Fix memory leak on serializing neutered ArrayBuffer.

Source/bindings/v8/SerializedScriptValue.cpp

 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 721 matching lines @@
     {
         v8::HandleScope scope(m_isolate);
         m_writer.writeVersion();
         StateBase* state = doSerialize(value, 0);
         while (state)
             state = state->advance(*this);
         return m_status;
     }
 
     // Functions used by serialization states.
-    StateBase* doSerialize(v8::Handle<v8::Value> value, StateBase* next);
+    StateBase* doSerialize(v8::Handle<v8::Value>, StateBase* next);
+
+    // The serializer workhorse, no stack depth check.
+    StateBase* doSerializeImpl(v8::Handle<v8::Value>, StateBase* next);
+
+    StateBase* doSerializeArrayBuffer(v8::Handle<v8::Value> arrayBuffer, StateBase* next)
+    {
+        return doSerializeImpl(arrayBuffer, next);
+    }
 
     StateBase* checkException(StateBase* state)
     {
         return m_tryCatch.HasCaught() ? handleError(JSException, state) : 0;
     }
 
     StateBase* reportFailure(StateBase* state)
     {
         return handleError(JSFailure, state);
     }
@@ skipping 379 matching lines @@
     {
         ASSERT(!object.IsEmpty());
         ArrayBufferView* arrayBufferView = V8ArrayBufferView::toNative(object);
         if (!arrayBufferView)
             return 0;
         if (!arrayBufferView->buffer())
             return handleError(DataCloneError, next);
         v8::Handle<v8::Value> underlyingBuffer = toV8(arrayBufferView->buffer(), v8::Handle<v8::Object>(), m_writer.getIsolate());
         if (underlyingBuffer.IsEmpty())
             return handleError(DataCloneError, next);
-        StateBase* stateOut = doSerialize(underlyingBuffer, 0);
+        StateBase* stateOut = doSerializeArrayBuffer(underlyingBuffer, next);
         if (stateOut)
-            return handleError(DataCloneError, next);
+            return stateOut;
         m_writer.writeArrayBufferView(*arrayBufferView);
         // This should be safe: we serialize something that we know to be a wrapper (see
-        // the toV8 call above), so the call to doSerialize above should neither cause
-        // the stack to overflow nor should it have the potential to reach this
-        // ArrayBufferView again. We do need to grey the underlying buffer before we grey
-        // its view, however; ArrayBuffers may be shared, so they need to be given reference IDs,
-        // and an ArrayBufferView cannot be constructed without a corresponding ArrayBuffer
+        // the toV8 call above), hence doSerializeArrayBuffer() will not consume stack
+        // (but might fail and unwind our current stack.)

[Dmitry Lomov (no reviews), 2013/11/05 10:56:10]

Keep the statement "the call to doSerializeArrayBuffer should neither cause the
system stack to overflow nor should it have potential to reach this
ArrayBufferView again".

+        //
+        // We do need to grey the underlying buffer before we grey its view, however;
+        // ArrayBuffers may be shared, so they need to be given reference IDs, and an
+        // ArrayBufferView cannot be constructed without a corresponding ArrayBuffer
         // (or without an additional tag that would allow us to do two-stage construction
         // like we do for Objects and Arrays).
         greyObject(object);
         return 0;
     }
 
     StateBase* writeArrayBuffer(v8::Handle<v8::Value> value, StateBase* next)
     {
         ArrayBuffer* arrayBuffer = V8ArrayBuffer::toNative(value.As<v8::Object>());
         if (!arrayBuffer)
@@ skipping 64 matching lines @@
     Status m_status;
     typedef V8ObjectMap<v8::Object, uint32_t> ObjectPool;
     ObjectPool m_objectPool;
     ObjectPool m_transferredMessagePorts;
     ObjectPool m_transferredArrayBuffers;
     uint32_t m_nextObjectReference;
     BlobDataHandleMap& m_blobDataHandles;
     v8::Isolate* m_isolate;
 };
 
-Serializer::StateBase* Serializer::doSerialize(v8::Handle<v8::Value> value, StateBase* next)
+Serializer::StateBase* Serializer::doSerializeImpl(v8::Handle<v8::Value> value, StateBase* next)
 {
-    if (m_execDepth + (next ? next->execDepth() : 0) > 1) {
-        m_writer.writeNull();
-        return 0;
-    }
     m_writer.writeReferenceCount(m_nextObjectReference);
     uint32_t objectReference;
     uint32_t arrayBufferIndex;
     WrapperWorldType currentWorldType = worldType(m_isolate);
     if ((value->IsObject() || value->IsDate() || value->IsRegExp())
         && m_objectPool.tryGet(value.As<v8::Object>(), &objectReference)) {
         // Note that IsObject() also detects wrappers (eg, it will catch the things
         // that we grey and write below).
         ASSERT(!value->IsString());
         m_writer.writeObjectReference(objectReference);
@@ skipping 57 matching lines @@
         else if (value->IsObject()) {
             if (isHostObject(jsObject) || jsObject->IsCallable() || value->IsNativeError())
                 return handleError(DataCloneError, next);
             return startObjectState(jsObject, next);
         } else
             return handleError(DataCloneError, next);
     }
     return 0;
 }
 
+Serializer::StateBase* Serializer::doSerialize(v8::Handle<v8::Value> value, StateBase* next)
+{
+    if (m_execDepth + (next ? next->execDepth() : 0) > 1) {
+        m_writer.writeNull();
+        return 0;
+    }
+    return doSerializeImpl(value, next);
+}
+
 // Interface used by Reader to create objects of composite types.
 class CompositeCreator {
 public:
     virtual ~CompositeCreator() { }
 
     virtual bool consumeTopOfStack(v8::Handle<v8::Value>*) = 0;
     virtual uint32_t objectReferenceCount() = 0;
     virtual void pushObjectReference(const v8::Handle<v8::Value>&) = 0;
     virtual bool tryGetObjectFromObjectReference(uint32_t reference, v8::Handle<v8::Value>*) = 0;
     virtual bool tryGetTransferredMessagePort(uint32_t index, v8::Handle<v8::Value>*) = 0;
@@ skipping 1226 matching lines @@
     // If the allocated memory was not registered before, then this class is likely
     // used in a context other then Worker's onmessage environment and the presence of
     // current v8 context is not guaranteed. Avoid calling v8 then.
     if (m_externallyAllocatedMemory) {
         ASSERT(v8::Isolate::GetCurrent());
         v8::V8::AdjustAmountOfExternalAllocatedMemory(-m_externallyAllocatedMemory);
     }
 }
 
 } // namespace WebCore