fixup! lib: short-circuit WebIDL BufferSource SAB check

Author: panva

lib/internal/webidl.js

@@ -2,7 +2,7 @@
 
 const {
   ArrayBufferIsView,
-  ArrayBufferPrototype,
+  ArrayBufferPrototypeGetByteLength,
   ArrayPrototypePush,
   ArrayPrototypeToSorted,
   DataViewPrototypeGetBuffer,
@@ -34,7 +34,6 @@ const {
 const { kEmptyObject } = require('internal/util');
 const {
   isArrayBuffer,
-  isSharedArrayBuffer,
   isTypedArray,
 } = require('internal/util/types');
 
@@ -397,13 +396,17 @@ function getViewedArrayBuffer(V) {
     TypedArrayPrototypeGetBuffer(V) : DataViewPrototypeGetBuffer(V);
 }
 
-// Returns `true` if `buffer` is a `SharedArrayBuffer`. The prototype-chain
-// check is a cheap V8 builtin that fast-accepts every non-tampered
-// `ArrayBuffer`; only buffers whose prototype chain has been detached or
-// reassigned (and real SABs) fall through to the authoritative brand check.
+// Returns `true` if `buffer` is a `SharedArrayBuffer`. Uses a brand check via
+// the `ArrayBuffer.prototype.byteLength` getter, which succeeds only on real
+// (non-shared) ArrayBuffers and throws on SharedArrayBuffers — independent
+// of the receiver's prototype chain.
 function isSharedArrayBufferBacking(buffer) {
-  return !ObjectPrototypeIsPrototypeOf(ArrayBufferPrototype, buffer) &&
-    isSharedArrayBuffer(buffer);
+  try {
+    ArrayBufferPrototypeGetByteLength(buffer);
+    return false;
+  } catch {
+    return true;
+  }
 }
 
 // https://webidl.spec.whatwg.org/#ArrayBufferView

test/parallel/test-internal-webidl-buffer-source.js

@@ -84,6 +84,16 @@ test('BufferSource rejects SAB-backed DataView', () => {
   );
 });
 
+test('BufferSource rejects SAB view whose buffer prototype was reassigned', () => {
+  const sab = new SharedArrayBuffer(4);
+  Object.setPrototypeOf(sab, ArrayBuffer.prototype);
+  const view = new Uint8Array(sab);
+  assert.throws(
+    () => converters.BufferSource(view),
+    { code: 'ERR_INVALID_ARG_TYPE' },
+  );
+});
+
 test('BufferSource accepts a detached ArrayBuffer', () => {
   const ab = new ArrayBuffer(8);
   structuredClone(ab, { transfer: [ab] });
@@ -169,6 +179,16 @@ test('ArrayBufferView rejects SAB-backed DataView', () => {
   );
 });
 
+test('ArrayBufferView rejects SAB view whose buffer prototype was reassigned', () => {
+  const sab = new SharedArrayBuffer(4);
+  Object.setPrototypeOf(sab, ArrayBuffer.prototype);
+  const view = new Uint8Array(sab);
+  assert.throws(
+    () => converters.ArrayBufferView(view),
+    { code: 'ERR_INVALID_ARG_TYPE' },
+  );
+});
+
 test('ArrayBufferView rejects objects with a forged @@toStringTag', () => {
   const fake = { [Symbol.toStringTag]: 'Uint8Array' };
   assert.throws(