[wasm-simd] Check v128 imported global object

Check that a v128 imported global in a Wasm module is initialized with a
WebAssembly.Global object.

This is technically impossible, because creating WebAssembly.Global of
type v128 is an error, and creating one of any other type is a type
mismatch. However, we still need this check to avoid hitting an
unreachable case when setting the value of the global later on.

Also, this is not a validation error, since the v128 restriction is only
a Web/JS limitation. Other embedders can choose to do something
different with this module with an imported v128 global.

Bug: chromium:1127740
Change-Id: I6d444578c082b6b1c353cfa2fd82bb42eb14fc3b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2410659Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69919}

src/wasm/module-instantiate.cc

@@ -1316,6 +1316,18 @@ bool InstanceBuilder::ProcessImportedGlobal(Handle<WasmInstanceObject> instance,
                     module_name, import_name);
     return false;
   }
+
+  // SIMD proposal allows modules to define an imported v128 global, and only
+  // supports importing a WebAssembly.Global object for this global, but also
+  // defines constructing a WebAssembly.Global of v128 to be a TypeError.
+  // We *should* never hit this case in the JS API, but the module should should
+  // be allowed to declare such a global (no validation error).
+  if (global.type == kWasmS128 && !value->IsWasmGlobalObject()) {
+    ReportLinkError("global import of type v128 must be a WebAssembly.Global",
+                    import_index, module_name, import_name);
+    return false;
+  }
+
   if (is_asmjs_module(module_)) {
     // Accepting {JSFunction} on top of just primitive values here is a
     // workaround to support legacy asm.js code with broken binding. Note

test/mjsunit/wasm/simd-globals.js

@@ -9,7 +9,7 @@ load("test/mjsunit/wasm/wasm-module-builder.js");
 // Test for S128 global with initialization.
 // This checks for a bug in copying the immediate values from the
 // initialization expression into the globals area of the module.
-(function TestS128() {
+(function TestS128GlobalInitialization() {
   var builder = new WasmModuleBuilder();
   var g = builder.addGlobal(kWasmS128);
   g.init = [1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0];
@@ -35,3 +35,15 @@ load("test/mjsunit/wasm/wasm-module-builder.js");
     assertEquals(i+1, instance.exports[`get${i}`]());
   }
 })();
+
+(function TestS128GlobalImport() {
+  // We want to test that a module with an imported V128 global does not crash.
+  // But that is a bit tricky because:
+  // 1. WebAssembly.Global({value: 'v128'}) is an error
+  // 2. WebAssembly.Global of any other type is a type mismatch error
+  // So here, we do 2. in order to get further along the code path, where
+  // previously it would have crashed, it now checks for v128 and exits early.
+  var builder = new WasmModuleBuilder();
+  var g = builder.addImportedGlobal('m', 'foo', kWasmS128);
+  assertThrows(() => builder.instantiate({m: {foo: 0}}));
+})();