Fix construction of empty backing stores for SharedArrayBuffers

Bug: chromium:1006629,v8:9380 Change-Id: I8e45759fe3ad1b0ef8f1ebdb33919c84e1e8a044 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815244 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#63928}
2019-09-23 09:54:04 +02:00 · 2019-09-23 09:54:04 +02:00 · 39ecc997eb
commit 39ecc997eb
parent 3803d4d32d
4 changed files with 24 additions and 11 deletions
--- a/src/api/api.cc
+++ b/src/api/api.cc
@ -3742,7 +3742,8 @@ std::shared_ptr<v8::BackingStore> v8::ArrayBuffer::GetBackingStore() {
  i::Handle<i::JSArrayBuffer> self = Utils::OpenHandle(this);
  std::shared_ptr<i::BackingStore> backing_store = self->GetBackingStore();
  if (!backing_store) {
-    backing_store = i::BackingStore::NewEmptyBackingStore();
+    backing_store =
+        i::BackingStore::NewEmptyBackingStore(i::SharedFlag::kNotShared);
  }
  i::GlobalBackingStoreRegistry::Register(backing_store);
  std::shared_ptr<i::BackingStoreBase> bs_base = backing_store;
@ -3753,7 +3754,8 @@ std::shared_ptr<v8::BackingStore> v8::SharedArrayBuffer::GetBackingStore() {
  i::Handle<i::JSArrayBuffer> self = Utils::OpenHandle(this);
  std::shared_ptr<i::BackingStore> backing_store = self->GetBackingStore();
  if (!backing_store) {
-    backing_store = i::BackingStore::NewEmptyBackingStore();
+    backing_store =
+        i::BackingStore::NewEmptyBackingStore(i::SharedFlag::kShared);
  }
  i::GlobalBackingStoreRegistry::Register(backing_store);
  std::shared_ptr<i::BackingStoreBase> bs_base = backing_store;
--- a/src/objects/backing-store.cc
+++ b/src/objects/backing-store.cc
@ -454,14 +454,15 @@ std::unique_ptr<BackingStore> BackingStore::WrapAllocation(
  return std::unique_ptr<BackingStore>(result);
 }

-std::unique_ptr<BackingStore> BackingStore::NewEmptyBackingStore() {
-  auto result = new BackingStore(nullptr,                 // start
-                                 0,                       // length
-                                 0,                       // capacity
-                                 SharedFlag::kNotShared,  // shared
-                                 false,                   // is_wasm_memory
-                                 false,                   // free_on_destruct
-                                 false);                  // has_guard_regions
+std::unique_ptr<BackingStore> BackingStore::NewEmptyBackingStore(
+    SharedFlag shared) {
+  auto result = new BackingStore(nullptr,  // start
+                                 0,        // length
+                                 0,        // capacity
+                                 shared,   // shared
+                                 false,    // is_wasm_memory
+                                 false,    // free_on_destruct
+                                 false);   // has_guard_regions

  return std::unique_ptr<BackingStore>(result);
 }
--- a/src/objects/backing-store.h
+++ b/src/objects/backing-store.h
@ -64,7 +64,7 @@ class V8_EXPORT_PRIVATE BackingStore : public BackingStoreBase {
                                                      bool free_on_destruct);

  // Create an empty backing store.
-  static std::unique_ptr<BackingStore> NewEmptyBackingStore();
+  static std::unique_ptr<BackingStore> NewEmptyBackingStore(SharedFlag shared);

  // Accessors.
  void* buffer_start() const { return buffer_start_; }
--- a/test/mjsunit/regress/regress-1006629.js
+++ b/test/mjsunit/regress/regress-1006629.js
@ -0,0 +1,10 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const workerScript = `
+  onmessage = function() {
+  };`;
+const worker = new Worker(workerScript, {type: 'string'});
+const i32a = new Int32Array( new SharedArrayBuffer() );
+worker.postMessage([i32a.buffer]);