[wasm] Validate function bodies for lazy compilation

Validation normally happens while generating the turbofan graph of a
wasm function. For lazy compilation (behind the flag
--wasm-lazy-compilation), we skip this graph generation step during
module generation. Thus we need to validate explicitely.

R=ahaas@chromium.org
BUG=chromium:724851

Change-Id: Ic70887c0d823460a272d0bb636dc98b2b7a7e55e
Reviewed-on: https://chromium-review.googlesource.com/509574
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45478}

src/wasm/wasm-module.cc

@@ -559,6 +559,29 @@ class CompilationHelper {
     }
   }
 
+  void ValidateSequentially(ModuleBytesEnv* module_env, ErrorThrower* thrower) {
+    DCHECK(!thrower->error());
+
+    const WasmModule* module = module_env->module_env.module;
+    for (uint32_t i = 0; i < module->functions.size(); ++i) {
+      const WasmFunction& func = module->functions[i];
+      if (func.imported) continue;
+
+      const byte* base = module_env->wire_bytes.start();
+      FunctionBody body{func.sig, base, base + func.code_start_offset,
+                        base + func.code_end_offset};
+      DecodeResult result = VerifyWasmCode(isolate_->allocator(),
+                                           module_env->module_env.module, body);
+      if (result.failed()) {
+        WasmName str = module_env->wire_bytes.GetName(&func);
+        thrower->CompileError(
+            "Compiling function #%d:%.*s failed: %s @+%u", i, str.length(),
+            str.start(), result.error_msg().c_str(), result.error_offset());
+        break;
+      }
+    }
+  }
+
   MaybeHandle<WasmModuleObject> CompileToModuleObject(
       ErrorThrower* thrower, const ModuleWireBytes& wire_bytes,
       Handle<Script> asm_js_script,
@@ -651,8 +674,16 @@ class CompilationHelper {
       } else {
         CompileSequentially(&module_env, temp_instance->function_code, thrower);
       }
-      if (thrower->error()) return {};
+    } else if (module_->is_wasm()) {
+      // Validate wasm modules for lazy compilation. Don't validate asm.js
+      // modules, they are valid by construction (otherwise a CHECK will fail
+      // during lazy compilation).
+      // TODO(clemensh): According to the spec, we can actually skip validation
+      // at module creation time, and return a function that always traps at
+      // (lazy) compilation time.
+      ValidateSequentially(&module_env, thrower);
     }
+    if (thrower->error()) return {};
 
     // At this point, compilation has completed. Update the code table.
     for (size_t i = FLAG_skip_compiling_wasm_funcs;
@@ -3311,6 +3342,8 @@ void LazyCompilationOrchestrator::CompileFunction(
   // If there is a pending error, something really went wrong. The module was
   // verified before starting execution with lazy compilation.
   // This might be OOM, but then we cannot continue execution anyway.
+  // TODO(clemensh): According to the spec, we can actually skip validation at
+  // module creation time, and return a function that always traps here.
   CHECK(!thrower.error());
 
   Handle<FixedArray> deopt_data = isolate->factory()->NewFixedArray(2, TENURED);

test/mjsunit/regress/wasm/regression-724851.js

@@ -0,0 +1,12 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-lazy-compilation
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+let builder = new WasmModuleBuilder();
+builder.addFunction('f', kSig_i_v).addBody([kExprReturn]);
+assertThrows(() => builder.instantiate(), WebAssembly.CompileError);