    Fix cluster-fuzz regression with Workers and recursive serialization · 5023335b
    binji authored
    Shell::SerializeValue was using a HandleScope, but was also storing Handles in
    an ObjectList. The ObjectList handles would persist after the function had
    returned, but would already have been destroyed by the HandleScope, so there is
    a use-after-free.
    
    This change removes the HandleScope in Shell::SerializeValue and relies on the
    caller's HandleScope.
    
    BUG=chromium:503968
    R=jochen@chromium.org
    LOG=n
    
    Review URL: https://codereview.chromium.org/1211433003
    
    Cr-Commit-Position: refs/heads/master@{#29265}
regress-crbug-503968.js 404 Bytes
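As an added illustration that is not V8's code and not part of this commit, the following toy C++ model shows the lifetime bug the message describes: a scope that owns handle slots and releases them on exit, a list that keeps those handles past the function return, and the fix of relying on the caller's scope. The `HandleScope`, `Handle`, `ObjectList` and `SerializeValue*` names mirror the commit message but the implementation is a simplified stand-in.

```cpp
#include <cstddef>
#include <vector>

// Toy stand-in for V8's handle mechanism (assumed model, not V8 code):
// a HandleScope owns a range of slots on a global handle stack and pops
// them in its destructor, so any Handle created inside the scope is
// only valid while that scope is alive.
struct Object { int id; };

static std::vector<Object*> g_handle_stack;  // slots owned by live scopes

class HandleScope {
 public:
  HandleScope() : base_(g_handle_stack.size()) {}
  ~HandleScope() { g_handle_stack.resize(base_); }  // destroys the handles
  static std::size_t Create(Object* o) {
    g_handle_stack.push_back(o);
    return g_handle_stack.size() - 1;
  }
 private:
  std::size_t base_;
};

// A Handle is an index into the handle stack; it is live only while some
// scope still owns that slot (a cheap validity check for this model).
struct Handle {
  std::size_t slot;
  bool IsLive() const { return slot < g_handle_stack.size(); }
};
using ObjectList = std::vector<Handle>;

static Object g_objs[2] = {{1}, {2}};  // constructed sample heap objects

// Buggy shape: a local HandleScope, yet the handles escape via the list.
void SerializeValueBuggy(ObjectList* seen) {
  HandleScope scope;
  for (Object& o : g_objs) seen->push_back(Handle{HandleScope::Create(&o)});
}  // scope dies here; every Handle in *seen now refers to a released slot

// Fixed shape: no local scope, so handles live as long as the caller's.
void SerializeValueFixed(ObjectList* seen) {
  for (Object& o : g_objs) seen->push_back(Handle{HandleScope::Create(&o)});
}

// Returns true only if every handle stored by the callee is still live.
template <void (*Serialize)(ObjectList*)>
bool StoredHandlesLive() {
  HandleScope caller;  // the scope the fixed version relies on
  ObjectList seen;
  Serialize(&seen);
  for (const Handle& h : seen) if (!h.IsLive()) return false;
  return true;
}
```

`StoredHandlesLive<SerializeValueBuggy>()` reports dangling handles while `StoredHandlesLive<SerializeValueFixed>()` does not; in real V8 the released slots are reused by the next scope, which is what makes the original a use-after-free rather than a clean failure.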