
Unified Diff: Source/bindings/v8/SerializedScriptValue.cpp

Issue 56973002: Fix memory leak on serializing neutered ArrayBuffer. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Restructure serialization method for simpler unwinding Created 7 years, 1 month ago
Index: Source/bindings/v8/SerializedScriptValue.cpp
diff --git a/Source/bindings/v8/SerializedScriptValue.cpp b/Source/bindings/v8/SerializedScriptValue.cpp
index 984d5e7388c81401ba571f73baad30d1c1c07b9e..15e3d2c6ed5d76b4dc8e185f4935780721043fe6 100644
--- a/Source/bindings/v8/SerializedScriptValue.cpp
+++ b/Source/bindings/v8/SerializedScriptValue.cpp
@@ -739,7 +739,15 @@ public:
}
// Functions used by serialization states.
- StateBase* doSerialize(v8::Handle<v8::Value> value, StateBase* next);
+ StateBase* doSerialize(v8::Handle<v8::Value>, StateBase* next);
+
+ // The serializer workhorse, no stack depth check.
+ StateBase* doSerializeImpl(v8::Handle<v8::Value>, StateBase* next);
+
+ StateBase* doSerializeArrayBuffer(v8::Handle<v8::Value> arrayBuffer, StateBase* next)
+ {
+ return doSerializeImpl(arrayBuffer, next);
+ }
StateBase* checkException(StateBase* state)
{
@@ -1139,16 +1147,17 @@ private:
v8::Handle<v8::Value> underlyingBuffer = toV8(arrayBufferView->buffer(), v8::Handle<v8::Object>(), m_writer.getIsolate());
if (underlyingBuffer.IsEmpty())
return handleError(DataCloneError, next);
- StateBase* stateOut = doSerialize(underlyingBuffer, 0);
+ StateBase* stateOut = doSerializeArrayBuffer(underlyingBuffer, next);
if (stateOut)
- return handleError(DataCloneError, next);
+ return stateOut;
m_writer.writeArrayBufferView(*arrayBufferView);
// This should be safe: we serialize something that we know to be a wrapper (see
- // the toV8 call above), so the call to doSerialize above should neither cause
- // the stack to overflow nor should it have the potential to reach this
- // ArrayBufferView again. We do need to grey the underlying buffer before we grey
- // its view, however; ArrayBuffers may be shared, so they need to be given reference IDs,
- // and an ArrayBufferView cannot be constructed without a corresponding ArrayBuffer
+ // the toV8 call above), hence doSerializeArrayBuffer() will not consume stack
+ // (but might fail and unwind our current stack.)
Dmitry Lomov (no reviews) 2013/11/05 10:56:10 Keep the statement "the call to doSerializeArrayBu
+ //
+ // We do need to grey the underlying buffer before we grey its view, however;
+ // ArrayBuffers may be shared, so they need to be given reference IDs, and an
+ // ArrayBufferView cannot be constructed without a corresponding ArrayBuffer
// (or without an additional tag that would allow us to do two-stage construction
// like we do for Objects and Arrays).
greyObject(object);
@@ -1233,12 +1242,8 @@ private:
v8::Isolate* m_isolate;
};
-Serializer::StateBase* Serializer::doSerialize(v8::Handle<v8::Value> value, StateBase* next)
+Serializer::StateBase* Serializer::doSerializeImpl(v8::Handle<v8::Value> value, StateBase* next)
{
- if (m_execDepth + (next ? next->execDepth() : 0) > 1) {
- m_writer.writeNull();
- return 0;
- }
m_writer.writeReferenceCount(m_nextObjectReference);
uint32_t objectReference;
uint32_t arrayBufferIndex;
@@ -1316,6 +1321,15 @@ Serializer::StateBase* Serializer::doSerialize(v8::Handle<v8::Value> value, Stat
return 0;
}
+Serializer::StateBase* Serializer::doSerialize(v8::Handle<v8::Value> value, StateBase* next)
+{
+ if (m_execDepth + (next ? next->execDepth() : 0) > 1) {
+ m_writer.writeNull();
+ return 0;
+ }
+ return doSerializeImpl(value, next);
+}
+
// Interface used by Reader to create objects of composite types.
class CompositeCreator {
public:
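Review bot: The new doSerializeArrayBuffer() declared inline in the class body (first hunk, after the "serialization states" comment) forwards straight to doSerializeImpl() and so skips the exec-depth check that doSerialize() keeps in the last hunk, but nothing at the declaration says under what precondition that is safe; the justification lives only in the call-site comment of the ArrayBufferView hunk, whose enclosing function starts and ends outside the hunk. Suggest a comment above it along the lines of `// Serializes the underlying ArrayBuffer of a view. Caller must pass a value already known to be an ArrayBuffer wrapper, so no stack-depth check is needed; may still fail and return an error state that unwinds 'next'.` That keeps the "no stack depth check" note on doSerializeImpl() from reading as a general license to call it from elsewhere. Renaming the unused parameter in the declaration to match the definition (`value`) would also make the two-line split easier to grep.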
