[wasm] Limit code targets in {WasmCode} object.

This limits the call targets of {WasmCode} to only reference a limited
set of builtins via the {RelocInfo::CODE_TARGET} relocation mode. By now
most calls have been made independent of the Isolate.

R=clemensh@chromium.org
BUG=v8:7424

Change-Id: If4c643a7104e2ff0536ceb0f0de7fd30a923d854
Reviewed-on: https://chromium-review.googlesource.com/1092576Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53665}

src/wasm/wasm-code-manager.cc

@@ -218,8 +218,21 @@ void WasmCode::Validate() const {
        !it.done(); it.next()) {
     RelocInfo::Mode mode = it.rinfo()->rmode();
     switch (mode) {
-      case RelocInfo::CODE_TARGET:
-      // TODO(mstarzinger): Validate that we go through a trampoline.
+      case RelocInfo::CODE_TARGET: {
+        Address target = it.rinfo()->target_address();
+        Code* code = native_module_->ReverseTrampolineLookup(target);
+        // TODO(7424): This is by now limited to only contain references to a
+        // limited set of builtins. This code will eventually be completely free
+        // of {RelocInfo::CODE_TARGET} relocation entries altogether.
+        int builtin_index = code->builtin_index();
+        CHECK(builtin_index == Builtins::kAbort ||
+              builtin_index == Builtins::kAllocateHeapNumber ||
+              builtin_index == Builtins::kArgumentsAdaptorTrampoline ||
+              builtin_index == Builtins::kCall_ReceiverIsAny ||
+              builtin_index == Builtins::kDoubleToI ||
+              builtin_index == Builtins::kToNumber);
+        break;
+      }
       case RelocInfo::WASM_CODE_TABLE_ENTRY:
       case RelocInfo::WASM_CALL:
       case RelocInfo::WASM_STUB_CALL:
@@ -407,7 +420,6 @@ WasmCode* NativeModule::AddOwnedCode(
     Assembler::FlushICache(ret->instructions().start(),
                            ret->instructions().size());
   }
-  ret->Validate();
   return ret;
 }
 
@@ -521,6 +533,7 @@ WasmCode* NativeModule::AddAnonymousCode(Handle<Code> code,
     // TODO(mstarzinger): don't need the isolate here.
     ret->Print(code->GetIsolate());
   }
+  ret->Validate();
   return ret;
 }
 
@@ -589,6 +602,7 @@ WasmCode* NativeModule::AddCode(
     // TODO(mstarzinger): don't need the isolate here.
     ret->Print(source_pos_table->GetIsolate());
   }
+  ret->Validate();
   return ret;
 }
 
@@ -643,6 +657,17 @@ Address NativeModule::GetLocalAddressFor(Handle<Code> code) {
   }
 }
 
+Code* NativeModule::ReverseTrampolineLookup(Address target) {
+  // Uses sub-optimal linear search, but is only used for debugging.
+  for (auto pair : trampolines_) {
+    if (pair.second == target) {
+      return Code::GetCodeFromTargetAddress(pair.first);
+    }
+  }
+  UNREACHABLE();
+  return nullptr;
+}
+
 Address NativeModule::AllocateForCode(size_t size) {
   // This happens under a lock assumed by the caller.
   size = RoundUp(size, kCodeAlignment);

src/wasm/wasm-code-manager.h

@@ -307,6 +307,9 @@ class V8_EXPORT_PRIVATE NativeModule final {
 
   bool SetExecutable(bool executable);
 
+  // TODO(7424): Only used for debugging in {WasmCode::Validate}. Remove.
+  Code* ReverseTrampolineLookup(Address target);
+
   // For cctests, where we build both WasmModule and the runtime objects
   // on the fly, and bypass the instance builder pipeline.
   void ReserveCodeTableForTesting(uint32_t max_functions);