`
`1447`	`1447`	`return os << "Continuation has invalid function type";`
`1448`	`1448`	`case TypeBuilder::ErrorReason::InvalidSharedType:`
`1449`	`1449`	`return os << "Shared types require shared-everything";`
	`1450`	`+ case TypeBuilder::ErrorReason::InvalidStringType:`
	`1451`	`+ return os << "String types require strings feature";`
`1450`	`1452`	`case TypeBuilder::ErrorReason::InvalidUnsharedField:`
`1451`	`1453`	`return os << "Heap type has an invalid unshared field";`
`1452`	`1454`	`case TypeBuilder::ErrorReason::NonStructDescribes:`
`@@ -2435,6 +2437,9 @@ validateType(Type type, FeatureSet feats, bool isShared) {`
`2435`	`2437`	`if (heapType.isShared() && !feats.hasSharedEverything()) {`
`2436`	`2438`	`return TypeBuilder::ErrorReason::InvalidSharedType;`
`2437`	`2439`	`}`
	`2440`	`+ if (heapType.isString() && !feats.hasStrings()) {`
	`2441`	`+ return TypeBuilder::ErrorReason::InvalidStringType;`
	`2442`	`+ }`
`2438`	`2443`	`}`
`2439`	`2444`	`return std::nullopt;`
`2440`	`2445`	`}`