[objects] Disallow externalizing RO_SPACE 2-byte strings

This was already the case for 1-byte strings. This prevents crashes when attempting to externalize such strings. Bug: chromium:842078, v8:7464 Change-Id: I3092a6748edaf77b2689f7b6f6b949929998e508 Reviewed-on: https://chromium-review.googlesource.com/1054290 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Dan Elphick <delphick@chromium.org> Cr-Commit-Position: refs/heads/master@{#53124}
2018-05-11 10:53:36 +01:00 · 2018-05-11 10:53:36 +01:00 · fad99f5e21
commit fad99f5e21
parent fc663faa50
2 changed files with 15 additions and 0 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -2601,6 +2601,7 @@ bool String::MakeExternal(v8::String::ExternalStringResource* resource) {
  // Abort if size does not allow in-place conversion.
  if (size < ExternalString::kShortSize) return false;
  Heap* heap = GetHeap();
+  if (heap->read_only_space()->Contains(this)) return false;
  bool is_one_byte = this->IsOneByteRepresentation();
  bool is_internalized = this->IsInternalizedString();
  bool has_pointers = StringShape(this).IsIndirect();
--- a/test/mjsunit/regress/regress-842078.js
+++ b/test/mjsunit/regress/regress-842078.js
@ -0,0 +1,14 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-externalize-string
+
+// Attempt to externalize a string that's in RO_SPACE, which is not allowed as
+// the string's map would need to be writable.
+assertThrows(() => {
+  externalizeString("1", false)
+});
+assertThrows(() => {
+  externalizeString("1", true)
+});