[wasm][arm] Fix {Word32Shr} instruction selection.

This fixes a corner case with the matching for a {UBFX} instruction.
According to the ISA reference "UBFX Rd, Rn, #lsb, #width" is only valid
for "#width" in the [1;32-#lsb] range. Specifically a "#width" of 0 is
invalid but was not checked against by the instruction selector.

R=ahaas@chromium.org
TEST=mjsunit/regress/wasm/regress-924905
BUG=chromium:924905

Change-Id: I470671282b215be62dfd147a619a0d317f7cc746
Reviewed-on: https://chromium-review.googlesource.com/c/1435939Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59096}

src/compiler/backend/arm/instruction-selector-arm.cc

@@ -769,6 +769,7 @@ void EmitBic(InstructionSelector* selector, Node* node, Node* left,
 
 void EmitUbfx(InstructionSelector* selector, Node* node, Node* left,
               uint32_t lsb, uint32_t width) {
+  DCHECK_LE(lsb, 31u);
   DCHECK_LE(1u, width);
   DCHECK_LE(width, 32u - lsb);
   ArmOperandGenerator g(selector);
@@ -948,7 +949,7 @@ void InstructionSelector::VisitWord32Shr(Node* node) {
       uint32_t value = (mleft.right().Value() >> lsb) << lsb;
       uint32_t width = base::bits::CountPopulation(value);
       uint32_t msb = base::bits::CountLeadingZeros32(value);
-      if (msb + width + lsb == 32) {
+      if ((width != 0) && (msb + width + lsb == 32)) {
         DCHECK_EQ(lsb, base::bits::CountTrailingZeros32(value));
         return EmitUbfx(this, node, mleft.left().node(), lsb, width);
       }

test/mjsunit/regress/wasm/regress-924905.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+let builder = new WasmModuleBuilder();
+builder.addFunction("kaboom", kSig_i_v)
+    .addBody([
+      kExprI32Const, 0,
+      kExprI32Const, 0,
+      kExprI32And,
+      kExprI32Const, 0,
+      kExprI32ShrU,
+    ]).exportFunc();
+let instance = builder.instantiate();
+assertEquals(0, instance.exports.kaboom());