[wasm] fix for GC during instantiation.

src/wasm/wasm-module.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 
 #include "src/base/atomic-utils.h"
 #include "src/code-stubs.h"
 
 #include "src/macro-assembler.h"
@@ skipping 1237 matching lines @@
       isolate->counters()->wasm_instantiate_module_time());
   Factory* factory = isolate->factory();
 
   //--------------------------------------------------------------------------
   // Reuse the compiled module (if no owner), otherwise clone.
   //--------------------------------------------------------------------------
   Handle<FixedArray> compiled_module;
   Handle<FixedArray> code_table;
   Handle<FixedArray> old_code_table;
   Handle<JSObject> owner;
+  // If we don't clone, this will be null(). Otherwise, this will
+  // be a weak link to the original. If we lose the original to GC,
+  // this will be a cleared. We'll link the instances chain last.
+  MaybeHandle<WeakCell> link_to_original;
+
   {
     Handle<FixedArray> original(
         FixedArray::cast(module_object->GetInternalField(0)), isolate);
     // Always make a new copy of the code_table, since the old_code_table
     // may still have placeholders for imports.
     old_code_table = original->GetValueChecked<FixedArray>(isolate, kCodeTable);
     code_table = factory->CopyFixedArray(old_code_table);
 
     WeakCell* tmp = GetOwningInstance(*original);
     if (tmp != nullptr) {
+      DCHECK(!tmp->cleared());
       // There is already an owner, clone everything.
       owner = Handle<JSObject>(JSObject::cast(tmp->value()), isolate);
       // Insert the latest clone in front.
       compiled_module = factory->CopyFixedArray(original);
+      // Replace the strong reference to point to the new instance here.
+      // This allows any of the other instances, including the original,
+      // to be collected.
+      module_object->SetInternalField(0, *compiled_module);
       Handle<WeakCell> weak_link_to_wasm_obj =
           original->GetValueChecked<WeakCell>(isolate, kModuleObject);
 
       compiled_module->set(kModuleObject, *weak_link_to_wasm_obj);
-      Handle<WeakCell> link_to_original = factory->NewWeakCell(original);
-      compiled_module->set(kNextInstance, *link_to_original);
-      Handle<WeakCell> link_to_clone = factory->NewWeakCell(compiled_module);
-      original->set(kPrevInstance, *link_to_clone);
-      JSObject::cast(weak_link_to_wasm_obj->value())
-          ->SetInternalField(0, *compiled_module);
+      link_to_original = factory->NewWeakCell(original);
+      // Don't link to original here. We remember the original
+      // as a weak link. If that link isn't clear by the time we finish
+      // instantiating this instance, then we link it at that time.
+      compiled_module->set(kNextInstance, *factory->undefined_value());
 
       // Clone the code for WASM functions and exports.
       for (int i = 0; i < code_table->length(); ++i) {
         Handle<Code> orig_code = code_table->GetValueChecked<Code>(isolate, i);
         switch (orig_code->kind()) {
           case Code::WASM_TO_JS_FUNCTION:
             // Imports will be overwritten with newly compiled wrappers.
             break;
           case Code::JS_TO_WASM_FUNCTION:
           case Code::WASM_FUNCTION: {
@@ skipping 278 matching lines @@
       thrower->Error("WASM.instantiateModule(): start function failed");
       return nothing;
     }
   }
 
   DCHECK(wasm::IsWasmObject(*instance));
 
   if (!compiled_module->GetValue<WeakCell>(isolate, kModuleObject).is_null()) {
     instance->SetInternalField(kWasmCompiledModule, *compiled_module);
     Handle<WeakCell> link_to_owner = factory->NewWeakCell(instance);
-    compiled_module->set(kOwningInstance, *link_to_owner);
 
     Handle<Object> global_handle = isolate->global_handles()->Create(*instance);
-    GlobalHandles::MakeWeak(global_handle.location(), global_handle.location(),
-                            &InstanceFinalizer,
-                            v8::WeakCallbackType::kFinalizer);
+    Handle<WeakCell> link_to_clone = factory->NewWeakCell(compiled_module);
+    {
+      DisallowHeapAllocation no_gc;
+      compiled_module->set(kOwningInstance, *link_to_owner);
+      Handle<WeakCell> next;
+      if (link_to_original.ToHandle(&next) && !next->cleared()) {
+        FixedArray* original = FixedArray::cast(next->value());
+        DCHECK_NOT_NULL(GetOwningInstance(original));
+        DCHECK(!GetOwningInstance(original)->cleared());
+        compiled_module->set(kNextInstance, *next);
+        original->set(kPrevInstance, *link_to_clone);
+      }
+      GlobalHandles::MakeWeak(global_handle.location(),
+                              global_handle.location(), &InstanceFinalizer,
+                              v8::WeakCallbackType::kFinalizer);
+    }
   }
 
   return instance;
 }
 
 compiler::CallDescriptor* ModuleEnv::GetCallDescriptor(Zone* zone,
                                                        uint32_t index) {
   DCHECK(IsValidFunction(index));
   // Always make a direct call to whatever is in the table at that location.
   // A wrapper will be generated for FFI calls.
@@ skipping 253 matching lines @@
   FixedArray* compiled_module =
       FixedArray::cast(instance->GetInternalField(kWasmCompiledModule));
   CHECK_NOT_NULL(GetModuleObject(compiled_module));
   CHECK(GetModuleObject(compiled_module)->cleared());
 }
 
 }  // namespace testing
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8