From 4d6c309777ac11a22267605c3d7e159072750feb Mon Sep 17 00:00:00 2001
From: binji
Date: Wed, 10 Jun 2015 00:33:43 -0700
Subject: [PATCH] Fix cluster-fuzz bug introduced in refs/heads/master@{#28796}.

Don't DCHECK when neutering that the buffer is not a SharedArrayBuffer;
instead, just return early.

BUG=chromium:498142,chromium:497295
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1174753002

Cr-Commit-Position: refs/heads/master@{#28892}
---
 src/runtime/runtime-typedarray.cc | 2 +-
 test/mjsunit/regress/regress-crbug-498142.js | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-498142.js

diff --git a/src/runtime/runtime-typedarray.cc b/src/runtime/runtime-typedarray.cc
index 217d739..0c4223c 100644
--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@@ -144,7 +144,7 @@ RUNTIME_FUNCTION(Runtime_ArrayBufferNeuter) {
 return isolate->heap()->undefined_value();
 }
 // Shared array buffers should never be neutered.
- DCHECK(!array_buffer->is_shared());
+ RUNTIME_ASSERT(!array_buffer->is_shared());
 DCHECK(!array_buffer->is_external());
 void* backing_store = array_buffer->backing_store();
 size_t byte_length = NumberToSize(isolate, array_buffer->byte_length());
diff --git a/test/mjsunit/regress/regress-crbug-498142.js b/test/mjsunit/regress/regress-crbug-498142.js
new file mode 100644
index 0000000..fcec5d1
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-498142.js
@@ -0,0 +1,8 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --harmony-sharedarraybuffer
+
+var sab = new SharedArrayBuffer(16);
+assertThrows(function() { %ArrayBufferNeuter(sab); });
-- 
2.7.4
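Review bot: The comment on the line above the changed check still describes an invariant ("should never be neutered") while the line it now annotates is a runtime rejection of caller-controlled input, and the commit message says the function "returns early" whereas the new regression test asserts that `%ArrayBufferNeuter(sab)` throws; the comment should state which behaviour is intended. Suggest `// Shared array buffers must never be neutered: this runtime function is reachable from natives syntax with any buffer, so reject a shared one here (a DCHECK would only crash debug builds).` — releasing a backing store that other agents may still reference is presumably the use-after-free this check exists to prevent, which is why it needs to hold in release builds. The `DCHECK(!array_buffer->is_external())` on the next line is still debug-only on the same fuzzer-reachable path; if an external buffer can reach this function it deserves the same `RUNTIME_ASSERT` treatment, though I cannot tell from the hunk whether that is possible. Runtime_ArrayBufferNeuter begins before this hunk and its body continues past it.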
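Review bot: The test proves the call throws but not that the buffer survived the rejected neuter, so a regression that freed the backing store before throwing would still pass; add `assertEquals(16, sab.byteLength);` after the `assertThrows` line. `assertThrows` is also called without an expected error constructor, so any exception (including one from a mistyped natives call) satisfies it; if the error type raised by the runtime assertion is stable, pass it as the second argument to pin it. The file is complete within the hunk.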