Bug 1472633: Check that ref types exist when used as inline block types; r=jseward

--HG--
extra : rebase_source : 4769b66af2da20095dcd687edeae534b8774e7a6

js/src/jit-test/tests/wasm/gc/binary.js

@@ -4,6 +4,13 @@ if (!wasmGcEnabled()) {
 
 load(libdir + "wasm-binary.js");
 
+const v2vSig = {args:[], ret:VoidCode};
+const v2vSigSection = sigSection([v2vSig]);
+
+function checkInvalid(body, errorMessage) {
+    assertErrorMessage(() => new WebAssembly.Module(moduleWithSections([v2vSigSection, declSection([0]), bodySection([body])])), WebAssembly.CompileError, errorMessage);
+}
+
 const invalidRefNullBody = funcBody({locals:[], body:[
     RefNull,
     RefCode,
@@ -20,8 +27,20 @@ const invalidRefNullBody = funcBody({locals:[], body:[
     SelectCode,
     DropCode
 ]});
+checkInvalid(invalidRefNullBody, /invalid nullref type/);
 
-const v2vSig = {args:[], ret:VoidCode};
-const v2vSigSection = sigSection([v2vSig]);
+const invalidRefBlockType = funcBody({locals:[], body:[
+    BlockCode,
+    RefCode,
+    0x42,
+    EndCode,
+]});
+checkInvalid(invalidRefBlockType, /invalid inline block type/);
 
-assertErrorMessage(() => new WebAssembly.Module(moduleWithSections([v2vSigSection, declSection([0]), bodySection([invalidRefNullBody])])), WebAssembly.CompileError, /invalid nullref type/);
+const invalidTooBigRefType = funcBody({locals:[], body:[
+    BlockCode,
+    RefCode,
+    varU32(1000000),
+    EndCode,
+]});
+checkInvalid(invalidTooBigRefType, /invalid inline block type/);

js/src/wasm/WasmOpIter.h

@@ -1016,7 +1016,9 @@ OpIter<Policy>::readBlockType(ExprType* type)
         known = true;
         break;
       case uint8_t(ExprType::Ref):
-        known = env_.gcTypesEnabled == HasGcTypes::True;
+        known = env_.gcTypesEnabled == HasGcTypes::True &&
+                uncheckedRefTypeIndex < MaxTypes &&
+                uncheckedRefTypeIndex < env_.types.length();
         break;
       case uint8_t(ExprType::AnyRef):
         known = env_.gcTypesEnabled == HasGcTypes::True;