From 20c65b00c28b46d01d432059d56ef29d87eaa337 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sun, 7 Feb 2021 10:23:33 +0100 Subject: [PATCH] deps: V8: backport dfcf1e86fac0 Original commit message: [wasm] PostMessage of Memory.buffer should throw PostMessage of an ArrayBuffer that is not detachable should result in a DataCloneError. Bug: chromium:1170176, chromium:961059 Change-Id: Ib89bbc10d2b58918067fd1a90365cad10a0db9ec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2653810 Reviewed-by: Adam Klein Reviewed-by: Andreas Haas Commit-Queue: Deepti Gandluri Cr-Commit-Position: refs/heads/master@{#72415} Refs: https://github.com/v8/v8/commit/dfcf1e86fac0a7b067caf8fdfc13eaf3e3f445e4 PR-URL: https://github.com/nodejs/node/pull/37245 Reviewed-By: Daniel Bevenius Reviewed-By: Antoine du Hamel Reviewed-By: Rich Trott Reviewed-By: Matteo Collina Reviewed-By: Vladimir de Turckheim Reviewed-By: Colin Ihrig --- common.gypi | 2 +- deps/v8/src/common/message-template.h | 2 ++ deps/v8/src/objects/value-serializer.cc | 5 +++++ deps/v8/test/mjsunit/wasm/worker-memory.js | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/common.gypi b/common.gypi index 3b01d806407129..46f4f32a8dfcf8 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.23', + 'v8_embedder_string': '-node.24', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/common/message-template.h b/deps/v8/src/common/message-template.h index c4edee49212489..dba4865250c8aa 100644 --- a/deps/v8/src/common/message-template.h +++ b/deps/v8/src/common/message-template.h @@ -573,6 +573,8 @@ namespace internal { T(DataCloneErrorOutOfMemory, "Data cannot be cloned, out of memory.") \ T(DataCloneErrorDetachedArrayBuffer, \ "An ArrayBuffer is detached and could not be cloned.") \ + T(DataCloneErrorNonDetachableArrayBuffer, \ + "ArrayBuffer is not detachable and could not be cloned.") \ T(DataCloneErrorSharedArrayBufferTransferred, \ "A SharedArrayBuffer could not be cloned. SharedArrayBuffer must not be " \ "transferred.") \ diff --git a/deps/v8/src/objects/value-serializer.cc b/deps/v8/src/objects/value-serializer.cc index 58b1db67492857..9e79f9ba434193 100644 --- a/deps/v8/src/objects/value-serializer.cc +++ b/deps/v8/src/objects/value-serializer.cc @@ -860,6 +860,11 @@ Maybe ValueSerializer::WriteJSArrayBuffer( WriteVarint(index.FromJust()); return ThrowIfOutOfMemory(); } + if (!array_buffer->is_detachable()) { + ThrowDataCloneError( + MessageTemplate::kDataCloneErrorNonDetachableArrayBuffer); + return Nothing(); + } uint32_t* transfer_entry = array_buffer_transfer_map_.Find(array_buffer); if (transfer_entry) { diff --git a/deps/v8/test/mjsunit/wasm/worker-memory.js b/deps/v8/test/mjsunit/wasm/worker-memory.js index c5b99ede7e2836..bf5430f7139815 100644 --- a/deps/v8/test/mjsunit/wasm/worker-memory.js +++ b/deps/v8/test/mjsunit/wasm/worker-memory.js @@ -11,6 +11,13 @@ assertThrows(() => worker.postMessage(memory), Error); })(); +(function TestPostMessageUnsharedMemoryBuffer() { + let worker = new Worker('', {type: 'string'}); + let memory = new WebAssembly.Memory({initial: 1, maximum: 2}); + + assertThrows(() => worker.postMessage(memory.buffer), Error); +})(); + // Can't use assert in a worker. let workerHelpers = `function assertTrue(value, msg) {