Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 196268c

Browse filesBrowse files
legendecasaduh95
legendecas
authored and
aduh95
committed
deps: V8: cherry-pick c5ff7c4d6cde
Original commit message: [builtins] disallow ArrayBuffer transfer with a detach key This allows embedder to disallow `ArrayBuffer.prototype.transfer()` on an arraybuffer that is not detachable. This also fix the check on `ArrayBufferCopyAndDetach` step 8 of `ArrayBuffer.prototype.transfer`. Refs: #61362 Refs: https://tc39.es/ecma262/#sec-arraybuffercopyanddetach Change-Id: I3c6e156a8fad007fd100218d8b16aed5c4e1db68 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7454288 Commit-Queue: Chengzhong Wu <cwu631@bloomberg.net> Reviewed-by: Olivier Flückiger <olivf@chromium.org> Cr-Commit-Position: refs/heads/main@{#104697} Refs: v8/v8@c5ff7c4 PR-URL: #61372 Fixes: #61362 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
1 parent 5505511 commit 196268c
Copy full SHA for 196268c

5 files changed

+66-2Lines changed: 66 additions & 2 deletions

File tree

Expand file treeCollapse file tree
Open diff view settings
Filter options
Expand file treeCollapse file tree
Open diff view settings
Collapse file

‎common.gypi‎

Copy file name to clipboardExpand all lines: common.gypi
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@
3838

3939
# Reset this number to 0 on major V8 upgrades.
4040
# Increment by one for each non-official patch applied to deps/v8.
41-
'v8_embedder_string': '-node.45',
41+
'v8_embedder_string': '-node.46',
4242

4343
##### V8 defaults for Node.js #####
4444

Collapse file

‎deps/v8/src/builtins/builtins-arraybuffer.cc‎

Copy file name to clipboardExpand all lines: deps/v8/src/builtins/builtins-arraybuffer.cc
+2-1Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -631,7 +631,8 @@ Tagged<Object> ArrayBufferTransfer(Isolate* isolate,
631631
// 8. If arrayBuffer.[[ArrayBufferDetachKey]] is not undefined, throw a
632632
// TypeError exception.
633633

634-
if (!array_buffer->is_detachable()) {
634+
if (!IsUndefined(array_buffer->detach_key()) ||
635+
!array_buffer->is_detachable()) {
635636
THROW_NEW_ERROR_RETURN_FAILURE(
636637
isolate,
637638
NewTypeError(MessageTemplate::kDataCloneErrorNonDetachableArrayBuffer));
Collapse file

‎deps/v8/test/mjsunit/array-buffer-transfer-detach-key.js‎

Copy file name to clipboard
+22Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
// Copyright 2026 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
//
5+
// Flags: --allow-natives-syntax
6+
7+
function TestTransferSucceeds() {
8+
const ab = new ArrayBuffer(100);
9+
%ArrayBufferSetDetachKey(ab, undefined);
10+
ab.transfer();
11+
assertEquals(0, ab.byteLength); // Detached.
12+
}
13+
14+
function TestTransferFails() {
15+
const ab = new ArrayBuffer(100);
16+
%ArrayBufferSetDetachKey(ab, Symbol());
17+
assertThrows(() => { ab.transfer(); }, TypeError);
18+
assertEquals(100, ab.byteLength); // Not detached.
19+
}
20+
21+
TestTransferSucceeds();
22+
TestTransferFails();
Collapse file

‎deps/v8/test/unittests/BUILD.gn‎

Copy file name to clipboardExpand all lines: deps/v8/test/unittests/BUILD.gn
+1Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -264,6 +264,7 @@ v8_source_set("v8_unittests_sources") {
264264
"api/remote-object-unittest.cc",
265265
"api/resource-constraints-unittest.cc",
266266
"api/smi-tagging-unittest.cc",
267+
"api/v8-array-buffer-unittest.cc",
267268
"api/v8-array-unittest.cc",
268269
"api/v8-maybe-unittest.cc",
269270
"api/v8-object-unittest.cc",
Collapse file

‎deps/v8/test/unittests/api/v8-array-buffer-unittest.cc‎

Copy file name to clipboard
+40Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
// Copyright 2026 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
#include "include/v8-array-buffer.h"
6+
7+
#include "test/unittests/test-utils.h"
8+
#include "testing/gtest/include/gtest/gtest.h"
9+
10+
namespace v8 {
11+
namespace {
12+
13+
using ArrayBufferTest = TestWithContext;
14+
15+
TEST_F(ArrayBufferTest, TransferWithDetachKey) {
16+
Local<ArrayBuffer> ab = ArrayBuffer::New(isolate(), 1);
17+
Local<Value> key = Symbol::New(isolate());
18+
ab->SetDetachKey(key);
19+
Local<Object> global = context()->Global();
20+
Local<String> property_name =
21+
String::NewFromUtf8Literal(isolate(), "test_ab");
22+
global->Set(context(), property_name, ab).ToChecked();
23+
24+
{
25+
TryCatch try_catch(isolate());
26+
CHECK(TryRunJS("globalThis.test_ab.transfer()").IsEmpty());
27+
}
28+
29+
// Didnot transfer.
30+
EXPECT_EQ(ab->ByteLength(), 1u);
31+
32+
ab->SetDetachKey(Undefined(isolate()));
33+
RunJS("globalThis.test_ab.transfer()");
34+
35+
// Transferred.
36+
EXPECT_EQ(ab->ByteLength(), 0u);
37+
}
38+
39+
} // namespace
40+
} // namespace v8

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.