[wasm] Do not try to relocate off-heap trampolines

Off-heap trampolines (short trampolines that jump to .text-embedded
builtin instruction streams) should contain exactly one OFF_HEAP_TARGET
reloc entry.

When AddAnonymousCode is called on such a trampoline, it copies the
(off-heap) *instruction stream* and thus should never perform any
relocations using the *trampoline's* RelocInfo.

Bug: v8:6666
Change-Id: I09a11344fb7e62d759c4c943712e7d4e91199130
Reviewed-on: https://chromium-review.googlesource.com/1179671
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55214}

src/wasm/wasm-code-manager.cc

@@ -199,7 +199,6 @@ void WasmCode::Validate() const {
       }
       case RelocInfo::JS_TO_WASM_CALL:
       case RelocInfo::EXTERNAL_REFERENCE:
-      case RelocInfo::OFF_HEAP_TARGET:
       case RelocInfo::COMMENT:
       case RelocInfo::CONST_POOL:
       case RelocInfo::VENEER_POOL:
@@ -444,9 +443,13 @@ void NativeModule::SetRuntimeStubs(Isolate* isolate) {
 
 WasmCode* NativeModule::AddAnonymousCode(Handle<Code> code,
                                          WasmCode::Kind kind) {
-  OwnedVector<byte> reloc_info =
-      OwnedVector<byte>::New(code->relocation_size());
-  memcpy(reloc_info.start(), code->relocation_start(), code->relocation_size());
+  // For off-heap builtins, we create a copy of the off-heap instruction stream
+  // instead of the on-heap code object containing the trampoline. Ensure that
+  // we do not apply the on-heap reloc info to the off-heap instructions.
+  const size_t relocation_size =
+      code->is_off_heap_trampoline() ? 0 : code->relocation_size();
+  OwnedVector<byte> reloc_info = OwnedVector<byte>::New(relocation_size);
+  memcpy(reloc_info.start(), code->relocation_start(), relocation_size);
   Handle<ByteArray> source_pos_table(code->SourcePositionTable(),
                                      code->GetIsolate());
   OwnedVector<byte> source_pos =