[d8] bounds-check before getting Shell::Worker internal field

Prevents fatal error in debug builds BUG=v8:4271 R=binji@chromium.org LOG=N Review URL: https://codereview.chromium.org/1214053004 Cr-Commit-Position: refs/heads/master@{#29524}

[d8] bounds-check before getting Shell::Worker internal field
Prevents fatal error in debug builds BUG=v8:4271 R=binji@chromium.org LOG=N Review URL: https://codereview.chromium.org/1214053004 Cr-Commit-Position: refs/heads/master@{#29524}
43ce9c6f · caitpotter88 · Commit bot · a1f20f09 · 43ce9c6f · 43ce9c6f
Commit 43ce9c6f authored Jul 07, 2015 by caitpotter88 Committed by Commit bot Jul 07, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 7 deletions

d8.cc src/d8.cc +15 -7

regress-4271.js test/mjsunit/regress/regress-4271.js +24 -0

No files found.
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -717,14 +717,17 @@ void Shell::WorkerPostMessage(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Isolate* isolate = args.GetIsolate();
  HandleScope handle_scope(isolate);
  Local<Context> context = isolate->GetCurrentContext();
+  Local<Value> this_value;

  if (args.Length() < 1) {
    Throw(isolate, "Invalid argument");
    return;
  }

-  Local<Value> this_value = args.This()->GetInternalField(0);
-  if (!this_value->IsExternal()) {
+  if (args.This()->InternalFieldCount() > 0) {
+    this_value = args.This()->GetInternalField(0);
+  }
+  if (this_value.IsEmpty()) {
    Throw(isolate, "this is not a Worker");
    return;
  }
@@ -770,9 +773,11 @@ void Shell::WorkerPostMessage(const v8::FunctionCallbackInfo<v8::Value>& args) {
 void Shell::WorkerGetMessage(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Isolate* isolate = args.GetIsolate();
  HandleScope handle_scope(isolate);
-
-  Local<Value> this_value = args.This()->GetInternalField(0);
-  if (!this_value->IsExternal()) {
+  Local<Value> this_value;
+  if (args.This()->InternalFieldCount() > 0) {
+    this_value = args.This()->GetInternalField(0);
+  }
+  if (this_value.IsEmpty()) {
    Throw(isolate, "this is not a Worker");
    return;
  }
@@ -795,8 +800,11 @@ void Shell::WorkerGetMessage(const v8::FunctionCallbackInfo<v8::Value>& args) {
 void Shell::WorkerTerminate(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Isolate* isolate = args.GetIsolate();
  HandleScope handle_scope(isolate);
-  Local<Value> this_value = args.This()->GetInternalField(0);
-  if (!this_value->IsExternal()) {
+  Local<Value> this_value;
+  if (args.This()->InternalFieldCount() > 0) {
+    this_value = args.This()->GetInternalField(0);
+  }
+  if (this_value.IsEmpty()) {
    Throw(isolate, "this is not a Worker");
    return;
  }

--- a/test/mjsunit/regress/regress-4271.js
+++ b/test/mjsunit/regress/regress-4271.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Throw rather than overflow internal field index
+
+assertThrows(function() {
+  Worker.prototype.terminate();
+});
+
+assertThrows(function() {
+  Worker.prototype.getMessage();
+});
+
+assertThrows(function() {
+  Worker.prototype.postMessage({});
+});
+
+// Don't throw for real worker
+
+var worker = new Worker('');
+worker.getMessage();
+worker.postMessage({});
+worker.terminate();