AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Fix cluster-fuzz found regression in d8 when deserializing ArrayBuffer

Browse Source 
BUG=503578
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1204753002

Cr-Commit-Position: refs/heads/master@{#29244}
This commit is contained in:
binji 2015-06-23 21:23:37 -07:00 committed by Commit bot
parent 5e2a114102
commit 10b6af71b8
2 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/d8.cc
View File

@ -2151,7 +2151,6 @@ MaybeLocal<Value> Shell::DeserializeValue(Isolate* isolate,
for (int i = 0; i < length; ++i) {
Local<Value> property_name;
CHECK(DeserializeValue(isolate, data, offset).ToLocal(&property_name));
DCHECK(property_name->IsString());
Local<Value> property_value;
CHECK(DeserializeValue(isolate, data, offset).ToLocal(&property_value));
object->Set(property_name, property_value);

15
test/mjsunit/regress/regress-crbug-503578.js Normal file
View File

@ -0,0 +1,15 @@
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function __f_1() {
onmessage = function() {}
}
function __f_0(byteLength) {
var __v_1 = new ArrayBuffer(byteLength);
var __v_5 = new Uint32Array(__v_1);
return __v_5;
}
var __v_6 = new Worker(__f_1);
var __v_3 = __f_0(16);
__v_6.postMessage(__v_3);