From 9112a310123d1c6738a97190dc1f97b3eb21217f Mon Sep 17 00:00:00 2001
From: Chengzhong Wu <chengzhong.wcz@alibaba-inc.com>
Date: Tue, 18 Apr 2023 15:02:48 +0800
Subject: [PATCH 1/3] src: throw DataCloneError on transfering untransferable
 objects

The HTML StructuredSerializeWithTransfer algorithm defines that when
an untransferable object is in the transfer list, a DataCloneError is
thrown.
An array buffer that is already transferred is also considered as
untransferable.
---
 doc/api/worker_threads.md                     | 46 +++++++++++++++++--
 lib/internal/buffer.js                        |  9 ++++
 lib/internal/modules/esm/worker.js            | 16 +++++--
 lib/worker_threads.js                         |  2 +
 src/env_properties.h                          |  4 +-
 src/node_messaging.cc                         | 16 +++++--
 test/addons/worker-buffer-callback/test.js    |  5 +-
 .../test_worker_buffer_callback/test.js       |  5 +-
 .../test-buffer-pool-untransferable.js        |  5 +-
 .../test-worker-message-port-arraybuffer.js   |  7 +++
 ...est-worker-message-port-transfer-native.js |  2 +-
 ...ge-transfer-port-mark-as-untransferable.js | 13 ++++--
 12 files changed, 109 insertions(+), 21 deletions(-)

diff --git a/doc/api/worker_threads.md b/doc/api/worker_threads.md
index f3f500c9075058..c3b99404a1d9f0 100644
--- a/doc/api/worker_threads.md
+++ b/doc/api/worker_threads.md
@@ -128,10 +128,18 @@ if (isMainThread) {
 added:
   - v14.5.0
   - v12.19.0
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/47604
+    description: An error is thrown when the untransferable object is in the
+                 transfer list.
 -->
 
+* `object` {any} Any arbitrary JavaScript value.
+
 Mark an object as not transferable. If `object` occurs in the transfer list of
-a [`port.postMessage()`][] call, it is ignored.
+a [`port.postMessage()`][] call, an error is thrown. This is a no-op if
+`object` is a primitive value.
 
 In particular, this makes sense for objects that can be cloned, rather than
 transferred, and which are used by other objects on the sending side.
@@ -150,10 +158,15 @@ const typedArray2 = new Float64Array(pooledBuffer);
 markAsUntransferable(pooledBuffer);
 
 const { port1 } = new MessageChannel();
-port1.postMessage(typedArray1, [ typedArray1.buffer ]);
+try {
+  // This will throw an error, because pooledBuffer is not transferable.
+  port1.postMessage(typedArray1, [ typedArray1.buffer ]);
+} catch (error) {
+  // error.name === 'DataCloneError'
+}
 
 // The following line prints the contents of typedArray1 -- it still owns
-// its memory and has been cloned, not transferred. Without
+// its memory and has not been transferred. Without
 // `markAsUntransferable()`, this would print an empty Uint8Array.
 // typedArray2 is intact as well.
 console.log(typedArray1);
@@ -162,6 +175,29 @@ console.log(typedArray2);
 
 There is no equivalent to this API in browsers.
 
+## `worker.isMarkedAsUntransferable(object)`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+* `object` {any} Any arbitrary JavaScript value.
+* Returns: {boolean}
+
+Check is an object is marked as not transferable with
+[`markAsUntransferable()`][].
+
+```js
+const { markAsUntransferable, isMarkedAsUntransferable } = require('node:worker_threads');
+
+const pooledBuffer = new ArrayBuffer(8);
+markAsUntransferable(pooledBuffer);
+
+isMarkedAsUntransferable(pooledBuffer);  // Returns true.
+```
+
+There is no equivalent to this API in browsers.
+
 ## `worker.moveMessagePortToContext(port, contextifiedSandbox)`
 
 <!-- YAML
@@ -568,6 +604,10 @@ are part of the channel.
 <!-- YAML
 added: v10.5.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/47604
+    description: An error is thrown when an untransferable object is in the
+                 transfer list.
   - version:
       - v15.14.0
       - v14.18.0
diff --git a/lib/internal/buffer.js b/lib/internal/buffer.js
index fbe9de249348b3..b8f867a9a725be 100644
--- a/lib/internal/buffer.js
+++ b/lib/internal/buffer.js
@@ -1053,6 +1053,14 @@ function markAsUntransferable(obj) {
   obj[untransferable_object_private_symbol] = true;
 }
 
+// This simply checks if the object is marked as untransferable and doesn't
+// check the ability to be transferred.
+function isMarkedAsUntransferable(obj) {
+  if ((typeof obj !== 'object' && typeof obj !== 'function') || obj === null)
+    return false;
+  return obj[untransferable_object_private_symbol] === true;
+}
+
 // A toggle used to access the zero fill setting of the array buffer allocator
 // in C++.
 // |zeroFill| can be undefined when running inside an isolate where we
@@ -1079,6 +1087,7 @@ module.exports = {
   FastBuffer,
   addBufferPrototypeMethods,
   markAsUntransferable,
+  isMarkedAsUntransferable,
   createUnsafeBuffer,
   readUInt16BE,
   readUInt32BE,
diff --git a/lib/internal/modules/esm/worker.js b/lib/internal/modules/esm/worker.js
index 616076c98fb627..9b531c3231b54e 100644
--- a/lib/internal/modules/esm/worker.js
+++ b/lib/internal/modules/esm/worker.js
@@ -30,13 +30,21 @@ const {
   WORKER_TO_MAIN_THREAD_NOTIFICATION,
 } = require('internal/modules/esm/shared_constants');
 const { initializeHooks } = require('internal/modules/esm/utils');
-
+const { isMarkedAsUntransferable } = require('internal/buffer');
 
 function transferArrayBuffer(hasError, source) {
   if (hasError || source == null) return;
-  if (isArrayBuffer(source)) return [source];
-  if (isTypedArray(source)) return [TypedArrayPrototypeGetBuffer(source)];
-  if (isDataView(source)) return [DataViewPrototypeGetBuffer(source)];
+  let arrayBuffer;
+  if (isArrayBuffer(source)) {
+    arrayBuffer = source;
+  } else if (isTypedArray(source)) {
+    arrayBuffer = TypedArrayPrototypeGetBuffer(source);
+  } else if (isDataView(source)) {
+    arrayBuffer = DataViewPrototypeGetBuffer(source);
+  }
+  if (arrayBuffer && !isMarkedAsUntransferable(arrayBuffer)) {
+    return [arrayBuffer];
+  }
 }
 
 function wrapMessage(status, body) {
diff --git a/lib/worker_threads.js b/lib/worker_threads.js
index 155cc11ecdaf43..084fa98908dc57 100644
--- a/lib/worker_threads.js
+++ b/lib/worker_threads.js
@@ -20,6 +20,7 @@ const {
 
 const {
   markAsUntransferable,
+  isMarkedAsUntransferable,
 } = require('internal/buffer');
 
 module.exports = {
@@ -27,6 +28,7 @@ module.exports = {
   MessagePort,
   MessageChannel,
   markAsUntransferable,
+  isMarkedAsUntransferable,
   moveMessagePortToContext,
   receiveMessageOnPort,
   resourceLimits,
diff --git a/src/env_properties.h b/src/env_properties.h
index 095094714aa400..1ab6af1e744bb4 100644
--- a/src/env_properties.h
+++ b/src/env_properties.h
@@ -66,7 +66,7 @@
   V(change_string, "change")                                                   \
   V(channel_string, "channel")                                                 \
   V(chunks_sent_since_last_write_string, "chunksSentSinceLastWrite")           \
-  V(clone_unsupported_type_str, "Cannot transfer object of unsupported type.") \
+  V(clone_unsupported_type_str, "Cannot clone object of unsupported type.")    \
   V(code_string, "code")                                                       \
   V(commonjs_string, "commonjs")                                               \
   V(config_string, "config")                                                   \
@@ -301,6 +301,8 @@
   V(time_to_first_header_string, "timeToFirstHeader")                          \
   V(tls_ticket_string, "tlsTicket")                                            \
   V(transfer_string, "transfer")                                               \
+  V(transfer_unsupported_type_str,                                             \
+    "Cannot transfer object of unsupported type.")                             \
   V(ttl_string, "ttl")                                                         \
   V(type_string, "type")                                                       \
   V(uid_string, "uid")                                                         \
diff --git a/src/node_messaging.cc b/src/node_messaging.cc
index b40868a1ceeff4..0e1c6b485a46cd 100644
--- a/src/node_messaging.cc
+++ b/src/node_messaging.cc
@@ -459,11 +459,14 @@ Maybe<bool> Message::Serialize(Environment* env,
               .To(&untransferable)) {
         return Nothing<bool>();
       }
-      if (untransferable) continue;
+      if (untransferable) {
+        ThrowDataCloneException(context, env->transfer_unsupported_type_str());
+        return Nothing<bool>();
+      }
     }
 
     // Currently, we support ArrayBuffers and BaseObjects for which
-    // GetTransferMode() does not return kUntransferable.
+    // GetTransferMode() returns kTransferable.
     if (entry->IsArrayBuffer()) {
       Local<ArrayBuffer> ab = entry.As<ArrayBuffer>();
       // If we cannot render the ArrayBuffer unusable in this Isolate,
@@ -474,7 +477,10 @@ Maybe<bool> Message::Serialize(Environment* env,
       // raw data *and* an Isolate with a non-default ArrayBuffer allocator
       // is always going to outlive any Workers it creates, and so will its
       // allocator along with it.
-      if (!ab->IsDetachable()) continue;
+      if (!ab->IsDetachable() || ab->WasDetached()) {
+        ThrowDataCloneException(context, env->transfer_unsupported_type_str());
+        return Nothing<bool>();
+      }
       if (std::find(array_buffers.begin(), array_buffers.end(), ab) !=
           array_buffers.end()) {
         ThrowDataCloneException(
@@ -524,8 +530,8 @@ Maybe<bool> Message::Serialize(Environment* env,
                 entry.As<Object>()->GetConstructorName()));
         return Nothing<bool>();
       }
-      if (host_object && host_object->GetTransferMode() !=
-              BaseObject::TransferMode::kUntransferable) {
+      if (host_object && host_object->GetTransferMode() ==
+                             BaseObject::TransferMode::kTransferable) {
         delegate.AddHostObject(host_object);
         continue;
       }
diff --git a/test/addons/worker-buffer-callback/test.js b/test/addons/worker-buffer-callback/test.js
index 08625b72384eb1..3194fdcb375965 100644
--- a/test/addons/worker-buffer-callback/test.js
+++ b/test/addons/worker-buffer-callback/test.js
@@ -9,7 +9,10 @@ const { buffer } = require(`./build/${common.buildType}/binding`);
 
 const { port1 } = new MessageChannel();
 const origByteLength = buffer.byteLength;
-port1.postMessage(buffer, [buffer.buffer]);
+assert.throws(() => port1.postMessage(buffer, [buffer.buffer]), {
+  code: 25,
+  name: 'DataCloneError',
+});
 
 assert.strictEqual(buffer.byteLength, origByteLength);
 assert.notStrictEqual(buffer.byteLength, 0);
diff --git a/test/node-api/test_worker_buffer_callback/test.js b/test/node-api/test_worker_buffer_callback/test.js
index 4884a27d39e6a2..04b9249c684eab 100644
--- a/test/node-api/test_worker_buffer_callback/test.js
+++ b/test/node-api/test_worker_buffer_callback/test.js
@@ -9,7 +9,10 @@ const { buffer } = require(`./build/${common.buildType}/binding`);
 
 const { port1 } = new MessageChannel();
 const origByteLength = buffer.byteLength;
-port1.postMessage(buffer, [buffer]);
+assert.throws(() => port1.postMessage(buffer, [buffer]), {
+  code: 25,
+  name: 'DataCloneError',
+});
 
 assert.strictEqual(buffer.byteLength, origByteLength);
 assert.notStrictEqual(buffer.byteLength, 0);
diff --git a/test/parallel/test-buffer-pool-untransferable.js b/test/parallel/test-buffer-pool-untransferable.js
index d39b03435fa5b7..596bb6b6c91422 100644
--- a/test/parallel/test-buffer-pool-untransferable.js
+++ b/test/parallel/test-buffer-pool-untransferable.js
@@ -13,7 +13,10 @@ assert.strictEqual(a.buffer, b.buffer);
 const length = a.length;
 
 const { port1 } = new MessageChannel();
-port1.postMessage(a, [ a.buffer ]);
+assert.throws(() => port1.postMessage(a, [ a.buffer ]), {
+  code: 25,
+  name: 'DataCloneError',
+});
 
 // Verify that the pool ArrayBuffer has not actually been transferred:
 assert.strictEqual(a.buffer, b.buffer);
diff --git a/test/parallel/test-worker-message-port-arraybuffer.js b/test/parallel/test-worker-message-port-arraybuffer.js
index 247efa3fdf143b..a30378674a311d 100644
--- a/test/parallel/test-worker-message-port-arraybuffer.js
+++ b/test/parallel/test-worker-message-port-arraybuffer.js
@@ -12,6 +12,13 @@ const { MessageChannel } = require('worker_threads');
   typedArray[0] = 0x12345678;
 
   port1.postMessage(typedArray, [ arrayBuffer ]);
+  assert.strictEqual(arrayBuffer.byteLength, 0);
+  // Transferring again should throw a DataCloneError.
+  assert.throws(() => port1.postMessage(typedArray, [ arrayBuffer ]), {
+    code: 25,
+    name: 'DataCloneError',
+  });
+
   port2.on('message', common.mustCall((received) => {
     assert.strictEqual(received[0], 0x12345678);
     port2.close(common.mustCall());
diff --git a/test/parallel/test-worker-message-port-transfer-native.js b/test/parallel/test-worker-message-port-transfer-native.js
index eb51b2b01af1a3..6990e48e5cb801 100644
--- a/test/parallel/test-worker-message-port-transfer-native.js
+++ b/test/parallel/test-worker-message-port-transfer-native.js
@@ -31,7 +31,7 @@ const { internalBinding } = require('internal/test/binding');
     port1.postMessage(nativeObject);
   }, {
     name: 'DataCloneError',
-    message: /Cannot transfer object of unsupported type\.$/
+    message: /Cannot clone object of unsupported type\.$/
   });
   port1.close();
 }
diff --git a/test/parallel/test-worker-message-transfer-port-mark-as-untransferable.js b/test/parallel/test-worker-message-transfer-port-mark-as-untransferable.js
index 240928263871a4..426cc7a1195fdf 100644
--- a/test/parallel/test-worker-message-transfer-port-mark-as-untransferable.js
+++ b/test/parallel/test-worker-message-transfer-port-mark-as-untransferable.js
@@ -9,11 +9,13 @@ const { MessageChannel, markAsUntransferable } = require('worker_threads');
   markAsUntransferable(ab);
   assert.strictEqual(ab.byteLength, 8);
 
-  const { port1, port2 } = new MessageChannel();
-  port1.postMessage(ab, [ ab ]);
+  const { port1 } = new MessageChannel();
+  assert.throws(() => port1.postMessage(ab, [ ab ]), {
+    code: 25,
+    name: 'DataCloneError',
+  });
 
   assert.strictEqual(ab.byteLength, 8);  // The AB is not detached.
-  port2.once('message', common.mustCall());
 }
 
 {
@@ -24,7 +26,10 @@ const { MessageChannel, markAsUntransferable } = require('worker_threads');
 
   assert.throws(() => {
     channel1.port1.postMessage(channel2.port1, [ channel2.port1 ]);
-  }, /was found in message but not listed in transferList/);
+  }, {
+    code: 25,
+    name: 'DataCloneError',
+  });
 
   channel2.port1.postMessage('still works, not closed/transferred');
   channel2.port2.once('message', common.mustCall());

From 78e022a9f93f121f1dbeb07a3872ff1aa550ea4a Mon Sep 17 00:00:00 2001
From: Chengzhong Wu <chengzhong.wcz@alibaba-inc.com>
Date: Thu, 27 Apr 2023 11:51:32 +0800
Subject: [PATCH 2/3] fixup! src: throw DataCloneError on transfering
 untransferable objects

---
 doc/api/worker_threads.md                     | 10 +++------
 lib/internal/buffer.js                        |  7 ++++++-
 ...ge-transfer-port-mark-as-untransferable.js | 21 +++++++++++++++++--
 3 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/doc/api/worker_threads.md b/doc/api/worker_threads.md
index c3b99404a1d9f0..862b49cb364d72 100644
--- a/doc/api/worker_threads.md
+++ b/doc/api/worker_threads.md
@@ -128,11 +128,6 @@ if (isMainThread) {
 added:
   - v14.5.0
   - v12.19.0
-changes:
-  - version: REPLACEME
-    pr-url: https://github.com/nodejs/node/pull/47604
-    description: An error is thrown when the untransferable object is in the
-                 transfer list.
 -->
 
 * `object` {any} Any arbitrary JavaScript value.
@@ -167,7 +162,8 @@ try {
 
 // The following line prints the contents of typedArray1 -- it still owns
 // its memory and has not been transferred. Without
-// `markAsUntransferable()`, this would print an empty Uint8Array.
+// `markAsUntransferable()`, this would print an empty Uint8Array and the
+// postMessage call would have succeeded.
 // typedArray2 is intact as well.
 console.log(typedArray1);
 console.log(typedArray2);
@@ -181,7 +177,7 @@ There is no equivalent to this API in browsers.
 added: REPLACEME
 -->
 
-* `object` {any} Any arbitrary JavaScript value.
+* `object` {any} Any JavaScript value.
 * Returns: {boolean}
 
 Check is an object is marked as not transferable with
diff --git a/lib/internal/buffer.js b/lib/internal/buffer.js
index b8f867a9a725be..476113f3a159be 100644
--- a/lib/internal/buffer.js
+++ b/lib/internal/buffer.js
@@ -6,6 +6,7 @@ const {
   Float64Array,
   MathFloor,
   Number,
+  ObjectPrototypeHasOwnProperty,
   Uint8Array,
 } = primordials;
 
@@ -1056,8 +1057,12 @@ function markAsUntransferable(obj) {
 // This simply checks if the object is marked as untransferable and doesn't
 // check the ability to be transferred.
 function isMarkedAsUntransferable(obj) {
-  if ((typeof obj !== 'object' && typeof obj !== 'function') || obj === null)
+  if (obj == null)
+    return false;
+  // v8::Object::HasPrivate checks own properties only.
+  if (!ObjectPrototypeHasOwnProperty(obj, untransferable_object_private_symbol)) {
     return false;
+  }
   return obj[untransferable_object_private_symbol] === true;
 }
 
diff --git a/test/parallel/test-worker-message-transfer-port-mark-as-untransferable.js b/test/parallel/test-worker-message-transfer-port-mark-as-untransferable.js
index 426cc7a1195fdf..94ae4e8c5fd237 100644
--- a/test/parallel/test-worker-message-transfer-port-mark-as-untransferable.js
+++ b/test/parallel/test-worker-message-transfer-port-mark-as-untransferable.js
@@ -1,12 +1,13 @@
 'use strict';
 const common = require('../common');
 const assert = require('assert');
-const { MessageChannel, markAsUntransferable } = require('worker_threads');
+const { MessageChannel, markAsUntransferable, isMarkedAsUntransferable } = require('worker_threads');
 
 {
   const ab = new ArrayBuffer(8);
 
   markAsUntransferable(ab);
+  assert.ok(isMarkedAsUntransferable(ab));
   assert.strictEqual(ab.byteLength, 8);
 
   const { port1 } = new MessageChannel();
@@ -23,6 +24,7 @@ const { MessageChannel, markAsUntransferable } = require('worker_threads');
   const channel2 = new MessageChannel();
 
   markAsUntransferable(channel2.port1);
+  assert.ok(isMarkedAsUntransferable(channel2.port1));
 
   assert.throws(() => {
     channel1.port1.postMessage(channel2.port1, [ channel2.port1 ]);
@@ -36,7 +38,22 @@ const { MessageChannel, markAsUntransferable } = require('worker_threads');
 }
 
 {
-  for (const value of [0, null, false, true, undefined, [], {}]) {
+  for (const value of [0, null, false, true, undefined]) {
     markAsUntransferable(value);  // Has no visible effect.
+    assert.ok(!isMarkedAsUntransferable(value));
   }
+  for (const value of [[], {}]) {
+    markAsUntransferable(value);
+    assert.ok(isMarkedAsUntransferable(value));
+  }
+}
+
+{
+  // Verifies that the mark is not inherited.
+  class Foo {}
+  markAsUntransferable(Foo.prototype);
+  assert.ok(isMarkedAsUntransferable(Foo.prototype));
+
+  const foo = new Foo();
+  assert.ok(!isMarkedAsUntransferable(foo));
 }

From eb3c867b0d9cd7dc3e2d7aae0d2c574649480b3c Mon Sep 17 00:00:00 2001
From: legendecas <legendecas@gmail.com>
Date: Wed, 3 May 2023 19:45:40 +0800
Subject: [PATCH 3/3] fixup! src: throw DataCloneError on transfering
 untransferable objects

---
 doc/api/worker_threads.md |  2 +-
 lib/internal/buffer.js    | 10 +++-------
 2 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/doc/api/worker_threads.md b/doc/api/worker_threads.md
index 862b49cb364d72..09b695eb96ea29 100644
--- a/doc/api/worker_threads.md
+++ b/doc/api/worker_threads.md
@@ -180,7 +180,7 @@ added: REPLACEME
 * `object` {any} Any JavaScript value.
 * Returns: {boolean}
 
-Check is an object is marked as not transferable with
+Check if an object is marked as not transferable with
 [`markAsUntransferable()`][].
 
 ```js
diff --git a/lib/internal/buffer.js b/lib/internal/buffer.js
index 476113f3a159be..a65dd43263714e 100644
--- a/lib/internal/buffer.js
+++ b/lib/internal/buffer.js
@@ -6,7 +6,6 @@ const {
   Float64Array,
   MathFloor,
   Number,
-  ObjectPrototypeHasOwnProperty,
   Uint8Array,
 } = primordials;
 
@@ -1055,15 +1054,12 @@ function markAsUntransferable(obj) {
 }
 
 // This simply checks if the object is marked as untransferable and doesn't
-// check the ability to be transferred.
+// check whether we are able to transfer it.
 function isMarkedAsUntransferable(obj) {
   if (obj == null)
     return false;
-  // v8::Object::HasPrivate checks own properties only.
-  if (!ObjectPrototypeHasOwnProperty(obj, untransferable_object_private_symbol)) {
-    return false;
-  }
-  return obj[untransferable_object_private_symbol] === true;
+  // Private symbols are not inherited.
+  return obj[untransferable_object_private_symbol] !== undefined;
 }
 
 // A toggle used to access the zero fill setting of the array buffer allocator