From fa5cb207a16896b0cf598fbcaef8e121d0ad4fd1 Mon Sep 17 00:00:00 2001
From: aseemgarg <aseemgarg@chromium.org>
Date: Tue, 28 Jun 2016 17:39:49 -0700
Subject: [PATCH] [wasm] fix loops and if-else to take int type instead of
 signed

BUG=617526
R=bradnelson@chromium.org
TEST=regress-617526.js

Review-Url: https://codereview.chromium.org/2101923003
Cr-Commit-Position: refs/heads/master@{#37354}
---
 src/typing-asm.cc                      | 20 ++++++++--
 test/mjsunit/regress/regress-617526.js | 23 ++++++++++++
 test/mjsunit/wasm/asm-wasm.js          | 51 ++++++++++++++++++++++++++
 3 files changed, 90 insertions(+), 4 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-617526.js

diff --git a/src/typing-asm.cc b/src/typing-asm.cc
index e8c013a337..db1f8bdb60 100644
--- a/src/typing-asm.cc
+++ b/src/typing-asm.cc
@@ -340,8 +340,11 @@ void AsmTyper::VisitIfStatement(IfStatement* stmt) {
   if (!in_function_) {
     FAIL(stmt, "if statement inside module body");
   }
-  RECURSE(VisitWithExpectation(stmt->condition(), cache_.kAsmSigned,
+  RECURSE(VisitWithExpectation(stmt->condition(), cache_.kAsmInt,
                                "if condition expected to be integer"));
+  if (intish_ != 0) {
+    FAIL(stmt, "if condition expected to be signed or unsigned");
+  }
   RECURSE(Visit(stmt->then_statement()));
   RECURSE(Visit(stmt->else_statement()));
 }
@@ -434,8 +437,11 @@ void AsmTyper::VisitDoWhileStatement(DoWhileStatement* stmt) {
     FAIL(stmt, "do statement inside module body");
   }
   RECURSE(Visit(stmt->body()));
-  RECURSE(VisitWithExpectation(stmt->cond(), cache_.kAsmSigned,
+  RECURSE(VisitWithExpectation(stmt->cond(), cache_.kAsmInt,
                                "do condition expected to be integer"));
+  if (intish_ != 0) {
+    FAIL(stmt, "do condition expected to be signed or unsigned");
+  }
 }
 
 
@@ -443,8 +449,11 @@ void AsmTyper::VisitWhileStatement(WhileStatement* stmt) {
   if (!in_function_) {
     FAIL(stmt, "while statement inside module body");
   }
-  RECURSE(VisitWithExpectation(stmt->cond(), cache_.kAsmSigned,
+  RECURSE(VisitWithExpectation(stmt->cond(), cache_.kAsmInt,
                                "while condition expected to be integer"));
+  if (intish_ != 0) {
+    FAIL(stmt, "while condition expected to be signed or unsigned");
+  }
   RECURSE(Visit(stmt->body()));
 }
 
@@ -457,9 +466,12 @@ void AsmTyper::VisitForStatement(ForStatement* stmt) {
     RECURSE(Visit(stmt->init()));
   }
   if (stmt->cond() != nullptr) {
-    RECURSE(VisitWithExpectation(stmt->cond(), cache_.kAsmSigned,
+    RECURSE(VisitWithExpectation(stmt->cond(), cache_.kAsmInt,
                                  "for condition expected to be integer"));
   }
+  if (intish_ != 0) {
+    FAIL(stmt, "for condition expected to be signed or unsigned");
+  }
   if (stmt->next() != nullptr) {
     RECURSE(Visit(stmt->next()));
   }
diff --git a/test/mjsunit/regress/regress-617526.js b/test/mjsunit/regress/regress-617526.js
new file mode 100644
index 0000000000..a7cd5ce1dd
--- /dev/null
+++ b/test/mjsunit/regress/regress-617526.js
@@ -0,0 +1,23 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+// Changing the code a little to avoid infinite loop
+
+function __f_109() {
+  "use asm";
+  function __f_18() {
+    var a = 0;
+    while(2147483648) {
+      a = 1;
+      break;
+    }
+    return a|0;
+  }
+  return {__f_18: __f_18};
+}
+
+var wasm = Wasm.instantiateModuleFromAsm( __f_109.toString());
+assertEquals(1, wasm.__f_18());
diff --git a/test/mjsunit/wasm/asm-wasm.js b/test/mjsunit/wasm/asm-wasm.js
index b4a9a81dc8..be4981d94a 100644
--- a/test/mjsunit/wasm/asm-wasm.js
+++ b/test/mjsunit/wasm/asm-wasm.js
@@ -1542,3 +1542,54 @@ assertWasm(1, TestXor);
     Wasm.instantiateModuleFromAsm('var x = 3;');
   });
 })();
+
+(function TestIfWithUnsigned() {
+  function asmModule() {
+    "use asm";
+    function main() {
+      if (2147483658) { // 2^31 + 10
+        return 231;
+      }
+      return 0;
+    }
+    return {main:main};
+  }
+  var wasm = Wasm.instantiateModuleFromAsm(asmModule.toString());
+  assertEquals(231, wasm.main());
+})();
+
+(function TestLoopsWithUnsigned() {
+  function asmModule() {
+    "use asm";
+    function main() {
+      var val = 1;
+      var count = 0;
+      for (val = 2147483648; 2147483648;) {
+        val = 2147483649;
+        break;
+      }
+      while (val>>>0) {
+        val = (val + 1) | 0;
+        count = (count + 1)|0;
+        if ((count|0) == 9) {
+          break;
+        }
+      }
+      count = 0;
+      do {
+        val = (val + 2) | 0;
+        count = (count + 1)|0;
+        if ((count|0) == 5) {
+          break;
+        }
+      } while (0xffffffff);
+      if ((val>>>0) == 2147483668) {
+        return 323;
+      }
+      return 0;
+    }
+    return {main:main};
+  }
+  var wasm = Wasm.instantiateModuleFromAsm(asmModule.toString());
+  assertEquals(323, wasm.main());
+})();