[SharedArrayBuffer] Prevent SharedArrayBuffer being used in Web APIs

third_party/WebKit/Source/bindings/core/v8/V8Binding.h

 /*
 * Copyright (C) 2009 Google Inc. All rights reserved.
 * Copyright (C) 2012 Ericsson AB. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
@@ skipping 29 matching lines @@
 #include "bindings/core/v8/ScriptState.h"
 #include "bindings/core/v8/ScriptValue.h"
 #include "bindings/core/v8/ScriptWrappable.h"
 #include "bindings/core/v8/V8BindingMacros.h"
 #include "bindings/core/v8/V8PerIsolateData.h"
 #include "bindings/core/v8/V8ScriptRunner.h"
 #include "bindings/core/v8/V8StringResource.h"
 #include "bindings/core/v8/V8ThrowException.h"
 #include "bindings/core/v8/V8ValueCache.h"
 #include "core/CoreExport.h"
+#include "core/dom/NotShared.h"
 #include "platform/heap/Handle.h"
 #include "platform/wtf/text/AtomicString.h"
 #include "platform/wtf/text/StringView.h"
 #include "v8/include/v8.h"
 
 namespace blink {
 
 class DOMWindow;
 class EventListener;
 class EventTarget;
@@ skipping 149 matching lines @@
   v8SetReturnValue(callbackInfo, ToV8(impl, callbackInfo.Holder(),
                                       callbackInfo.GetIsolate()));
 }
 
 template <typename CallbackInfo, typename T>
 inline void v8SetReturnValue(const CallbackInfo& callbackInfo,
                              PassRefPtr<T> impl) {
   v8SetReturnValue(callbackInfo, impl.get());
 }
 
+template <typename CallbackInfo, typename T>
+inline void v8SetReturnValue(const CallbackInfo& callbackInfo,
+                             NotShared<T> notShared) {
+  v8SetReturnValue(callbackInfo, notShared.view());
+}
+
 template <typename CallbackInfo>
 inline void v8SetReturnValueForMainWorld(const CallbackInfo& callbackInfo,
                                          ScriptWrappable* impl) {
   ASSERT(DOMWrapperWorld::current(callbackInfo.GetIsolate()).isMainWorld());
   if (UNLIKELY(!impl)) {
     v8SetReturnValueNull(callbackInfo);
     return;
   }
   if (DOMDataStore::setReturnValueForMainWorld(callbackInfo.GetReturnValue(),
                                                impl))
@@ skipping 98 matching lines @@
   v8SetReturnValueFast(callbackInfo, impl.get(), wrappable);
 }
 
 template <typename CallbackInfo, typename T>
 inline void v8SetReturnValueFast(const CallbackInfo& callbackInfo,
                                  const v8::Local<T> handle,
                                  const ScriptWrappable*) {
   v8SetReturnValue(callbackInfo, handle);
 }
 
+template <typename CallbackInfo, typename T>
+inline void v8SetReturnValueFast(const CallbackInfo& callbackInfo,
+                                 NotShared<T> notShared,
+                                 const ScriptWrappable* wrappable) {
+  v8SetReturnValueFast(callbackInfo, notShared.view(), wrappable);
+}
+
 // Convert v8::String to a WTF::String. If the V8 string is not already
 // an external string then it is transformed into an external string at this
 // point to avoid repeated conversions.
 inline String toCoreString(v8::Local<v8::String> value) {
   return v8StringToWebCoreString<String>(value, Externalize);
 }
 
 inline String toCoreStringWithNullCheck(v8::Local<v8::String> value) {
   if (value.IsEmpty() || value->IsNull())
     return String();
@@ skipping 805 matching lines @@
 
 // Freeze a V8 object. The type of the first parameter and the return value is
 // intentionally v8::Value so that this function can wrap ToV8().
 // If the argument isn't an object, this will crash.
 CORE_EXPORT v8::Local<v8::Value> freezeV8Object(v8::Local<v8::Value>,
                                                 v8::Isolate*);
 
 CORE_EXPORT v8::Local<v8::Value> fromJSONString(v8::Isolate*,
                                                 const String& stringifiedJSON,
                                                 ExceptionState&);
+
+// Ensure that a typed array value is not backed by a SharedArrayBuffer. If it
+// is, an exception will be thrown. The return value will use the NotShared
+// wrapper type.
+template <typename NotSharedType>
+CORE_EXPORT NotSharedType toNotShared(v8::Isolate* isolate,
+                                      v8::Local<v8::Value> value,
+                                      ExceptionState& exceptionState) {
+  using DOMTypedArray = typename NotSharedType::TypedArrayType;
+  DOMTypedArray* domTypedArray =
+      V8TypeOf<DOMTypedArray>::Type::toImplWithTypeCheck(isolate, value);
+  if (domTypedArray && domTypedArray->isShared()) {
+    exceptionState.throwTypeError(
+        "The provided ArrayBufferView value must not be shared.");
+    return NotSharedType();
+  }
+  return NotSharedType(domTypedArray);
+}
+
 }  // namespace blink
 
 #endif  // V8Binding_h