[wasm][bug] Update num_locals_ earlier in DecodeLocals

If DecodeLocals exits early, num_locals_ is left in an inconsistent state. This CL fixes this issue by updating num_locals_ as the local_types_ are updated. Bug: chromium:1154439 Change-Id: I02328a050df8b2827a42f59443e994f535d3c826 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2567954 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/master@{#71566}
2020-12-02 12:31:56 +00:00 · 2020-12-02 12:31:56 +00:00 · 56362efc7f
commit 56362efc7f
parent 02ab03b9e8
2 changed files with 12 additions and 1 deletions
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@ -1181,10 +1181,11 @@ class WasmDecoder : public Decoder {
        // Move the insertion iterator to the end of the newly inserted locals.
        insert_iterator =
            local_types_.insert(insert_iterator, count, type) + count;
+        num_locals_ += count;
      }
    }
+
    DCHECK(ok());
-    if (insert_position.has_value()) num_locals_ += total_count;
    return total_count;
  }

--- a/test/unittests/wasm/function-body-decoder-unittest.cc
+++ b/test/unittests/wasm/function-body-decoder-unittest.cc
@ -4381,6 +4381,16 @@ TEST_F(FunctionBodyDecoderTest, RefTestCast) {
  }
 }

+// This tests that num_locals_ in decoder remains consistent, even if we fail
+// mid-DecodeLocals().
+TEST_F(FunctionBodyDecoderTest, Regress_1154439) {
+  WASM_FEATURE_SCOPE(reftypes);
+  WASM_FEATURE_SCOPE(typed_funcref);
+  AddLocals(kWasmI32, 1);
+  AddLocals(kWasmI64, 1000000);
+  ExpectFailure(sigs.v_v(), {}, kAppendEnd, "local count too large");
+}
+
 class BranchTableIteratorTest : public TestWithZone {
 public:
  BranchTableIteratorTest() : TestWithZone() {}