[wasm] Fix {OpcodeLength} for invalid br-on-exn opcodes.

R=clemensh@chromium.org TEST=mjsunit/regress/wasm/regress-922432 BUG=chromium:922432 Change-Id: I3843eaee2027fff770fd77bc9205b70788fffa37 Reviewed-on: https://chromium-review.googlesource.com/c/1414917 Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#58853}
2019-01-16 15:11:58 +01:00 · 2019-01-16 15:11:58 +01:00 · 30882a5076
commit 30882a5076
parent b121cde901
2 changed files with 22 additions and 0 deletions
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@ -1119,6 +1119,7 @@ class WasmDecoder : public Decoder {

      case kExprBrOnExn: {
        BranchDepthImmediate<validate> imm_br(decoder, pc);
+        if (!VALIDATE(decoder->ok())) return 1 + imm_br.length;
        ExceptionIndexImmediate<validate> imm_idx(decoder, pc + imm_br.length);
        return 1 + imm_br.length + imm_idx.length;
      }
--- a/test/mjsunit/regress/wasm/regress-922432.js
+++ b/test/mjsunit/regress/wasm/regress-922432.js
@ -0,0 +1,21 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-eh
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+(function TestTruncatedBrOnExnInLoop() {
+  let builder = new WasmModuleBuilder();
+  let fun = builder.addFunction(undefined, kSig_v_v)
+      .addLocals({except_count: 1})
+      .addBody([
+        kExprLoop, kWasmStmt,
+          kExprGetLocal, 0,
+          kExprBrOnExn  // Bytecode truncated here.
+      ]).exportFunc();
+  fun.body.pop();  // Pop implicitly added kExprEnd from body.
+  assertThrows(() => builder.instantiate(), WebAssembly.CompileError);
+})();