Fix cluster-fuzz found regression in d8 when deserializing ArrayBuffer

author binji <binji@chromium.org>

Wed, 24 Jun 2015 04:23:37 +0000 (21:23 -0700)

committer Commit bot <commit-bot@chromium.org>

Wed, 24 Jun 2015 04:23:58 +0000 (04:23 +0000)
author binji <binji@chromium.org>
Wed, 24 Jun 2015 04:23:37 +0000 (21:23 -0700)
committer Commit bot <commit-bot@chromium.org>
Wed, 24 Jun 2015 04:23:58 +0000 (04:23 +0000)
diff --git a/src/d8.cc b/src/d8.cc

index b9b2294..333f7e4 100644 (file)
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -2151,7 +2151,6 @@ MaybeLocal<Value> Shell::DeserializeValue(Isolate* isolate,
        for (int i = 0; i < length; ++i) {
          Local<Value> property_name;
          CHECK(DeserializeValue(isolate, data, offset).ToLocal(&property_name));
-        DCHECK(property_name->IsString());
          Local<Value> property_value;
          CHECK(DeserializeValue(isolate, data, offset).ToLocal(&property_value));
          object->Set(property_name, property_value);
diff --git a/test/mjsunit/regress/regress-crbug-503578.js b/test/mjsunit/regress/regress-crbug-503578.js

new file mode 100644 (file)

index 0000000..931509e
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-503578.js
@@ -0,0 +1,15 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_1() {
+  onmessage = function() {}
+}
+function __f_0(byteLength) {
+  var __v_1 = new ArrayBuffer(byteLength);
+  var __v_5 = new Uint32Array(__v_1);
+  return __v_5;
+}
+var __v_6 = new Worker(__f_1);
+var __v_3 = __f_0(16);
+__v_6.postMessage(__v_3);
author	binji <binji@chromium.org>
	Wed, 24 Jun 2015 04:23:37 +0000 (21:23 -0700)
committer	Commit bot <commit-bot@chromium.org>
	Wed, 24 Jun 2015 04:23:58 +0000 (04:23 +0000)
src/d8.cc		patch \| blob \| history
test/mjsunit/regress/regress-crbug-503578.js	[new file with mode: 0644]	patch \| blob