[wasm] Growing memory should always allocate a new JS buffer

The UpdateSharedWasmMemoryObjects function only creates a new
JSArrayBuffer when the the legths of old/new ArrayBuffer objects
are unequal, but the CHECK in the Grow() funciton assumes that a new
object is always created. Fix so that a new ArrayBuffer is always
allocated.

Bug: v8:10044, chromium:1040325
Change-Id: I66912bdc091e65a57e5b50f4ed63b0da5492dcc4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1999603Reviewed-by: Ben Smith <binji@chromium.org>
Commit-Queue: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65742}

src/objects/backing-store.cc

@@ -732,11 +732,9 @@ void GlobalBackingStoreRegistry::UpdateSharedWasmMemoryObjects(
     Handle<JSArrayBuffer> old_buffer(memory_object->array_buffer(), isolate);
     std::shared_ptr<BackingStore> backing_store = old_buffer->GetBackingStore();
 
-    if (old_buffer->byte_length() != backing_store->byte_length()) {
-      Handle<JSArrayBuffer> new_buffer =
-          isolate->factory()->NewJSSharedArrayBuffer(std::move(backing_store));
-      memory_object->update_instances(isolate, new_buffer);
-    }
+    Handle<JSArrayBuffer> new_buffer =
+        isolate->factory()->NewJSSharedArrayBuffer(std::move(backing_store));
+    memory_object->update_instances(isolate, new_buffer);
   }
 }
 

test/mjsunit/wasm/grow-shared-memory.js

@@ -344,3 +344,9 @@ let workerHelpers = assertTrue.toString() + assertIsWasmSharedMemory.toString();
   assertEquals(memory.grow(1), 1);
   assertInstanceof(memory.buffer, SharedArrayBuffer);
 })();
+
+(function TestSharedMemoryGrowByZero() {
+  const memory = new WebAssembly.Memory({
+    "initial": 1, "maximum": 2, "shared": true });
+  assertEquals(memory.grow(0), 1);
+})();