[d8] Fix a crash when getting the worker's onmessage handler

Bug: chromium:1162473
Change-Id: Ided2f52882aaf02e1dc9a8d0ba883fedf029464d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2663004Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72473}

src/d8/d8.cc

@@ -3547,12 +3547,11 @@ void Worker::ProcessMessage(std::unique_ptr<SerializationData> data) {
   Local<Object> global = context->Global();
 
   // Get the message handler.
-  Local<Value> onmessage = global
-                               ->Get(context, String::NewFromUtf8Literal(
-                                                  isolate_, "onmessage",
-                                                  NewStringType::kInternalized))
-                               .ToLocalChecked();
-  if (!onmessage->IsFunction()) {
+  MaybeLocal<Value> maybe_onmessage = global->Get(
+      context, String::NewFromUtf8Literal(isolate_, "onmessage",
+                                          NewStringType::kInternalized));
+  Local<Value> onmessage;
+  if (!maybe_onmessage.ToLocal(&onmessage) || !onmessage->IsFunction()) {
     return;
   }
   Local<Function> onmessage_fun = onmessage.As<Function>();

test/mjsunit/regress/regress-crbug-1162473.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const script = `__proto__ = Realm.global(Realm.create());`;
+const w = new Worker(script, {type : 'string'});
+w.postMessage('hi');