[wasm] Interface should only be called for 'br' if ok()

See also: https://chromium-review.googlesource.com/c/v8/v8/+/2557515 Bug: chromium:1152937 Change-Id: I8043f88f3a64a3e45e00c8e6848cb6e4ec6f8a42 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562239 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#71444}

[wasm] Interface should only be called for 'br' if ok()
See also: https://chromium-review.googlesource.com/c/v8/v8/+/2557515 Bug: chromium:1152937 Change-Id: I8043f88f3a64a3e45e00c8e6848cb6e4ec6f8a42 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2562239 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#71444}
304fd7cc · Manos Koukoutos · Commit Bot · 755f1417 · 304fd7cc · 304fd7cc
Commit 304fd7cc authored Nov 26, 2020 by Manos Koukoutos Committed by Commit Bot Nov 27, 2020
Show whitespace changes
Inline Side-by-side

Showing with 20 additions and 2 deletions

function-body-decoder-impl.h src/wasm/function-body-decoder-impl.h +6 -2

regress-1152937.js test/mjsunit/regress/wasm/regress-1152937.js +14 -0

No files found.
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -2651,6 +2651,7 @@ class WasmFullDecoder : public WasmDecoder<validate> {
  DECODE(Br) {
    BranchDepthImmediate<validate> imm(this, this->pc_ + 1);
+    if (this->failed()) return 0;
    if (!this->Validate(this->pc_ + 1, imm, control_.size())) return 0;
    Control* c = control_at(imm.depth);
    TypeCheckBranchResult check_result = TypeCheckBranch(c, false);
@@ -4403,8 +4404,6 @@ class WasmFullDecoder : public WasmDecoder<validate> {
  }
  bool TypeCheckMergeValues(Control* c, Merge<Value>* merge) {
-    // This is a CHECK instead of a DCHECK because {validate} is a constexpr,
-    // and a CHECK makes the whole function unreachable.
    static_assert(validate, "Call this function only within VALIDATE");
    DCHECK(merge == &c->start_merge || merge == &c->end_merge);
    DCHECK_GE(stack_size(), c->stack_depth + merge->arity);
@@ -4485,6 +4484,11 @@ class WasmFullDecoder : public WasmDecoder<validate> {
    kInvalidStack,
  };
+  // If the type code is reachable, check if the current stack values are
+  // compatible with a jump to {c}, based on their number and types.
+  // Otherwise, we have a polymorphic stack: check if any values that may exist
+  // on top of the stack are compatible with {c}, and push back to the stack
+  // values based on the type of {c}.
  TypeCheckBranchResult TypeCheckBranch(Control* c, bool conditional_branch) {
    if (V8_LIKELY(control_.back().reachable())) {
      // We only do type-checking here. This is only needed during validation.

--- a/test/mjsunit/regress/wasm/regress-1152937.js
+++ b/test/mjsunit/regress/wasm/regress-1152937.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Test that decoding of 'br' exits early and does not invoke the codegen
+// interface when reading the LEB128 branch target fails.
+load('test/mjsunit/wasm/wasm-module-builder.js');
+const builder = new WasmModuleBuilder();
+builder.addFunction(undefined, kSig_v_v)
+  .addBodyWithEnd([kExprBr, 0xFF]);
+assertThrows(() => builder.instantiate(), WebAssembly.CompileError);