[wasm] get length at the right time Table.p.grow

Get the old table size after converting integer of 'delta' argument.
Converting integer of the argument can execute another javascript code,
and the code can trigger mismatching between table sizes of instance and
table object, which causes redundant memory allocation.

http://webassembly.org/docs/js/#webassemblytableprototypegrow

Bug: chromium:752423
Change-Id: If9a576d20625d0c39342ea5de114e9fc9f230125
Reviewed-on: https://chromium-review.googlesource.com/627248Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47641}

src/wasm/wasm-js.cc

@@ -639,12 +639,12 @@ void WebAssemblyTableGrow(const v8::FunctionCallbackInfo<v8::Value>& args) {
   Local<Context> context = isolate->GetCurrentContext();
   EXTRACT_THIS(receiver, WasmTableObject);
 
-  i::Handle<i::FixedArray> old_array(receiver->functions(), i_isolate);
-  int old_size = old_array->length();
   int64_t new_size64 = 0;
   if (args.Length() > 0 && !args[0]->IntegerValue(context).To(&new_size64)) {
     return;
   }
+  i::Handle<i::FixedArray> old_array(receiver->functions(), i_isolate);
+  int old_size = old_array->length();
   new_size64 += old_size;
 
   int64_t max_size64 = receiver->maximum_length()->Number();

test/mjsunit/wasm/table.js

@@ -272,4 +272,8 @@ function assertTableIsValid(table, length) {
     {element: "anyfunc", initial: 0, maximum: kV8MaxWasmTableSize});
   table.grow(kV8MaxWasmTableSize);
   assertThrows(() => table.grow(1), RangeError);
+
+  table = new WebAssembly.Table({element: "anyfunc", initial: 0});
+  table.grow({valueOf: () => {table.grow(2); return 1;}});
+  assertEquals(3, table.length);
 })();