Avoid trusting the length encoded in the Snapshot if there is an

runtime/vm/isolate.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "vm/isolate.h"
 
 #include "include/dart_api.h"
 #include "platform/assert.h"
 #include "lib/mirrors.h"
 #include "vm/compiler_stats.h"
@@ skipping 62 matching lines @@
     isolate_->ScheduleInterrupts(Isolate::kMessageInterrupt);
   }
   Dart_MessageNotifyCallback callback = isolate_->message_notify_callback();
   if (callback) {
     // Allow the embedder to handle message notification.
     (*callback)(Api::CastIsolate(isolate_));
   }
 }
 
 
-static RawInstance* DeserializeMessage(void* data) {
-  // Create a snapshot object using the buffer.
-  const Snapshot* snapshot = Snapshot::SetupFromBuffer(data);
-  ASSERT(snapshot->IsMessageSnapshot());
-
-  // Read object back from the snapshot.
-  SnapshotReader reader(snapshot, Isolate::Current());
-  Instance& instance = Instance::Handle();
-  instance ^= reader.ReadObject();
-  return instance.raw();
-}
-
-
 bool IsolateMessageHandler::HandleMessage(Message* message) {
   StartIsolateScope start_scope(isolate_);
   Zone zone(isolate_);
   HandleScope handle_scope(isolate_);
 
-  const Instance& msg =
-      Instance::Handle(DeserializeMessage(message->data()));
+  const Snapshot* snapshot = Snapshot::SetupFromBuffer(message->data(),
+                                                       message->len());
+  if (snapshot == NULL || !snapshot->IsMessageSnapshot()) {
+    if (message->IsLocal()) {
+      FATAL("IsolateMessageHandler saw malformed message.  Exiting.");

[siva, 2012/08/22 23:30:39]

Do these really need to be fatal errors?

We could drop this garbage message, set a sticky error and return false, the way
it seems to do it in the code below.

[turnidge, 2012/08/23 18:37:57]

I believe it should be fatal, yes.  Made this UNREACHABLE().

On 2012/08/22 23:30:39, asiva wrote:

+    }
+    delete message;
+    return true;
+  }
+
+  // Read object back from the snapshot.
+  SnapshotReader reader(snapshot, Isolate::Current());
+  const Object& msg_obj = Object::Handle(reader.ReadObject());
+  if (!msg_obj.IsNull() && !msg_obj.IsInstance()) {
+    if (message->IsLocal()) {
+      FATAL("IsolateMessageHandler saw malformed message.  Exiting.");

[siva, 2012/08/22 23:30:39]

Ditto comment.

[turnidge, 2012/08/23 18:37:57]

This goes away in new revision.

+    }
+    delete message;
+    return true;
+  }
+
+  Instance& msg = Instance::Handle();
+  msg ^= msg_obj.raw();  // Can't use Instance::Cast because may be null.
+
   if (message->IsOOB()) {
     // For now the only OOB messages are Mirrors messages.
     HandleMirrorsMessage(isolate_, message->reply_port(), msg);
     delete message;
   } else {
     const Object& result = Object::Handle(
         DartLibraryCalls::HandleMessage(
             message->dest_port(), message->reply_port(), msg));
     delete message;
     if (result.IsError()) {
@@ skipping 355 matching lines @@
 
 
 void Isolate::VisitWeakPersistentHandles(HandleVisitor* visitor,
                                          bool visit_prologue_weak_handles) {
   if (api_state() != NULL) {
     api_state()->VisitWeakHandles(visitor, visit_prologue_weak_handles);
   }
 }
 
 }  // namespace dart