[web snap] Use-after-free fix

Bug: v8:11525,v8:12820 Change-Id: I282ab058b6062513113059db171644466ef37870 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3667078Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#80848}

[web snap] Use-after-free fix
Bug: v8:11525,v8:12820 Change-Id: I282ab058b6062513113059db171644466ef37870 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3667078Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#80848}
b5ccb0ef · Marja Hölttä · V8 LUCI CQ · 3b251deb · b5ccb0ef · b5ccb0ef
Commit b5ccb0ef authored May 31, 2022 by Marja Hölttä Committed by V8 LUCI CQ May 31, 2022
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 80 additions and 66 deletions

web-snapshot.cc src/web-snapshot/web-snapshot.cc +76 -64

web-snapshot.h src/web-snapshot/web-snapshot.h +4 -2

No files found.
--- a/src/web-snapshot/web-snapshot.cc
+++ b/src/web-snapshot/web-snapshot.cc
--- a/src/web-snapshot/web-snapshot.h
+++ b/src/web-snapshot/web-snapshot.h
@@ -378,7 +378,8 @@ class V8_EXPORT WebSnapshotDeserializer

  WebSnapshotDeserializer(Isolate* isolate, Handle<Object> script_name,
                          base::Vector<const uint8_t> buffer);
-  base::Vector<const uint8_t> ExtractScriptBuffer(
+  // Return value: {data, length, data_owned}.
+  std::tuple<const uint8_t*, uint32_t, bool> ExtractScriptBuffer(
      Isolate* isolate, Handle<Script> snapshot_as_script);
  bool DeserializeSnapshot(bool skip_exports);
  void CollectBuiltinObjects();
@@ -517,7 +518,8 @@ class V8_EXPORT WebSnapshotDeserializer
  uint32_t object_count_ = 0;
  uint32_t current_object_count_ = 0;

-  ValueDeserializer deserializer_;
+  std::unique_ptr<ValueDeserializer> deserializer_;
+  std::unique_ptr<const uint8_t[]> owned_data_;
  ReadOnlyRoots roots_;

  bool deserialized_ = false;