Reviewers: Yang,

Message:
Hi Yang,
Here is a clusterfuzz fix, can you have a look?
--Michael

Description:
ClusterFuzz fix: %NormalizeElements shouldn't process the global proxy.

BUG=449070
[email protected]

Please review this at https://codereview.chromium.org/859713002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+6, -3 lines):
  M src/runtime/runtime-array.cc
  A + test/mjsunit/regress/regress-449070.js


Index: src/runtime/runtime-array.cc
diff --git a/src/runtime/runtime-array.cc b/src/runtime/runtime-array.cc
index a017236a540643ef08e8b0f6b64c95d4dc0752b5..a69d8c87f8b0d47e97be162b66b7fcb971e3de56 100644
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -1170,7 +1170,8 @@ RUNTIME_FUNCTION(Runtime_NormalizeElements) {
   DCHECK(args.length() == 1);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, array, 0);
   RUNTIME_ASSERT(!array->HasExternalArrayElements() &&
-                 !array->HasFixedTypedArrayElements());
+                 !array->HasFixedTypedArrayElements() &&
+                 !array->IsJSGlobalProxy());
   JSObject::NormalizeElements(array);
   return *array;
 }
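Review bot: The added `!array->IsJSGlobalProxy()` term in the RUNTIME_ASSERT has no comment saying why a global proxy must not reach `JSObject::NormalizeElements(array)`, and the description only says it "shouldn't process" it. Please add a one-line comment above the assert stating the reason. Also, the guard sits only in this runtime function while `JSObject::NormalizeElements` is called unconditionally on the next line. If the restriction is really a precondition of `NormalizeElements`, a DCHECK inside it would cover other callers as well.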
Index: test/mjsunit/regress/regress-449070.js
diff --git a/test/mjsunit/regress/regress-444805.js b/test/mjsunit/regress/regress-449070.js
similarity index 69%
copy from test/mjsunit/regress/regress-444805.js
copy to test/mjsunit/regress/regress-449070.js
index 5a533acd5ebf2fc196373e2b0e2c4b9df0a29ab6..7a0f0a838cdd25817ab6a2d8f63c1ef9fbe6e526 100644
--- a/test/mjsunit/regress/regress-444805.js
+++ b/test/mjsunit/regress/regress-449070.js
@@ -1,8 +1,10 @@
 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax

 try {
-  load("test/mjsunit/regress/regress-444805.js-script");
-} catch (e) {
+  %NormalizeElements(this);
+} catch(e) {
 }
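Review bot: The empty `catch(e) {}` around `%NormalizeElements(this);` means the test passes whether the call throws or returns normally, so it only verifies that the call does not crash. If that is the intent, say so in a short comment in the test. Otherwise assert the expected outcome explicitly instead of swallowing the exception. Minor style point: the change from `} catch (e) {` to `} catch(e) {` drops the space for no reason, so keep the original spacing.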


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev