[asmjs] Check function body size limit

R=mstarzinger@chromium.org
BUG=chromium:944945

Change-Id: I9cd83118fd27556197bfd5c4597b4678fc97ee32
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1541479
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60494}

src/asmjs/asm-parser.cc

@@ -808,6 +808,9 @@ void AsmJsParser::ValidateFunction() {
   // End function
   current_function_builder_->Emit(kExprEnd);
 
+  if (current_function_builder_->GetPosition() > kV8MaxWasmFunctionSize) {
+    FAIL("Size of function body exceeds internal limit");
+  }
   // Record (or validate) function type.
   AsmType* function_type = AsmType::Function(zone(), return_type_);
   for (auto t : params) {

src/wasm/wasm-engine.cc

@@ -135,7 +135,12 @@ MaybeHandle<AsmWasmData> WasmEngine::SyncCompileTranslatedAsmJs(
   ModuleResult result =
       DecodeWasmModule(kAsmjsWasmFeatures, bytes.start(), bytes.end(), false,
                        kAsmJsOrigin, isolate->counters(), allocator());
-  CHECK(!result.failed());
+  if (result.failed()) {
+    // This happens once in a while when we have missed some limit check
+    // in the asm parser. Output an error message to help diagnose, but crash.
+    std::cout << result.error().message();
+    UNREACHABLE();
+  }
 
   // Transfer ownership of the WasmModule to the {Managed<WasmModule>} generated
   // in {CompileToNativeModule}.

test/mjsunit/regress/regress-944945.js

@@ -0,0 +1,6 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const E = '"use asm";\nfunction f() { LOCALS }\nreturn f;';
+const PI = new Function(E.replace('LOCALS', Array(999995).fill('0.9')));