From e21bac5b0ba22a8aab396ed02a6ec3e50999ea4b Mon Sep 17 00:00:00 2001
From: Andreas Haas <ahaas@chromium.org>
Date: Mon, 27 Nov 2017 14:15:42 +0100
Subject: [PATCH] [wasm] Open CodeSpaceMemoryModificationScope after imports
 got sanitized

Within SanitizeImports it is possible that JavaScript code gets executed
therefore we have to open the CodeSpaceMemoryModificationScope after
SanitizeImports.

R=clemensh@chromium.org

Bug: chromium:788469
Change-Id: Ide9bbd4ee4613b28380979d4a6c66d26e6a9406f
Reviewed-on: https://chromium-review.googlesource.com/789936
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49635}
---
 src/wasm/module-compiler.cc | 10 +++++-----
 test/mjsunit/wasm/ffi.js    | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/src/wasm/module-compiler.cc b/src/wasm/module-compiler.cc
index 9dda234ac8..bfd3ac1da3 100644
--- a/src/wasm/module-compiler.cc
+++ b/src/wasm/module-compiler.cc
@@ -1598,11 +1598,6 @@ InstanceBuilder::InstanceBuilder(
 
 // Build an instance, in all of its glory.
 MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
-  // TODO(6792): No longer needed once WebAssembly code is off heap.
-  // Use base::Optional to be able to close the scope before executing the start
-  // function.
-  base::Optional<CodeSpaceMemoryModificationScope> modification_scope(
-      base::in_place_t(), isolate_->heap());
   // Check that an imports argument was provided, if the module requires it.
   // No point in continuing otherwise.
   if (!module_->import_table.empty() && ffi_.is_null()) {
@@ -1614,6 +1609,11 @@ MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
   SanitizeImports();
   if (thrower_->error()) return {};
 
+  // TODO(6792): No longer needed once WebAssembly code is off heap.
+  // Use base::Optional to be able to close the scope before executing the start
+  // function.
+  base::Optional<CodeSpaceMemoryModificationScope> modification_scope(
+      base::in_place_t(), isolate_->heap());
   // From here on, we expect the build pipeline to run without exiting to JS.
   // Exception is when we run the startup function.
   DisallowJavascriptExecution no_js(isolate_);
diff --git a/test/mjsunit/wasm/ffi.js b/test/mjsunit/wasm/ffi.js
index 9451c875d6..67b1ccc8f5 100644
--- a/test/mjsunit/wasm/ffi.js
+++ b/test/mjsunit/wasm/ffi.js
@@ -385,3 +385,18 @@ testCallBinopVoid(kWasmF64);
   main();
   assertEquals(0, num_valueOf);
 })();
+
+(function ImportWithCustomGetter() {
+  print(arguments.callee.name);
+  const builder = new WasmModuleBuilder();
+  builder.addImport("import", "func", kSig_v_v);
+
+  const ffi = {};
+  Object.defineProperty(ffi, 'import', {
+    get: _ => {
+      return {func: () => null };
+    }
+  });
+
+  builder.instantiate(ffi);
+})();