Throw a DataCloneError if a neutered ArrayBuffer occurs in the transfer list.

Currently the exception is not thrown until after serialization.
This makes us consistent with Gecko and WebKit, which throw before serialization.

This fixes the second test case in https://github.com/w3c/web-platform-tests/pull/9672
(not yet pushed to upstream WPT).

Bug: 816447
Change-Id: I30b798b5d21dc8d6f2a40d049ced6aa7f60dd090
Reviewed-on: https://chromium-review.googlesource.com/956254Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542484}

third_party/WebKit/LayoutTests/fast/dom/Window/window-postmessage-neutered-arraybuffer.html

+<!DOCTYPE html>
+<script src="../../../resources/testharness.js"></script>
+<script src="../../../resources/testharnessreport.js"></script>
+<script>
+test(() => {
+  var arrayBuffer = new ArrayBuffer(32);
+  postMessage(null, '*', [arrayBuffer]);
+  assert_throws('DataCloneError', () => {
+    postMessage(null, '*', [arrayBuffer]);
+  });
+}, "Exception should be thrown if ArrayBuffer is neutered before serialization.");
+
+test(() => {
+  var arrayBuffer = new ArrayBuffer(32);
+  postMessage(null, '*', [arrayBuffer]);
+  assert_throws('DataCloneError', () => {
+    postMessage({
+      get a() { assert_unreached('DataCloneError should be thrown first.'); }
+    }, '*', [arrayBuffer]);
+  });
+}, "Exception for neutered ArrayBuffer should be thrown before serialization.");
+
+test(() => {
+  var arrayBuffer = new ArrayBuffer(32);
+  assert_throws('DataCloneError', () => {
+    postMessage({
+      get a() { postMessage(null, '*', [arrayBuffer]); }
+    }, '*', [arrayBuffer]);
+  });
+}, "Exception should be thrown if ArrayBuffer is neutered during serialization.");
+</script>

third_party/WebKit/Source/bindings/core/v8/serialization/SerializedScriptValue.cpp

@@ -455,6 +455,12 @@ bool SerializedScriptValue::ExtractTransferables(
     } else if (transferable_object->IsArrayBuffer()) {
       DOMArrayBuffer* array_buffer = V8ArrayBuffer::ToImpl(
           v8::Local<v8::Object>::Cast(transferable_object));
+      if (array_buffer->IsNeutered()) {
+        exception_state.ThrowDOMException(
+            kDataCloneError, "ArrayBuffer at index " + String::Number(i) +
+                                 " is already neutered.");
+        return false;
+      }
       if (transferables.array_buffers.Contains(array_buffer)) {
         exception_state.ThrowDOMException(
             kDataCloneError, "ArrayBuffer at index " + String::Number(i) +
@@ -533,17 +539,6 @@ SerializedScriptValue::TransferArrayBufferContents(
   if (!array_buffers.size())
     return ArrayBufferContentsArray();
 
-  for (auto it = array_buffers.begin(); it != array_buffers.end(); ++it) {
-    DOMArrayBufferBase* array_buffer = *it;
-    if (array_buffer->IsNeutered()) {
-      size_t index = std::distance(array_buffers.begin(), it);
-      exception_state.ThrowDOMException(
-          kDataCloneError, "ArrayBuffer at index " + String::Number(index) +
-                               " is already neutered.");
-      return ArrayBufferContentsArray();
-    }
-  }
-
   contents.Grow(array_buffers.size());
   HeapHashSet<Member<DOMArrayBufferBase>> visited;
   for (auto it = array_buffers.begin(); it != array_buffers.end(); ++it) {