[wasm] Allow table.fill of size 0 at position table.length

This CL fixes an issue where V8 does not satisfy the WebAssembly spec of
the anyref proposal.

The table.fill instruction has 3 parameters, {start_index}, {length},
and {value}. V8 trapped with table-out-of-bounds when
{start_index >= table_size}. However, the spec requires that
{start_index == table_size} is valid when {length == 0}.

R=mstarzinger@chromium.org

Bug: v8:7581
Change-Id: I5f83a03fb8e349b48c887535f6f065492feb9ac2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1609537
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61689}

src/runtime/runtime-wasm.cc

@@ -658,7 +658,7 @@ RUNTIME_FUNCTION(Runtime_WasmTableFill) {
 
   uint32_t table_size = static_cast<uint32_t>(table->entries()->length());
 
-  if (start >= table_size) {
+  if (start > table_size) {
     return ThrowTableOutOfBounds(isolate, instance);
   }
 

src/wasm/wasm-objects.cc

@@ -983,7 +983,7 @@ void WasmTableObject::Fill(Isolate* isolate, Handle<WasmTableObject> table,
                            uint32_t start, Handle<Object> entry,
                            uint32_t count) {
   // Bounds checks must be done by the caller.
-  DCHECK_LT(start, table->entries()->length());
+  DCHECK_LE(start, table->entries()->length());
   DCHECK_LE(count, table->entries()->length());
   DCHECK_LE(start + count, table->entries()->length());
 

test/mjsunit/wasm/table-fill.js

@@ -193,4 +193,8 @@ function checkAnyFuncTable(call, start, count, value) {
   assertTraps(
       kTrapTableOutOfBounds,
       () => instance.exports[`fill${internal_func}`](start, null, 0));
+
+  // Check that table.fill at position `size` is still valid.
+  instance.exports[`fill${import_func}`](size, null, 0);
+  instance.exports[`fill${internal_func}`](size, null, 0);
 })();