[wasm] Handle no initial memory case correctly when memory is exported

Currently when the module has memory specified in the compiled bytes, but with no initial memory
exported memory assigns a bogus buffer to the instance. When grow_memory is called on this buffer, it tries to patch an incorrect address.
 - Fix exported memory to handle no initial memory
 - Fix grow_memory to handle uninitialized buffers

BUG=chromium:710844
R=bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2820223002
Cr-Commit-Position: refs/heads/master@{#44671}

src/wasm/wasm-module.cc

@@ -1951,9 +1951,11 @@ class InstantiationHelper {
           Handle<WasmMemoryObject> memory_object;
           if (!instance->has_memory_object()) {
             // If there was no imported WebAssembly.Memory object, create one.
-            Handle<JSArrayBuffer> buffer(instance->memory_buffer(), isolate_);
             memory_object = WasmMemoryObject::New(
-                isolate_, buffer,
+                isolate_,
+                (instance->has_memory_buffer())
+                    ? handle(instance->memory_buffer())
+                    : Handle<JSArrayBuffer>::null(),
                 (module_->max_mem_pages != 0) ? module_->max_mem_pages : -1);
             instance->set_memory_object(*memory_object);
           } else {

src/wasm/wasm-objects.cc

@@ -382,8 +382,9 @@ Handle<WasmMemoryObject> WasmMemoryObject::New(Isolate* isolate,
   Handle<JSObject> memory_obj =
       isolate->factory()->NewJSObject(memory_ctor, TENURED);
   memory_obj->SetEmbedderField(kWrapperTracerHeader, Smi::kZero);
-
-  memory_obj->SetEmbedderField(kArrayBuffer, *buffer);
+  buffer.is_null() ? memory_obj->SetEmbedderField(
+                         kArrayBuffer, isolate->heap()->undefined_value())
+                   : memory_obj->SetEmbedderField(kArrayBuffer, *buffer);
   Handle<Object> max = isolate->factory()->NewNumber(maximum);
   memory_obj->SetEmbedderField(kMaximum, *max);
   Handle<Symbol> memory_sym(isolate->native_context()->wasm_memory_sym());
@@ -391,7 +392,8 @@ Handle<WasmMemoryObject> WasmMemoryObject::New(Isolate* isolate,
   return Handle<WasmMemoryObject>::cast(memory_obj);
 }
 
-DEFINE_OBJ_ACCESSORS(WasmMemoryObject, buffer, kArrayBuffer, JSArrayBuffer)
+DEFINE_OPTIONAL_OBJ_ACCESSORS(WasmMemoryObject, buffer, kArrayBuffer,
+                              JSArrayBuffer)
 DEFINE_OPTIONAL_OBJ_ACCESSORS(WasmMemoryObject, instances_link, kInstancesLink,
                               WasmInstanceWrapper)
 
@@ -438,11 +440,11 @@ void WasmMemoryObject::ResetInstancesLink(Isolate* isolate) {
 int32_t WasmMemoryObject::Grow(Isolate* isolate,
                                Handle<WasmMemoryObject> memory_object,
                                uint32_t pages) {
-  Handle<JSArrayBuffer> old_buffer(memory_object->buffer(), isolate);
+  Handle<JSArrayBuffer> old_buffer;
   uint32_t old_size = 0;
   Address old_mem_start = nullptr;
-  // Force byte_length to 0, if byte_length fails IsNumber() check.
-  if (!old_buffer.is_null()) {
+  if (memory_object->has_buffer()) {
+    old_buffer = handle(memory_object->buffer());
     old_size = old_buffer->byte_length()->Number();
     old_mem_start = static_cast<Address>(old_buffer->backing_store());
   }

src/wasm/wasm-objects.h

@@ -102,7 +102,7 @@ class WasmMemoryObject : public JSObject {
   };
 
   DECLARE_CASTS(WasmMemoryObject);
-  DECLARE_ACCESSORS(buffer, JSArrayBuffer);
+  DECLARE_OPTIONAL_ACCESSORS(buffer, JSArrayBuffer);
   DECLARE_OPTIONAL_ACCESSORS(instances_link, WasmInstanceWrapper);
 
   void AddInstance(Isolate* isolate, Handle<WasmInstanceObject> object);

test/mjsunit/regress/wasm/regression-699485.js

-// Copyright 2016 the V8 project authors. All rights reserved.
+// Copyright 2017 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 

test/mjsunit/regress/wasm/regression-710844.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+(function() {
+  "use asm";
+  var builder = new WasmModuleBuilder();
+  builder.addMemory(0, 5, true);
+  builder.addFunction("regression_710844", kSig_v_v)
+    .addBody([
+        kExprI32Const, 0x03,
+        kExprNop,
+        kExprGrowMemory, 0x00,
+        kExprI32Const, 0x13,
+        kExprNop,
+        kExprI32StoreMem8, 0x00, 0x10
+        ]).exportFunc();
+ let instance = builder.instantiate();
+ instance.exports.regression_710844();
+})();