[d8] bounds-check before getting Shell::Worker internal field

Prevents fatal error in debug builds BUG=v8:4271, 506954 R=binji@chromium.org LOG=N Committed: https://crrev.com/43ce9c6f101c4224addd9a54e0c39963188dc7fa Cr-Commit-Position: refs/heads/master@{#29524} Review URL: https://codereview.chromium.org/1214053004 Cr-Commit-Position: refs/heads/master@{#29737}

[d8] bounds-check before getting Shell::Worker internal field
Prevents fatal error in debug builds BUG=v8:4271, 506954 R=binji@chromium.org LOG=N Committed: https://crrev.com/43ce9c6f101c4224addd9a54e0c39963188dc7fa Cr-Commit-Position: refs/heads/master@{#29524} Review URL: https://codereview.chromium.org/1214053004 Cr-Commit-Position: refs/heads/master@{#29737}
c9007d8f · caitpotter88 · Commit bot · 35b21148 · c9007d8f · c9007d8f
Commit c9007d8f authored Jul 17, 2015 by caitpotter88 Committed by Commit bot Jul 17, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 7 deletions

d8.cc src/d8.cc +15 -7

regress-4271.js test/mjsunit/regress/regress-4271.js +24 -0

No files found.
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -720,14 +720,17 @@ void Shell::WorkerPostMessage(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Isolate* isolate = args.GetIsolate();
  HandleScope handle_scope(isolate);
  Local<Context> context = isolate->GetCurrentContext();
+  Local<Value> this_value;

  if (args.Length() < 1) {
    Throw(isolate, "Invalid argument");
    return;
  }

-  Local<Value> this_value = args.This()->GetInternalField(0);
-  if (!this_value->IsExternal()) {
+  if (args.This()->InternalFieldCount() > 0) {
+    this_value = args.This()->GetInternalField(0);
+  }
+  if (this_value.IsEmpty()) {
    Throw(isolate, "this is not a Worker");
    return;
  }
@@ -773,9 +776,11 @@ void Shell::WorkerPostMessage(const v8::FunctionCallbackInfo<v8::Value>& args) {
 void Shell::WorkerGetMessage(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Isolate* isolate = args.GetIsolate();
  HandleScope handle_scope(isolate);
-
-  Local<Value> this_value = args.This()->GetInternalField(0);
-  if (!this_value->IsExternal()) {
+  Local<Value> this_value;
+  if (args.This()->InternalFieldCount() > 0) {
+    this_value = args.This()->GetInternalField(0);
+  }
+  if (this_value.IsEmpty()) {
    Throw(isolate, "this is not a Worker");
    return;
  }
@@ -798,8 +803,11 @@ void Shell::WorkerGetMessage(const v8::FunctionCallbackInfo<v8::Value>& args) {
 void Shell::WorkerTerminate(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Isolate* isolate = args.GetIsolate();
  HandleScope handle_scope(isolate);
-  Local<Value> this_value = args.This()->GetInternalField(0);
-  if (!this_value->IsExternal()) {
+  Local<Value> this_value;
+  if (args.This()->InternalFieldCount() > 0) {
+    this_value = args.This()->GetInternalField(0);
+  }
+  if (this_value.IsEmpty()) {
    Throw(isolate, "this is not a Worker");
    return;
  }

--- a/test/mjsunit/regress/regress-4271.js
+++ b/test/mjsunit/regress/regress-4271.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+  // Throw rather than overflow internal field index
+  assertThrows(function() {
+    Worker.prototype.terminate();
+  });
+
+  assertThrows(function() {
+    Worker.prototype.getMessage();
+  });
+
+  assertThrows(function() {
+    Worker.prototype.postMessage({});
+  });
+
+  // Don't throw for real worker
+  var worker = new Worker('');
+  worker.getMessage();
+  worker.postMessage({});
+  worker.terminate();
+}