Reviewers: jarin,

Message:
PTAL, the DCHECK was erroneous. I assumed that Object keys are always strings,
but in this case the keys were Numbers.

Description:
Fix cluster-fuzz found regression in d8 when deserializing ArrayBuffer

BUG=503578
[email protected]
LOG=n

Please review this at https://codereview.chromium.org/1204753002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+15, -1 lines):
  M src/d8.cc
  A test/mjsunit/regress/regress-crbug-503578.js


Index: src/d8.cc
diff --git a/src/d8.cc b/src/d8.cc
index b9b2294e7d708ae29ee9af61e60b28c005299b09..333f7e440274b2334ace286e7be5e46064fa3959 100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -2151,7 +2151,6 @@ MaybeLocal<Value> Shell::DeserializeValue(Isolate* isolate,
       for (int i = 0; i < length; ++i) {
         Local<Value> property_name;
CHECK(DeserializeValue(isolate, data, offset).ToLocal(&property_name));
-        DCHECK(property_name->IsString());
         Local<Value> property_value;
CHECK(DeserializeValue(isolate, data, offset).ToLocal(&property_value));
         object->Set(property_name, property_value);
Index: test/mjsunit/regress/regress-crbug-503578.js
diff --git a/test/mjsunit/regress/regress-crbug-503578.js b/test/mjsunit/regress/regress-crbug-503578.js
new file mode 100644
index 0000000000000000000000000000000000000000..931509efebe57fb91427111b482b14a1f519173f
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-503578.js
@@ -0,0 +1,15 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_1() {
+  onmessage = function() {}
+}
+function __f_0(byteLength) {
+  var __v_1 = new ArrayBuffer(byteLength);
+  var __v_5 = new Uint32Array(__v_1);
+  return __v_5;
+}
+var __v_6 = new Worker(__f_1);
+var __v_3 = __f_0(16);
+__v_6.postMessage(__v_3);
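Review bot: The new test asserts nothing and does not say what it guards: it passes whenever d8 survives `postMessage`, and the fuzzer-generated names (`__f_0`, `__v_6`) hide that the payload is a `Uint32Array` over a 16-byte `ArrayBuffer`. A header comment such as `// Regression test for crbug.com/503578: posting a typed array to a Worker must not crash while the message is deserialized.` would tie the file to the bug. Going by the review message, the failure came from numeric property keys, so renaming `__v_3` to something like `typedArray` and mentioning the numeric keys in that comment would keep the case recognisable if the serializer changes. Because the DCHECK removed in src/d8.cc is presumably compiled only into debug builds, this test most likely reproduces the original failure only there, which is worth stating in the comment as well.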

