[liftoff][fuzzer] Do not throw before frame setup

Delay the "max steps" check until the frame is fully set up. This means that the work is already done at the point where we check the maximum number of steps, but the additional work is limited by the maximum number of locals and parameters. R=thibaudm@chromium.org Bug: chromium:1404619 Change-Id: I4919c837feea92af84f99182a571edf96e4728ac Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4135890 Auto-Submit: Clemens Backes <clemensb@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#85098}
2023-01-04 16:07:16 +01:00 · 2023-01-04 16:07:16 +01:00 · 05a76791c4
commit 05a76791c4
parent 6adfc3856f
2 changed files with 8 additions and 6 deletions
--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@ -901,12 +901,6 @@ class LiftoffCompiler {

    if (for_debugging_) __ ResetOSRTarget();

-    if (V8_UNLIKELY(max_steps_)) {
-      // Subtract 16 steps for the function call itself (including the function
-      // prologue), plus 1 for each local (including parameters).
-      CheckMaxSteps(decoder, 16 + __ num_locals());
-    }
-
    if (num_params) {
      CODE_COMMENT("process parameters");
      ParameterProcessor processor(this, num_params);
@ -960,6 +954,14 @@ class LiftoffCompiler {
    // is never a position of any instruction in the function.
    StackCheck(decoder, 0);

+    if (V8_UNLIKELY(max_steps_)) {
+      // Subtract 16 steps for the function call itself (including the function
+      // prologue), plus 1 for each local (including parameters).
+      // Do this only *after* setting up the frame completely, even though we
+      // already executed the work then.
+      CheckMaxSteps(decoder, 16 + __ num_locals());
+    }
+
    if (v8_flags.trace_wasm) TraceFunctionEntry(decoder);
  }

--- a/test/fuzzer/wasm/regress-1404619.wasm
+++ b/test/fuzzer/wasm/regress-1404619.wasm