[wasm-gc] Function body decoder: Fix dcheck in case of local with invalid heap type

Bug: v8:7748 Change-Id: I9d3e2245db4d98d370291ea86d615b355f2c941a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3921518 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Auto-Submit: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#83457}
2022-09-27 14:54:45 +02:00 · 2022-09-27 14:54:45 +02:00 · e002faf111
commit e002faf111
parent 0582087685
2 changed files with 20 additions and 1 deletions
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@ -1221,7 +1221,7 @@ class WasmDecoder : public Decoder {

      ValueType type = value_type_reader::read_value_type<validate>(
          this, pc + *total_length, &length, this->module_, enabled_);
-      if (!VALIDATE(type != kWasmBottom)) return;
+      if (!VALIDATE(ok())) return;
      *total_length += length;

      local_types_.insert(local_types_.end(), count, type);
--- a/test/mjsunit/wasm/wasm-invalid-local.js
+++ b/test/mjsunit/wasm/wasm-invalid-local.js
@ -0,0 +1,19 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-gc
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+(function TestLocalInvalidHeapType() {
+  let builder = new WasmModuleBuilder();
+  builder.addFunction('testEqLocal',
+                    makeSig([], [kWasmAnyRef]))
+  .addLocals(wasmRefNullType(123), 1) // 123 is not a valid type index
+  .addBody([
+    kExprRefNull, kNullRefCode,
+    kExprLocalSet, 0,
+  ]).exportFunc();
+  assertThrows(() => builder.instantiate(), WebAssembly.CompileError);
+})();