[liftoff] Interrupt br_table decoding on error
This prevents the branch table iterator's has_next() method to trigger a
DCHECK when the decoder fails before the end of table decoding.
R=clemensb@chromium.org
Change-Id: I2258886501b77cd4c8fe98bc8a4ed0b66fb23066
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864931
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64312}
diff --git a/src/wasm/baseline/liftoff-compiler.cc b/src/wasm/baseline/liftoff-compiler.cc
index 9e4c756..bbe0607 100644
--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@@ -1473,6 +1473,8 @@
GenerateBrTable(decoder, tmp, value, min, split, table_iterator,
br_targets);
__ bind(&upper_half);
+ // table_iterator will trigger a DCHECK if we don't stop decoding now.
+ if (did_bailout()) return;
// Emit br table for upper half:
GenerateBrTable(decoder, tmp, value, split, max, table_iterator,
br_targets);
@@ -1496,6 +1498,8 @@
&br_targets);
__ bind(&case_default);
+ // table_iterator will trigger a DCHECK if we don't stop decoding now.
+ if (did_bailout()) return;
}
// Generate the default case.
diff --git a/test/mjsunit/wasm/multi-value.js b/test/mjsunit/wasm/multi-value.js
index 4da3d4a..ede7e3a 100644
--- a/test/mjsunit/wasm/multi-value.js
+++ b/test/mjsunit/wasm/multi-value.js
@@ -384,6 +384,23 @@
assertEquals(instance.exports.main(10), 200);
})();
+(function MultiBrTableTest() {
+ print(arguments.callee.name);
+ let builder = new WasmModuleBuilder();
+ let sig_ii_v = builder.addType(kSig_v_v);
+
+ builder.addFunction("main", kSig_ii_v)
+ .addBody([
+ kExprI32Const, 1, kExprI32Const, 2,
+ kExprI32Const, 0,
+ kExprBrTable, 1, 0, 0,
+ ])
+ .exportAs("main");
+
+ let instance = builder.instantiate();
+ assertEquals(instance.exports.main(), [1, 2]);
+})();
+
(function MultiWasmToJSReturnTest() {
print(arguments.callee.name);
let builder = new WasmModuleBuilder();
