[wasm] Type check brtable if it's not unreachable

There was a bug in the function body decoder where type checking of brtable only happened if the brtable instruction is reachable. However, type checking is required in all cases where brtable "not unreachable". The difference between reachable and "not unreachable" is a state called spec-reachable where a clever compiler can already infer that the code will be unreachable (e.g. a memory access is out of bounds just by the offset and therefore unconditionally traps), but the spec can not. If an instruction is only spec-reachable, it still has to be type checked. R=clemensb@chromium.org FIX=chromium:1046472 Change-Id: I7e9f1108597871615c0d443a0e94de35a0207b5e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2027990 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#66049}

[wasm] Type check brtable if it's not unreachable
There was a bug in the function body decoder where type checking of brtable only happened if the brtable instruction is reachable. However, type checking is required in all cases where brtable "not unreachable". The difference between reachable and "not unreachable" is a state called spec-reachable where a clever compiler can already infer that the code will be unreachable (e.g. a memory access is out of bounds just by the offset and therefore unconditionally traps), but the spec can not. If an instruction is only spec-reachable, it still has to be type checked. R=clemensb@chromium.org FIX=chromium:1046472 Change-Id: I7e9f1108597871615c0d443a0e94de35a0207b5e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2027990 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#66049}
8ff14f5b · Andreas Haas · Commit Bot · 8e6e3afc · 8ff14f5b · 8ff14f5b
Commit 8ff14f5b authored Jan 30, 2020 by Andreas Haas Committed by Commit Bot Jan 30, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 1 deletion

function-body-decoder-impl.h src/wasm/function-body-decoder-impl.h +1 -1

regress-1046472.js test/mjsunit/regress/wasm/regress-1046472.js +33 -0

No files found.
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -2601,7 +2601,7 @@ class WasmFullDecoder : public WasmDecoder<validate> {

  bool TypeCheckBrTable(const std::vector<ValueType>& result_types) {
    int br_arity = static_cast<int>(result_types.size());
-    if (V8_LIKELY(control_.back().reachable())) {
+    if (V8_LIKELY(!control_.back().unreachable())) {
      int available =
          static_cast<int>(stack_.size()) - control_.back().stack_depth;
      // There have to be enough values on the stack.

--- a/test/mjsunit/regress/wasm/regress-1046472.js
+++ b/test/mjsunit/regress/wasm/regress-1046472.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --liftoff --no-wasm-tier-up --wasm-staging
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+(function() {
+  const builder = new WasmModuleBuilder();
+  builder.addMemory(16, 32, false);
+  builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
+  // Generate function 1 (out of 1).
+  builder.addFunction(undefined, 0 /* sig */)
+    .addBodyWithEnd([
+// signature: i_iii
+// body:
+kExprI32Const, 0x20,
+kExprI64LoadMem, 0x00, 0xce, 0xf2, 0xff, 0x01,
+kExprBlock, kWasmF32,   // @9 f32
+  kExprI32Const, 0x04,
+  kExprI32Const, 0x01,
+  kExprBrTable, 0x01, 0x01, 0x00, // entries=1
+  kExprEnd,   // @19
+kExprUnreachable,
+kExprEnd,   // @21
+            ]);
+  builder.addExport('main', 0);
+  assertThrows(
+      () => {builder.toModule()}, WebAssembly.CompileError,
+      'WebAssembly.Module(): Compiling function #0 failed: type error in ' +
+          'merge[0] (expected <bot>, got i32) @+57');
+})();