Commit c137eb50 authored by Eric Holk's avatar Eric Holk Committed by Commit Bot

[typed arrays] GetBuffer returns old buffer for guarded buffers

This also adds a DCHECK that the buffer does not have guard pages in
MaterializeArrayBuffer, because the code there does not know how to correctly
set up a buffer with guard pages.

Bug: chromium:801849
Change-Id: Ic761fcdfbd16a2d6e87f4eb135f5d03b7aa2d71d
Reviewed-on: https://chromium-review.googlesource.com/938968Reviewed-by: 's avatarDeepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51616}
parent 556bf4a9
......@@ -19159,6 +19159,10 @@ Handle<JSArrayBuffer> JSTypedArray::MaterializeArrayBuffer(
Handle<JSArrayBuffer> buffer(JSArrayBuffer::cast(typed_array->buffer()),
isolate);
// This code does not know how to materialize from a buffer with guard
// regions.
DCHECK(!buffer->has_guard_region());
void* backing_store =
isolate->array_buffer_allocator()->AllocateUninitialized(
fixed_typed_array->DataSize());
......@@ -19193,7 +19197,8 @@ Handle<JSArrayBuffer> JSTypedArray::GetBuffer() {
Handle<JSArrayBuffer> array_buffer(JSArrayBuffer::cast(buffer()),
GetIsolate());
if (array_buffer->was_neutered() ||
array_buffer->backing_store() != nullptr) {
array_buffer->backing_store() != nullptr ||
array_buffer->has_guard_region()) {
return array_buffer;
}
Handle<JSTypedArray> self(this);
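Review bot: The new `array_buffer->has_guard_region()` arm in GetBuffer is, in release builds, the only thing keeping a guarded buffer away from MaterializeArrayBuffer, since the DCHECK added in the first hunk compiles out there; the condition deserves a comment stating that invariant so a later edit does not drop the arm as redundant with the backing-store check. Proposed, above the `if`: `// Guarded buffers are returned as-is even when backing_store() is null: MaterializeArrayBuffer cannot set up guard pages, so it must never see one.` Note that the early return now hands back a buffer whose backing_store() may still be null; whether every caller of GetBuffer tolerates that cannot be confirmed from this hunk. GetBuffer's body continues below the hunk.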
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(new Int8Array((new WebAssembly.Memory({})).buffer)).buffer;