Skip to content

V
V8
Commit dfe7eb84 authored by Eric Holk's avatar Eric Holk Committed by Commit Bot
Browse files
Options

Mark neteured ArrayBuffers as not neuterable 

Bug: chromium:821368
Change-Id: I4e7032d76a0ac0e291b9dab2f7bcb58ce84827cf
Reviewed-on: https://chromium-review.googlesource.com/963601Reviewed-by: 's avatarDeepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51971}
parent c65f0a78
Hide whitespace changes
Inline Side-by-side
Showing with 15 additions and 0 deletions
src/objects.cc
View file @ dfe7eb84
......@@ -19046,6 +19046,7 @@ void JSArrayBuffer::Neuter() {
set_allocation_base(nullptr);
set_allocation_length(0);
set_was_neutered(true);
set_is_neuterable(false);
// Invalidate the neutering protector.
Isolate* const isolate = GetIsolate();
if (isolate->IsArrayBufferNeuteringIntact()) {
......
test/mjsunit/regress/regress-821368.js 0 → 100644
View file @ dfe7eb84
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const worker = new Worker("onmessage = function(){}");
const buffer = new ArrayBuffer();
worker.postMessage(buffer, [buffer]);
try {
worker.postMessage(buffer, [buffer]);
} catch (e) {
if (e != "ArrayBuffer could not be transferred") {
throw e;
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment