Fix cluster-fuzz found regression with d8 Workers

This one occurred when serializing an object. When the property getter threw an
exception, that value was skipped, but the property count wasn't updated. The
deserializer then tried to deserialize the wrong value.

BUG=chromium:506549
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1220193004

Cr-Commit-Position: refs/heads/master@{#29541}

diff --git a/src/d8.cc b/src/d8.cc
index 7db6f3e..0b737c6 100644 (file)
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -2024,6 +2024,9 @@ bool Shell::SerializeValue(Isolate* isolate, Handle<Value> value,
         if (!SerializeValue(isolate, element_value, to_transfer, seen_objects,
                             out_data))
           return false;
+      } else {
+        Throw(isolate, "Failed to serialize array element.");
+        return false;
       }
     }
   } else if (value->IsArrayBuffer()) {
@@ -2098,6 +2101,9 @@ bool Shell::SerializeValue(Isolate* isolate, Handle<Value> value,
         if (!SerializeValue(isolate, property_value, to_transfer, seen_objects,
                             out_data))
           return false;
+      } else {
+        Throw(isolate, "Failed to serialize property.");
+        return false;
       }
     }
   } else {

diff --git a/test/mjsunit/regress/regress-crbug-506549.js b/test/mjsunit/regress/regress-crbug-506549.js
new file mode 100644 (file)
index 0000000..40e162c
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-506549.js
@@ -0,0 +1,10 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+  var __v_5 = {};
+  __v_5.__defineGetter__('byteLength', function() {foo();});
+  var __v_8 = new Worker('onmessage = function() {};');
+  assertThrows(function() { __v_8.postMessage(__v_5); });
+}