[wasm] Forbid sign mismatch in asm typer.

asm.js forbids mixing signed and unsigned % or /.
We had been allowing these.

Fixes crash.

BUG=618602
BUG=v8:4203
R=aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2107683002
Cr-Commit-Position: refs/heads/master@{#37350}

src/typing-asm.cc

@@ -1299,6 +1299,16 @@ void AsmTyper::VisitBinaryOperation(BinaryOperation* expr) {
               FAIL(expr, "too many consecutive multiplicative ops");
             }
           }
+          if (expr->op() == Token::MOD || expr->op() == Token::DIV) {
+            if (!((left_type->Is(cache_.kAsmSigned) &&
+                   right_type->Is(cache_.kAsmSigned)) ||
+                  (left_type->Is(cache_.kAsmUnsigned) &&
+                   right_type->Is(cache_.kAsmUnsigned)))) {
+              FAIL(expr,
+                   "left and right side of integer / or % "
+                   "must match and be signed or unsigned");
+            }
+          }
           RECURSE(IntersectResult(expr, cache_.kAsmInt));
           return;
         }

test/cctest/test-asm-validator.cc

@@ -1318,7 +1318,40 @@ TEST(Division4) {
   CHECK_FUNC_ERROR(
       "function bar() { var x = 1; var y = 2; return (x/y/x/y)|0; }\n"
       "function foo() { bar(); }",
-      "asm: line 1: too many consecutive multiplicative ops\n");
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
+}
+
+TEST(ModInt) {
+  CHECK_FUNC_ERROR(
+      "function bar() { var x = 1; var y = 2; return (x%y)|0; }\n"
+      "function foo() { bar(); }",
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
+}
+
+TEST(DivInt) {
+  CHECK_FUNC_ERROR(
+      "function bar() { var x = 1; var y = 2; return (x/y)|0; }\n"
+      "function foo() { bar(); }",
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
+}
+
+TEST(ModIntMismatch) {
+  CHECK_FUNC_ERROR(
+      "function bar() { var x = 1; var y = 2; return ((x|0)%(y>>>0))|0; }\n"
+      "function foo() { bar(); }",
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
+}
+
+TEST(DivIntMismatch) {
+  CHECK_FUNC_ERROR(
+      "function bar() { var x = 1; var y = 2; return ((x|0)/(y>>>0))|0; }\n"
+      "function foo() { bar(); }",
+      "asm: line 1: left and right side of integer / or % "
+      "must match and be signed or unsigned\n");
 }
 
 

test/mjsunit/regress/regress-wasm-crbug-618602.js

@@ -0,0 +1,17 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+function __f_1() {
+  'use asm';
+  function __f_3() {
+    var __v_11 = 1, __v_10 = 0, __v_12 = 0;
+    __v_12 = (__v_10 | 12) % 4294967295 | -1073741824;
+  }
+  return { __f_3: __f_3 };
+}
+assertThrows(function() {
+  Wasm.instantiateModuleFromAsm(__f_1.toString());
+});

test/mjsunit/wasm/asm-wasm-i32.js

@@ -67,13 +67,13 @@ function i32_mul(a, b) {
 function i32_div(a, b) {
   a = a | 0;
   b = b | 0;
-  return (a / b) | 0;
+  return ((a | 0) / (b | 0)) | 0;
 }
 
 function i32_mod(a, b) {
   a = a | 0;
   b = b | 0;
-  return (a % b) | 0;
+  return ((a | 0) % (b | 0)) | 0;
 }
 
 function i32_and(a, b) {