[wasm] Fix UAF in AsyncCompileJob callbacks

Execute foreground tasks triggered by the {CompilationStateCallback}
via the {CompileStep} mechanism of {AsyncCompileJob} such that they get
cancelled when the AsyncCompileJob dies.

R=ahaas@chromium.org

Bug: chromium:938311
Change-Id: I2082f93f47988c014c8dee3ddf3e9b2940f6f531
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1507674Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60082}

src/wasm/module-compiler.cc

@@ -979,14 +979,7 @@ class AsyncCompileJob::CompilationStateCallback {
       case CompilationEvent::kFinishedBaselineCompilation:
         DCHECK(!last_event_.has_value());
         if (job_->DecrementAndCheckFinisherCount()) {
-          AsyncCompileJob* job = job_;
-          job->foreground_task_runner_->PostTask(
-              MakeCancelableTask(job->isolate_, [job] {
-                HandleScope scope(job->isolate_);
-                SaveAndSwitchContext saved_context(job->isolate_,
-                                                   *job->native_context_);
-                job->FinishCompile();
-              }));
+          job_->DoSync<CompileFinished>();
         }
         break;
       case CompilationEvent::kFinishedTopTierCompilation:
@@ -996,17 +989,7 @@ class AsyncCompileJob::CompilationStateCallback {
         break;
       case CompilationEvent::kFailedCompilation: {
         DCHECK(!last_event_.has_value());
-        AsyncCompileJob* job = job_;
-        job->foreground_task_runner_->PostTask(
-            MakeCancelableTask(job->isolate_, [job] {
-              HandleScope scope(job->isolate_);
-              SaveAndSwitchContext saved_context(job->isolate_,
-                                                 *job->native_context_);
-              WasmError error = Impl(job->native_module_->compilation_state())
-                                    ->GetCompileError();
-              return job->AsyncCompileFailed(error);
-            }));
-
+        job_->DoSync<CompileFailed>();
         break;
       }
       default:
@@ -1247,6 +1230,32 @@ class AsyncCompileJob::PrepareAndStartCompile : public CompileStep {
   }
 };
 
+//==========================================================================
+// Step 3a (sync): Compilation failed.
+//==========================================================================
+class AsyncCompileJob::CompileFailed : public CompileStep {
+ private:
+  void RunInForeground(AsyncCompileJob* job) override {
+    TRACE_COMPILE("(3a) Compilation failed\n");
+
+    WasmError error =
+        Impl(job->native_module_->compilation_state())->GetCompileError();
+    // {job_} is deleted in AsyncCompileFailed, therefore the {return}.
+    return job->AsyncCompileFailed(error);
+  }
+};
+
+//==========================================================================
+// Step 3b (sync): Compilation finished.
+//==========================================================================
+class AsyncCompileJob::CompileFinished : public CompileStep {
+ private:
+  void RunInForeground(AsyncCompileJob* job) override {
+    TRACE_COMPILE("(3b) Compilation finished\n");
+    job->FinishCompile();
+  }
+};
+
 void AsyncCompileJob::CompileWrappers() {
   // TODO(wasm): Compile all wrappers here, including the start function wrapper
   // and the wrappers for the function table elements.

src/wasm/module-compiler.h

@@ -92,6 +92,8 @@ class AsyncCompileJob {
   class DecodeModule;            // Step 1  (async)
   class DecodeFail;              // Step 1b (sync)
   class PrepareAndStartCompile;  // Step 2  (sync)
+  class CompileFailed;           // Step 3a (sync)
+  class CompileFinished;         // Step 3b (sync)
 
   friend class AsyncStreamingProcessor;