[wasm] Fix checking of unreachable code (clear stack after unreachable).

R=rossberg@chromium.org
BUG=chromium:682659

Review-Url: https://codereview.chromium.org/2638383004
Cr-Commit-Position: refs/heads/master@{#42502}

src/wasm/function-body-decoder.cc

@@ -1241,7 +1241,15 @@ class WasmFullDecoder : public WasmDecoder {
     if (pc_ > end_ && ok()) error("Beyond end of code");
   }
 
-  void EndControl() { ssa_env_->Kill(SsaEnv::kControlEnd); }
+  void EndControl() {
+    ssa_env_->Kill(SsaEnv::kControlEnd);
+    if (control_.empty()) {
+      stack_.clear();
+    } else {
+      DCHECK_LE(control_.back().stack_depth, stack_.size());
+      stack_.resize(control_.back().stack_depth);
+    }
+  }
 
   void SetBlockType(Control* c, BlockTypeOperand& operand) {
     c->merge.arity = operand.arity;

test/mjsunit/wasm/unreachable-validation.js

@@ -96,9 +96,10 @@ run(I, "(block U) 0f 0 iadd drop", [...block_unr, ...f32, ...zero, iadd, drop]);
 run(I, "(loop U) 0f 0 iadd drop", [...loop_unr, ...f32, ...zero, iadd, drop]);
 run(I, "(block (block U)) 0f 0 iadd drop", [...block_block_unr, ...f32, ...zero, iadd, drop]);
 
-// TODO(titzer): these are actually incorrect in V8.
-run(I, "0f U iadd drop", [...f32, unr, iadd, drop]);
-run(I, "0f 0 U iadd drop", [...f32, ...zero, unr, iadd, drop]);
+run(V, "0f U iadd drop", [...f32, unr, iadd, drop]);
+run(V, "0f 0 U iadd drop", [...f32, ...zero, unr, iadd, drop]);
 run(I, "0f 0 (block U) iadd drop", [...f32, ...zero, ...block_unr, iadd, drop]);
-run(I, "0f U 0 iadd drop", [...f32, unr, ...zero, iadd, drop]);
+run(V, "0f U 0 iadd drop", [...f32, unr, ...zero, iadd, drop]);
+run(I, "0 U 0f iadd drop", [...zero, unr, ...zero, ...f32, iadd, drop]);
 run(I, "0f (block U) 0 iadd drop", [...f32, ...block_unr, ...zero, iadd, drop]);
+run(I, "0 (block U) 0f iadd drop", [...zero, ...block_unr, ...f32, iadd, drop]);