[wasm] Fix BigInt imports to asm.js modules

Replacing a crash with a TypeError.

Bug: chromium:1203692
Change-Id: I6970f980b46f20033f29c1deb9bc5d49ea2014ae
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2856842
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74266}

src/wasm/module-instantiate.cc

@@ -1325,11 +1325,15 @@ bool InstanceBuilder::ProcessImportedGlobal(Handle<WasmInstanceObject> instance,
     // TODO(wasm): Still observable if Function.prototype.valueOf or friends
     // are patched, we might need to check for that as well.
     if (value->IsJSFunction()) value = isolate_->factory()->nan_value();
-    if (value->IsPrimitive() && !value->IsSymbol()) {
-      if (global.type == kWasmI32) {
-        value = Object::ToInt32(isolate_, value).ToHandleChecked();
-      } else {
-        value = Object::ToNumber(isolate_, value).ToHandleChecked();
+    if (value->IsPrimitive()) {
+      MaybeHandle<Object> converted = global.type == kWasmI32
+                                          ? Object::ToInt32(isolate_, value)
+                                          : Object::ToNumber(isolate_, value);
+      if (!converted.ToHandle(&value)) {
+        // Conversion is known to fail for Symbols and BigInts.
+        ReportLinkError("global import must be a number", import_index,
+                        module_name, import_name);
+        return false;
       }
     }
   }

test/mjsunit/regress/wasm/regress-crbug-1203692.js

@@ -0,0 +1,12 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function asm(stdlib, foreign) {
+  "use asm";
+  var unused = foreign.a | 0;
+  function fun() { }
+  return fun;
+}
+
+assertThrows(() => asm(null, { a: 1n }).fun(), TypeError);