Fix out-of-memory crashes related to ArrayBuffer allocation

third_party/WebKit/Source/modules/push_messaging/PushMessageData.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "modules/push_messaging/PushMessageData.h"
 
 #include "bindings/core/v8/ExceptionState.h"
 #include "bindings/core/v8/ScriptState.h"
 #include "bindings/core/v8/V8Binding.h"
 #include "bindings/modules/v8/UnionTypesModules.h"
 #include "core/dom/DOMArrayBuffer.h"
 #include "core/fileapi/Blob.h"
 #include "platform/blob/BlobData.h"
 #include "wtf/text/TextEncoding.h"
 #include <v8.h>
 
 namespace blink {
 
-PushMessageData* PushMessageData::create(const String& messageString)
+PushMessageData* PushMessageData::create(const String& messageString, ExceptionState& exceptionState)
 {
-    return PushMessageData::create(ArrayBufferOrArrayBufferViewOrUSVString::fromUSVString(messageString));
+    return PushMessageData::create(ArrayBufferOrArrayBufferViewOrUSVString::fromUSVString(messageString), exceptionState);
 }
 
-PushMessageData* PushMessageData::create(const ArrayBufferOrArrayBufferViewOrUSVString& messageData)
+PushMessageData* PushMessageData::create(const ArrayBufferOrArrayBufferViewOrUSVString& messageData, ExceptionState& exceptionState)
 {
     if (messageData.isArrayBuffer() || messageData.isArrayBufferView()) {
         RefPtr<DOMArrayBuffer> buffer = messageData.isArrayBufferView()
-            ? messageData.getAsArrayBufferView()->buffer()
+            ? messageData.getAsArrayBufferView()->bufferOrNull()
             : messageData.getAsArrayBuffer();
 
+        // TODO(junov): crbug.com/536816
+        // Instead of crashing when buffer allocation fails, we should consider
+        // throwing a RangeError exception. It is what the ECMAScript spec says to do:
+        // http://ecma-international.org/ecma-262/6.0/#sec-createbytedatablock
+        // However the PushMessageData specification does not state that such
+        // exceptions should be re-thrown.
+        RELEASE_ASSERT(buffer); // This is essentially an out-of-memory crash
         return new PushMessageData(static_cast<const char*>(buffer->data()), buffer->byteLength());
     }
 
     if (messageData.isUSVString()) {
         CString encodedString = UTF8Encoding().encode(messageData.getAsUSVString(), WTF::EntitiesForUnencodables);
         return new PushMessageData(encodedString.data(), encodedString.length());
     }
 
     ASSERT(messageData.isNull());
     return new PushMessageData();
 }
 
 PushMessageData::PushMessageData()
 {
 }
 
 PushMessageData::PushMessageData(const char* data, unsigned bytesSize)
 {
     m_data.append(data, bytesSize);
 }
 
 PushMessageData::~PushMessageData()
 {
 }
 
 PassRefPtr<DOMArrayBuffer> PushMessageData::arrayBuffer() const
 {
-    return DOMArrayBuffer::create(m_data.data(), m_data.size());
+    // TODO(junov): crbug.com/536816
+    // Use createOrNull instead of deprecatedCreateOrCrash. Requires
+    // defining behavior for when allocation fails. ECMAScript spec says
+    // allocation failure should throw a RangeError exception, but the
+    // spec for PushMessageData.arrayBuffer() does not state that
+    // such exceptions should be re-thrown. So for now, we just crash.
+    RefPtr<DOMArrayBuffer> buffer = DOMArrayBuffer::deprecatedCreateOrCrash(m_data.data(), m_data.size());
+    return buffer.release();
 }
 
 Blob* PushMessageData::blob() const
 {
     OwnPtr<BlobData> blobData = BlobData::create();
     blobData->appendBytes(m_data.data(), m_data.size());
 
     // Note that the content type of the Blob object is deliberately not being
     // provided, following the specification.
 
@@ skipping 21 matching lines @@
 String PushMessageData::text() const
 {
     return UTF8Encoding().decode(m_data.data(), m_data.size());
 }
 
 DEFINE_TRACE(PushMessageData)
 {
 }
 
 } // namespace blink