Reviewers: binji,

Description:
Version 4.6.85.4 (cherry-pick)

Merged de26ce051f5b5062f71bf16327c9d1e26ead9823

[api] Relax CHECK for ArrayBuffer API abuse

BUG=522496
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/1314683003/

Base URL: https://chromium.googlesource.com/v8/[email protected]

Affected files (+6, -5 lines):
  M include/v8-version.h
  M src/api.cc
  A + test/mjsunit/regress/regress-crbug-522496.js


Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index 178b1fdcbf050e084bb123a58ced3dc24bd206bd..1a6a95a66b968f128e7a85489efe5789a74d27db 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 85
-#define V8_PATCH_LEVEL 3
+#define V8_PATCH_LEVEL 4

 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
Index: src/api.cc
diff --git a/src/api.cc b/src/api.cc
index b46d69fe2676ec77f97556a724d5d8b29d77520d..77201473a3d343ccd1a02c6eb68b3e7c45253048 100644
--- a/src/api.cc
+++ b/src/api.cc
@@ -6560,7 +6560,7 @@ Local<ArrayBuffer> v8::ArrayBuffer::New(Isolate* isolate, void* data,
                                         size_t byte_length,
                                         ArrayBufferCreationMode mode) {
   // Embedders must guarantee that the external backing store is valid.
-  CHECK(data != NULL);
+  CHECK(byte_length == 0 || data != NULL);
   i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
   LOG_API(i_isolate, "v8::ArrayBuffer::New(void*, size_t)");
   ENTER_V8(i_isolate);
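Review bot: With the relaxed CHECK on the new line, a NULL `data` pointer now flows into the rest of ArrayBuffer::New whenever `byte_length` is 0, and when `mode` is the internalized variant that store will presumably be released through the embedder's allocator later — worth confirming that release path tolerates a (NULL, 0) pair or skips the free for a null store, since the old CHECK made that case unreachable. The comment above the CHECK still promises a valid backing store, which no longer matches the condition; I would update it to state the new contract, e.g. `// Embedders must guarantee that the external backing store is valid; a NULL data pointer is accepted only when byte_length is 0.` The body of ArrayBuffer::New continues past the end of the hunk, so the remaining setup is not visible here.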
@@ -6759,7 +6759,7 @@ Local<SharedArrayBuffer> v8::SharedArrayBuffer::New(
     ArrayBufferCreationMode mode) {
   CHECK(i::FLAG_harmony_sharedarraybuffer);
   // Embedders must guarantee that the external backing store is valid.
-  CHECK(data != NULL);
+  CHECK(byte_length == 0 || data != NULL);
   i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
   LOG_API(i_isolate, "v8::SharedArrayBuffer::New(void*, size_t)");
   ENTER_V8(i_isolate);
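Review bot: The comment on the line above the CHECK still says the external backing store must be valid, which no longer describes the check now that a NULL pointer is accepted for an empty buffer; mirror whatever wording ArrayBuffer::New gets so the two constructors document the same contract, e.g. `// Embedders must guarantee that the external backing store is valid (NULL is only allowed when byte_length == 0).` The predicate is now duplicated verbatim between the two constructors, so a short note that they must stay in sync, or a shared helper, would keep a future relaxation from diverging. The SharedArrayBuffer::New signature starts before the hunk and its body continues past it.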
Index: test/mjsunit/regress/regress-crbug-522496.js
diff --git a/test/mjsunit/regress-4399.js b/test/mjsunit/regress/regress-crbug-522496.js
similarity index 61%
copy from test/mjsunit/regress-4399.js
copy to test/mjsunit/regress/regress-crbug-522496.js
index a8fdab7d9d62dfa33d34987f8994536e5dc762cc..e47e0a0677bb574ea9e4b1ca1942341e3fd08bf4 100644
--- a/test/mjsunit/regress-4399.js
+++ b/test/mjsunit/regress/regress-crbug-522496.js
@@ -2,7 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-
 if (this.Worker) {
-  assertThrows(function() { Worker.prototype.constructor("55"); });
+  var worker = new Worker("onmessage = function(){}");
+  var buf = new ArrayBuffer();
+  worker.postMessage(buf, [buf]);
 }
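Review bot: The new test only proves that posting an empty ArrayBuffer does not crash the shell; the worker's `onmessage` discards the message, so nothing checks that the zero-length buffer was actually deserialized on the receiving side. If this d8 build's Worker supports replies, having the worker `postMessage(e.data.byteLength)` and asserting `assertEquals(0, worker.getMessage())` would pin the behaviour, and a `worker.terminate()` afterwards would avoid leaving an idle worker behind — confirm both calls exist in this version before relying on them. The `if (this.Worker)` guard makes the test pass silently on shells without Worker, which is presumably intended for this mjsunit regression copy.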

