[wasm] Fix {OpcodeLength} for invalid br-on-exn opcodes.

R=clemensh@chromium.org
TEST=mjsunit/regress/wasm/regress-922432
BUG=chromium:922432

Change-Id: I3843eaee2027fff770fd77bc9205b70788fffa37
Reviewed-on: https://chromium-review.googlesource.com/c/1414917
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58853}
Michael Starzinger 2019-01-16 15:11:58 +01:00 committed by Commit Bot
parent b121cde901
commit 30882a5076
2 changed files with 22 additions and 0 deletions


@ -1119,6 +1119,7 @@ class WasmDecoder : public Decoder {
case kExprBrOnExn: { case kExprBrOnExn: {
BranchDepthImmediate<validate> imm_br(decoder, pc); BranchDepthImmediate<validate> imm_br(decoder, pc);
if (!VALIDATE(decoder->ok())) return 1 + imm_br.length;
ExceptionIndexImmediate<validate> imm_idx(decoder, pc + imm_br.length); ExceptionIndexImmediate<validate> imm_idx(decoder, pc + imm_br.length);
return 1 + imm_br.length + imm_idx.length; return 1 + imm_br.length + imm_idx.length;
} }
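Review bot: The early return added in the `kExprBrOnExn` case carries no comment explaining why the second immediate must not be decoded once the first one has failed. Presumably `pc + imm_br.length` can then point past the end of a truncated function body, so a one-line comment such as `// Do not decode the exception index if the branch depth was invalid or truncated.` would keep the guard from being removed later as redundant. The enclosing function starts and ends outside the hunk, so it is not visible whether other cases that decode a second immediate at an offset derived from the first need the same check.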


@ -0,0 +1,21 @@
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --experimental-wasm-eh
load("test/mjsunit/wasm/wasm-constants.js");
load("test/mjsunit/wasm/wasm-module-builder.js");
(function TestTruncatedBrOnExnInLoop() {
let builder = new WasmModuleBuilder();
let fun = builder.addFunction(undefined, kSig_v_v)
.addLocals({except_count: 1})
.addBody([
kExprLoop, kWasmStmt,
kExprGetLocal, 0,
kExprBrOnExn // Bytecode truncated here.
]).exportFunc();
fun.body.pop(); // Pop implicitly added kExprEnd from body.
assertThrows(() => builder.instantiate(), WebAssembly.CompileError);
})();
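Review bot: The regression test truncates the body directly after `kExprBrOnExn`, so only the missing branch-depth immediate is exercised; a body where the depth is present and the exception index is cut off is not covered. A second test function using the body `kExprLoop, kWasmStmt, kExprGetLocal, 0, kExprBrOnExn, 0`, followed by the same `fun.body.pop();` and `assertThrows(() => builder.instantiate(), WebAssembly.CompileError);`, should pin that boundary as well. Both cases together would check the decoder's length computation at each point where the input can end inside this opcode.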