Reviewers: Jarin (OOO - vacation),
Description:
[d8 worker] Fix regression when serializing very large arraybuffer
BUG=chromium:514081
[email protected]
Please review this at https://codereview.chromium.org/1264723002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+19, -5 lines):
M src/d8.cc
A test/mjsunit/regress/regress-crbug-514081.js
Index: src/d8.cc
diff --git a/src/d8.cc b/src/d8.cc
index
9aeac11bb0a439b59a8933a6b15cdc8f0ac1116f..f53451e2e067d2d5fc704893b19106d740a0b006
100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -2070,16 +2070,15 @@ bool Shell::SerializeValue(Isolate* isolate,
Local<Value> value,
} else {
ArrayBuffer::Contents contents = array_buffer->GetContents();
// Clone ArrayBuffer
- if (contents.ByteLength() > i::kMaxUInt32) {
+ if (contents.ByteLength() > i::kMaxInt) {
Throw(isolate, "ArrayBuffer is too big to clone");
return false;
}
- int byte_length = static_cast<int>(contents.ByteLength());
+ int32_t byte_length = static_cast<int32_t>(contents.ByteLength());
out_data->WriteTag(kSerializationTagArrayBuffer);
out_data->Write(byte_length);
- out_data->WriteMemory(contents.Data(),
- static_cast<int>(contents.ByteLength()));
+ out_data->WriteMemory(contents.Data(), byte_length);
}
} else if (value->IsSharedArrayBuffer()) {
Local<SharedArrayBuffer> sab = Local<SharedArrayBuffer>::Cast(value);
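Review bot: The new bound `if (contents.ByteLength() > i::kMaxInt)` compares what appears to be a size_t against a signed constant and leaves the reason for the limit unstated. It behaves correctly because kMaxInt is positive, but `contents.ByteLength() > static_cast<size_t>(i::kMaxInt)` avoids relying on the implicit conversion. A comment such as `// Length is serialized as int32_t; larger buffers would wrap to a negative length.` would keep the limit from drifting back to kMaxUInt32, which is what allowed the truncating cast in the first place. The body of SerializeValue starts and ends outside this hunk.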
@@ -2204,7 +2203,7 @@ MaybeLocal<Value> Shell::DeserializeValue(Isolate*
isolate,
break;
}
case kSerializationTagArrayBuffer: {
- int byte_length = data.Read<int>(offset);
+ int32_t byte_length = data.Read<int32_t>(offset);
Local<ArrayBuffer> array_buffer = ArrayBuffer::New(isolate,
byte_length);
ArrayBuffer::Contents contents = array_buffer->GetContents();
DCHECK(static_cast<size_t>(byte_length) == contents.ByteLength());
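Review bot: `byte_length` goes straight from `data.Read<int32_t>(offset)` into `ArrayBuffer::New(isolate, byte_length)` with no sign check, so a negative value would convert to a very large size_t. The only guard in view is a DCHECK, which compiles out of release builds. The writer now rejects lengths above kMaxInt, so data produced by SerializeValue should satisfy this, but the reader does not enforce the invariant itself. Adding `CHECK_GE(byte_length, 0);` before the allocation would make it hold in release builds too. The copy that follows is outside this hunk, so whether the length is also bounded against the remaining serialized data cannot be confirmed from here.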
Index: test/mjsunit/regress/regress-crbug-514081.js
diff --git a/test/mjsunit/regress/regress-crbug-514081.js
b/test/mjsunit/regress/regress-crbug-514081.js
new file mode 100644
index
0000000000000000000000000000000000000000..1acd8315cd4e7faf9188697140f0d3ce49574ec7
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-514081.js
@@ -0,0 +1,15 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+ var __v_7 = new Worker('onmessage = function() {};');
+ try {
+ var ab = new ArrayBuffer(2147483648);
+ // If creating the ArrayBuffer succeeded, then postMessage should fail.
+ assertThrows(function() { __v_7.postMessage(ab); });
+ } catch (e) {
+ // Creating the ArrayBuffer failed.
+ assertInstanceof(e, RangeError);
+ }
+}
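Review bot: `assertThrows` sits inside the same `try` whose `catch` asserts `RangeError`, so if `postMessage` wrongly succeeds, the assertion failure is caught and re-reported as a failed `assertInstanceof(e, RangeError)`, which hides the real cause. Keeping only the allocation in the `try`, e.g. `var ab; try { ab = new ArrayBuffer(2147483648); } catch (e) { assertInstanceof(e, RangeError); }` followed by `if (ab) assertThrows(function() { __v_7.postMessage(ab); });`, gives a failure that points at the serialization check. The fuzzer-style name `__v_7` could also become `worker` for readability.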