[runtime] Add instance size check for CheckEquivalent().

WASM exported functions have additional internal fields which change the instance
size. Adding a getter or setter to such an exported function results in its map
becoming normalized. The normalized map cache, however, finds a different map
with a different instance size, and thus BOOM.

R=verwaest@chromium.org,cbruni@chromium.org
BUG=

Review-Url: https://codereview.chromium.org/2554343002
Cr-Commit-Position: refs/heads/master@{#41691}

src/objects-inl.h

@@ -2108,6 +2108,8 @@ int JSObject::GetHeaderSize(InstanceType type) {
       return JSStringIterator::kSize;
     case JS_FIXED_ARRAY_ITERATOR_TYPE:
       return JSFixedArrayIterator::kHeaderSize;
+    case JS_MODULE_NAMESPACE_TYPE:
+      return JSModuleNamespace::kSize;
     default:
       UNREACHABLE();
       return 0;

src/objects.cc

@@ -12296,7 +12296,9 @@ bool Map::EquivalentToForNormalization(Map* other,
   int properties =
       mode == CLEAR_INOBJECT_PROPERTIES ? 0 : other->GetInObjectProperties();
   return CheckEquivalent(this, other) && bit_field2() == other->bit_field2() &&
-         GetInObjectProperties() == properties;
+         GetInObjectProperties() == properties &&
+         JSObject::GetInternalFieldCount(this) ==
+             JSObject::GetInternalFieldCount(other);
 }
 
 

test/mjsunit/wasm/add-getters.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+function testAddGetter(object, name, val) {
+  Object.defineProperty(object, name, { get: function() { return val; } });
+  assertSame(val, object[name]);
+}
+
+function testAddGetterBothWays(object, name, val) {
+  print("Object.defineProperty");
+  Object.defineProperty(object, name, { get: function() { return val; } });
+  print("object.__defineGetter__");
+  object.__defineGetter__(name, () => val);
+  assertSame(val, object[name]);
+}
+
+function testFailToAddGetter(object, name, val) {
+  assertThrows(() => Object.defineProperty(object, name, { get: function() { return val; } }));
+}
+
+testAddGetter(testAddGetter, "name", 11);
+
+function makeBuilder() {
+  var builder = new WasmModuleBuilder();
+
+  builder.addFunction("f", kSig_v_v)
+    .addBody([])
+    .exportFunc();
+  return builder;
+}
+
+(function TestAddGetterToFunction() {
+  print("TestAddGetterToFunction...");
+  var builder = makeBuilder();
+  var f = builder.instantiate().exports.f;
+  testAddGetterBothWays(f, "name", "foo");
+  testAddGetter(f, "blam", "baz");
+})();
+
+(function TestAddGetterToModule() {
+  print("TestAddGetterToModule...");
+  var builder = makeBuilder();
+  var module = new WebAssembly.Module(builder.toBuffer());
+  testAddGetter(module, "exports", 290);
+  testAddGetter(module, "xyz", new Object());
+})();
+
+(function TestAddGetterToInstance() {
+  print("TestAddGetterToInstance...");
+  var builder = makeBuilder();
+  var instance = builder.instantiate();
+  testAddGetter(instance, "exports", 290);
+  testAddGetter(instance, "xyz", new Object());
+})();
+
+(function TestAddGetterToExports() {
+  print("TestAddGetterToExports...");
+  var builder = makeBuilder();
+  var exports = builder.instantiate().exports;
+  testFailToAddGetter(exports, "f", 9834);
+  testAddGetter(exports, "nag", new Number(2));
+})();