[wasm] Fix {OpcodeLength} for invalid br-on-exn opcodes.
R=clemensh@chromium.org TEST=mjsunit/regress/wasm/regress-922432 BUG=chromium:922432 Change-Id: I3843eaee2027fff770fd77bc9205b70788fffa37 Reviewed-on: https://chromium-review.googlesource.com/c/1414917 Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#58853}
This commit is contained in:
parent
b121cde901
commit
30882a5076
@ -1119,6 +1119,7 @@ class WasmDecoder : public Decoder {
|
|||||||
|
|
||||||
case kExprBrOnExn: {
|
case kExprBrOnExn: {
|
||||||
BranchDepthImmediate<validate> imm_br(decoder, pc);
|
BranchDepthImmediate<validate> imm_br(decoder, pc);
|
||||||
|
if (!VALIDATE(decoder->ok())) return 1 + imm_br.length;
|
||||||
ExceptionIndexImmediate<validate> imm_idx(decoder, pc + imm_br.length);
|
ExceptionIndexImmediate<validate> imm_idx(decoder, pc + imm_br.length);
|
||||||
return 1 + imm_br.length + imm_idx.length;
|
return 1 + imm_br.length + imm_idx.length;
|
||||||
}
|
}
|
||||||
|
21
test/mjsunit/regress/wasm/regress-922432.js
Normal file
21
test/mjsunit/regress/wasm/regress-922432.js
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
// Copyright 2019 the V8 project authors. All rights reserved.
|
||||||
|
// Use of this source code is governed by a BSD-style license that can be
|
||||||
|
// found in the LICENSE file.
|
||||||
|
|
||||||
|
// Flags: --experimental-wasm-eh
|
||||||
|
|
||||||
|
load("test/mjsunit/wasm/wasm-constants.js");
|
||||||
|
load("test/mjsunit/wasm/wasm-module-builder.js");
|
||||||
|
|
||||||
|
(function TestTruncatedBrOnExnInLoop() {
|
||||||
|
let builder = new WasmModuleBuilder();
|
||||||
|
let fun = builder.addFunction(undefined, kSig_v_v)
|
||||||
|
.addLocals({except_count: 1})
|
||||||
|
.addBody([
|
||||||
|
kExprLoop, kWasmStmt,
|
||||||
|
kExprGetLocal, 0,
|
||||||
|
kExprBrOnExn // Bytecode truncated here.
|
||||||
|
]).exportFunc();
|
||||||
|
fun.body.pop(); // Pop implicitly added kExprEnd from body.
|
||||||
|
assertThrows(() => builder.instantiate(), WebAssembly.CompileError);
|
||||||
|
})();
|
Loading…
Reference in New Issue
Block a user