[asm] Avoid instantiation as resumable function

If "use asm" is used inside a "function*" or async function, it should
bail out.

Drive-by: Minor cleanup in {Runtime_InstantiateAsmJs}.

R=ecmziegler@chromium.org

Bug: chromium:1065852
Change-Id: Ice48126b803a30c4b4ff7b5ae22df85a3f36198a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2126920Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66939}

src/asmjs/asm-js.cc

@@ -332,6 +332,13 @@ MaybeHandle<Object> AsmJs::InstantiateAsmWasm(Isolate* isolate,
   // but should instead point to the instantiation site (more intuitive).
   int position = shared->StartPosition();
 
+  // Check that the module is not instantiated as a generator or async function.
+  if (IsResumableFunction(shared->scope_info().function_kind())) {
+    ReportInstantiationFailure(script, position,
+                               "Cannot be instantiated as resumable function");
+    return MaybeHandle<Object>();
+  }
+
   // Check that all used stdlib members are valid.
   bool stdlib_use_of_typed_array_present = false;
   wasm::AsmJsParser::StdlibSet stdlib_uses =

src/runtime/runtime-compiler.cc

@@ -123,22 +123,17 @@ RUNTIME_FUNCTION(Runtime_InstantiateAsmJs) {
   if (args[3].IsJSArrayBuffer()) {
     memory = args.at<JSArrayBuffer>(3);
   }
-  if (function->shared().HasAsmWasmData()) {
-    Handle<SharedFunctionInfo> shared(function->shared(), isolate);
+  Handle<SharedFunctionInfo> shared(function->shared(), isolate);
+  if (shared->HasAsmWasmData()) {
     Handle<AsmWasmData> data(shared->asm_wasm_data(), isolate);
     MaybeHandle<Object> result = AsmJs::InstantiateAsmWasm(
         isolate, shared, data, stdlib, foreign, memory);
-    if (!result.is_null()) {
-      return *result.ToHandleChecked();
-    }
-  }
-  // Remove wasm data, mark as broken for asm->wasm, replace function code with
-  // UncompiledData, and return a smi 0 to indicate failure.
-  if (function->shared().HasAsmWasmData()) {
-    SharedFunctionInfo::DiscardCompiled(isolate,
-                                        handle(function->shared(), isolate));
+    if (!result.is_null()) return *result.ToHandleChecked();
+    // Remove wasm data, mark as broken for asm->wasm, replace function code
+    // with UncompiledData, and return a smi 0 to indicate failure.
+    SharedFunctionInfo::DiscardCompiled(isolate, shared);
   }
-  function->shared().set_is_asm_wasm_broken(true);
+  shared->set_is_asm_wasm_broken(true);
   DCHECK(function->code() ==
          isolate->builtins()->builtin(Builtins::kInstantiateAsmJs));
   function->set_code(isolate->builtins()->builtin(Builtins::kCompileLazy));

test/mjsunit/regress/wasm/regress-1065852.js

+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function* asm() {
+  "use asm";
+  function x(v) {
+    v = v | 0;
+  }
+  return x;
+}
+
+// 'function*' creates a generator with an implicit 'next' method.
+asm().next();

test/mjsunit/wasm/asm-wasm.js

@@ -1397,3 +1397,27 @@ assertWasm(3.25, TestFloatGlobals);
   assertEquals(42, m.bar());
   assertEquals(42, m.baz());
 })();
+
+(function TestGenerator() {
+  function* asmModule() {
+    "use asm";
+    function foo() {
+      return 42;
+    }
+    return {foo: foo};
+  }
+  asmModule();
+  assertFalse(%IsAsmWasmCode(asmModule));
+})();
+
+(function TestAsyncFunction() {
+  async function asmModule() {
+    "use asm";
+    function foo() {
+      return 42;
+    }
+    return {foo: foo};
+  }
+  asmModule();
+  assertFalse(%IsAsmWasmCode(asmModule));
+})();