Initialize internal fields in Factory::NewJSTypedArray and NewJSDataView.

This was causing array buffer views created by ValueDeserializer to have uninitialized internal fields, which lead to crashes in layout tests when Blink tried to read those fields. For array buffers, JSArrayBuffer::Setup is responsible for this logic (as well as initializing the V8 fields); this is similar to that. The runtime already seems to correctly initialize these for script-created array buffer views as well, which is why this issue was not detected sooner. Review-Url: https://codereview.chromium.org/2498413002 Cr-Commit-Position: refs/heads/master@{#41014}

Initialize internal fields in Factory::NewJSTypedArray and NewJSDataView.
This was causing array buffer views created by ValueDeserializer to have uninitialized internal fields, which lead to crashes in layout tests when Blink tried to read those fields. For array buffers, JSArrayBuffer::Setup is responsible for this logic (as well as initializing the V8 fields); this is similar to that. The runtime already seems to correctly initialize these for script-created array buffer views as well, which is why this issue was not detected sooner. Review-Url: https://codereview.chromium.org/2498413002 Cr-Commit-Position: refs/heads/master@{#41014}
879f6599 · jbroman · Commit bot · e80cfa00 · 879f6599 · 879f6599
Commit 879f6599 authored Nov 15, 2016 by jbroman Committed by Commit bot Nov 15, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 0 deletions

factory.cc src/factory.cc +11 -0

test-api.cc test/cctest/test-api.cc +28 -0

No files found.
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -2010,6 +2010,12 @@ void SetupArrayBufferView(i::Isolate* isolate,
  DCHECK(byte_offset + byte_length <=
         static_cast<size_t>(buffer->byte_length()->Number()));

+  DCHECK_EQ(obj->GetInternalFieldCount(),
+            v8::ArrayBufferView::kInternalFieldCount);
+  for (int i = 0; i < v8::ArrayBufferView::kInternalFieldCount; i++) {
+    obj->SetInternalField(i, Smi::kZero);
+  }
+
  obj->set_buffer(*buffer);

  i::Handle<i::Object> byte_offset_object =
@@ -2079,6 +2085,11 @@ Handle<JSTypedArray> Factory::NewJSTypedArray(ElementsKind elements_kind,
                                              size_t number_of_elements,
                                              PretenureFlag pretenure) {
  Handle<JSTypedArray> obj = NewJSTypedArray(elements_kind, pretenure);
+  DCHECK_EQ(obj->GetInternalFieldCount(),
+            v8::ArrayBufferView::kInternalFieldCount);
+  for (int i = 0; i < v8::ArrayBufferView::kInternalFieldCount; i++) {
+    obj->SetInternalField(i, Smi::kZero);
+  }

  size_t element_size = GetFixedTypedArraysElementSize(elements_kind);
  ExternalArrayType array_type = GetArrayTypeFromElementsKind(elements_kind);

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -26156,3 +26156,31 @@ THREADED_TEST(MutableProtoGlobal) {
  CHECK(result->Equals(context, v8::Integer::New(CcTest::isolate(), 0))
            .FromJust());
 }
+
+TEST(InternalFieldsOnTypedArray) {
+  LocalContext env;
+  v8::Isolate* isolate = env->GetIsolate();
+  v8::HandleScope scope(isolate);
+  v8::Local<v8::Context> context = env.local();
+  Context::Scope context_scope(context);
+  v8::Local<v8::ArrayBuffer> buffer = v8::ArrayBuffer::New(isolate, 1);
+  v8::Local<v8::Uint8Array> array = v8::Uint8Array::New(buffer, 0, 1);
+  for (int i = 0; i < v8::ArrayBufferView::kInternalFieldCount; i++) {
+    CHECK_EQ(static_cast<void*>(nullptr),
+             array->GetAlignedPointerFromInternalField(i));
+  }
+}
+
+TEST(InternalFieldsOnDataView) {
+  LocalContext env;
+  v8::Isolate* isolate = env->GetIsolate();
+  v8::HandleScope scope(isolate);
+  v8::Local<v8::Context> context = env.local();
+  Context::Scope context_scope(context);
+  v8::Local<v8::ArrayBuffer> buffer = v8::ArrayBuffer::New(isolate, 1);
+  v8::Local<v8::DataView> array = v8::DataView::New(buffer, 0, 1);
+  for (int i = 0; i < v8::ArrayBufferView::kInternalFieldCount; i++) {
+    CHECK_EQ(static_cast<void*>(nullptr),
+             array->GetAlignedPointerFromInternalField(i));
+  }
+}