From 641c1a4efff75e74b96110a1dff01be89244bfad Mon Sep 17 00:00:00 2001
From: Andreas Haas
Date: Thu, 28 May 2020 12:31:38 +0200
Subject: [PATCH] [wasm] Fix bottom type handling in br-table

Even in unreachable code, the targets of br_table have to have matching types.

R=thibaudm@chromium.org
Bug: v8:10556
Change-Id: I2e85df3cb92f7910a6bcb5ac03927c424194660d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2218062
Commit-Queue: Andreas Haas
Reviewed-by: Thibaud Michaud
Cr-Commit-Position: refs/heads/master@{#68148}
---
 src/wasm/function-body-decoder-impl.h | 8 ++++++++
 test/cctest/wasm/test-run-wasm.cc | 12 ------------
 test/mjsunit/regress/wasm/regress-1046472.js | 5 +++--
 test/wasm-spec-tests/wasm-spec-tests.status | 1 -
 4 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/src/wasm/function-body-decoder-impl.h b/src/wasm/function-body-decoder-impl.h
index 8bcf12a4e6..85ad4a69b6 100644
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -3015,8 +3015,16 @@ class WasmFullDecoder : public WasmDecoder {
 for (int i = 0; i < br_arity; ++i) {
 if (this->enabled_.has_anyref()) {
 // The expected type is the biggest common sub type of all targets.
+ ValueType type = (*result_types)[i];
 (*result_types)[i] =
 ValueType::CommonSubType((*result_types)[i], (*merge)[i].type);
+ if ((*result_types)[i] == kWasmBottom) {
+ this->errorf(pos,
+ "inconsistent type in br_table target %u (previous "
+ "was %s, this one is %s)",
+ index, type.type_name(), (*merge)[i].type.type_name());
+ return false;
+ }
 } else {
 // All target must have the same signature.
 if ((*result_types)[i] != (*merge)[i].type) {
diff --git a/test/cctest/wasm/test-run-wasm.cc b/test/cctest/wasm/test-run-wasm.cc
index 511ba19246..e65801fe85 100644
--- a/test/cctest/wasm/test-run-wasm.cc
+++ b/test/cctest/wasm/test-run-wasm.cc
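Review bot: The added `kWasmBottom` check in the anyref branch carries no comment explaining why a bottom result is an error, although the reason in the commit message (targets must agree even in unreachable code) is what a later reader needs at this spot; I would put `// No common subtype: the br_table targets disagree, which is invalid even in unreachable code.` above the `if`. The saved value would also read better as `const ValueType previous_type = (*result_types)[i];`, since `type` sits right next to `(*merge)[i].type`. As this check is what turns a previously accepted ill-typed br_table into a compile error, a decoder-level negative test with anyref enabled would be a useful replacement for the removed `BrTableMeetBottom` exec test; the only coverage visible in this patch is the mjsunit regression and the re-enabled spec test. The loop and its function begin and end outside the hunk, so the types of `index` and `pos` behind `%u` cannot be confirmed from here.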
@@ -1036,18 +1036,6 @@ WASM_EXEC_TEST(BrTable_loop_target) {
 CHECK_EQ(1, r.Call(0));
 }

-WASM_EXEC_TEST(BrTableMeetBottom) {
- EXPERIMENTAL_FLAG_SCOPE(anyref);
- WasmRunner r(execution_tier);
- BUILD(r,
- WASM_BLOCK_I(WASM_STMTS(
- WASM_BLOCK_F(WASM_STMTS(
- WASM_UNREACHABLE, WASM_BR_TABLE(WASM_I32V_1(1), 2, BR_TARGET(0),
- BR_TARGET(1), BR_TARGET(1)))),
- WASM_DROP, WASM_I32V_1(14))));
- CHECK_TRAP(r.Call());
-}
-
 WASM_EXEC_TEST(F32ReinterpretI32) {
 WasmRunner r(execution_tier);
 int32_t* memory =
diff --git a/test/mjsunit/regress/wasm/regress-1046472.js b/test/mjsunit/regress/wasm/regress-1046472.js
index 056006b926..02cb585bf6 100644
--- a/test/mjsunit/regress/wasm/regress-1046472.js
+++ b/test/mjsunit/regress/wasm/regress-1046472.js
@@ -28,6 +28,7 @@ kExprEnd, // @21
 builder.addExport('main', 0);
 assertThrows(
 () => {builder.toModule()}, WebAssembly.CompileError,
- 'WebAssembly.Module(): Compiling function #0:\"main\" failed: type ' +
- 'error in merge[0] (expected , got i32) @+57');
+ 'WebAssembly.Module(): Compiling function #0:\"main\" failed: ' +
+ 'inconsistent type in br_table target 1 (previous was i32, ' +
+ 'this one is f32) @+60');
 })();
diff --git a/test/wasm-spec-tests/wasm-spec-tests.status b/test/wasm-spec-tests/wasm-spec-tests.status
index 855ac18c88..f19f9c2549 100644
--- a/test/wasm-spec-tests/wasm-spec-tests.status
+++ b/test/wasm-spec-tests/wasm-spec-tests.status
@@ -25,7 +25,6 @@

 'proposals/reference-types/linking': [FAIL],
 'proposals/reference-types/ref_func': [FAIL],
- 'proposals/reference-types/unreached-invalid': [FAIL],

 # TODO(wasm): This test declares a table larger than allowed by the spec.
 'table': [FAIL],