[rab/gsab] Fix ValueSerializer error handling

Error mode: a TypedArray backed by RAB claims it's not backed by RAB. Drive-by: disable resizability even harder when --harmony-rab-gsab is not on. Bug: v8:11111, chromium:1402139 Change-Id: I937c69f6124419cc8d29da0195686bc3b9a5c281 Fixed: chromium:1402139 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4110751 Reviewed-by: Shu-yu Guo <syg@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#84952}
2022-12-20 11:00:07 +01:00 · 2022-12-20 11:00:07 +01:00 · 250525be1d
commit 250525be1d
parent fd98802746
2 changed files with 28 additions and 3 deletions
--- a/src/objects/value-serializer.cc
+++ b/src/objects/value-serializer.cc
@ -2162,10 +2162,17 @@ bool ValueDeserializer::ValidateJSArrayBufferViewFlags(
  // TODO(marja): When the version number is bumped the next time, check that
  // serialized_flags doesn't contain spurious 1-bits.

+  if (!v8_flags.harmony_rab_gsab) {
+    // Disable resizability. This ensures that no resizable buffers are
+    // created in a version which has the harmony_rab_gsab turned off, even if
+    // such a version is reading data containing resizable buffers from disk.
+    is_length_tracking = false;
+    is_backed_by_rab = false;
+    // The resizability of the buffer was already disabled.
+    CHECK(!buffer.is_resizable_by_js());
+  }
+
  if (is_backed_by_rab || is_length_tracking) {
-    if (!v8_flags.harmony_rab_gsab) {
-      return false;
-    }
    if (!buffer.is_resizable_by_js()) {
      return false;
    }
@ -2173,6 +2180,11 @@ bool ValueDeserializer::ValidateJSArrayBufferViewFlags(
      return false;
    }
  }
+  // The RAB-ness of the buffer and the TA's "is_backed_by_rab" need to be in
+  // sync.
+  if (buffer.is_resizable_by_js() && !buffer.is_shared() && !is_backed_by_rab) {
+    return false;
+  }
  return true;
 }

--- a/test/mjsunit/regress/regress-crbug-1402139.js
+++ b/test/mjsunit/regress/regress-crbug-1402139.js
@ -0,0 +1,13 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --harmony-rab-gsab
+
+const rab = new ArrayBuffer(363, {"maxByteLength": 1000});
+const ta = new Uint8Array(rab);
+rab.resize(80);
+const data = d8.serializer.serialize(ta);
+const dataArray = new Uint8Array(data);
+dataArray[dataArray.length - 1] = 17;
+assertThrows(() => { d8.serializer.deserialize(data); });