[SharedArrayBuffer] Prevent SharedArrayBuffer being used in Web APIs

third_party/WebKit/Source/bindings/core/v8/V8Binding.h

Index: third_party/WebKit/Source/bindings/core/v8/V8Binding.h
diff --git a/third_party/WebKit/Source/bindings/core/v8/V8Binding.h b/third_party/WebKit/Source/bindings/core/v8/V8Binding.h
index 219e2722c49de31b047e84b932241311a9a55aa1..2ad7d05f32236349ba65ae655423768de32f3a55 100644
--- a/third_party/WebKit/Source/bindings/core/v8/V8Binding.h
+++ b/third_party/WebKit/Source/bindings/core/v8/V8Binding.h
@@ -47,6 +47,7 @@
 #include "bindings/core/v8/V8ThrowException.h"
 #include "bindings/core/v8/V8ValueCache.h"
 #include "core/CoreExport.h"
+#include "core/dom/NotShared.h"
 #include "platform/heap/Handle.h"
 #include "platform/wtf/text/AtomicString.h"
 #include "platform/wtf/text/StringView.h"
@@ -216,6 +217,12 @@ inline void v8SetReturnValue(const CallbackInfo& callbackInfo,
   v8SetReturnValue(callbackInfo, impl.get());
 }
 
+template <typename CallbackInfo, typename T>
+inline void v8SetReturnValue(const CallbackInfo& callbackInfo,
+                             NotShared<T> notShared) {
+  v8SetReturnValue(callbackInfo, notShared.view());
+}
+
 template <typename CallbackInfo>
 inline void v8SetReturnValueForMainWorld(const CallbackInfo& callbackInfo,
                                          ScriptWrappable* impl) {
@@ -334,6 +341,13 @@ inline void v8SetReturnValueFast(const CallbackInfo& callbackInfo,
   v8SetReturnValue(callbackInfo, handle);
 }
 
+template <typename CallbackInfo, typename T>
+inline void v8SetReturnValueFast(const CallbackInfo& callbackInfo,
+                                 NotShared<T> notShared,
+                                 const ScriptWrappable* wrappable) {
+  v8SetReturnValueFast(callbackInfo, notShared.view(), wrappable);
+}
+
 // Convert v8::String to a WTF::String. If the V8 string is not already
 // an external string then it is transformed into an external string at this
 // point to avoid repeated conversions.
@@ -1159,6 +1173,25 @@ CORE_EXPORT v8::Local<v8::Value> freezeV8Object(v8::Local<v8::Value>,
 CORE_EXPORT v8::Local<v8::Value> fromJSONString(v8::Isolate*,
                                                 const String& stringifiedJSON,
                                                 ExceptionState&);
+
+// Ensure that a typed array value is not backed by a SharedArrayBuffer. If it
+// is, an exception will be thrown. The return value will use the NotShared
+// wrapper type.
+template <typename NotSharedType>
+CORE_EXPORT NotSharedType toNotShared(v8::Isolate* isolate,
+                                      v8::Local<v8::Value> value,
+                                      ExceptionState& exceptionState) {
+  using DOMTypedArray = typename NotSharedType::TypedArrayType;
+  DOMTypedArray* domTypedArray =
+      V8TypeOf<DOMTypedArray>::Type::toImplWithTypeCheck(isolate, value);
+  if (domTypedArray && domTypedArray->isShared()) {
+    exceptionState.throwTypeError(
+        "The provided ArrayBufferView value must not be shared.");
+    return NotSharedType();
+  }
+  return NotSharedType(domTypedArray);
+}
+
 }  // namespace blink
 
 #endif  // V8Binding_h