
Unified Diff: third_party/WebKit/Source/bindings/core/v8/ScriptValueSerializer.cpp

Issue 1414553002: Fix out-of-memory crashes related to ArrayBuffer allocation Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: applied review comments Created 5 years, 2 months ago
Index: third_party/WebKit/Source/bindings/core/v8/ScriptValueSerializer.cpp
diff --git a/third_party/WebKit/Source/bindings/core/v8/ScriptValueSerializer.cpp b/third_party/WebKit/Source/bindings/core/v8/ScriptValueSerializer.cpp
index 3bd0390146d9043f971387b6fb751005509455e8..7bf3c65832408e2f127e66aefb5cb257dad8ae50 100644
--- a/third_party/WebKit/Source/bindings/core/v8/ScriptValueSerializer.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/ScriptValueSerializer.cpp
@@ -976,10 +976,10 @@ ScriptValueSerializer::StateBase* ScriptValueSerializer::writeAndGreyArrayBuffer
ASSERT(!object.IsEmpty());
DOMArrayBufferView* arrayBufferView = V8ArrayBufferView::toImpl(object);
if (!arrayBufferView)
- return 0;
- if (!arrayBufferView->bufferBase())
+ return nullptr;
+ if (!arrayBufferView->bufferBaseOrNull())
return handleError(DataCloneError, "An ArrayBuffer could not be cloned.", next);
- v8::Local<v8::Value> underlyingBuffer = toV8(arrayBufferView->bufferBase(), m_scriptState->context()->Global(), isolate());
+ v8::Local<v8::Value> underlyingBuffer = toV8(arrayBufferView->bufferBaseOrNull(), m_scriptState->context()->Global(), isolate());
if (underlyingBuffer.IsEmpty())
return handleError(DataCloneError, "An ArrayBuffer could not be cloned.", next);
StateBase* stateOut = doSerializeArrayBuffer(underlyingBuffer, next);
@@ -1532,7 +1532,10 @@ bool SerializedScriptValueReader::readImageData(v8::Local<v8::Value>* value)
return false;
if (m_position + pixelDataLength > m_length)
return false;
- ImageData* imageData = ImageData::create(IntSize(width, height));
+ NonThrowableExceptionState exceptionState;
+ ImageData* imageData = ImageData::create(IntSize(width, height), exceptionState);
+ if (exceptionState.hadException())
+ return false;
DOMUint8ClampedArray* pixelArray = imageData->data();
ASSERT(pixelArray);
ASSERT(pixelArray->length() >= pixelDataLength);
@@ -1556,7 +1559,7 @@ bool SerializedScriptValueReader::readCompositorProxy(v8::Local<v8::Value>* valu
return !value->IsEmpty();
}
-PassRefPtr<DOMArrayBuffer> SerializedScriptValueReader::doReadArrayBuffer()
+PassRefPtr<DOMArrayBuffer> SerializedScriptValueReader::doReadArrayBufferOrNull()
jsbell 2015/10/20 22:25:50 Since this already returned nullptr in some cases,
{
uint32_t byteLength;
if (!doReadUint32(&byteLength))
@@ -1565,12 +1568,12 @@ PassRefPtr<DOMArrayBuffer> SerializedScriptValueReader::doReadArrayBuffer()
return nullptr;
const void* bufferStart = m_buffer + m_position;
m_position += byteLength;
- return DOMArrayBuffer::create(bufferStart, byteLength);
+ return DOMArrayBuffer::createOrNull(bufferStart, byteLength);
}
bool SerializedScriptValueReader::readArrayBuffer(v8::Local<v8::Value>* value)
{
- RefPtr<DOMArrayBuffer> arrayBuffer = doReadArrayBuffer();
+ RefPtr<DOMArrayBuffer> arrayBuffer = doReadArrayBufferOrNull();
if (!arrayBuffer)
return false;
jsbell 2015/10/20 22:25:50 I'm embarrassed to say I don't know how we handle
*value = toV8(arrayBuffer.release(), m_scriptState->context()->Global(), isolate());
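Review bot: In readImageData (the second hunk, `@@ -1532`), the new `exceptionState.hadException()` guard only helps if `NonThrowableExceptionState` actually records the exception it is handed; as far as I recall its throw paths assert in debug builds and set no code, so in release the guard would never fire and a failed `ImageData::create` would fall through to `imageData->data()` on the next line. If that is the case, `TrackExceptionState`, which records the exception without throwing, is the type meant for catch-and-check, `TrackExceptionState exceptionState;`, or the result pointer should be guarded as well, `if (exceptionState.hadException() || !imageData) return false;`. A short comment above the guard, e.g. `// Allocating the pixel buffer can fail for large dimensions; treat that as malformed input.`, would document why the error state is inspected here instead of being ignored. readImageData begins and ends outside the hunk.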
