[wasm] Fix wasm to js wrapper for illegal signature

When compiling a wasm to js wrapper for a signature which is not JS
compatible, we generate a runtime call to throw a type error and return
immediately afterwards. We were using the return value of the runtime
call as return value for the wrapper.
This worked for integer return values, since the same registers are
used for tagged values and integer values. For float values, however,
it failed, since the return value needs to be stored in another
register.

R=titzer@chromium.org
BUG=v8:6096

Change-Id: I8f39ea132cd150c3044673d25fa3c3588b4266bf
Reviewed-on: https://chromium-review.googlesource.com/455816Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43821}

src/compiler/wasm-compiler.cc

@@ -1061,6 +1061,22 @@ Node* WasmGraphBuilder::HeapConstant(Handle<HeapObject> value) {
   return jsgraph()->HeapConstant(value);
 }
 
+Node* WasmGraphBuilder::ZeroConstant(wasm::ValueType type) {
+  switch (type) {
+    case wasm::kWasmI32:
+      return Int32Constant(0);
+    case wasm::kWasmI64:
+      return Int64Constant(0);
+    case wasm::kWasmF32:
+      return Float32Constant(0);
+    case wasm::kWasmF64:
+      return Float64Constant(0);
+    default:
+      UNIMPLEMENTED();
+      return nullptr;
+  }
+}
+
 namespace {
 Node* Branch(JSGraph* jsgraph, Node* cond, Node** true_node, Node** false_node,
              Node* control, BranchHint hint) {
@@ -2804,9 +2820,12 @@ void WasmGraphBuilder::BuildWasmToJSWrapper(Handle<JSReceiver> target,
     // regenerated at instantiation time.
     Node* context =
         jsgraph()->HeapConstant(jsgraph()->isolate()->native_context());
-    Return(BuildCallToRuntimeWithContext(Runtime::kWasmThrowTypeError,
-                                         jsgraph(), context, nullptr, 0,
-                                         effect_, *control_));
+    BuildCallToRuntimeWithContext(Runtime::kWasmThrowTypeError, jsgraph(),
+                                  context, nullptr, 0, effect_, *control_);
+    // TODO(wasm): Support multi-return.
+    wasm::ValueType return_type =
+        sig->return_count() == 0 ? wasm::kWasmI32 : sig->GetReturn();
+    Return(ZeroConstant(return_type));
     return;
   }
 
@@ -2890,9 +2909,8 @@ void WasmGraphBuilder::BuildWasmToJSWrapper(Handle<JSReceiver> target,
   }
 
   // Convert the return value back.
-  Node* i32_zero = jsgraph()->Int32Constant(0);
   Node* val = sig->return_count() == 0
-                  ? i32_zero
+                  ? jsgraph()->Int32Constant(0)
                   : FromJS(call, HeapConstant(isolate->native_context()),
                            sig->GetReturn());
   Return(val);

src/compiler/wasm-compiler.h

@@ -142,6 +142,7 @@ class WasmGraphBuilder {
   Node* Float32Constant(float value);
   Node* Float64Constant(double value);
   Node* HeapConstant(Handle<HeapObject> value);
+  Node* ZeroConstant(wasm::ValueType);
   Node* Binop(wasm::WasmOpcode opcode, Node* left, Node* right,
               wasm::WasmCodePosition position = wasm::kNoCodePosition);
   Node* Unop(wasm::WasmOpcode opcode, Node* input,

test/mjsunit/wasm/ffi-error.js

@@ -115,6 +115,19 @@ assertThrows(function() {
   }, TypeError);
 })();
 
+(function ImportI64ParamWithF64ReturnThrows() {
+  // This tests that we generate correct code by using the correct return
+  // register. See bug 6096.
+  var builder = new WasmModuleBuilder();
+  builder.addImport('', 'f', makeSig([kWasmI64], [kWasmF64]));
+  builder.addFunction('main', kSig_v_v)
+      .addBody([kExprI64Const, 0, kExprCallFunction, 0, kExprDrop])
+      .exportFunc();
+  var instance = builder.instantiate({'': {f: i => i}});
+
+  assertThrows(() => instance.exports.main(), TypeError);
+})();
+
 (function ImportSymbolToNumberThrows() {
   var builder = new WasmModuleBuilder();
   var index = builder.addImport("", "func", kSig_i_v);