[wasm] Properly handlify WasmCompiledModule::Clone.

This is to avoid a dereference of the unhandlified {this} reference
after handlified allocation functions have been called. Combining
handlified and unhandlified style is inherently unsafe.

R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2380463006
Cr-Commit-Position: refs/heads/master@{#39921}

src/wasm/wasm-module.cc

@@ -1220,7 +1220,7 @@ MaybeHandle<JSObject> WasmModule::Instantiate(Isolate* isolate,
       // There is already an owner, clone everything.
       owner = Handle<JSObject>(JSObject::cast(tmp->value()), isolate);
       // Insert the latest clone in front.
-      compiled_module = original->Clone(isolate);
+      compiled_module = WasmCompiledModule::Clone(isolate, original);
       // Replace the strong reference to point to the new instance here.
       // This allows any of the other instances, including the original,
       // to be collected.

src/wasm/wasm-module.h

@@ -442,13 +442,14 @@ class WasmCompiledModule : public FixedArray {
     return handle(WasmCompiledModule::cast(*ret));
   }
 
-  Handle<WasmCompiledModule> Clone(Isolate* isolate) {
-    Handle<WasmCompiledModule> ret = handle(WasmCompiledModule::cast(
-        *isolate->factory()->CopyFixedArray(handle(this))));
+  static Handle<WasmCompiledModule> Clone(Isolate* isolate,
+                                          Handle<WasmCompiledModule> module) {
+    Handle<WasmCompiledModule> ret = Handle<WasmCompiledModule>::cast(
+        isolate->factory()->CopyFixedArray(module));
     Handle<HeapNumber> number =
         isolate->factory()->NewHeapNumber(0.0, MUTABLE, TENURED);
     ret->set(kID_mem_size, *number);
-    ret->set_mem_size(mem_size());
+    ret->set_mem_size(module->mem_size());
     return ret;
   }