wat2wasm internal corruption due to presence of functor type

[imofftoseethewizard]

A function type which references another function type as a parameter type corrupts the internal state of wat2wasm, causing type lookup to fail, apparently returning (-1 / 0xffffffff / 4294967295) internally. The module and output are included below. This happens both with the current HEAD of the main branch and with the package version for Ubuntu 20.04. Removing the line that defines $T2 alllows wat2wasm to complete successfully.

Module:

(module

 (type $T1 (func (result i32)))
 (type $T2 (func (param (ref $T1)) (result i32)))

 (func (param $f (ref $T1)) (result i32)
   (call_ref (local.get $f))))

Output follows:

pat@quercus:~/src/crack$ wat2wasm --enable-function-references scratch2.wat -o scratch2.wasm
scratch2.wat:7:5: error: function type variable out of range: 4294967295 (max 2)
   (call_ref (local.get $f))
    ^^^^^^^^
scratch2.wat:7:5: error: type mismatch in implicit return, expected [i32] but got []
   (call_ref (local.get $f))
    ^^^^^^^^

pat@quercus:~/src/crack$ wat2wasm --version
1.0.27

pat@quercus:~/src/crack$ ../wabt/bin/wat2wasm --enable-function-references scratch2.wat -o scratch2.wasm
scratch2.wat:7:5: error: function type variable out of range: 4294967295 (max 2)
   (call_ref (local.get $f))
    ^^^^^^^^
scratch2.wat:7:5: error: type mismatch in implicit return, expected [i32] but got []
   (call_ref (local.get $f))))
    ^^^^^^^^

pat@quercus:~/src/crack$ ../wabt/bin/wat2wasm --version
1.0.31 (git~1.0.31-22-ged0b720c)

[keithw]

Thanks. As in #2097 and #1986 and #1987, AFAIK support for the function-references proposal remains a work in progress in WABT -- we're not running the function-references tests and we don't even mention function references in the README yet. I think somebody who is interested in pushing this forward will have to complete support for the function-references proposal (and add the proposal spec tests to WABT's testsuite and a line in the README) before we'd expect this to work.