[asmjs] Disallow AsmJs instantiation from a SharedArrayBuffer.

AsmJs does not support SharedArrayBuffers. This CL adds a check in
instantiation and reports a proper error.

Bug: chromium:1013920
Change-Id: Id7159f23ddcc2bde139c4c97bdb67ef3dc7f0e22
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1862563Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64291}

src/asmjs/asm-js.cc

@@ -387,6 +387,12 @@ MaybeHandle<Object> AsmJs::InstantiateAsmWasm(Isolate* isolate,
       ReportInstantiationFailure(script, position, "Requires heap buffer");
       return MaybeHandle<Object>();
     }
+    // AsmJs memory must be an ArrayBuffer.
+    if (memory->is_shared()) {
+      ReportInstantiationFailure(script, position,
+                                 "Invalid heap type: SharedArrayBuffer");
+      return MaybeHandle<Object>();
+    }
     // Mark the buffer as being used as an asm.js memory. This implies two
     // things: 1) if the buffer is from a Wasm memory, that memory can no longer
     // be grown, since that would detach this buffer, and 2) the buffer cannot

test/mjsunit/asm/regress-1013920.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function asm(stdlib, foreign, heap) {
+  "use asm";
+  var heap32 = new stdlib.Uint32Array(heap);
+  function f() { return 0; }
+  return {f : f};
+}
+
+var heap = Reflect.construct(
+    SharedArrayBuffer,
+    [1024 * 1024],
+    ArrayBuffer.prototype.constructor);
+
+asm(this, {}, heap);