[wasm] Forbid sign mismatch in asm typer.

asm.js forbids mixing signed and unsigned % or /. We had been allowing these. Fixes crash. BUG=618602 BUG=v8:4203 R=aseemgarg@chromium.org Review-Url: https://codereview.chromium.org/2107683002 Cr-Commit-Position: refs/heads/master@{#37350}

[wasm] Forbid sign mismatch in asm typer.
asm.js forbids mixing signed and unsigned % or /. We had been allowing these. Fixes crash. BUG=618602 BUG=v8:4203 R=aseemgarg@chromium.org Review-Url: https://codereview.chromium.org/2107683002 Cr-Commit-Position: refs/heads/master@{#37350}
c5856779 · bradnelson · Commit bot · 58920e04 · c5856779 · c5856779
Commit c5856779 authored Jun 28, 2016 by bradnelson Committed by Commit bot Jun 28, 2016
4 changed files
--- a/src/typing-asm.cc
+++ b/src/typing-asm.cc
@@ -1299,6 +1299,16 @@ void AsmTyper::VisitBinaryOperation(BinaryOperation* expr) {
              FAIL(expr, "too many consecutive multiplicative ops");
            }
          }
+          if (expr->op() == Token::MOD || expr->op() == Token::DIV) {
+            if (!((left_type->Is(cache_.kAsmSigned) &&
+                   right_type->Is(cache_.kAsmSigned)) ||
+                  (left_type->Is(cache_.kAsmUnsigned) &&
+                   right_type->Is(cache_.kAsmUnsigned)))) {
+              FAIL(expr,
+                   "left and right side of integer / or % "
+                   "must match and be signed or unsigned");
+            }
+          }
          RECURSE(IntersectResult(expr, cache_.kAsmInt));
          return;
        }

--- a/test/cctest/test-asm-validator.cc
+++ b/test/cctest/test-asm-validator.cc
@@ -1318,7 +1318,40 @@ TEST(Division4) {
  CHECK_FUNC_ERROR(
      "function bar() { var x = 1; var y = 2; return (x/y/x/y)|0; }\n"
      "function foo() { bar(); }",
-      "asm: line 1: too many consecutive multiplicative ops\n");
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
+}
+
+TEST(ModInt) {
+  CHECK_FUNC_ERROR(
+      "function bar() { var x = 1; var y = 2; return (x%y)|0; }\n"
+      "function foo() { bar(); }",
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
+}
+
+TEST(DivInt) {
+  CHECK_FUNC_ERROR(
+      "function bar() { var x = 1; var y = 2; return (x/y)|0; }\n"
+      "function foo() { bar(); }",
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
+}
+
+TEST(ModIntMismatch) {
+  CHECK_FUNC_ERROR(
+      "function bar() { var x = 1; var y = 2; return ((x|0)%(y>>>0))|0; }\n"
+      "function foo() { bar(); }",
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
+}
+
+TEST(DivIntMismatch) {
+  CHECK_FUNC_ERROR(
+      "function bar() { var x = 1; var y = 2; return ((x|0)/(y>>>0))|0; }\n"
+      "function foo() { bar(); }",
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
 }



--- a/test/mjsunit/regress/regress-wasm-crbug-618602.js
+++ b/test/mjsunit/regress/regress-wasm-crbug-618602.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+function __f_1() {
+  'use asm';
+  function __f_3() {
+    var __v_11 = 1, __v_10 = 0, __v_12 = 0;
+    __v_12 = (__v_10 | 12) % 4294967295 | -1073741824;
+  }
+  return { __f_3: __f_3 };
+}
+assertThrows(function() {
+  Wasm.instantiateModuleFromAsm(__f_1.toString());
+});
--- a/test/mjsunit/wasm/asm-wasm-i32.js
+++ b/test/mjsunit/wasm/asm-wasm-i32.js
@@ -67,13 +67,13 @@ function i32_mul(a, b) {
 function i32_div(a, b) {
  a = a | 0;
  b = b | 0;
-  return (a / b) | 0;
+  return ((a | 0) / (b | 0)) | 0;
 }

 function i32_mod(a, b) {
  a = a | 0;
  b = b | 0;
-  return (a % b) | 0;
+  return ((a | 0) % (b | 0)) | 0;
 }

 function i32_and(a, b) {