[wasm] clear is_wasm_memory flag when neutering ArrayBuffers

Bug: chromium:825087
Change-Id: I2eb163e5399e98da75cd1e4ad6f0a62d6da4ae2c
Reviewed-on: https://chromium-review.googlesource.com/978840Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52198}

src/objects/js-array.h

@@ -190,6 +190,9 @@ class JSArrayBuffer : public JSObject {
   // Returns whether the buffer is tracked by the WasmMemoryTracker.
   inline bool is_wasm_memory() const;
 
+  // Sets whether the buffer is tracked by the WasmMemoryTracker.
+  void set_is_wasm_memory(bool is_wasm_memory);
+
   void FreeBackingStore();
   static void FreeBackingStore(Isolate* isolate, Allocation allocation);
 
@@ -238,8 +241,6 @@ class JSArrayBuffer : public JSObject {
   class IsWasmMemory : public BitField<bool, 6, 1> {};
 
  private:
-  void set_is_wasm_memory(bool is_wasm_memory);
-
   DISALLOW_IMPLICIT_CONSTRUCTORS(JSArrayBuffer);
 };
 

src/wasm/wasm-memory.cc

@@ -280,6 +280,7 @@ void DetachMemoryBuffer(Isolate* isolate, Handle<JSArrayBuffer> buffer,
   }
 
   DCHECK(buffer->is_external());
+  buffer->set_is_wasm_memory(false);
   buffer->set_is_neuterable(true);
   buffer->Neuter();
 }

test/mjsunit/regress/wasm/regress-825087a.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+PAGES = 10;
+memory = new WebAssembly.Memory({initial: PAGES});
+buffer = memory.buffer;
+memory.grow();
+WebAssembly.validate(buffer);

test/mjsunit/regress/wasm/regress-825087b.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+PAGES = 10;
+memory = new WebAssembly.Memory({initial: PAGES});
+buffer = memory.buffer;
+buffer = new Uint8Array(buffer);
+memory.grow();
+WebAssembly.validate(buffer);