[wasm] Do not produce code for br_if if its condition does not validate.

I could not reproduce the bug in either a unittest nor a cctest. That's why I created an mjsunit test now. BUG=chromium:644682 R=titzer@chromium.org Review-Url: https://codereview.chromium.org/2319213003 Cr-Commit-Position: refs/heads/master@{#39282}
2016-09-08 07:40:34 -07:00 · 2016-09-08 07:40:34 -07:00 · 853892a516
commit 853892a516
parent 9142671847
2 changed files with 27 additions and 1 deletions
--- a/src/wasm/ast-decoder.cc
+++ b/src/wasm/ast-decoder.cc
@ -1023,7 +1023,7 @@ class WasmFullDecoder : public WasmDecoder {
            Value cond = Pop(operand.arity, kAstI32);
            Value val = {pc_, nullptr, kAstStmt};
            if (operand.arity == 1) val = Pop();
-            if (Validate(pc_, operand, control_)) {
+            if (ok() && Validate(pc_, operand, control_)) {
              SsaEnv* fenv = ssa_env_;
              SsaEnv* tenv = Split(fenv);
              fenv->SetNotMerged();
--- a/test/mjsunit/wasm/regression-644682.js
+++ b/test/mjsunit/wasm/regression-644682.js
@ -0,0 +1,26 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+(function() {
+var builder = new WasmModuleBuilder();
+builder.addFunction("regression_644682", kSig_i_v)
+  .addBody([
+            kExprBlock,   // @1
+            kExprI32Const, 0x3b,
+            kExprI32LoadMem, 0x00, 0x00,
+            kExprI32Const, 0x10,
+            kExprBrIf, 0x01, 0x00,   // arity=1 depth0
+            kExprI32Const, 0x45,
+            kExprI32Const, 0x3b,
+            kExprI64LoadMem16S, 0x00, 0x3b,
+            kExprBrIf, 0x01, 0x00   // arity=1 depth0
+            ])
+            .exportFunc();
+assertThrows(function() { builder.instantiate(); });
+})();