[wasm] Adjust segment loading for table index > 0

This was supposed to be only a clean-up, but the original code even
invalidated a test and thereby covered a test. I fixed the bug here as
well.

Without testing it I think this fixes https://crbug.com/964607.

Bug: v8:9183
Change-Id: I076f40a2302bfd5b7cecd2ae35d4e05a465e054b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1621935
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61691}

src/wasm/module-instantiate.cc

@@ -1531,10 +1531,15 @@ bool LoadElemSegmentImpl(Isolate* isolate, Handle<WasmInstanceObject> instance,
 
     const WasmFunction* function = &module->functions[func_index];
 
-    // Update the local dispatch table first.
-    uint32_t sig_id = module->signature_ids[function->sig_index];
-    IndirectFunctionTableEntry(instance, entry_index)
-        .Set(sig_id, instance, func_index);
+    // Update the local dispatch table first if necessary. We only have to
+    // update the dispatch table if the first table of the instance is changed.
+    // For all other tables, function calls do not use a dispatch table at
+    // the moment.
+    if (elem_segment.table_index == 0) {
+      uint32_t sig_id = module->signature_ids[function->sig_index];
+      IndirectFunctionTableEntry(instance, entry_index)
+          .Set(sig_id, instance, func_index);
+    }
 
     // Update the table object's other dispatch tables.
     MaybeHandle<WasmExportedFunction> wasm_exported_function =

test/mjsunit/wasm/wasm-module-builder.js

@@ -900,22 +900,6 @@ class WasmModuleBuilder {
   addElementSegment(table, base, is_global, array) {
     this.element_segments.push({table: table, base: base, is_global: is_global,
                                     array: array, is_active: true});
-
-    // As a testing convenience, update the table length when adding an element
-    // segment. If the table is imported, we can't do this because we don't
-    // know how long the table actually is. If |is_global| is true, then the
-    // base is a global index, instead of an integer offset, so we can't update
-    // the table then either.
-    if (!(is_global || table < this.num_imported_tables)) {
-      var length = base + array.length;
-      if (length > this.tables[0].initial_size) {
-        this.tables[0].initial_size = length;
-      }
-      if (this.tables[0].has_max &&
-          length > this.tables[0].max_size) {
-        this.tables[0].max_size = length;
-      }
-    }
     return this;
   }
 
@@ -932,7 +916,15 @@ class WasmModuleBuilder {
     if (this.tables.length == 0) {
       this.addTable(kWasmAnyFunc, 0);
     }
-    return this.addElementSegment(0, this.tables[0].initial_size, false, array);
+    // Adjust the table to the correct size.
+    let table = this.tables[0];
+    const base = table.initial_size;
+    const table_size = base + array.length;
+    table.initial_size = table_size;
+    if (table.has_max && table_size > table.max_size) {
+      table.max_size = table_size;
+    }
+    return this.addElementSegment(0, base, false, array);
   }
 
   setTableBounds(min, max = undefined) {