[api] Relax CHECK for ArrayBuffer API abuse
authoradamk <adamk@chromium.org>
Wed, 19 Aug 2015 21:53:01 +0000 (14:53 -0700)
committerCommit bot <commit-bot@chromium.org>
Wed, 19 Aug 2015 21:53:17 +0000 (21:53 +0000)
Zero-length ArrayBuffers are allowed to have NULL backing stores.

BUG=522496
LOG=n

Review URL: https://codereview.chromium.org/1302803003

Cr-Commit-Position: refs/heads/master@{#30259}

src/api.cc
test/mjsunit/regress/regress-crbug-522496.js [new file with mode: 0644]

index b46d69f..7720147 100644 (file)
@@ -6560,7 +6560,7 @@ Local<ArrayBuffer> v8::ArrayBuffer::New(Isolate* isolate, void* data,
                                         size_t byte_length,
                                         ArrayBufferCreationMode mode) {
   // Embedders must guarantee that the external backing store is valid.
-  CHECK(data != NULL);
+  CHECK(byte_length == 0 || data != NULL);
   i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
   LOG_API(i_isolate, "v8::ArrayBuffer::New(void*, size_t)");
   ENTER_V8(i_isolate);
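Review bot: The comment above the relaxed CHECK still says the external backing store must be valid, but the new condition now explicitly admits a NULL store, so the stated embedder contract and the enforced one no longer match; the same applies to the SharedArrayBuffer::New hunk below. I would update the comment in both places to `// Embedders must guarantee that the external backing store is valid; a NULL store is accepted only when byte_length == 0.` so the exception is documented where the precondition is checked. Whether the code that later consumes `data` (the rest of ArrayBuffer::New, which continues outside the hunk) tolerates a NULL pointer for every ArrayBufferCreationMode is not visible here and is worth confirming, since a zero-length buffer created with an externalized-but-owned mode would presumably pass NULL on to whatever releases the store.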
@@ -6759,7 +6759,7 @@ Local<SharedArrayBuffer> v8::SharedArrayBuffer::New(
     ArrayBufferCreationMode mode) {
   CHECK(i::FLAG_harmony_sharedarraybuffer);
   // Embedders must guarantee that the external backing store is valid.
-  CHECK(data != NULL);
+  CHECK(byte_length == 0 || data != NULL);
   i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
   LOG_API(i_isolate, "v8::SharedArrayBuffer::New(void*, size_t)");
   ENTER_V8(i_isolate);
diff --git a/test/mjsunit/regress/regress-crbug-522496.js b/test/mjsunit/regress/regress-crbug-522496.js
new file mode 100644 (file)
index 0000000..e47e0a0
--- /dev/null
@@ -0,0 +1,9 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+  var worker = new Worker("onmessage = function(){}");
+  var buf = new ArrayBuffer();
+  worker.postMessage(buf, [buf]);
+}
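Review bot: The regression test has no assertion and no explanation of what it guards, so a reader cannot tell that it is a crash-only test or that the interesting input is the zero-length `new ArrayBuffer()` being transferred via postMessage. A one-line comment before the `if` such as `// Transferring a zero-length ArrayBuffer (NULL backing store) used to hit a CHECK in v8::ArrayBuffer::New.` would make the intent clear. Note that the test passes vacuously in any shell where `this.Worker` is undefined, which is presumably intentional but worth a word in the same comment.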