
Issue 700353 link


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Data race in blink::SerializedScriptValue::unregisterMemoryAllocatedByCurrentScriptContext

Project Member Reported by ClusterFuzz, Mar 10 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5829576547893248

Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 4
Crash Address: 0x7b1400018d80
Crash State:
  blink::SerializedScriptValue::unregisterMemoryAllocatedByCurrentScriptContext
  blink::V8DedicatedWorkerGlobalScope::postMessageMethodCallback
  v8::internal::FunctionCallbackArguments::Call
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=455700:456019

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95soi7ZDxlFvlpmwpj5bTn_vozU7YsSTQKx8SzbYJEidBiXZEmq4ATzUCZi7AafEnrlGPOT3j8QPimZNsz5DM0UkPrJ07QkiULkNRlJUQCL__xLrwmSV98YZtkVzj_RkpRdusk_5WAPlJL3FeSANRNNkcV3Btqj9QaDK9bHKgUrMUa3ISVuY7H4CUTiFWIjAXj6cSH823P_xt_U8kI-kUeA6Hd8QmwSz8dKx5UGK8CCNPJikfVzUIpqiS8Jhjoq5PH6OEO6Fg8Jy-e9gp169DzfZWkRNLh3xf_Kh5g1wRpDsRhtJyIriprzeKNrWE6kx62jAKbgPTFkLJJe0Dxy4kM3xULCPs8xBm8OhcSgPuF_jJAQcLI?testcase_id=5829576547893248


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by sigbjo...@opera.com, Mar 10 2017

Owner: sigbjo...@opera.com

Comment 2 by sigbjo...@opera.com, Mar 10 2017

Status: Started (was: Untriaged)

Comment 3 by bugdroid1@chromium.org, Mar 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e75f1381dccdeef00b30479ad55432f60ee8db7d

commit e75f1381dccdeef00b30479ad55432f60ee8db7d
Author: sigbjornf <sigbjornf@opera.com>
Date: Tue Mar 14 20:04:39 2017

Accurate transfer of SerializedScriptValue allocation costs.

r456009 added transferring of allocation costs for a
SerializedScriptValue and any array buffers that it refers to,
transferring that cost from one v8 context to another as part
of a postMessage()

The handoff 'protocol' provided there fell short in that it could
fail to subtract transferable (array buffer contents) costs in
the source context, or end up doing it twice if the postMessage()
failed. Bookkeeping confusion resulted.

Rework the mechanism by instead having ArrayBufferContents keep
track of its external allocation cost registration status, so as
to prevent double discounting. Along with that, it is both safe
and accurate to unregister all allocation costs prior to
transfer. Should the value successfully be posted to its target
context, cost will be registered there. And if not, the value will
be destructed (..but without discounting allocation cost yet again.)

R=jbroman,haraken
BUG= 700353 

Review-Url: https://codereview.chromium.org/2741793003
Cr-Commit-Position: refs/heads/master@{#456800}

[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/core/v8/SerializedScriptValue.cpp
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/core/v8/SerializedScriptValue.h
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/bindings/tests/results/core/V8TestObject.cpp
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/wtf/typed_arrays/ArrayBufferContents.cpp
[modify] https://crrev.com/e75f1381dccdeef00b30479ad55432f60ee8db7d/third_party/WebKit/Source/wtf/typed_arrays/ArrayBufferContents.h
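The registration-status idea the commit message describes, as an added illustration that is not Blink's code: a constructed model in which ArrayBufferContents remembers whether its cost is currently registered, so the unregister-before-transfer handoff stays correct whether or not the postMessage() succeeds. ContextAccounting, registerCost, unregisterCost, transferCost, simulatePost and the `deliver` flag are all hypothetical names chosen for this example.

```cpp
#include <cstdint>
#include <utility>
// Constructed stand-in for a script context's external-memory counter.
struct ContextAccounting {
  int64_t external_bytes = 0;
};

// Constructed model of ArrayBufferContents after the fix: it records whether
// its cost is registered, so a repeated unregister cannot discount twice.
class ArrayBufferContents {
 public:
  explicit ArrayBufferContents(int64_t size) : size_(size) {}
  void registerCost(ContextAccounting& ctx) {
    if (registered_) return;  // already counted somewhere
    ctx.external_bytes += size_;
    registered_ = true;
  }
  void unregisterCost(ContextAccounting& ctx) {
    if (!registered_) return;  // nothing to discount: no double subtraction
    ctx.external_bytes -= size_;
    registered_ = false;
  }
 private:
  int64_t size_;
  bool registered_ = false;
};
// Handoff order from the commit message: unregister in the source before the
// transfer, register in the target only if delivery succeeds; on failure the
// value is destructed and unregisters again, now a harmless no-op. 'deliver'
// is a hypothetical switch used to model a failed postMessage().
bool transferCost(ArrayBufferContents& c, ContextAccounting& source,
                  ContextAccounting& target, bool deliver) {
  c.unregisterCost(source);
  if (!deliver) {
    c.unregisterCost(source);  // destructor path: source stays untouched
    return false;
  }
  c.registerCost(target);
  return true;
}

// Posts a 1024-byte buffer once and returns {source, target} byte counters.
std::pair<int64_t, int64_t> simulatePost(bool deliver) {
  ContextAccounting source, target;
  ArrayBufferContents c(1024);
  c.registerCost(source);  // cost initially lives in the source context
  transferCost(c, source, target, deliver);
  return {source.external_bytes, target.external_bytes};
}
```

A failed post leaves the source counter at 0 rather than -1024, which is the double-discount case the commit message calls "bookkeeping confusion".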

Comment 4 by sigbjo...@opera.com, Mar 14 2017

Status: Fixed (was: Started)

Comment 5 by ClusterFuzz, Mar 21 2017

ClusterFuzz has detected this issue as fixed in range 458081:458090.

Detailed report: https://clusterfuzz.com/testcase?key=5829576547893248

Fuzzer: ochang_domfuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 4
Crash Address: 0x7b1400018d80
Crash State:
  blink::SerializedScriptValue::unregisterMemoryAllocatedByCurrentScriptContext
  blink::V8DedicatedWorkerGlobalScope::postMessageMethodCallback
  v8::internal::FunctionCallbackArguments::Call
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=455700:456019
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=458081:458090

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95soi7ZDxlFvlpmwpj5bTn_vozU7YsSTQKx8SzbYJEidBiXZEmq4ATzUCZi7AafEnrlGPOT3j8QPimZNsz5DM0UkPrJ07QkiULkNRlJUQCL__xLrwmSV98YZtkVzj_RkpRdusk_5WAPlJL3FeSANRNNkcV3Btqj9QaDK9bHKgUrMUa3ISVuY7H4CUTiFWIjAXj6cSH823P_xt_U8kI-kUeA6Hd8QmwSz8dKx5UGK8CCNPJikfVzUIpqiS8Jhjoq5PH6OEO6Fg8Jy-e9gp169DzfZWkRNLh3xf_Kh5g1wRpDsRhtJyIriprzeKNrWE6kx62jAKbgPTFkLJJe0Dxy4kM3xULCPs8xBm8OhcSgPuF_jJAQcLI?testcase_id=5829576547893248


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
