From d92428aa1d912cf58c0ad2bc88a61927d7baf667 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 6 Feb 2021 11:14:59 +0100 Subject: [PATCH] deps: V8: backport dfcf1e86fac0 Original commit message: [wasm] PostMessage of Memory.buffer should throw PostMessage of an ArrayBuffer that is not detachable should result in a DataCloneError. Bug: chromium:1170176, chromium:961059 Change-Id: Ib89bbc10d2b58918067fd1a90365cad10a0db9ec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2653810 Reviewed-by: Adam Klein Reviewed-by: Andreas Haas Commit-Queue: Deepti Gandluri Cr-Commit-Position: refs/heads/master@{#72415} Refs: https://github.com/v8/v8/commit/dfcf1e86fac0a7b067caf8fdfc13eaf3e3f445e4 --- common.gypi | 2 +- deps/v8/src/common/message-template.h | 2 ++ deps/v8/src/objects/value-serializer.cc | 5 +++++ deps/v8/test/mjsunit/wasm/worker-memory.js | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/common.gypi b/common.gypi index 374ded1c426dae..7c7ece7a381d6b 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.23', + 'v8_embedder_string': '-node.24', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/common/message-template.h b/deps/v8/src/common/message-template.h index b7bbc6da84ca03..dc4d7581f16591 100644 --- a/deps/v8/src/common/message-template.h +++ b/deps/v8/src/common/message-template.h @@ -575,6 +575,8 @@ namespace internal { T(DataCloneErrorOutOfMemory, "Data cannot be cloned, out of memory.") \ T(DataCloneErrorDetachedArrayBuffer, \ "An ArrayBuffer is detached and could not be cloned.") \ + T(DataCloneErrorNonDetachableArrayBuffer, \ + "ArrayBuffer is not detachable and could not be cloned.") \ T(DataCloneErrorSharedArrayBufferTransferred, \ "A SharedArrayBuffer could not be cloned. SharedArrayBuffer must not be " \ "transferred.") \ diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc index b34076025f07ff..d9abe45124f176 100644 --- a/deps/v8/src/objects/value-serializer.cc +++ b/deps/v8/src/objects/value-serializer.cc @@ -860,6 +860,11 @@ Maybe ValueSerializer::WriteJSArrayBuffer( WriteVarint(index.FromJust()); return ThrowIfOutOfMemory(); } + if (!array_buffer->is_detachable()) { + ThrowDataCloneError( + MessageTemplate::kDataCloneErrorNonDetachableArrayBuffer); + return Nothing(); + } uint32_t* transfer_entry = array_buffer_transfer_map_.Find(array_buffer); if (transfer_entry) { diff --git a/deps/v8/test/mjsunit/wasm/worker-memory.js b/deps/v8/test/mjsunit/wasm/worker-memory.js index c5b99ede7e2836..bf5430f7139815 100644 --- a/deps/v8/test/mjsunit/wasm/worker-memory.js +++ b/deps/v8/test/mjsunit/wasm/worker-memory.js @@ -11,6 +11,13 @@ assertThrows(() => worker.postMessage(memory), Error); })(); +(function TestPostMessageUnsharedMemoryBuffer() { + let worker = new Worker('', {type: 'string'}); + let memory = new WebAssembly.Memory({initial: 1, maximum: 2}); + + assertThrows(() => worker.postMessage(memory.buffer), Error); +})(); + // Can't use assert in a worker. let workerHelpers = `function assertTrue(value, msg) {