[wasm] Fix checking of unreachable code (clear stack after unreachable).

src/wasm/function-body-decoder.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/signature.h"
 
 #include "src/bit-vector.h"
 #include "src/flags.h"
 #include "src/handles.h"
 #include "src/zone/zone-containers.h"
@@ skipping 1223 matching lines @@
           }
         }
         PrintF("\n");
       }
 #endif
       pc_ += len;
     }  // end decode loop
     if (pc_ > end_ && ok()) error("Beyond end of code");
   }
 
-  void EndControl() { ssa_env_->Kill(SsaEnv::kControlEnd); }
+  void EndControl() {
+    ssa_env_->Kill(SsaEnv::kControlEnd);
+    if (control_.empty()) {

[rossberg, 2017/01/19 12:55:11]

I suppose you could avoid spurious case distinctions like this by pushing a
control frame for the function block itself, so that the stack is never empty?

+      stack_.clear();
+    } else {
+      DCHECK_LE(control_.back().stack_depth, stack_.size());
+      stack_.resize(control_.back().stack_depth);
+    }
+  }
 
   void SetBlockType(Control* c, BlockTypeOperand& operand) {
     c->merge.arity = operand.arity;
     if (c->merge.arity == 1) {
       c->merge.vals.first = {pc_, nullptr, operand.read_entry(0)};
     } else if (c->merge.arity > 1) {
       c->merge.vals.array = zone_->NewArray<Value>(c->merge.arity);
       for (unsigned i = 0; i < c->merge.arity; i++) {
         c->merge.vals.array[i] = {pc_, nullptr, operand.read_entry(i)};
       }
@@ skipping 749 matching lines @@
 BitVector* AnalyzeLoopAssignmentForTesting(Zone* zone, size_t num_locals,
                                            const byte* start, const byte* end) {
   Decoder decoder(start, end);
   return WasmDecoder::AnalyzeLoopAssignment(&decoder, start,
                                             static_cast<int>(num_locals), zone);
 }
 
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8