[wasm] Stop decoding sections once an error occured

We went on decoding the next section, which happened to be the start section. But since the function section had an error, the signature pointer was not still {nullptr} on the start function, leading to a segfault. Drive-by fix: Improve decoder trace output. R=ahaas@chromium.org BUG=chromium:708714, chromium:708787 Change-Id: I5ae2adb32764b9d154f1ca878019f26ac31839b4 Reviewed-on: https://chromium-review.googlesource.com/472847Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#44521}

[wasm] Stop decoding sections once an error occured
We went on decoding the next section, which happened to be the start section. But since the function section had an error, the signature pointer was not still {nullptr} on the start function, leading to a segfault. Drive-by fix: Improve decoder trace output. R=ahaas@chromium.org BUG=chromium:708714, chromium:708787 Change-Id: I5ae2adb32764b9d154f1ca878019f26ac31839b4 Reviewed-on: https://chromium-review.googlesource.com/472847Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#44521}
88e169dc · Clemens Hammacher · Commit Bot · 186bfbb1 · 88e169dc · 88e169dc
Commit 88e169dc authored Apr 10, 2017 by Clemens Hammacher Committed by Commit Bot Apr 10, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 5 deletions

decoder.h src/wasm/decoder.h +4 -4

module-decoder.cc src/wasm/module-decoder.cc +3 -1

regression-708714.js test/mjsunit/regress/wasm/regression-708714.js +23 -0

No files found.
--- a/src/wasm/decoder.h
+++ b/src/wasm/decoder.h
@@ -281,9 +281,10 @@ class Decoder {
    int shift = 0;
    byte b = 0;
    IntType result = 0;
-    for (;;) {
+    do {
      if (checked && V8_UNLIKELY(ptr >= end)) {
-        TRACE_IF(trace, "<end> ");
+        TRACE_IF(trace,
+                 ptr == pc + kMaxLength ? "<length overflow> " : "<end> ");
        errorf(ptr, "expected %s", name);
        result = 0;
        break;
@@ -293,8 +294,7 @@ class Decoder {
      TRACE_IF(trace, "%02x ", b);
      result = result | ((static_cast<IntType>(b) & 0x7F) << shift);
      shift += 7;
-      if ((b & 0x80) == 0) break;
-    }
+    } while (b & 0x80);
    DCHECK_LE(ptr - pc, kMaxLength);
    *length = static_cast<unsigned>(ptr - pc);
    if (advance_pc) pc_ = ptr;

--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@@ -190,7 +190,9 @@ class WasmSectionIterator {
                        section_code);
        section_code = kUnknownSectionCode;
      }
-      section_code_ = static_cast<SectionCode>(section_code);
+      section_code_ = decoder_.failed()
+                          ? kUnknownSectionCode
+                          : static_cast<SectionCode>(section_code);

      TRACE("Section: %s\n", SectionName(section_code_));
      if (section_code_ == kUnknownSectionCode &&

--- a/test/mjsunit/regress/wasm/regression-708714.js
+++ b/test/mjsunit/regress/wasm/regression-708714.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+var builder = new WasmModuleBuilder();
+
+builder.addExplicitSection([kFunctionSectionCode,
+  // length
+  7,
+  // functions count
+  1,
+  // signature index (invalid LEB)
+  0xff, 0xff, 0xff, 0xff, 0xff]);
+builder.addExplicitSection([kStartSectionCode,
+  // length
+  1,
+  // index
+  0]);
+
+assertThrows(() => builder.instantiate(), WebAssembly.CompileError);