Commit dfe7eb84 authored by Eric Holk's avatar Eric Holk Committed by Commit Bot

Mark neteured ArrayBuffers as not neuterable

Bug: chromium:821368
Change-Id: I4e7032d76a0ac0e291b9dab2f7bcb58ce84827cf
Reviewed-on: https://chromium-review.googlesource.com/963601
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51971}
parent c65f0a78
......@@ -19046,6 +19046,7 @@ void JSArrayBuffer::Neuter() {
set_allocation_base(nullptr);
set_allocation_length(0);
set_was_neutered(true);
set_is_neuterable(false);
// Invalidate the neutering protector.
Isolate* const isolate = GetIsolate();
if (isolate->IsArrayBufferNeuteringIntact()) {
......
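Review bot: The added `set_is_neuterable(false);` has no comment explaining why a neutered buffer must also stop being neuterable, and the invariant it creates (was_neutered implies not neuterable) is not stated anywhere in the hunk. I would add a line above it such as `// A neutered buffer must never be neutered or transferred a second time.` so that a later refactor does not drop the call. Callers that gate a transfer on the neuterable flag presumably depend on this, but they are not visible here. Neuter() starts before the hunk and continues past it, so whether it also asserts the flag on entry cannot be checked from this page.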
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const worker = new Worker("onmessage = function(){}");
const buffer = new ArrayBuffer();
worker.postMessage(buffer, [buffer]);
try {
worker.postMessage(buffer, [buffer]);
} catch (e) {
if (e != "ArrayBuffer could not be transferred") {
throw e;
}
}
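Review bot: The test still passes when the second `worker.postMessage(buffer, [buffer])` does not throw at all, so it covers only the crash and not the rejection of a repeated transfer. If rejection is the intended behaviour after this change, add `throw new Error("second transfer was not rejected");` as the last statement of the `try` block; the existing `catch` rethrows anything that does not compare equal to the expected message. The comparison `e != "ArrayBuffer could not be transferred"` also assumes the shell throws a plain string rather than an Error object, which is worth a one-line comment.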