This one occurred when serializing an object. When the property getter threw an
exception, that value was skipped, but the property count wasn't updated. The
deserializer then tried to deserialize the wrong value.
BUG=chromium:506549
R=jarin@chromium.org
LOG=n
Review URL: https://codereview.chromium.org/
1220193004
Cr-Commit-Position: refs/heads/master@{#29541}
if (!SerializeValue(isolate, element_value, to_transfer, seen_objects,
out_data))
return false;
+ } else {
+ Throw(isolate, "Failed to serialize array element.");
+ return false;
}
}
} else if (value->IsArrayBuffer()) {
if (!SerializeValue(isolate, property_value, to_transfer, seen_objects,
out_data))
return false;
+ } else {
+ Throw(isolate, "Failed to serialize property.");
+ return false;
}
}
} else {
--- /dev/null
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+ var __v_5 = {};
+ __v_5.__defineGetter__('byteLength', function() {foo();});
+ var __v_8 = new Worker('onmessage = function() {};');
+ assertThrows(function() { __v_8.postMessage(__v_5); });
+}