From 680496ee100aadb45c2dc5589132f91d345de74a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sun, 7 Feb 2021 10:23:33 +0100 Subject: [PATCH] deps: V8: backport dfcf1e86fac0 Original commit message: [wasm] PostMessage of Memory.buffer should throw PostMessage of an ArrayBuffer that is not detachable should result in a DataCloneError. Bug: chromium:1170176, chromium:961059 Change-Id: Ib89bbc10d2b58918067fd1a90365cad10a0db9ec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2653810 Reviewed-by: Adam Klein Reviewed-by: Andreas Haas Commit-Queue: Deepti Gandluri Cr-Commit-Position: refs/heads/master@{#72415} Refs: https://github.com/v8/v8/commit/dfcf1e86fac0a7b067caf8fdfc13eaf3e3f445e4 PR-URL: https://github.com/nodejs/node/pull/37245 Reviewed-By: Daniel Bevenius Reviewed-By: Antoine du Hamel Reviewed-By: Rich Trott Reviewed-By: Matteo Collina Reviewed-By: Vladimir de Turckheim Reviewed-By: Colin Ihrig --- common.gypi | 2 +- deps/v8/src/common/message-template.h | 4 +++- deps/v8/src/objects/value-serializer.cc | 5 +++++ deps/v8/test/mjsunit/wasm/worker-memory.js | 7 +++++++ 4 files changed, 16 insertions(+), 2 deletions(-) diff --git a/common.gypi b/common.gypi index 102f0907745507..a6556a4cb727ac 100644 --- a/common.gypi +++ b/common.gypi @@ -34,7 +34,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.45', + 'v8_embedder_string': '-node.46', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/common/message-template.h b/deps/v8/src/common/message-template.h index e3307a525c81fa..7b9819a0bab8e9 100644 --- a/deps/v8/src/common/message-template.h +++ b/deps/v8/src/common/message-template.h @@ -554,7 +554,9 @@ namespace internal { T(DataCloneError, "% could not be cloned.") \ T(DataCloneErrorOutOfMemory, "Data cannot be cloned, out of memory.") \ T(DataCloneErrorDetachedArrayBuffer, \ - "An ArrayBuffer is neutered and could not be cloned.") \ + "An ArrayBuffer is detached and could not be cloned.") \ + T(DataCloneErrorNonDetachableArrayBuffer, \ + "ArrayBuffer is not detachable and could not be cloned.") \ T(DataCloneErrorSharedArrayBufferTransferred, \ "A SharedArrayBuffer could not be cloned. SharedArrayBuffer must not be " \ "transferred.") \ diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc index 3b3506fbb9178a..898741dfbe9d35 100644 --- a/deps/v8/src/objects/value-serializer.cc +++ b/deps/v8/src/objects/value-serializer.cc @@ -877,6 +877,11 @@ Maybe ValueSerializer::WriteJSArrayBuffer( WriteVarint(index.FromJust()); return ThrowIfOutOfMemory(); } + if (!array_buffer->is_detachable()) { + ThrowDataCloneError( + MessageTemplate::kDataCloneErrorNonDetachableArrayBuffer); + return Nothing(); + } uint32_t* transfer_entry = array_buffer_transfer_map_.Find(array_buffer); if (transfer_entry) { diff --git a/deps/v8/test/mjsunit/wasm/worker-memory.js b/deps/v8/test/mjsunit/wasm/worker-memory.js index c5b99ede7e2836..bf5430f7139815 100644 --- a/deps/v8/test/mjsunit/wasm/worker-memory.js +++ b/deps/v8/test/mjsunit/wasm/worker-memory.js @@ -11,6 +11,13 @@ assertThrows(() => worker.postMessage(memory), Error); })(); +(function TestPostMessageUnsharedMemoryBuffer() { + let worker = new Worker('', {type: 'string'}); + let memory = new WebAssembly.Memory({initial: 1, maximum: 2}); + + assertThrows(() => worker.postMessage(memory.buffer), Error); +})(); + // Can't use assert in a worker. let workerHelpers = `function assertTrue(value, msg) {