[wasm] Explicitly Disallow heap allocation when wasm memory references are updated

 - Enable grow memory tests on 32 bit windows
 - Use handles to module JSObject instead of object pointers

R=ahaas@chromium.org, bradnelson@chromium.org

Review-Url: https://codereview.chromium.org/2105013004
Cr-Commit-Position: refs/heads/master@{#37409}

src/runtime/runtime-wasm.cc

@@ -22,23 +22,29 @@ RUNTIME_FUNCTION(Runtime_WasmGrowMemory) {
   DCHECK_EQ(1, args.length());
   uint32_t delta_pages = 0;
   RUNTIME_ASSERT(args[0]->ToUint32(&delta_pages));
+  Handle<JSObject> module_object;
 
-  // Get the module JSObject
-  const Address entry = Isolate::c_entry_fp(isolate->thread_local_top());
-  Address pc =
-      Memory::Address_at(entry + StandardFrameConstants::kCallerPCOffset);
-  Code* code = isolate->inner_pointer_to_code_cache()->GetCacheEntry(pc)->code;
-  FixedArray* deopt_data = code->deoptimization_data();
-  DCHECK(deopt_data->length() == 2);
-  JSObject* module_object = JSObject::cast(deopt_data->get(0));
-  RUNTIME_ASSERT(!module_object->IsNull(isolate));
+  {
+    // Get the module JSObject
+    DisallowHeapAllocation no_allocation;
+    const Address entry = Isolate::c_entry_fp(isolate->thread_local_top());
+    Address pc =
+        Memory::Address_at(entry + StandardFrameConstants::kCallerPCOffset);
+    Code* code =
+        isolate->inner_pointer_to_code_cache()->GetCacheEntry(pc)->code;
+    FixedArray* deopt_data = code->deoptimization_data();
+    DCHECK(deopt_data->length() == 2);
+    module_object = Handle<JSObject>::cast(handle(deopt_data->get(0), isolate));
+    RUNTIME_ASSERT(!module_object->IsNull(isolate));
+  }
 
   Address old_mem_start, new_mem_start;
   uint32_t old_size, new_size;
   const int kWasmMemArrayBuffer = 2;
 
   // Get mem buffer associated with module object
-  Object* obj = module_object->GetInternalField(kWasmMemArrayBuffer);
+  Handle<Object> obj(module_object->GetInternalField(kWasmMemArrayBuffer),
+                     isolate);
 
   if (obj->IsUndefined(isolate)) {
     // If module object does not have linear memory associated with it,
@@ -65,8 +71,7 @@ RUNTIME_FUNCTION(Runtime_WasmGrowMemory) {
     }
 #endif
   } else {
-    Handle<JSArrayBuffer> old_buffer =
-        Handle<JSArrayBuffer>(JSArrayBuffer::cast(obj));
+    Handle<JSArrayBuffer> old_buffer = Handle<JSArrayBuffer>::cast(obj);
     old_mem_start = static_cast<Address>(old_buffer->backing_store());
     old_size = old_buffer->byte_length()->Number();
     // If the old memory was zero-sized, we should have been in the

src/wasm/wasm-module.cc

@@ -1278,10 +1278,11 @@ WasmDebugInfo* GetDebugInfo(JSObject* wasm) {
   return *new_info;
 }
 
-bool UpdateWasmModuleMemory(JSObject* object, Address old_start,
+bool UpdateWasmModuleMemory(Handle<JSObject> object, Address old_start,
                             Address new_start, uint32_t old_size,
                             uint32_t new_size) {
-  if (!IsWasmObject(object)) {
+  DisallowHeapAllocation no_allocation;
+  if (!IsWasmObject(*object)) {
     return false;
   }
 

src/wasm/wasm-module.h

@@ -367,7 +367,7 @@ int GetNumberOfFunctions(JSObject* wasm);
 bool IsWasmObject(Object* object);
 
 // Update memory references of code objects associated with the module
-bool UpdateWasmModuleMemory(JSObject* object, Address old_start,
+bool UpdateWasmModuleMemory(Handle<JSObject> object, Address old_start,
                             Address new_start, uint32_t old_size,
                             uint32_t new_size);
 

test/mjsunit/mjsunit.status

@@ -886,11 +886,6 @@
   'es6/tail-call-megatest*': [SKIP],
 }],  # (ignition or ignition_turbofan) and msan
 
-['system == windows and arch == ia32', {
-  # TODO(gdeepti): Flaky on multiple runs, windows nosnap crashes
-  'wasm/grow-memory': [SKIP],
-}],  # 'system == windows'
-
 ##############################################################################
 ['gcov_coverage', {
   # Tests taking too long.