Ensure ArrayBuffers are not neutered twice

Bug: chromium:813876
Change-Id: I71c571e4185eff3a7386141a408dcb820a70ff95
Reviewed-on: https://chromium-review.googlesource.com/933594Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Eric Holk <eholk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51890}

src/objects.cc

@@ -19050,6 +19050,7 @@ Handle<String> JSMessageObject::GetSourceLine() const {
 
 void JSArrayBuffer::Neuter() {
   CHECK(is_neuterable());
+  CHECK(!was_neutered());
   CHECK(is_external());
   set_backing_store(nullptr);
   set_byte_length(Smi::kZero);

test/unittests/value-serializer-unittest.cc

@@ -81,7 +81,6 @@ class ValueSerializerTest : public TestWithIsolate {
   // Overridden in more specific fixtures.
   virtual ValueSerializer::Delegate* GetSerializerDelegate() { return nullptr; }
   virtual void BeforeEncode(ValueSerializer*) {}
-  virtual void AfterEncode() {}
   virtual ValueDeserializer::Delegate* GetDeserializerDelegate() {
     return nullptr;
   }
@@ -118,7 +117,6 @@ class ValueSerializerTest : public TestWithIsolate {
     if (!serializer.WriteValue(context, value).FromMaybe(false)) {
       return Nothing<std::vector<uint8_t>>();
     }
-    AfterEncode();
     std::pair<uint8_t*, size_t> buffer = serializer.Release();
     std::vector<uint8_t> result(buffer.first, buffer.first + buffer.second);
     free(buffer.first);
@@ -1652,8 +1650,6 @@ class ValueSerializerTestWithArrayBufferTransfer : public ValueSerializerTest {
     serializer->TransferArrayBuffer(0, input_buffer_);
   }
 
-  void AfterEncode() override { input_buffer_->Neuter(); }
-
   void BeforeDecode(ValueDeserializer* deserializer) override {
     deserializer->TransferArrayBuffer(0, output_buffer_);
   }