[wasm] Follow-up fixes for decoder stack handling

Follow-up to 1b5c7e15 / r73193. ClusterFuzz is going to be _so_ happy about this... Fixed: chromium:1184928, chromium:1184966, chromium:1184991 Fixed: chromium:1185045, chromium:1185126, chromium:1185322 Fixed: chromium:1185443 Change-Id: I0adc50b4a0fc2d62eb8034c23102c61163b73f74 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2739586 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#73253}
2021-03-08 11:31:51 +01:00 · 2021-03-08 11:31:51 +01:00 · 1e55665ac2
commit 1e55665ac2
parent 25e5892f1e
1 changed files with 2 additions and 0 deletions
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@ -3548,6 +3548,7 @@ class WasmFullDecoder : public WasmDecoder<validate> {
    // be caused by finding non-unreachable values in the wrong slot, so we
    // replace the entire current scope's values.
    Drop(static_cast<int>(stack_size() - limit));
+    EnsureStackSpace(count + limit - stack_size());
    while (stack_size() < count + limit) {
      Push(UnreachableValue(this->pc_));
    }
@ -3612,6 +3613,7 @@ class WasmFullDecoder : public WasmDecoder<validate> {
    // In unreachable code, we may run out of stack.
    uint32_t stack_depth =
        stack_size() >= drop_values ? stack_size() - drop_values : 0;
+    stack_depth = std::max(stack_depth, control_.back().stack_depth);
    control_.emplace_back(kind, locals_count, stack_depth, this->pc_,
                          reachability);
    current_code_reachable_ = this->ok() && reachability == kReachable;