Add test case for ValueDeserializer

Bug: chromium:905940
Change-Id: Ifc5e04ea871539af3a690d75b4eddf54168836df
Reviewed-on: https://chromium-review.googlesource.com/c/1340283
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57593}

src/value-serializer.cc

@@ -1473,10 +1473,8 @@ MaybeHandle<JSArray> ValueDeserializer::ReadDenseJSArray() {
     // hole. Past version 11, undefined means undefined.
     if (version_ < 11 && element->IsUndefined(isolate_)) continue;
 
-    // Make sure elements is still large enough.
-    if (i >= static_cast<uint32_t>(elements->length())) {
-      return MaybeHandle<JSArray>();
-    }
+    // Safety check.
+    CHECK_LT(i, static_cast<uint32_t>(elements->length()));
 
     elements->set(i, *element);
   }

test/unittests/value-serializer-unittest.cc

@@ -1870,6 +1870,22 @@ TEST_F(ValueSerializerTest, DecodeDataView) {
   ExpectScriptTrue("Object.getPrototypeOf(result) === DataView.prototype");
 }
 
+TEST_F(ValueSerializerTest, DecodeArrayWithLengthProperty1) {
+  Local<Value> value = DecodeTest(
+      {0xff, 0x0d, 0x41, 0x03, 0x49, 0x02, 0x49, 0x04, 0x49, 0x06, 0x22, 0x06,
+       0x6c, 0x65, 0x6e, 0x67, 0x74, 0x68, 0x49, 0x02, 0x24, 0x01, 0x03});
+  ASSERT_TRUE(value->IsArray());
+  EXPECT_EQ(1u, Local<Array>::Cast(value)->Length());
+}
+
+TEST_F(ValueSerializerTest, DecodeArrayWithLengthProperty2) {
+  ASSERT_DEATH_IF_SUPPORTED(
+      DecodeTest({0xff, 0x0d, 0x41, 0x03, 0x49, 0x02, 0x49, 0x04,
+                  0x49, 0x06, 0x22, 0x06, 0x6c, 0x65, 0x6e, 0x67,
+                  0x74, 0x68, 0x6f, 0x7b, 0x00, 0x24, 0x01, 0x03}),
+      ".*AllowJavascriptExecution::IsAllowed.*");
+}
+
 TEST_F(ValueSerializerTest, DecodeInvalidDataView) {
   // Byte offset out of range.
   InvalidDecodeTest(