[wasm] Fix return from unreachable code

We hit a DCHECK in the wasm graph builder because the current SSA
environment is unreachable. We were using the wrong block (the target
block) to do the reachability check.

R=titzer@chromium.org

Bug: chromium:913804
Change-Id: I4cfd3a0c696fb63903a47e4448362626a524340d
Reviewed-on: https://chromium-review.googlesource.com/c/1371566
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58150}

src/wasm/function-body-decoder-impl.h

@@ -1825,10 +1825,10 @@ class WasmFullDecoder : public WasmDecoder<validate> {
           case kExprBr: {
             BreakDepthImmediate<validate> imm(this, this->pc_);
             if (!this->Validate(this->pc_, imm, control_.size())) break;
-            Control* c = control_at(imm.depth);
             if (imm.depth == control_.size() - 1) {
-              DoReturn(c, false);
+              DoReturn(&control_.back(), false);
             } else {
+              Control* c = control_at(imm.depth);
               if (!TypeCheckBreak(c)) break;
               if (control_.back().reachable()) {
                 CALL_INTERFACE(Br, c);

test/mjsunit/regress/wasm/regress-913804.js

@@ -0,0 +1,17 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addFunction('main', kSig_v_v).addBody([
+  kExprLoop, kWasmStmt,        // loop
+  /**/ kExprBr, 0x01,          //   br depth=1
+  /**/ kExprBlock, kWasmStmt,  //   block
+  /**/ /**/ kExprBr, 0x02,     //     br depth=2
+  /**/ /**/ kExprEnd,          //     end [block]
+  /**/ kExprEnd                //   end [loop]
+]);
+builder.instantiate();