From 084207d9688ebedd8d974e2bc5afd3546628389c Mon Sep 17 00:00:00 2001
From: Clemens Hammacher
Date: Wed, 3 Apr 2019 15:54:08 +0200
Subject: [PATCH] [wasm] Use engine's allocator consistently
Using the Isolate's allocator when creating the WasmModule can lead to use-after-free situations when the NativeModule is shared across Isolates.
R=mstarzinger@chromium.org
Bug: v8:9079
Change-Id: I5a564852179cc5b9d4cbad2a002d3b6e14b01968
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1550404
Reviewed-by: Michael Starzinger
Commit-Queue: Clemens Hammacher
Cr-Commit-Position: refs/heads/master@{#60605}
---
 src/wasm/wasm-serialization.cc | 7 ++++---
 test/cctest/wasm/test-streaming-compilation.cc | 2 +-
 test/common/wasm/wasm-module-runner.cc | 2 +-
 test/fuzzer/wasm-fuzzer-common.cc | 3 ++-
 test/unittests/wasm/module-decoder-unittest.cc | 4 ++--
 5 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/wasm/wasm-serialization.cc b/src/wasm/wasm-serialization.cc
index 2540d9bcfc..9621d8d18d 100644
--- a/src/wasm/wasm-serialization.cc
+++ b/src/wasm/wasm-serialization.cc
@@ -613,9 +613,10 @@ MaybeHandle DeserializeNativeModule(
 ModuleWireBytes wire_bytes(wire_bytes_vec);
 // TODO(titzer): module features should be part of the serialization format.
 WasmFeatures enabled_features = WasmFeaturesFromIsolate(isolate);
- ModuleResult decode_result = DecodeWasmModule(
- enabled_features, wire_bytes.start(), wire_bytes.end(), false,
- i::wasm::kWasmOrigin, isolate->counters(), isolate->allocator());
+ ModuleResult decode_result =
+ DecodeWasmModule(enabled_features, wire_bytes.start(), wire_bytes.end(),
+ false, i::wasm::kWasmOrigin, isolate->counters(),
+ isolate->wasm_engine()->allocator());
 if (decode_result.failed()) return {};
 CHECK_NOT_NULL(decode_result.value());
 WasmModule* module = decode_result.value().get();
diff --git a/test/cctest/wasm/test-streaming-compilation.cc b/test/cctest/wasm/test-streaming-compilation.cc
index bfcc5c53cb..3c4d25f9e2 100644
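Review bot: The switch to `isolate->wasm_engine()->allocator()` on the added lines of DeserializeNativeModule is not explained at the call site, so nothing stops a later edit from reverting to `isolate->allocator()` and reintroducing the cross-Isolate use-after-free the commit message describes. A one-line comment above the call would pin it down: `// Allocate with the engine, not the Isolate: the decoded module is owned by the NativeModule, which may be shared across Isolates (v8:9079).` The same change is made, equally uncommented, in the hunks for test/cctest/wasm/test-streaming-compilation.cc, test/common/wasm/wasm-module-runner.cc, test/fuzzer/wasm-fuzzer-common.cc and test/unittests/wasm/module-decoder-unittest.cc. Since DecodeWasmModule still accepts whichever allocator the caller hands it, any call site outside this patch (none are visible here) would need the same fix, and a DCHECK in the decoder or at NativeModule construction that the module's allocator is the engine's would turn the mistake into a deterministic test failure instead of a late use-after-free. The diffstat shows only edited call sites and no new test that actually shares a NativeModule between two Isolates, so the fix has no regression coverage; DeserializeNativeModule's body begins before and continues after the hunk.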
--- a/test/cctest/wasm/test-streaming-compilation.cc
+++ b/test/cctest/wasm/test-streaming-compilation.cc
@@ -264,7 +264,7 @@ size_t GetFunctionOffset(i::Isolate* isolate, const uint8_t* buffer,
 size_t size, size_t index) {
 ModuleResult result = DecodeWasmModule(
 kAllWasmFeatures, buffer, buffer + size, false, ModuleOrigin::kWasmOrigin,
- isolate->counters(), isolate->allocator());
+ isolate->counters(), isolate->wasm_engine()->allocator());
 CHECK(result.ok());
 const WasmFunction* func = &result.value()->functions[1];
 return func->code.offset();
diff --git a/test/common/wasm/wasm-module-runner.cc b/test/common/wasm/wasm-module-runner.cc
index 45428cbc75..c4858ce281 100644
--- a/test/common/wasm/wasm-module-runner.cc
+++ b/test/common/wasm/wasm-module-runner.cc
@@ -46,7 +46,7 @@ std::shared_ptr DecodeWasmModuleForTesting(
 auto enabled_features = WasmFeaturesFromIsolate(isolate);
 ModuleResult decoding_result = DecodeWasmModule(
 enabled_features, module_start, module_end, verify_functions, origin,
- isolate->counters(), isolate->allocator());
+ isolate->counters(), isolate->wasm_engine()->allocator());
 if (decoding_result.failed()) {
 // Module verification failed. throw.
diff --git a/test/fuzzer/wasm-fuzzer-common.cc b/test/fuzzer/wasm-fuzzer-common.cc
index 5cb91e5f9f..2bfe1cbd74 100644
--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@@ -116,7 +116,8 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes,
 auto enabled_features = i::wasm::WasmFeaturesFromIsolate(isolate);
 ModuleResult module_res = DecodeWasmModule(
 enabled_features, wire_bytes.start(), wire_bytes.end(), kVerifyFunctions,
- ModuleOrigin::kWasmOrigin, isolate->counters(), isolate->allocator());
+ ModuleOrigin::kWasmOrigin, isolate->counters(),
+ isolate->wasm_engine()->allocator());
 CHECK(module_res.ok());
 WasmModule* module = module_res.value().get();
 CHECK_NOT_NULL(module);
diff --git a/test/unittests/wasm/module-decoder-unittest.cc b/test/unittests/wasm/module-decoder-unittest.cc
index c86d32d7de..6fd4902f78 100644
--- a/test/unittests/wasm/module-decoder-unittest.cc
+++ b/test/unittests/wasm/module-decoder-unittest.cc
@@ -186,7 +186,7 @@ class WasmModuleVerifyTest : public TestWithIsolateAndZone {
 }
 ModuleResult result = DecodeWasmModule(
 enabled_features_, temp, temp + total, false, kWasmOrigin,
- isolate()->counters(), isolate()->allocator());
+ isolate()->counters(), isolate()->wasm_engine()->allocator());
 delete[] temp;
 return result;
 }
@@ -194,7 +194,7 @@ class WasmModuleVerifyTest : public TestWithIsolateAndZone {
 const byte* module_end) {
 return DecodeWasmModule(enabled_features_, module_start, module_end, false,
 kWasmOrigin, isolate()->counters(),
- isolate()->allocator());
+ isolate()->wasm_engine()->allocator());
 }
 };