[wasm] Fix WasmMemoryObject constructor for when a module has no initial memory

BUG=chromium:724972 R=clemensh@chromium.org, rossberg@chromium.org Review-Url: https://codereview.chromium.org/2917603002 Cr-Commit-Position: refs/heads/master@{#45665}

[wasm] Fix WasmMemoryObject constructor for when a module has no initial memory
BUG=chromium:724972 R=clemensh@chromium.org, rossberg@chromium.org Review-Url: https://codereview.chromium.org/2917603002 Cr-Commit-Position: refs/heads/master@{#45665}
5c0baf71 · gdeepti · Commit Bot · c25744c2 · 5c0baf71 · 5c0baf71
Commit 5c0baf71 authored Jun 01, 2017 by gdeepti Committed by Commit Bot Jun 01, 2017
4 changed files
--- a/src/wasm/wasm-objects.cc
+++ b/src/wasm/wasm-objects.cc
@@ -409,9 +409,12 @@ Handle<WasmMemoryObject> WasmMemoryObject::New(Isolate* isolate,
  Handle<JSObject> memory_obj =
      isolate->factory()->NewJSObject(memory_ctor, TENURED);
  memory_obj->SetEmbedderField(kWrapperTracerHeader, Smi::kZero);
-  buffer.is_null() ? memory_obj->SetEmbedderField(
+  if (buffer.is_null()) {
-                         kArrayBuffer, isolate->heap()->undefined_value())
+    const bool enable_guard_regions = EnableGuardRegions();
-                   : memory_obj->SetEmbedderField(kArrayBuffer, *buffer);
+    buffer = SetupArrayBuffer(isolate, nullptr, 0, nullptr, 0, false,
+                              enable_guard_regions);
+  }
+  memory_obj->SetEmbedderField(kArrayBuffer, *buffer);
  Handle<Object> max = isolate->factory()->NewNumber(maximum);
  memory_obj->SetEmbedderField(kMaximum, *max);
  Handle<Symbol> memory_sym(isolate->native_context()->wasm_memory_sym());
@@ -419,8 +422,7 @@ Handle<WasmMemoryObject> WasmMemoryObject::New(Isolate* isolate,
  return Handle<WasmMemoryObject>::cast(memory_obj);
 }
-DEFINE_OPTIONAL_OBJ_ACCESSORS(WasmMemoryObject, buffer, kArrayBuffer,
+DEFINE_OBJ_ACCESSORS(WasmMemoryObject, buffer, kArrayBuffer, JSArrayBuffer)
-                              JSArrayBuffer)
 DEFINE_OPTIONAL_OBJ_ACCESSORS(WasmMemoryObject, instances_link, kInstancesLink,
                              WasmInstanceWrapper)
@@ -467,20 +469,15 @@ void WasmMemoryObject::ResetInstancesLink(Isolate* isolate) {
 int32_t WasmMemoryObject::Grow(Isolate* isolate,
                               Handle<WasmMemoryObject> memory_object,
                               uint32_t pages) {
-  Handle<JSArrayBuffer> old_buffer;
+  Handle<JSArrayBuffer> old_buffer(memory_object->buffer());
  uint32_t old_size = 0;
-  Address old_mem_start = nullptr;
+  CHECK(old_buffer->byte_length()->ToUint32(&old_size));
-  if (memory_object->has_buffer()) {
-    old_buffer = handle(memory_object->buffer());
-    old_size = old_buffer->byte_length()->Number();
-    old_mem_start = static_cast<Address>(old_buffer->backing_store());
-  }
  Handle<JSArrayBuffer> new_buffer;
  // Return current size if grow by 0.
  if (pages == 0) {
    // Even for pages == 0, we need to attach a new JSArrayBuffer with the same
    // backing store and neuter the old one to be spec compliant.
-    if (!old_buffer.is_null() && old_size != 0) {
+    if (old_size != 0) {
      new_buffer = SetupArrayBuffer(
          isolate, old_buffer->allocation_base(),
          old_buffer->allocation_length(), old_buffer->backing_store(),
@@ -515,6 +512,7 @@ int32_t WasmMemoryObject::Grow(Isolate* isolate,
    if (new_buffer.is_null()) return -1;
    DCHECK(!instance_wrapper->has_previous());
    SetInstanceMemory(isolate, instance, new_buffer);
+    Address old_mem_start = static_cast<Address>(old_buffer->backing_store());
    UncheckedUpdateInstanceMemory(isolate, instance, old_mem_start, old_size);
    while (instance_wrapper->has_next()) {
      instance_wrapper = instance_wrapper->next_wrapper();

--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@@ -104,7 +104,7 @@ class WasmMemoryObject : public JSObject {
  };
  DECLARE_CASTS(WasmMemoryObject);
-  DECLARE_OPTIONAL_ACCESSORS(buffer, JSArrayBuffer);
+  DECLARE_ACCESSORS(buffer, JSArrayBuffer);
  DECLARE_OPTIONAL_ACCESSORS(instances_link, WasmInstanceWrapper);
  void AddInstance(Isolate* isolate, Handle<WasmInstanceObject> object);

--- a/test/mjsunit/regress/wasm/regression-724972.js
+++ b/test/mjsunit/regress/wasm/regression-724972.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+var builder = new WasmModuleBuilder();
+builder.addMemory(0, 0, true);
+var instance = builder.instantiate();
+instance.exports.memory.buffer;
--- a/test/mjsunit/regress/wasm/regression-727560.js
+++ b/test/mjsunit/regress/wasm/regression-727560.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+{
+  let builder = new WasmModuleBuilder();
+  builder.addMemory();
+  builder.exportMemoryAs("exported_mem");
+  i1 = builder.instantiate();
+}
+{
+  let builder = new WasmModuleBuilder();
+  builder.addImportedMemory("fil", "imported_mem");
+  i2 = builder.instantiate({fil: {imported_mem: i1.exports.exported_mem}});
+}