[wasm] Use correct instance when calling start function

We were always using the instance we were currently building. If the
start function is an exported wasm function of another instance, use the
exporting instance instead.

R=titzer@chromium.org

Bug: chromium:843120
Change-Id: I141d272b947bef8e903be7208ddf6ce344e754c4
Reviewed-on: https://chromium-review.googlesource.com/1059620
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53190}

src/wasm/module-compiler.cc

@@ -1828,15 +1828,25 @@ MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
   //--------------------------------------------------------------------------
   if (module_->start_function_index >= 0) {
     int start_index = module_->start_function_index;
-    wasm::WasmCode* start_code =
-        native_module->GetIndirectlyCallableCode(start_index);
+    Handle<WasmInstanceObject> start_function_instance = instance;
+    wasm::WasmCode* start_code;
+    if (static_cast<uint32_t>(start_index) < module_->num_imported_functions) {
+      ImportedFunctionEntry entry(instance, start_index);
+      start_function_instance = handle(entry.instance(), isolate_);
+      start_code =
+          isolate_->wasm_engine()->code_manager()->GetCodeFromStartAddress(
+              entry.target());
+      DCHECK_EQ(start_code->native_module(),
+                start_function_instance->compiled_module()->GetNativeModule());
+    } else {
+      start_code = native_module->GetIndirectlyCallableCode(start_index);
+    }
     FunctionSig* sig = module_->functions[start_index].sig;
     Handle<Code> wrapper_code = js_to_wasm_cache_.CloneOrCompileJSToWasmWrapper(
         isolate_, module_, start_code, start_index, use_trap_handler());
     start_function_ = WasmExportedFunction::New(
-        isolate_, instance, MaybeHandle<String>(), start_index,
+        isolate_, start_function_instance, MaybeHandle<String>(), start_index,
         static_cast<int>(sig->parameter_count()), wrapper_code);
-    RecordStats(start_code, counters());
   }
 
   DCHECK(!isolate_->has_pending_exception());

test/mjsunit/wasm/import-function.js

@@ -360,3 +360,28 @@ testImportName('');
   new WebAssembly.Instance(module, {q: {imp: _ => set_global(27)}});
   assertEquals(27, global);
 })();
+
+(function testImportedStartFunctionUsesRightInstance() {
+  print(arguments.callee.name);
+  var global = 0;
+  const set_global = n => global = n;
+  const exp = (function() {
+    const builder = new WasmModuleBuilder();
+    builder.addMemory(1, 1);
+    builder.exportMemoryAs('mem');
+    const imp_index = builder.addImport('q', 'imp', kSig_v_i);
+    builder.addFunction('f', kSig_v_v)
+        .addBody([kExprI32Const, 0, kExprI32Const, 11, kExprI32StoreMem8, 0, 0])
+        .exportFunc();
+    return builder.instantiate({q: {imp: set_global}}).exports;
+  })();
+
+  const builder = new WasmModuleBuilder();
+  const imp_index = builder.addImport('q', 'imp', kSig_v_v);
+  builder.addStart(imp_index);
+  const module = builder.toModule();
+
+  assertEquals(0, new Uint8Array(exp.mem.buffer)[0], 'memory initially 0');
+  new WebAssembly.Instance(module, {q: {imp: exp.f}});
+  assertEquals(11, new Uint8Array(exp.mem.buffer)[0], 'memory changed to 11');
+})();