[wasm] PostMessage of Memory.buffer should throw

dtig · Commit Bot · commit dfcf1e86fac0 · 2021-01-28T21:44:42.000Z
PostMessage of an ArrayBuffer that is not detachable should result in a DataCloneError. Bug: chromium:1170176, chromium:961059 Change-Id: Ib89bbc10d2b58918067fd1a90365cad10a0db9ec Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2653810 Reviewed-by: Adam Klein <adamk@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Deepti Gandluri <gdeepti@chromium.org> Cr-Commit-Position: refs/heads/master@{#72415}
diff --git a/src/common/message-template.h b/src/common/message-template.h
@@ -583,6 +583,8 @@ namespace internal {
   T(DataCloneErrorOutOfMemory, "Data cannot be cloned, out of memory.")        \
   T(DataCloneErrorDetachedArrayBuffer,                                         \
     "An ArrayBuffer is detached and could not be cloned.")                     \
+  T(DataCloneErrorNonDetachableArrayBuffer,                                    \
+    "ArrayBuffer is not detachable and could not be cloned.")                  \
   T(DataCloneErrorSharedArrayBufferTransferred,                                \
     "A SharedArrayBuffer could not be cloned. SharedArrayBuffer must not be "  \
     "transferred.")                                                            \
diff --git a/src/objects/value-serializer.cc b/src/objects/value-serializer.cc
@@ -875,6 +875,11 @@ Maybe<bool> ValueSerializer::WriteJSArrayBuffer(
     WriteVarint(index.FromJust());
     return ThrowIfOutOfMemory();
   }
+  if (!array_buffer->is_detachable()) {
+    ThrowDataCloneError(
+        MessageTemplate::kDataCloneErrorNonDetachableArrayBuffer);
+    return Nothing<bool>();
+  }
 
   uint32_t* transfer_entry = array_buffer_transfer_map_.Find(array_buffer);
   if (transfer_entry) {
diff --git a/test/mjsunit/wasm/worker-memory.js b/test/mjsunit/wasm/worker-memory.js
@@ -11,6 +11,13 @@
   assertThrows(() => worker.postMessage(memory), Error);
 })();
 
+(function TestPostMessageUnsharedMemoryBuffer() {
+  let worker = new Worker('', {type: 'string'});
+  let memory = new WebAssembly.Memory({initial: 1, maximum: 2});
+
+  assertThrows(() => worker.postMessage(memory.buffer), Error);
+})();
+
 // Can't use assert in a worker.
 function workerHelpersHelper() {
   assertTrue = function(value, msg) {
