[asm.js] Treat typed array constructors as stdlib uses.

This makes sure that typed array constructors (e.g. Int8Array, ...) used
within an asm.js module are considered uses of stdlib values, and hence
are checked during module instantiation.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6280
BUG=v8:6280,chromium:714537

Change-Id: Ic5d689f5319c4dac4e9df3dca4a8cf5a4edd890b
Reviewed-on: https://chromium-review.googlesource.com/485521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44800}

src/asmjs/asm-js.cc

@@ -73,7 +73,7 @@ bool IsStdlibMemberValid(i::Isolate* isolate, Handle<JSReceiver> stdlib,
   if (!member_id->ToInt32(&member_kind)) {
     UNREACHABLE();
   }
-  switch (member_kind) {
+  switch (static_cast<wasm::AsmTyper::StandardMember>(member_kind)) {
     case wasm::AsmTyper::StandardMember::kNone:
     case wasm::AsmTyper::StandardMember::kModule:
     case wasm::AsmTyper::StandardMember::kStdlib:
@@ -132,8 +132,32 @@ bool IsStdlibMemberValid(i::Isolate* isolate, Handle<JSReceiver> stdlib,
   }
       STDLIB_MATH_VALUE_LIST(STDLIB_MATH_CONST)
 #undef STDLIB_MATH_CONST
-    default: { UNREACHABLE(); }
+#define STDLIB_ARRAY_TYPE(fname, FName)                                  \
+  case wasm::AsmTyper::StandardMember::k##FName: {                       \
+    if (stdlib.is_null()) {                                              \
+      return false;                                                      \
+    }                                                                    \
+    Handle<Name> name(isolate->factory()->InternalizeOneByteString(      \
+        STATIC_CHAR_VECTOR(#FName)));                                    \
+    Handle<Object> value;                                                \
+    MaybeHandle<Object> maybe_value = Object::GetProperty(stdlib, name); \
+    if (!maybe_value.ToHandle(&value) || !value->IsJSFunction()) {       \
+      return false;                                                      \
+    }                                                                    \
+    Handle<JSFunction> func = Handle<JSFunction>::cast(value);           \
+    return func.is_identical_to(isolate->fname());                       \
   }
+      STDLIB_ARRAY_TYPE(int8_array_fun, Int8Array)
+      STDLIB_ARRAY_TYPE(uint8_array_fun, Uint8Array)
+      STDLIB_ARRAY_TYPE(int16_array_fun, Int16Array)
+      STDLIB_ARRAY_TYPE(uint16_array_fun, Uint16Array)
+      STDLIB_ARRAY_TYPE(int32_array_fun, Int32Array)
+      STDLIB_ARRAY_TYPE(uint32_array_fun, Uint32Array)
+      STDLIB_ARRAY_TYPE(float32_array_fun, Float32Array)
+      STDLIB_ARRAY_TYPE(float64_array_fun, Float64Array)
+#undef STDLIB_ARRAY_TYPE
+  }
+  UNREACHABLE();
   return false;
 }
 

src/asmjs/asm-parser.cc

@@ -572,6 +572,7 @@ void AsmJsParser::ValidateModuleVarNewStdlib(VarInfo* info) {
 #define V(name, _junk1, _junk2, _junk3)                          \
   case TOK(name):                                                \
     DeclareStdlibFunc(info, VarKind::kSpecial, AsmType::name()); \
+    stdlib_uses_.insert(AsmTyper::k##name);                      \
     break;
     STDLIB_ARRAY_TYPE_LIST(V)
 #undef V

src/asmjs/asm-typer.h

@@ -11,6 +11,7 @@
 #include <unordered_set>
 
 #include "src/allocation.h"
+#include "src/asmjs/asm-names.h"
 #include "src/asmjs/asm-types.h"
 #include "src/ast/ast-type-bounds.h"
 #include "src/ast/ast-types.h"
@@ -39,33 +40,15 @@ class AsmTyper final {
     kNone = 0,
     kInfinity,
     kNaN,
-    kMathAcos,
-    kMathAsin,
-    kMathAtan,
-    kMathCos,
-    kMathSin,
-    kMathTan,
-    kMathExp,
-    kMathLog,
-    kMathCeil,
-    kMathFloor,
-    kMathSqrt,
-    kMathAbs,
-    kMathClz32,
-    kMathMin,
-    kMathMax,
-    kMathAtan2,
-    kMathPow,
-    kMathImul,
-    kMathFround,
-    kMathE,
-    kMathLN10,
-    kMathLN2,
-    kMathLOG2E,
-    kMathLOG10E,
-    kMathPI,
-    kMathSQRT1_2,
-    kMathSQRT2,
+#define V(_unused1, name, _unused2, _unused3) kMath##name,
+    STDLIB_MATH_FUNCTION_LIST(V)
+#undef V
+#define V(name, _unused1) kMath##name,
+        STDLIB_MATH_VALUE_LIST(V)
+#undef V
+#define V(name, _unused1, _unused2, _unused3) k##name,
+            STDLIB_ARRAY_TYPE_LIST(V)
+#undef V
   };
 
   ~AsmTyper() = default;

test/mjsunit/regress/regress-6280.js

@@ -0,0 +1,22 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function Module(stdlib, imports, buffer) {
+  "use asm";
+  var x = new stdlib.Int8Array(buffer);
+  function f() {
+    return x[0] | 0;
+  }
+  return { f:f };
+}
+
+var b = new ArrayBuffer(1024);
+var m1 = Module({ Int8Array:Int8Array }, {}, b);
+assertEquals(0, m1.f());
+
+var was_called = 0;
+function observer() { was_called++; return [23]; }
+var m2 = Module({ Int8Array:observer }, {}, b);
+assertEquals(1, was_called);
+assertEquals(23, m2.f());

test/mjsunit/regress/wasm/regression-647649.js

@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Flags: --nostress-opt --expose-gc --invoke-weak-callbacks --validate-asm
-// Flags: --noalways-opt --invoke-weak-callbacks
+// Flags: --nostress-opt --expose-gc --noalways-opt --invoke-weak-callbacks
 
 // This test was generated by the fuzzer.
 
@@ -38,6 +37,6 @@ Array.prototype.__proto__ = {3: __v_13};
 Array.prototype.__proto__.__proto__ = {7: __v_11};
 __v_9 = [0, 1, , , 4, 5, , , , 9]
 __v_12 = __v_9.splice(4, 1)
-__v_9.__defineGetter__(getRandomProperty(__v_9, 1689439720), function() {; return __f_1(); });
+__v_9.__defineGetter__(getRandomProperty(__v_9, 1689439720), function() { return {}; });
  __v_9[8]
 gc();