[asm.js] Fix load type of {Float32Array} and {Float64Array}.

This makes sure that the return type of the aforementioned heap views is
always {float?} and {double?} respectively, independent of the type of
the value passed to the store. It fixes validation failures due to bogus
(and redundant) conversion expressions being emitted.

R=clemensb@chromium.org
TEST=mjsunit/asm/regress-1027595
BUG=chromium:1027595

Change-Id: I037613afc643ac1b04ae4a943e42dc1823ad5bdf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1932374
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65151}

src/asmjs/asm-parser.cc

@@ -1514,17 +1514,19 @@ AsmType* AsmJsParser::AssignmentExpression() {
       if (!value->IsA(ret)) {
         FAILn("Illegal type stored to heap view");
       }
+      ret = value;
       if (heap_type->IsA(AsmType::Float32Array()) &&
           value->IsA(AsmType::DoubleQ())) {
         // Assignment to a float32 heap can be used to convert doubles.
         current_function_builder_->Emit(kExprF32ConvertF64);
+        ret = AsmType::FloatQ();
       }
       if (heap_type->IsA(AsmType::Float64Array()) &&
           value->IsA(AsmType::FloatQ())) {
         // Assignment to a float64 heap can be used to convert floats.
         current_function_builder_->Emit(kExprF64ConvertF32);
+        ret = AsmType::DoubleQ();
       }
-      ret = value;
 #define V(array_type, wasmload, wasmstore, type)                         \
   if (heap_type->IsA(AsmType::array_type())) {                           \
     current_function_builder_->Emit(kExpr##type##AsmjsStore##wasmstore); \

test/mjsunit/asm/regress-1027595.js

@@ -0,0 +1,44 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+(function TestF32StoreConvertsF64ToF32() {
+  function Module(stdlib, foreign, heap) {
+    'use asm';
+    var f32 = new stdlib.Float32Array(heap);
+    function f(a) {
+      a = +a;
+      f32[0] = f32[1] = a;
+    }
+    return f;
+  }
+  var buffer = new ArrayBuffer(0x10000);
+  var f = Module(this, {}, buffer);
+  assertDoesNotThrow(() => f(23.42));
+  var view = new Float32Array(buffer);
+  assertEquals(Math.fround(23.42), view[0]);
+  assertEquals(Math.fround(23.42), view[1]);
+  assertTrue(%IsAsmWasmCode(Module));
+})();
+
+(function TestF64StoreConvertsF32ToF64() {
+  function Module(stdlib, foreign, heap) {
+    'use asm';
+    var fround = stdlib.Math.fround;
+    var f64 = new stdlib.Float64Array(heap);
+    function f(a) {
+      a = fround(a);
+      f64[0] = f64[1] = a;
+    }
+    return f;
+  }
+  var buffer = new ArrayBuffer(0x10000);
+  var f = Module(this, {}, buffer);
+  assertDoesNotThrow(() => f(23.42));
+  var view = new Float64Array(buffer);
+  assertEquals(Math.fround(23.42), view[0]);
+  assertEquals(Math.fround(23.42), view[1]);
+  assertTrue(%IsAsmWasmCode(Module));
+})();

test/mjsunit/mjsunit.status

@@ -373,6 +373,7 @@
   'asm/call-stdlib': [SKIP],
   'asm/call-annotation': [SKIP],
   'asm/global-imports': [SKIP],
+  'asm/regress-1027595': [SKIP],
   'asm/regress-913822': [SKIP],
   'asm/regress-937650': [SKIP],
   'asm/regress-9531': [SKIP],