From e4eac0802c2473d899d3c156a37c7daeecae5bb9 Mon Sep 17 00:00:00 2001
From: Manos Koukoutos <manoskouk@chromium.org>
Date: Thu, 13 Jan 2022 11:27:42 +0000
Subject: [PATCH] [wasm-gc] Fix pc offset for static br_on instructions

Bug: v8:7748
Change-Id: I3a20c588c2e0753c646cceb0a03fd882041fed7e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3383779
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78612}
---
 src/wasm/function-body-decoder-impl.h | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/wasm/function-body-decoder-impl.h b/src/wasm/function-body-decoder-impl.h
index ffd4b632ff..96db519b0f 100644
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -4602,12 +4602,13 @@ class WasmFullDecoder : public WasmDecoder<validate, decoding_mode> {
                             control_.size())) {
           return 0;
         }
+        uint32_t pc_offset = opcode_length + branch_depth.length;
         Value rtt = Peek(0, 1);  // This is safe for the ...Static instruction.
         if (opcode == kExprBrOnCastStatic) {
-          IndexImmediate<validate> imm(this, this->pc_ + opcode_length,
+          IndexImmediate<validate> imm(this, this->pc_ + pc_offset,
                                        "type index");
           if (!this->ValidateType(this->pc_ + opcode_length, imm)) return 0;
-          opcode_length += imm.length;
+          pc_offset += imm.length;
           rtt = CreateValue(ValueType::Rtt(
               imm.index, GetSubtypingDepth(this->module_, imm.index)));
           CALL_INTERFACE_IF_OK_AND_REACHABLE(RttCanon, imm.index, &rtt);
@@ -4672,7 +4673,7 @@ class WasmFullDecoder : public WasmDecoder<validate, decoding_mode> {
 
         Drop(result_on_branch);
         Push(obj);  // Restore stack state on fallthrough.
-        return opcode_length + branch_depth.length;
+        return pc_offset;
       }
       case kExprBrOnCastFail:
       case kExprBrOnCastStaticFail: {
@@ -4683,12 +4684,13 @@ class WasmFullDecoder : public WasmDecoder<validate, decoding_mode> {
                             control_.size())) {
           return 0;
         }
+        uint32_t pc_offset = opcode_length + branch_depth.length;
         Value rtt = Peek(0, 1);  // This is safe for the ...Static instruction.
         if (opcode == kExprBrOnCastStaticFail) {
-          IndexImmediate<validate> imm(this, this->pc_ + opcode_length,
+          IndexImmediate<validate> imm(this, this->pc_ + pc_offset,
                                        "type index");
           if (!this->ValidateType(this->pc_ + opcode_length, imm)) return 0;
-          opcode_length += imm.length;
+          pc_offset += imm.length;
           rtt = CreateValue(ValueType::Rtt(
               imm.index, GetSubtypingDepth(this->module_, imm.index)));
           CALL_INTERFACE_IF_OK_AND_REACHABLE(RttCanon, imm.index, &rtt);
@@ -4761,7 +4763,7 @@ class WasmFullDecoder : public WasmDecoder<validate, decoding_mode> {
         // Make sure the correct value is on the stack state on fallthrough.
         Drop(obj);
         Push(result_on_fallthrough);
-        return opcode_length + branch_depth.length;
+        return pc_offset;
       }
 #define ABSTRACT_TYPE_CHECK(heap_type)                                  \
   case kExprRefIs##heap_type: {                                         \