Reviewers: jochen,

Description:
Fix cluster-fuzz regression with Workers and recursive serialization

Shell::SerializeValue was using a HandleScope, but was also storing Handles in
an ObjectList. The ObjectList handles would persist after the function had
returned, but the HandleScope would already have destroyed them, so there was
a use-after-free.

This change removes the HandleScope in Shell::SerializeValue and relies on the
caller's HandleScope.

BUG=chromium:503968
[email protected]
LOG=n

Please review this at https://codereview.chromium.org/1211433003/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+15, -1 lines):
  M src/d8.cc
  A test/mjsunit/regress/regress-crbug-503968.js


Index: src/d8.cc
diff --git a/src/d8.cc b/src/d8.cc
index 333f7e440274b2334ace286e7be5e46064fa3959..d04af86396200e17021e95ca58d73f862795d738 100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -1970,7 +1970,6 @@ bool Shell::SerializeValue(Isolate* isolate, Handle<Value> value,
                            ObjectList* seen_objects,
                            SerializationData* out_data) {
   DCHECK(out_data);
-  HandleScope scope(isolate);
   Local<Context> context = isolate->GetCurrentContext();

   if (value->IsUndefined()) {
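Review bot: Dropping the `HandleScope` at the top of `Shell::SerializeValue` removes the dangling entries in `seen_objects`, but the resulting contract — every handle this function pushes into `*seen_objects` is owned by the caller's HandleScope and must not be used after that scope closes — is now invisible, and nothing prevents a later cleanup from reintroducing the very line removed here. Put a comment where the scope used to be, e.g. `// Deliberately no HandleScope here: handles stored in *seen_objects must remain valid until the caller's scope ends (crbug.com/503968).` The function's header comment should also state that callers must open a HandleScope that covers both this call and every subsequent use of `seen_objects`. If the ObjectList is ever meant to outlive a single caller scope, persistent handles would be the safer representation, but nothing in this hunk shows such a use. The enclosing function begins before and continues past this hunk.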
Index: test/mjsunit/regress/regress-crbug-503968.js
diff --git a/test/mjsunit/regress/regress-crbug-503968.js b/test/mjsunit/regress/regress-crbug-503968.js
new file mode 100644
index 0000000000000000000000000000000000000000..c0446da94db586271c3dcc468cb3ff289434c22d
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-503968.js
@@ -0,0 +1,15 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+  function __f_0() { this.s = new Object(); }
+  function __f_1() {
+    this.l = [new __f_0, new __f_0];
+  }
+  __v_6 = new __f_1;
+  function __f_4() {
+  }
+  var __v_9 = new Worker(__f_4);
+  __v_9.postMessage(__v_6);
+}
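Review bot: The new test carries no comment and no assertion, so nothing records that it is a crash reproducer for recursive serialization of a nested object graph through `Worker.postMessage` rather than a functional check, and the failure it guards against only surfaces reliably under ASan or the fuzzer. Add a header after the license such as `// Regression test for crbug.com/503968: posting an object graph two levels deep to a Worker must not use-after-free handles in Shell::SerializeValue.` The `function` declarations nested inside `if (this.Worker)` rely on sloppy-mode block-level function semantics; hoisting them above the guard or writing `var __f_0 = function () { ... };` would make the intent clearer. The worker is never terminated and `__f_4` is empty; whether d8 exits cleanly with an idle worker is not visible from this hunk, so confirm the harness does not hang on it.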

