Fix construction of empty backing stores for SharedArrayBuffers

Bug: chromium:1006629,v8:9380
Change-Id: I8e45759fe3ad1b0ef8f1ebdb33919c84e1e8a044
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815244Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63928}

src/api/api.cc

@@ -3742,7 +3742,8 @@ std::shared_ptr<v8::BackingStore> v8::ArrayBuffer::GetBackingStore() {
   i::Handle<i::JSArrayBuffer> self = Utils::OpenHandle(this);
   std::shared_ptr<i::BackingStore> backing_store = self->GetBackingStore();
   if (!backing_store) {
-    backing_store = i::BackingStore::NewEmptyBackingStore();
+    backing_store =
+        i::BackingStore::NewEmptyBackingStore(i::SharedFlag::kNotShared);
   }
   i::GlobalBackingStoreRegistry::Register(backing_store);
   std::shared_ptr<i::BackingStoreBase> bs_base = backing_store;
@@ -3753,7 +3754,8 @@ std::shared_ptr<v8::BackingStore> v8::SharedArrayBuffer::GetBackingStore() {
   i::Handle<i::JSArrayBuffer> self = Utils::OpenHandle(this);
   std::shared_ptr<i::BackingStore> backing_store = self->GetBackingStore();
   if (!backing_store) {
-    backing_store = i::BackingStore::NewEmptyBackingStore();
+    backing_store =
+        i::BackingStore::NewEmptyBackingStore(i::SharedFlag::kShared);
   }
   i::GlobalBackingStoreRegistry::Register(backing_store);
   std::shared_ptr<i::BackingStoreBase> bs_base = backing_store;

src/objects/backing-store.cc

@@ -454,14 +454,15 @@ std::unique_ptr<BackingStore> BackingStore::WrapAllocation(
   return std::unique_ptr<BackingStore>(result);
 }
 
-std::unique_ptr<BackingStore> BackingStore::NewEmptyBackingStore() {
-  auto result = new BackingStore(nullptr,                 // start
-                                 0,                       // length
-                                 0,                       // capacity
-                                 SharedFlag::kNotShared,  // shared
-                                 false,                   // is_wasm_memory
-                                 false,                   // free_on_destruct
-                                 false);                  // has_guard_regions
+std::unique_ptr<BackingStore> BackingStore::NewEmptyBackingStore(
+    SharedFlag shared) {
+  auto result = new BackingStore(nullptr,  // start
+                                 0,        // length
+                                 0,        // capacity
+                                 shared,   // shared
+                                 false,    // is_wasm_memory
+                                 false,    // free_on_destruct
+                                 false);   // has_guard_regions
 
   return std::unique_ptr<BackingStore>(result);
 }

src/objects/backing-store.h

@@ -64,7 +64,7 @@ class V8_EXPORT_PRIVATE BackingStore : public BackingStoreBase {
                                                       bool free_on_destruct);
 
   // Create an empty backing store.
-  static std::unique_ptr<BackingStore> NewEmptyBackingStore();
+  static std::unique_ptr<BackingStore> NewEmptyBackingStore(SharedFlag shared);
 
   // Accessors.
   void* buffer_start() const { return buffer_start_; }

test/mjsunit/regress/regress-1006629.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const workerScript = `
+  onmessage = function() {
+  };`;
+const worker = new Worker(workerScript, {type: 'string'});
+const i32a = new Int32Array( new SharedArrayBuffer() );
+worker.postMessage([i32a.buffer]);