[wasm] PostMessage of Memory.buffer should throw

PostMessage of an ArrayBuffer that is not detachable should result in a DataCloneError. Bug: chromium:1170176, chromium:961059 Change-Id: Ib89bbc10d2b58918067fd1a90365cad10a0db9ec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2653810 Reviewed-by: Adam Klein <adamk@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Cr-Commit-Position: refs/heads/master@{#72415}
2021-01-27 22:19:44 -08:00 · 2021-01-27 22:19:44 -08:00 · dfcf1e86fa
commit dfcf1e86fa
parent fe95e24656
3 changed files with 14 additions and 0 deletions
--- a/src/common/message-template.h
+++ b/src/common/message-template.h
@ -583,6 +583,8 @@ namespace internal {
  T(DataCloneErrorOutOfMemory, "Data cannot be cloned, out of memory.")        \
  T(DataCloneErrorDetachedArrayBuffer,                                         \
    "An ArrayBuffer is detached and could not be cloned.")                     \
+  T(DataCloneErrorNonDetachableArrayBuffer,                                    \
+    "ArrayBuffer is not detachable and could not be cloned.")                  \
  T(DataCloneErrorSharedArrayBufferTransferred,                                \
    "A SharedArrayBuffer could not be cloned. SharedArrayBuffer must not be "  \
    "transferred.")                                                            \
--- a/src/objects/value-serializer.cc
+++ b/src/objects/value-serializer.cc
@ -875,6 +875,11 @@ Maybe<bool> ValueSerializer::WriteJSArrayBuffer(
    WriteVarint(index.FromJust());
    return ThrowIfOutOfMemory();
  }
+  if (!array_buffer->is_detachable()) {
+    ThrowDataCloneError(
+        MessageTemplate::kDataCloneErrorNonDetachableArrayBuffer);
+    return Nothing<bool>();
+  }

  uint32_t* transfer_entry = array_buffer_transfer_map_.Find(array_buffer);
  if (transfer_entry) {
--- a/test/mjsunit/wasm/worker-memory.js
+++ b/test/mjsunit/wasm/worker-memory.js
@ -11,6 +11,13 @@
  assertThrows(() => worker.postMessage(memory), Error);
 })();

+(function TestPostMessageUnsharedMemoryBuffer() {
+  let worker = new Worker('', {type: 'string'});
+  let memory = new WebAssembly.Memory({initial: 1, maximum: 2});
+
+  assertThrows(() => worker.postMessage(memory.buffer), Error);
+})();
+
 // Can't use assert in a worker.
 function workerHelpersHelper() {
  assertTrue = function(value, msg) {