Reland [d8] Fix a crash when getting the worker's onmessage handler

Now with more fixes. Bug: chromium:1162473, v8:11383 Change-Id: I54751cef03f6b2b1dc70324486441c9b0b011cc1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2667512 Auto-Submit: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#72487}

Reland [d8] Fix a crash when getting the worker's onmessage handler
Now with more fixes. Bug: chromium:1162473, v8:11383 Change-Id: I54751cef03f6b2b1dc70324486441c9b0b011cc1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2667512 Auto-Submit: Marja Hölttä <marja@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#72487}
b5dae1e4 · Marja Hölttä · Commit Bot · 3a159b87 · b5dae1e4 · b5dae1e4
Commit b5dae1e4 authored Feb 02, 2021 by Marja Hölttä Committed by Commit Bot Feb 02, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 13 deletions

d8.cc src/d8/d8.cc +11 -13

regress-crbug-1162473.js test/mjsunit/regress/regress-crbug-1162473.js +7 -0

No files found.
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -3547,12 +3547,11 @@ void Worker::ProcessMessage(std::unique_ptr<SerializationData> data) {
  Local<Object> global = context->Global();

  // Get the message handler.
-  Local<Value> onmessage = global
-                               ->Get(context, String::NewFromUtf8Literal(
-                                                  isolate_, "onmessage",
-                                                  NewStringType::kInternalized))
-                               .ToLocalChecked();
-  if (!onmessage->IsFunction()) {
+  MaybeLocal<Value> maybe_onmessage = global->Get(
+      context, String::NewFromUtf8Literal(isolate_, "onmessage",
+                                          NewStringType::kInternalized));
+  Local<Value> onmessage;
+  if (!maybe_onmessage.ToLocal(&onmessage) || !onmessage->IsFunction()) {
    return;
  }
  Local<Function> onmessage_fun = onmessage.As<Function>();
@@ -3631,13 +3630,12 @@ void Worker::ExecuteInThread() {
                isolate_, source, file_name, Shell::kNoPrintResult,
                Shell::kReportExceptions, Shell::kProcessMessageQueue)) {
          // Check that there's a message handler
-          Local<Value> onmessage =
-              global
-                  ->Get(context, String::NewFromUtf8Literal(
-                                     isolate_, "onmessage",
-                                     NewStringType::kInternalized))
-                  .ToLocalChecked();
-          if (onmessage->IsFunction()) {
+          MaybeLocal<Value> maybe_onmessage = global->Get(
+              context,
+              String::NewFromUtf8Literal(isolate_, "onmessage",
+                                         NewStringType::kInternalized));
+          Local<Value> onmessage;
+          if (maybe_onmessage.ToLocal(&onmessage) && onmessage->IsFunction()) {
            // Now wait for messages
            ProcessMessages();
          }

--- a/test/mjsunit/regress/regress-crbug-1162473.js
+++ b/test/mjsunit/regress/regress-crbug-1162473.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const script = `__proto__ = Realm.global(Realm.create());`;
+const w = new Worker(script, {type : 'string'});
+w.postMessage('hi');