[wasm] Fix validation error while inlining

If Liftoff is disabled, inlining could try to inline an invalid function
body. Thus run validation explicitly if the function was not validated
before.

R=jkummerow@chromium.org

Bug: chromium:1374535, v8:13371
Change-Id: If9ce17bb90259e265dc94dbb2f9e4fb97c338f14
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3956977
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83727}

src/compiler/wasm-inlining.cc

@@ -179,9 +179,27 @@ void WasmInliner::Finalize() {
     size_t subgraph_min_node_id = graph()->NodeCount();
     Node* inlinee_start;
     Node* inlinee_end;
-    const wasm::FunctionBody inlinee_body(inlinee->sig, inlinee->code.offset(),
+    const wasm::FunctionBody inlinee_body{inlinee->sig, inlinee->code.offset(),
                                           function_bytes.begin(),
-                                          function_bytes.end());
+                                          function_bytes.end()};
+
+    // If the inlinee was not validated before, do that now.
+    if (!module()->function_was_validated(candidate.inlinee_index)) {
+      wasm::WasmFeatures unused_detected_features;
+      if (ValidateFunctionBody(zone()->allocator(), env_->enabled_features,
+                               module(), &unused_detected_features,
+                               inlinee_body)
+              .failed()) {
+        Trace(candidate, "function is invalid");
+        // At this point we cannot easily raise a compilation error any more.
+        // Since this situation is highly unlikely though, we just ignore this
+        // inlinee and move on. The same validation error will be triggered
+        // again when actually compiling the invalid function.
+        continue;
+      }
+      module()->set_function_validated(candidate.inlinee_index);
+    }
+
     WasmGraphBuilder builder(env_, zone(), mcgraph_, inlinee_body.sig,
                              source_positions_);
     {
@@ -193,15 +211,10 @@ void WasmInliner::Finalize() {
           NodeProperties::IsExceptionalCall(call)
               ? wasm::kInlinedHandledCall
               : wasm::kInlinedNonHandledCall);
-      if (result.ok()) {
-        builder.LowerInt64(WasmGraphBuilder::kCalledFromWasm);
-        inlinee_start = graph()->start();
-        inlinee_end = graph()->end();
-      } else {
-        // Otherwise report failure.
-        Trace(candidate, "failed to compile");
-        return;
-      }
+      CHECK(result.ok());
+      builder.LowerInt64(WasmGraphBuilder::kCalledFromWasm);
+      inlinee_start = graph()->start();
+      inlinee_end = graph()->end();
     }
 
     size_t additional_nodes = graph()->NodeCount() - subgraph_min_node_id;

test/mjsunit/mjsunit.js

@@ -530,7 +530,7 @@ var prettyPrinted;
   };
 
   function executeCode(code) {
-    if (typeof code === 'function')  return code();
+    if (typeof code === 'function') return code();
     if (typeof code === 'string') return eval(code);
     failWithMessage(
         'Given code is neither function nor string, but ' + (typeof code) +

test/mjsunit/regress/wasm/regress-1374535.js

@@ -0,0 +1,18 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-inlining --no-liftoff
+
+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
+
+let builder = new WasmModuleBuilder();
+let global = builder.addGlobal(kWasmI32);
+let callee =
+    builder.addFunction('callee', kSig_v_v).addBody([kExprLocalGet, 11]);
+builder.addFunction('main', kSig_v_v)
+    .addBody([kExprCallFunction, callee.index])
+    .exportFunc();
+assertThrows(
+    () => builder.instantiate(), WebAssembly.CompileError,
+    /invalid local index: 11/);