ClusterFuzz fix: %NormalizeElements shouldn't process the global proxy.
author mvstanton <mvstanton@chromium.org>
Mon, 19 Jan 2015 09:31:02 +0000 (01:31 -0800)
committer Commit bot <commit-bot@chromium.org>
Mon, 19 Jan 2015 09:31:19 +0000 (09:31 +0000)
BUG=449070
R=yangguo@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/859713002

Cr-Commit-Position: refs/heads/master@{#26126}

src/runtime/runtime-array.cc
test/mjsunit/regress/regress-449070.js [new file with mode: 0644]

index a017236..a69d8c8 100644 (file)
@@ -1170,7 +1170,8 @@ RUNTIME_FUNCTION(Runtime_NormalizeElements) {
   DCHECK(args.length() == 1);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, array, 0);
   RUNTIME_ASSERT(!array->HasExternalArrayElements() &&
-                 !array->HasFixedTypedArrayElements());
+                 !array->HasFixedTypedArrayElements() &&
+                 !array->IsJSGlobalProxy());
   JSObject::NormalizeElements(array);
   return *array;
 }
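Review bot: The new `!array->IsJSGlobalProxy()` term in the RUNTIME_ASSERT has no comment, so a reader cannot tell why the global proxy is singled out next to the two elements-kind checks; since a JSGlobalProxy passes the `CONVERT_ARG_HANDLE_CHECKED(JSObject, ...)` argument check one line above, the reason belongs right at the guard. I would add `// A JSGlobalProxy stands in for the global object and must be rejected here rather than normalized in place (BUG=449070).` — the "stands in for" wording is my reading of the type, confirm against JSGlobalProxy's definition. Keeping this as a RUNTIME_ASSERT, like the existing conditions, means the call fails rather than silently doing nothing, which is the safer outcome for a natives-syntax entry point reachable by fuzzers. The function's opening line sits above the hunk (only its name is visible in the @@ context).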
diff --git a/test/mjsunit/regress/regress-449070.js b/test/mjsunit/regress/regress-449070.js
new file mode 100644 (file)
index 0000000..7a0f0a8
--- /dev/null
@@ -0,0 +1,10 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+try {
+  %NormalizeElements(this);
+} catch(e) {
+}
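Review bot: The empty `catch(e) {}` swallows whatever `%NormalizeElements(this)` throws, so the test only documents that the call must not crash, and nothing states that expectation. I would add a comment above the `try`, `// Must fail cleanly instead of crashing when the receiver is the global proxy; the exception itself is not inspected.`, so a future edit does not mistake the empty catch for an oversight. If the runtime is guaranteed to throw here, wrapping the call in mjsunit's `assertThrows` instead would also pin that behaviour, but I have not verified the exact exception from this page.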