From 6a8dccb19731fe78ce0d576876677734a7c0ae5e Mon Sep 17 00:00:00 2001
From: clemensh <clemensh@chromium.org>
Date: Mon, 5 Dec 2016 11:29:38 -0800
Subject: [PATCH] [wasm] Implement location from stack trace for asm.js frames

This avoids the crash which ClusterFuzz found, but still does not
report the same position as without validate.asm.
For calls like "foo()|0", we report the position of the call instead of
the position of the "|" if ToNumber throws an error.

After this CL, the correctness-fuzzer for validate-asm will probably
find mismatches there.

R=titzer@chromium.org
BUG=chromium:670808

Review-Url: https://codereview.chromium.org/2548323002
Cr-Commit-Position: refs/heads/master@{#41500}
---
 src/isolate.cc                         | 20 ++++++++++++++++++--
 src/isolate.h                          |  4 +++-
 test/mjsunit/regress/regress-670808.js | 22 ++++++++++++++++++++++
 3 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-670808.js

diff --git a/src/isolate.cc b/src/isolate.cc
index 42a5a55b9d..84e1601f63 100644
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -47,6 +47,7 @@
 #include "src/version.h"
 #include "src/vm-state-inl.h"
 #include "src/wasm/wasm-module.h"
+#include "src/wasm/wasm-objects.h"
 #include "src/zone/accounting-allocator.h"
 
 namespace v8 {
@@ -1546,8 +1547,23 @@ bool Isolate::ComputeLocationFromStackTrace(MessageLocation* target,
   const int frame_count = elements->FrameCount();
   for (int i = 0; i < frame_count; i++) {
     if (elements->IsWasmFrame(i)) {
-      // TODO(clemensh): handle wasm frames
-      return false;
+      // TODO(clemensh): Handle wasm frames if they ever need handling here.
+      continue;
+    }
+
+    if (elements->IsAsmJsWasmFrame(i)) {
+      Handle<WasmCompiledModule> compiled_module(
+          WasmInstanceObject::cast(elements->WasmInstance(i))
+              ->get_compiled_module());
+      int func_index = elements->WasmFunctionIndex(i)->value();
+      int code_offset = elements->Offset(i)->value();
+      int byte_pos = elements->Code(i)->SourcePosition(code_offset);
+      int source_pos = WasmCompiledModule::GetAsmJsSourcePosition(
+          compiled_module, func_index, byte_pos);
+      Handle<Script> script = compiled_module->script();
+
+      *target = MessageLocation(script, source_pos, source_pos + 1);
+      return true;
     }
 
     Handle<JSFunction> fun = handle(elements->Function(i), this);
diff --git a/src/isolate.h b/src/isolate.h
index 5a1461f102..6b9917f08a 100644
--- a/src/isolate.h
+++ b/src/isolate.h
@@ -765,7 +765,9 @@ class Isolate {
   Object* PromoteScheduledException();
 
   // Attempts to compute the current source location, storing the
-  // result in the target out parameter.
+  // result in the target out parameter. The source location is attached to a
+  // Message object as the location which should be shown to the user. It's
+  // typically the top-most meaningful location on the stack.
   bool ComputeLocation(MessageLocation* target);
   bool ComputeLocationFromException(MessageLocation* target,
                                     Handle<Object> exception);
diff --git a/test/mjsunit/regress/regress-670808.js b/test/mjsunit/regress/regress-670808.js
new file mode 100644
index 0000000000..d5e0b51be6
--- /dev/null
+++ b/test/mjsunit/regress/regress-670808.js
@@ -0,0 +1,22 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var sym = Symbol();
+function asm(stdlib, ffi) {
+  "use asm";
+  var get_sym = ffi.get_sym;
+  function crash() {
+    get_sym()|0;
+  }
+  return {crash: crash};
+}
+function get_sym() {
+  return sym;
+}
+try {
+  asm(null, {get_sym: get_sym}).crash();
+} catch (e) {
+  if (!(e instanceof TypeError))
+    throw e;
+}