Fix validation error in wasm-reduce (#8715)

When removing functions, wasm-reduce replaces calls to those functions
using `builder.replaceWithIdenticalType`. That method can modify the
input expression in-place to have a different types (e.g. replacing a
reference with a null), so when the previous code read `curr->type` to
set the type of the replacement block, it was possible to get a more
refined type, leading to validation failures. Fix the bug by explicitly
using the original type.

Fixes #8713.

Author: tlively

src/tools/wasm-reduce/wasm-reduce.cpp

@@ -1102,6 +1102,7 @@ struct Reducer
           auto* block =
             ChildLocalizer(curr, getFunction(), *getModule(), getPassOptions())
               .getChildrenReplacement();
+          auto originalType = curr->type;
           auto* replacement = builder.replaceWithIdenticalType(curr);
           // We may have failed to come up with a replacement (e.g. for
           // non-nullable references), so manually add an `unreachable` in that
@@ -1110,7 +1111,7 @@ struct Reducer
             replacement = builder.makeUnreachable();
           }
           block->list.push_back(replacement);
-          block->type = curr->type;
+          block->type = originalType;
           replaceCurrent(block);
         }
         void visitRefFunc(RefFunc* curr) {

test/lit/wasm-reduce/reduce-validation-error.wast

@@ -0,0 +1,20 @@
+;; This is a regression test for a crash in wasm-reduce where in-place mutation
+;; of a Call node during replaceWithIdenticalType caused the replacement block
+;; type to be set incorrectly to nullref instead of the original type, leading
+;; to a validation error.
+
+;; TODO: Why does this fail on CI without --force?
+;; RUN: wasm-reduce %s -t %t.t.wast -w %t.w.wast --force \
+;; RUN:   --command='wasm-opt %t.t.wast -all --fuzz-exec'
+
+(module
+  (func $to_remove (result anyref)
+    (ref.null none)
+  )
+
+  (func $main (export "main") (result anyref)
+    ;; This will be replaced with a nullref. This should not cause validation
+    ;; failures and cause wasm-reduce to crash.
+    (call $to_remove)
+  )
+)