From 4c50af9358bdcbfeffa863e1104bbf9ffb70da95 Mon Sep 17 00:00:00 2001
From: Michael Starzinger
Date: Mon, 17 Jul 2017 12:46:37 +0200
Subject: [PATCH] [runtime] Make %ArrayBufferNeuter fuzzable.

This makes sure Runtime_ArrayBufferNeuter fails gracefully on array buffers that are non-neuterable. Note that this runtime function is whitelisted on ClusterFuzz and otherwise only used for testing.

R=cbruni@chromium.org
BUG=chromium:743215,v8:6534

Change-Id: I5069e615468f8789bf4fd87bb1e093a18bfd0347
Reviewed-on: https://chromium-review.googlesource.com/574168
Reviewed-by: Camillo Bruni
Commit-Queue: Michael Starzinger
Cr-Commit-Position: refs/heads/master@{#46710}
---
 src/runtime/runtime-typedarray.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/runtime/runtime-typedarray.cc b/src/runtime/runtime-typedarray.cc
index aa87c921eb..54b9050b6c 100644
--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@@ -33,7 +33,9 @@ RUNTIME_FUNCTION(Runtime_ArrayBufferNeuter) {
 isolate, NewTypeError(MessageTemplate::kNotTypedArray));
 }
 Handle array_buffer = Handle::cast(argument);
-
+ if (!array_buffer->is_neuterable()) {
+ return isolate->heap()->undefined_value();
+ }
 if (array_buffer->backing_store() == NULL) {
 CHECK(Smi::kZero == array_buffer->byte_length());
 return isolate->heap()->undefined_value();
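Review bot: The new early return for `!array_buffer->is_neuterable()` reports success (undefined) for a buffer it did not neuter, so a caller cannot tell this case apart from an actual neutering; since the description says this runtime function is also used by tests, a test that calls %ArrayBufferNeuter on a non-neuterable buffer will continue with a live buffer and any later assertion about neutered state passes or fails for the wrong reason. The non-ArrayBuffer branch just above the change throws a TypeError rather than returning silently, so the more consistent shape would be to throw here too, or, if a silent no-op is the intent for fuzzing, to say so at the new branch: `// Non-neuterable buffers are deliberately left untouched so fuzzed calls cannot trip a CHECK.` The remainder of Runtime_ArrayBufferNeuter lies outside the hunk.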