Terminate the decoding loop more gracefully.

The decoder has the assumption that it always holds that pc <= end.
However, in the FunctionBodyDecoder, end was set to start to terminate
the decoding loop. Thereby the assumption was violated, which caused a
crash. I set end to pc now to end the decoding loop, which preserves
the assumption and terminates the loop.

BUG=chromium:709741
TEST=unittests/FunctionBodyDecoderTest.Regression709741
R=clemensh@chromium.org

Change-Id: I5bfd61bdc4809fc16f12ca8611876c66a79aaa36
Reviewed-on: https://chromium-review.googlesource.com/472723
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44524}

src/wasm/function-body-decoder.cc

@@ -1948,7 +1948,7 @@ class WasmFullDecoder : public WasmDecoder {
   }
 
   virtual void onFirstError() {
-    end_ = start_;       // Terminate decoding loop.
+    end_ = pc_;          // Terminate decoding loop.
     builder_ = nullptr;  // Don't build any more nodes.
     TRACE(" !%s\n", error_msg_.c_str());
   }

test/unittests/wasm/function-body-decoder-unittest.cc

@@ -2323,6 +2323,24 @@ TEST_F(FunctionBodyDecoderTest, MultiValIf1) {
       kExprI32Add);
 }
 
+TEST_F(FunctionBodyDecoderTest, Regression709741) {
+  AddLocals(kWasmI32, kV8MaxWasmFunctionLocals - 1);
+  EXPECT_VERIFIES(v_v, WASM_NOP);
+  byte code[] = {WASM_NOP};
+  const byte* start = code;
+  const byte* end = code + sizeof(code);
+  PrepareBytecode(&start, &end);
+
+  for (const byte* i = start; i < end; i++) {
+    DecodeResult result =
+        VerifyWasmCode(zone()->allocator(), nullptr, sigs.v_v(), start, i);
+    if (result.ok()) {
+      std::ostringstream str;
+      str << "Expected verification to fail";
+    }
+  }
+}
+
 class BranchTableIteratorTest : public TestWithZone {
  public:
   BranchTableIteratorTest() : TestWithZone() {}