[wasm] Use 64-bit comparison for bounds checks on 64-bit platforms

By using 64-bit comparison we make sure that there will be no out of
memory accesses even if there are stale values in the high word of a
register.

R=titzer@chromium.org

Change-Id: I2627b15e1598f35cc480d7028031e8de405164ea
Reviewed-on: https://chromium-review.googlesource.com/721323Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48604}

src/compiler/wasm-compiler.cc

@@ -3405,10 +3405,9 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
     // The end offset is larger than the smallest memory.
     // Dynamically check the end offset against the actual memory size, which
     // is not known at compile time.
-    Node* cond = graph()->NewNode(
-        jsgraph()->machine()->Uint32LessThanOrEqual(),
-        jsgraph()->IntPtrConstant(static_cast<uintptr_t>(end_offset)),
-        *mem_size_);
+    Node* cond =
+        graph()->NewNode(jsgraph()->machine()->Uint32LessThanOrEqual(),
+                         jsgraph()->Int32Constant(end_offset), *mem_size_);
     TrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
   } else {
     // The end offset is within the bounds of the smallest memory, so only
@@ -3428,8 +3427,10 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
       graph()->NewNode(jsgraph()->machine()->Int32Sub(), *mem_size_,
                        jsgraph()->Int32Constant(end_offset - 1));
 
-  Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(), index,
-                                effective_size);
+  const Operator* less = jsgraph()->machine()->Is32()
+                             ? jsgraph()->machine()->Uint32LessThan()
+                             : jsgraph()->machine()->Uint64LessThan();
+  Node* cond = graph()->NewNode(less, index, effective_size);
   TrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
 }