Fix cluster-fuzz regression with Workers and recursive serialization

Shell::SerializeValue was using a HandleScope, but was also storing Handles in an ObjectList. The ObjectList handles would persist after the function had returned, but will have already been destroyed by the HandleScope, so there is a use-after-free. This change removes the HandleScope in Shell::SerializeValue and relies on the caller's HandleScope. BUG=chromium:503968 R=jochen@chromium.org LOG=n Review URL: https://codereview.chromium.org/1211433003 Cr-Commit-Position: refs/heads/master@{#29265}
2015-06-24 11:31:39 -07:00 · 2015-06-24 11:31:39 -07:00 · 5023335b4d
commit 5023335b4d
parent d2135603bc
2 changed files with 15 additions and 1 deletions
--- a/src/d8.cc
+++ b/src/d8.cc
@ -1972,7 +1972,6 @@ bool Shell::SerializeValue(Isolate* isolate, Handle<Value> value,
                           ObjectList* seen_objects,
                           SerializationData* out_data) {
  DCHECK(out_data);
-  HandleScope scope(isolate);
  Local<Context> context = isolate->GetCurrentContext();

  if (value->IsUndefined()) {
--- a/test/mjsunit/regress/regress-crbug-503968.js
+++ b/test/mjsunit/regress/regress-crbug-503968.js
@ -0,0 +1,15 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+  function __f_0() { this.s = new Object(); }
+  function __f_1() {
+    this.l = [new __f_0, new __f_0];
+  }
+  __v_6 = new __f_1;
+  function __f_4() {
+  }
+  var __v_9 = new Worker(__f_4);
+  __v_9.postMessage(__v_6);
+}