[wasm] Do not used "undefined" for function signature padding.

src/wasm/wasm-module.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/base/atomic-utils.h"
 #include "src/macro-assembler.h"
 #include "src/objects.h"
 #include "src/property-descriptor.h"
 #include "src/v8.h"
 
@@ skipping 227 matching lines @@
   }
 
   Handle<FixedArray> fixed = isolate->factory()->NewFixedArray(2 * table_size);
   for (uint32_t i = 0;
        i < static_cast<uint32_t>(module->function_table.size());
        ++i) {
     const WasmFunction* function =
         &module->functions[module->function_table[i]];
     fixed->set(i, Smi::FromInt(function->sig_index));
   }
+  // Set the remaining elements to -1 (instead of "undefined"). These
+  // elements are accessed directly as SMIs (without a check). On 64-bit
+  // platforms, it is possible to have the top bits of "undefined" take
+  // small integer values (or zero), which are more likely to be equal to
+  // the signature index we check against.
+  for (uint32_t i = static_cast<uint32_t>(module->function_table.size());
+       i < table_size;
+       ++i) {
+    fixed->set(i, Smi::FromInt(-1));
+  }
   return fixed;
 }
 
 Handle<JSArrayBuffer> NewArrayBuffer(Isolate* isolate, size_t size) {
   if (size > (WasmModule::kMaxMemPages * WasmModule::kPageSize)) {
     // TODO(titzer): lift restriction on maximum memory allocated here.
     return Handle<JSArrayBuffer>::null();
   }
   void* memory = isolate->array_buffer_allocator()->Allocate(size);
   if (memory == nullptr) {
@@ skipping 1116 matching lines @@
     return static_cast<int32_t>(HeapNumber::cast(*result)->value());
   }
   thrower.Error("WASM.compileRun() failed: Return value should be number");
   return -1;
 }
 
 }  // namespace testing
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8