From 56362efc7f6ffc449be8878f46ab2b7e2e9b4667 Mon Sep 17 00:00:00 2001
From: Manos Koukoutos
Date: Wed, 2 Dec 2020 12:31:56 +0000
Subject: [PATCH] [wasm][bug] Update num_locals_ earlier in DecodeLocals

If DecodeLocals exits early, num_locals_ is left in an inconsistent state. This CL fixes this issue by updating num_locals_ as the local_types_ are updated.

Bug: chromium:1154439
Change-Id: I02328a050df8b2827a42f59443e994f535d3c826
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2567954
Reviewed-by: Clemens Backes
Commit-Queue: Manos Koukoutos
Cr-Commit-Position: refs/heads/master@{#71566}
---
 src/wasm/function-body-decoder-impl.h | 3 ++-
 test/unittests/wasm/function-body-decoder-unittest.cc | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/wasm/function-body-decoder-impl.h b/src/wasm/function-body-decoder-impl.h
index 50bc461ec7..e155825116 100644
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -1181,10 +1181,11 @@ class WasmDecoder : public Decoder {
 // Move the insertion iterator to the end of the newly inserted locals.
 insert_iterator = local_types_.insert(insert_iterator, count, type) + count;
+ num_locals_ += count;
 }
 }
+ DCHECK(ok());
- if (insert_position.has_value()) num_locals_ += total_count;
 return total_count;
 }
diff --git a/test/unittests/wasm/function-body-decoder-unittest.cc b/test/unittests/wasm/function-body-decoder-unittest.cc
index 6ddc892436..7d1b213ae4 100644
--- a/test/unittests/wasm/function-body-decoder-unittest.cc
+++ b/test/unittests/wasm/function-body-decoder-unittest.cc
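Review bot: In the function-body-decoder-impl.h hunk, the new `num_locals_ += count;` carries the whole fix, yet nothing beside it says why the counter must be bumped per entry, and the added `DCHECK(ok())` only checks the decoder's error status in debug builds. I would put `// Keep num_locals_ in step with local_types_: a later entry may fail and return early.` above the increment so it is not hoisted back out of the loop later. If the class expects the two to match (the commit message suggests it does), `DCHECK_EQ(num_locals_, local_types_.size());` next to the new DCHECK would check the invariant itself, since a stale count beside a differently sized vector is the kind of mismatch that can end in out-of-bounds local indexing. The function starts above this hunk, so the early-return paths and whether the enclosing block still applies the removed `insert_position.has_value()` guard are not visible here.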
@@ -4381,6 +4381,16 @@ TEST_F(FunctionBodyDecoderTest, RefTestCast) {
 }
 }
+// This tests that num_locals_ in decoder remains consistent, even if we fail
+// mid-DecodeLocals().
+TEST_F(FunctionBodyDecoderTest, Regress_1154439) {
+ WASM_FEATURE_SCOPE(reftypes);
+ WASM_FEATURE_SCOPE(typed_funcref);
+ AddLocals(kWasmI32, 1);
+ AddLocals(kWasmI64, 1000000);
+ ExpectFailure(sigs.v_v(), {}, kAppendEnd, "local count too large");
+}
+
 class BranchTableIteratorTest : public TestWithZone {
 public:
 BranchTableIteratorTest() : TestWithZone() {}
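Review bot: Regress_1154439 asserts only the "local count too large" message, so the `num_locals_` consistency named in its comment is never checked directly; presumably the regression is only caught when a DCHECK or a sanitizer trips on the stale count afterwards. The comment should say so, for example `// The first AddLocals entry is inserted before the second is rejected; the stale count is caught by debug/sanitizer checks, not by this assertion.` It would also help to note why `reftypes` and `typed_funcref` are enabled when only i32/i64 locals are declared, and to tie `1000000` to the locals limit it is meant to exceed instead of leaving it as a bare number.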