[wasm] Fix br_table in the wasm interpreter to use varuint32.

The wasm interpreter crashed because it interpreted the table of
br_table as a table of uint8, but according to the spec it is a table of
varint32. Therefore the wasm interpreter misinterpreted 0x80 0x00 as 128
and not as 0, which caused a crash.

R=tizer@chromium.org
BUG=chromium:660262
TEST=cctest/test-run-wasm/RunWasmInterpreted_Regression_660262

Review-Url: https://codereview.chromium.org/2463063002
Cr-Commit-Position: refs/heads/master@{#40708}

src/wasm/wasm-interpreter.cc

@@ -1331,9 +1331,15 @@ class ThreadImpl : public WasmInterpreter::Thread {
         }
         case kExprBrTable: {
           BranchTableOperand operand(&decoder, code->at(pc));
+          BranchTableIterator iterator(&decoder, operand);
           uint32_t key = Pop().to<uint32_t>();
+          uint32_t depth = 0;
           if (key >= operand.table_count) key = operand.table_count;
-          len = key + DoBreak(code, pc + key, operand.table[key]);
+          for (uint32_t i = 0; i <= key; i++) {
+            DCHECK(iterator.has_next());
+            depth = iterator.next();
+          }
+          len = key + DoBreak(code, pc + key, static_cast<size_t>(depth));
           TRACE("  br[%u] => @%zu\n", key, pc + key + len);
           break;
         }

test/cctest/wasm/test-run-wasm.cc

@@ -905,6 +905,15 @@ WASM_EXEC_TEST(Br_height) {
   }
 }
 
+WASM_EXEC_TEST(Regression_660262) {
+  TestingModule module(execution_mode);
+  module.AddMemoryElems<int32_t>(8);
+  WasmRunner<int32_t> r(&module);
+  BUILD(r, kExprI8Const, 0x00, kExprI8Const, 0x00, kExprI32LoadMem, 0x00, 0x0f,
+        kExprBrTable, 0x00, 0x80, 0x00);  // entries=0
+  r.Call();
+}
+
 WASM_EXEC_TEST(BrTable0a) {
   WasmRunner<int32_t> r(execution_mode, MachineType::Int32());
   BUILD(r, B1(B1(WASM_BR_TABLE(WASM_GET_LOCAL(0), 0, BR_TARGET(0)))),