Put PDFium V8 Array Buffers into their own partition

Restores a protection that was lost some time ago when PDFium, as
embedded in chrome, began taking external isolates as handed to it
from gin.

Add tests which use the same "beep" mechanism to communicate
results back from deep inside PDF javascript to the .cc test
file.

Bug: 1091380
Change-Id: I884b70997e3042afb967b8e4a0e51a4b88beebd1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2232806
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#776692}

chrome/browser/pdf/pdf_extension_test.cc

@@ -837,6 +837,13 @@ IN_PROC_BROWSER_TEST_F(PDFExtensionJSTest, Metrics) {
   RunTestsInJsModule("metrics_test.js", "test.pdf");
 }
 
+IN_PROC_BROWSER_TEST_F(PDFExtensionJSTest, ArrayBufferAllocator) {
+  // Run several times to see if there are issues with unloading.
+  RunTestsInJsModule("beep_test.js", "array_buffer.pdf");
+  RunTestsInJsModule("beep_test.js", "array_buffer.pdf");
+  RunTestsInJsModule("beep_test.js", "array_buffer.pdf");
+}
+
 // Test that if the plugin tries to load a URL that redirects then it will fail
 // to load. This is to avoid the source origin of the document changing during
 // the redirect, which can have security implications. https://crbug.com/653749.

chrome/test/data/pdf/array_buffer.in

@@ -0,0 +1,46 @@
+{{header}}
+{{object 1 0}} <<
+  /Type /Catalog
+  /Pages 2 0 R
+  /OpenAction 3 0 R
+>>
+endobj
+{{object 2 0}} <<
+  /Type /Pages
+  /Count 1
+  /Kids [3 0 R]
+>>
+endobj
+{{object 3 0}} <<
+  /Type /Page
+  /Parent 2 0 R
+  /MediaBox [0 0 612 792]
+>>
+endobj
+{{object 3 0}} <<
+  /Type /Action
+  /S /JavaScript
+  /JS 4 0 R
+>>
+endobj
+{{object 4 0}} <<
+  {{streamlen}}
+>>
+stream
+var ab1, ab2, ab3;
+try {
+  ab1 = new ArrayBuffer(1000);
+  ab2 = new ArrayBuffer(2000000);
+  ab3 = new ArrayBuffer(2147483640); // Too large per pdfium.
+} catch (e) {
+}
+// Clumsily signal test harness if successful.
+if (ab1 && ab2 && !ab3) {
+  app.beep(1);
+}
+endstream
+endobj
+{{xref}}
+{{trailer}}
+{{startxref}}
+%%EOF

chrome/test/data/pdf/array_buffer.pdf

@@ -0,0 +1,57 @@
+%PDF-1.7
+%<25><><EFBFBD><EFBFBD>
+1 0 obj <<
+  /Type /Catalog
+  /Pages 2 0 R
+  /OpenAction 3 0 R
+>>
+endobj
+2 0 obj <<
+  /Type /Pages
+  /Count 1
+  /Kids [3 0 R]
+>>
+endobj
+3 0 obj <<
+  /Type /Page
+  /Parent 2 0 R
+  /MediaBox [0 0 612 792]
+>>
+endobj
+3 0 obj <<
+  /Type /Action
+  /S /JavaScript
+  /JS 4 0 R
+>>
+endobj
+4 0 obj <<
+  /Length 258
+>>
+stream
+var ab1, ab2, ab3;
+try {
+  ab1 = new ArrayBuffer(1000);
+  ab2 = new ArrayBuffer(2000000);
+  ab3 = new ArrayBuffer(2147483640); // Too large per pdfium.
+} catch (e) {
+}
+// Clumsily signal test harness if successful.
+if (ab1 && ab2 && !ab3) {
+  app.beep(1);
+}
+endstream
+endobj
+xref
+0 5
+0000000000 65535 f 
+0000000015 00000 n 
+0000000088 00000 n 
+0000000228 00000 n 
+0000000294 00000 n 
+trailer <<
+  /Root 1 0 R
+  /Size 5
+>>
+startxref
+604
+%%EOF

pdf/pdfium/pdfium_engine.cc

@@ -220,8 +220,10 @@ bool IsV8Initialized() {
 void SetUpV8() {
   const char* recommended = FPDF_GetRecommendedV8Flags();
   v8::V8::SetFlagsFromString(recommended, strlen(recommended));
-  gin::IsolateHolder::Initialize(gin::IsolateHolder::kNonStrictMode,
-                                 gin::ArrayBufferAllocator::SharedInstance());
+  gin::IsolateHolder::Initialize(
+      gin::IsolateHolder::kNonStrictMode,
+      static_cast<v8::ArrayBuffer::Allocator*>(
+          FPDF_GetArrayBufferAllocatorSharedInstance()));
   DCHECK(!g_isolate_holder);
   g_isolate_holder = new gin::IsolateHolder(
       base::ThreadTaskRunnerHandle::Get(), gin::IsolateHolder::kSingleThread,