[wasm] Always trap for memory accesses with offset=uint32_max.

src/compiler/wasm-compiler.cc

Index: src/compiler/wasm-compiler.cc
diff --git a/src/compiler/wasm-compiler.cc b/src/compiler/wasm-compiler.cc
index baa6b7b41b0d9bc0b9dd3baa1a004c7cc169f00c..5026c1704a6b1f6f11471136ee57d5b93e43603a 100644
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -2912,7 +2912,18 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
     // out of bounds; one check for the offset being in bounds, and the next for
     // the offset + index being out of bounds for code to be patched correctly
     // on relocation.
-    size_t effective_offset = offset + memsize - 1;
+
+    // Check for overflows.
+    if ((std::numeric_limits<uint32_t>::max() - memsize) + 1 < offset) {
+      // Always trap. Do not use TrapAlways because it does not create a valid
+      // graph here.
+      trap_->TrapIfEq32(wasm::kTrapMemOutOfBounds, jsgraph()->Int32Constant(0),
+                        0, position);
+      return;
+    }
+    size_t effective_offset =
+        (offset - 1) + memsize;  // == offset + memsize - 1

[titzer, 2016/11/08 15:16:32]

comment is probably unnecessary

+
     Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(),
                                   jsgraph()->IntPtrConstant(effective_offset),
                                   jsgraph()->RelocatableInt32Constant(