Fix D8 Realm.navigate after Realm.detachGlobal

Realm.navigate hits a UAF when it's called after Realm.detachGlobal, and that's hit a clusterfuzz test. Bug: chromium:952749 Change-Id: Icf0f0d0b845bc5a2d1ddd80ab52756dae97b982f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1567583 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Taiju Tsuiki <tzik@chromium.org> Cr-Commit-Position: refs/heads/master@{#60896}
2019-04-15 20:35:49 +09:00 · 2019-04-15 20:35:49 +09:00 · f41f6d7416
commit f41f6d7416
parent 468e36bab8
1 changed files with 11 additions and 0 deletions
--- a/src/d8.cc
+++ b/src/d8.cc
@ -1117,6 +1117,17 @@ void Shell::RealmNavigate(const v8::FunctionCallbackInfo<v8::Value>& args) {

  Local<Context> context = Local<Context>::New(isolate, data->realms_[index]);
  v8::MaybeLocal<Value> global_object = context->Global();
+
+  // Context::Global doesn't return JSGlobalProxy if DetachGlobal is called in
+  // advance.
+  if (!global_object.IsEmpty()) {
+    HandleScope scope(isolate);
+    if (!Utils::OpenHandle(*global_object.ToLocalChecked())
+             ->IsJSGlobalProxy()) {
+      global_object = v8::MaybeLocal<Value>();
+    }
+  }
+
  DisposeRealm(args, index);
  CreateRealm(args, index, global_object);
 }