Heap2Local: Fix Array2Struct missing handlers for ArrayRMW, ArrayCmpxchg (#8305)

sumleo · web-flow · commit 4017ddd0135d · 2026-02-20T10:36:58.000-08:00
The escape analysis in Heap2Local accepted `ArrayRMW` and `ArrayCmpxchg`
as `FullyConsumes`, allowing non-escaping arrays with these operations
through to the `Array2Struct` transformation. However, `Array2Struct`
had no `visitArrayRMW` or `visitArrayCmpxchg` handlers. This caused
these operations to be left unrewritten after the array-to-struct
conversion, and the type rewriting infrastructure replaced them with
unreachable blocks — silently turning working code into unconditional
traps.
diff --git a/src/passes/Heap2Local.cpp b/src/passes/Heap2Local.cpp
@@ -462,12 +462,18 @@ struct EscapeAnalyzer {
         fullyConsumes = true;
       }
       void visitArrayRMW(ArrayRMW* curr) {
+        if (!curr->index->is<Const>()) {
+          return;
+        }
         if (curr->ref == child) {
           escapes = false;
           fullyConsumes = true;
         }
       }
       void visitArrayCmpxchg(ArrayCmpxchg* curr) {
+        if (!curr->index->is<Const>()) {
+          return;
+        }
         if (curr->ref == child || curr->expected == child) {
           escapes = false;
           fullyConsumes = true;
@@ -1353,6 +1359,45 @@ struct Array2Struct : PostWalker<Array2Struct> {
       index, curr->ref, MemoryOrder::Unordered, curr->type, curr->signed_));
   }
 
+  void visitArrayRMW(ArrayRMW* curr) {
+    if (analyzer.getInteraction(curr) == ParentChildInteraction::None) {
+      return;
+    }
+
+    auto index = getIndex(curr->index);
+    if (index >= numFields) {
+      replaceCurrent(builder.makeBlock({builder.makeDrop(curr->ref),
+                                        builder.makeDrop(curr->value),
+                                        builder.makeUnreachable()}));
+      refinalize = true;
+      return;
+    }
+
+    // Convert the ArrayRMW into a StructRMW.
+    replaceCurrent(builder.makeStructRMW(
+      curr->op, index, curr->ref, curr->value, curr->order));
+  }
+
+  void visitArrayCmpxchg(ArrayCmpxchg* curr) {
+    if (analyzer.getInteraction(curr) == ParentChildInteraction::None) {
+      return;
+    }
+
+    auto index = getIndex(curr->index);
+    if (index >= numFields) {
+      replaceCurrent(builder.makeBlock({builder.makeDrop(curr->ref),
+                                        builder.makeDrop(curr->expected),
+                                        builder.makeDrop(curr->replacement),
+                                        builder.makeUnreachable()}));
+      refinalize = true;
+      return;
+    }
+
+    // Convert the ArrayCmpxchg into a StructCmpxchg.
+    replaceCurrent(builder.makeStructCmpxchg(
+      index, curr->ref, curr->expected, curr->replacement, curr->order));
+  }
+
   // Some additional operations need special handling
 
   void visitRefTest(RefTest* curr) {
diff --git a/test/lit/passes/heap2local-rmw.wast b/test/lit/passes/heap2local-rmw.wast
@@ -7,7 +7,6 @@
   (type $i64 (struct (field (mut i64))))
   ;; CHECK:      (type $struct (struct (field (mut (ref null $struct)))))
   (type $struct (struct (field (mut (ref null $struct)))))
-
   ;; CHECK:      (type $1 (func (result i32)))
 
   ;; CHECK:      (type $2 (func (result i64)))
@@ -16,6 +15,11 @@
 
   ;; CHECK:      (type $4 (func (param (ref null $struct) (ref null $struct)) (result (ref null $struct))))
 
+  ;; CHECK:      (type $5 (func (param i32) (result i32)))
+
+  ;; CHECK:      (type $arr (array (mut i32)))
+  (type $arr (array (mut i32)))
+
   ;; CHECK:      (func $escape-rmw (type $3) (param $0 (ref null $struct)) (result (ref null $struct))
   ;; CHECK-NEXT:  (struct.atomic.rmw.xchg $struct 0
   ;; CHECK-NEXT:   (local.get $0)
@@ -750,4 +754,188 @@
       (i32.const 1)
     )
   )
+
+  ;; CHECK:      (func $array-rmw-add (type $1) (result i32)
+  ;; CHECK-NEXT:  (local $0 i32)
+  ;; CHECK-NEXT:  (local $1 i32)
+  ;; CHECK-NEXT:  (local $2 i32)
+  ;; CHECK-NEXT:  (local $3 i32)
+  ;; CHECK-NEXT:  (local $4 i32)
+  ;; CHECK-NEXT:  (local $5 i32)
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block (result nullref)
+  ;; CHECK-NEXT:    (local.set $2
+  ;; CHECK-NEXT:     (i32.const 0)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (local.set $3
+  ;; CHECK-NEXT:     (i32.const 0)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (local.set $0
+  ;; CHECK-NEXT:     (local.get $2)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (local.set $1
+  ;; CHECK-NEXT:     (local.get $3)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (local.set $5
+  ;; CHECK-NEXT:   (i32.const 1)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (local.set $4
+  ;; CHECK-NEXT:   (local.get $0)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (local.set $0
+  ;; CHECK-NEXT:   (i32.add
+  ;; CHECK-NEXT:    (local.get $0)
+  ;; CHECK-NEXT:    (local.get $5)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (local.get $4)
+  ;; CHECK-NEXT: )
+  (func $array-rmw-add (result i32)
+    ;; Array atomic RMW on a non-escaping fixed-size array should be
+    ;; optimized: the array is converted to a struct, then to locals.
+    (array.atomic.rmw.add $arr
+      (array.new_fixed $arr 2
+        (i32.const 0)
+        (i32.const 0)
+      )
+      (i32.const 0)
+      (i32.const 1)
+    )
+  )
+
+  ;; CHECK:      (func $array-cmpxchg (type $1) (result i32)
+  ;; CHECK-NEXT:  (local $0 i32)
+  ;; CHECK-NEXT:  (local $1 i32)
+  ;; CHECK-NEXT:  (local $2 i32)
+  ;; CHECK-NEXT:  (local $3 i32)
+  ;; CHECK-NEXT:  (local $4 i32)
+  ;; CHECK-NEXT:  (local $5 i32)
+  ;; CHECK-NEXT:  (local $6 i32)
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block (result nullref)
+  ;; CHECK-NEXT:    (local.set $2
+  ;; CHECK-NEXT:     (i32.const 0)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (local.set $3
+  ;; CHECK-NEXT:     (i32.const 0)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (local.set $0
+  ;; CHECK-NEXT:     (local.get $2)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (local.set $1
+  ;; CHECK-NEXT:     (local.get $3)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (local.set $5
+  ;; CHECK-NEXT:   (i32.const 10)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (local.set $6
+  ;; CHECK-NEXT:   (i32.const 20)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (local.set $4
+  ;; CHECK-NEXT:   (local.get $0)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (if
+  ;; CHECK-NEXT:   (i32.eq
+  ;; CHECK-NEXT:    (local.get $0)
+  ;; CHECK-NEXT:    (local.get $5)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (then
+  ;; CHECK-NEXT:    (local.set $0
+  ;; CHECK-NEXT:     (local.get $6)
+  ;; CHECK-NEXT:    )
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (local.get $4)
+  ;; CHECK-NEXT: )
+  (func $array-cmpxchg (result i32)
+    ;; Array atomic cmpxchg on a non-escaping fixed-size array should be
+    ;; optimized similarly.
+    (array.atomic.rmw.cmpxchg $arr
+      (array.new_fixed $arr 2
+        (i32.const 0)
+        (i32.const 0)
+      )
+      (i32.const 0)
+      (i32.const 10)
+      (i32.const 20)
+    )
+  )
+
+  ;; CHECK:      (func $array-rmw-nonconstant-index (type $5) (param $idx i32) (result i32)
+  ;; CHECK-NEXT:  (array.atomic.rmw.add $arr
+  ;; CHECK-NEXT:   (array.new_fixed $arr 2
+  ;; CHECK-NEXT:    (i32.const 0)
+  ;; CHECK-NEXT:    (i32.const 0)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:   (local.get $idx)
+  ;; CHECK-NEXT:   (i32.const 1)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT: )
+  (func $array-rmw-nonconstant-index (param $idx i32) (result i32)
+    ;; A non-constant index prevents the optimization, since Array2Struct
+    ;; needs to know which struct field to access at compile time.
+    (array.atomic.rmw.add $arr
+      (array.new_fixed $arr 2
+        (i32.const 0)
+        (i32.const 0)
+      )
+      (local.get $idx)
+      (i32.const 1)
+    )
+  )
+
+  ;; CHECK:      (func $array-rmw-oob (type $1) (result i32)
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block (result nullref)
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (i32.const 1)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (unreachable)
+  ;; CHECK-NEXT: )
+  (func $array-rmw-oob (result i32)
+    ;; An out-of-bounds index on a zero-size array. The access will always
+    ;; trap, so we emit drops for operands and an unreachable.
+    (array.atomic.rmw.add $arr
+      (array.new_default $arr
+        (i32.const 0)
+      )
+      (i32.const 0)
+      (i32.const 1)
+    )
+  )
+
+  ;; CHECK:      (func $array-cmpxchg-oob (type $1) (result i32)
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (block (result nullref)
+  ;; CHECK-NEXT:    (ref.null none)
+  ;; CHECK-NEXT:   )
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (i32.const 10)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (i32.const 20)
+  ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (unreachable)
+  ;; CHECK-NEXT: )
+  (func $array-cmpxchg-oob (result i32)
+    ;; As above, but for cmpxchg with an out-of-bounds index.
+    (array.atomic.rmw.cmpxchg $arr
+      (array.new_default $arr
+        (i32.const 0)
+      )
+      (i32.const 0)
+      (i32.const 10)
+      (i32.const 20)
+    )
+  )
 )
