Fix out-of-memory crashes related to ArrayBuffer allocation

third_party/WebKit/Source/bindings/core/v8/ScriptValueSerializer.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "bindings/core/v8/ScriptValueSerializer.h"
 
 #include "bindings/core/v8/V8ArrayBuffer.h"
 #include "bindings/core/v8/V8ArrayBufferView.h"
 #include "bindings/core/v8/V8Blob.h"
@@ skipping 958 matching lines @@
 {
     v8::Local<v8::RegExp> regExp = value.As<v8::RegExp>();
     m_writer.writeRegExp(regExp->GetSource(), regExp->GetFlags());
 }
 
 ScriptValueSerializer::StateBase* ScriptValueSerializer::writeAndGreyArrayBufferView(v8::Local<v8::Object> object, ScriptValueSerializer::StateBase* next)
 {
     ASSERT(!object.IsEmpty());
     DOMArrayBufferView* arrayBufferView = V8ArrayBufferView::toImpl(object);
     if (!arrayBufferView)
-        return 0;
-    if (!arrayBufferView->bufferBase())
+        return nullptr;
+    if (!arrayBufferView->bufferBaseOrNull())
         return handleError(DataCloneError, "An ArrayBuffer could not be cloned.", next);
-    v8::Local<v8::Value> underlyingBuffer = toV8(arrayBufferView->bufferBase(), m_scriptState->context()->Global(), isolate());
+    v8::Local<v8::Value> underlyingBuffer = toV8(arrayBufferView->bufferBaseOrNull(), m_scriptState->context()->Global(), isolate());
     if (underlyingBuffer.IsEmpty())
         return handleError(DataCloneError, "An ArrayBuffer could not be cloned.", next);
     StateBase* stateOut = doSerializeArrayBuffer(underlyingBuffer, next);
     if (stateOut)
         return stateOut;
     m_writer.writeArrayBufferView(*arrayBufferView);
     // This should be safe: we serialize something that we know to be a wrapper (see
     // the toV8 call above), so the call to doSerializeArrayBuffer should neither
     // cause the system stack to overflow nor should it have potential to reach
     // this ArrayBufferView again.
@@ skipping 532 matching lines @@
     uint32_t height;
     uint32_t pixelDataLength;
     if (!doReadUint32(&width))
         return false;
     if (!doReadUint32(&height))
         return false;
     if (!doReadUint32(&pixelDataLength))
         return false;
     if (m_position + pixelDataLength > m_length)
         return false;
-    ImageData* imageData = ImageData::create(IntSize(width, height));
+    NonThrowableExceptionState exceptionState;
+    ImageData* imageData = ImageData::create(IntSize(width, height), exceptionState);
+    if (exceptionState.hadException())
+        return false;
     DOMUint8ClampedArray* pixelArray = imageData->data();
     ASSERT(pixelArray);
     ASSERT(pixelArray->length() >= pixelDataLength);
     memcpy(pixelArray->data(), m_buffer + m_position, pixelDataLength);
     m_position += pixelDataLength;
     *value = toV8(imageData, m_scriptState->context()->Global(), isolate());
     return !value->IsEmpty();
 }
 
 bool SerializedScriptValueReader::readCompositorProxy(v8::Local<v8::Value>* value)
 {
     uint32_t attributes;
     uint64_t element;
     if (!doReadUint64(&element))
         return false;
     if (!doReadUint32(&attributes))
         return false;
 
     CompositorProxy* compositorProxy = CompositorProxy::create(element, attributes);
     *value = toV8(compositorProxy, m_scriptState->context()->Global(), isolate());
     return !value->IsEmpty();
 }
 
-PassRefPtr<DOMArrayBuffer> SerializedScriptValueReader::doReadArrayBuffer()
+PassRefPtr<DOMArrayBuffer> SerializedScriptValueReader::doReadArrayBufferOrNull()

[jsbell, 2015/10/20 22:25:50]

Since this already returned nullptr in some cases, do we need to change the
name?

 {
     uint32_t byteLength;
     if (!doReadUint32(&byteLength))
         return nullptr;
     if (m_position + byteLength > m_length)
         return nullptr;
     const void* bufferStart = m_buffer + m_position;
     m_position += byteLength;
-    return DOMArrayBuffer::create(bufferStart, byteLength);
+    return DOMArrayBuffer::createOrNull(bufferStart, byteLength);
 }
 
 bool SerializedScriptValueReader::readArrayBuffer(v8::Local<v8::Value>* value)
 {
-    RefPtr<DOMArrayBuffer> arrayBuffer = doReadArrayBuffer();
+    RefPtr<DOMArrayBuffer> arrayBuffer = doReadArrayBufferOrNull();
     if (!arrayBuffer)
         return false;

[jsbell, 2015/10/20 22:25:50]

I'm embarrassed to say I don't know how we handle failure (false) here
downstream in all cases. Previously this would only happen if the data was
corrupted e.g. due to a bug in serialization, so crash-fast might be the best
approach.

We're trying to avoid that with this exploration, so more investigation needed
here. (Another TODO to investigate?)

     *value = toV8(arrayBuffer.release(), m_scriptState->context()->Global(), isolate());
     return !value->IsEmpty();
 }
 
 bool SerializedScriptValueReader::readArrayBufferView(v8::Local<v8::Value>* value, ScriptValueCompositeCreator& creator)
 {
     ArrayBufferViewSubTag subTag;
     uint32_t byteOffset;
     uint32_t byteLength;
     RefPtr<DOMArrayBufferBase> arrayBuffer;
@@ skipping 571 matching lines @@
         return false;
     uint32_t objectReference = m_openCompositeReferenceStack[m_openCompositeReferenceStack.size() - 1];
     m_openCompositeReferenceStack.shrink(m_openCompositeReferenceStack.size() - 1);
     if (objectReference >= m_objectPool.size())
         return false;
     *object = m_objectPool[objectReference];
     return true;
 }
 
 } // namespace blink