From df1f72bbf1cafb3338cce88b88013b377531eb82 Mon Sep 17 00:00:00 2001
From: binji <binji@chromium.org>
Date: Mon, 3 Aug 2015 10:07:48 -0700
Subject: [PATCH] [d8 worker] Fix regression when serializing very large
 arraybuffer

BUG=chromium:514081
R=jarin@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1264723002

Cr-Commit-Position: refs/heads/master@{#29982}
---
 src/d8.cc                                    |  9 ++++-----
 test/mjsunit/regress/regress-crbug-514081.js | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-514081.js

diff --git a/src/d8.cc b/src/d8.cc
index 5e049fa..0944b9e 100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -2077,16 +2077,15 @@ bool Shell::SerializeValue(Isolate* isolate, Local<Value> value,
     } else {
       ArrayBuffer::Contents contents = array_buffer->GetContents();
       // Clone ArrayBuffer
-      if (contents.ByteLength() > i::kMaxUInt32) {
+      if (contents.ByteLength() > i::kMaxInt) {
         Throw(isolate, "ArrayBuffer is too big to clone");
         return false;
       }
 
-      int byte_length = static_cast<int>(contents.ByteLength());
+      int32_t byte_length = static_cast<int32_t>(contents.ByteLength());
       out_data->WriteTag(kSerializationTagArrayBuffer);
       out_data->Write(byte_length);
-      out_data->WriteMemory(contents.Data(),
-                            static_cast<int>(contents.ByteLength()));
+      out_data->WriteMemory(contents.Data(), byte_length);
     }
   } else if (value->IsSharedArrayBuffer()) {
     Local<SharedArrayBuffer> sab = Local<SharedArrayBuffer>::Cast(value);
@@ -2212,7 +2211,7 @@ MaybeLocal<Value> Shell::DeserializeValue(Isolate* isolate,
       break;
     }
     case kSerializationTagArrayBuffer: {
-      int byte_length = data.Read<int>(offset);
+      int32_t byte_length = data.Read<int32_t>(offset);
       Local<ArrayBuffer> array_buffer = ArrayBuffer::New(isolate, byte_length);
       ArrayBuffer::Contents contents = array_buffer->GetContents();
       DCHECK(static_cast<size_t>(byte_length) == contents.ByteLength());
diff --git a/test/mjsunit/regress/regress-crbug-514081.js b/test/mjsunit/regress/regress-crbug-514081.js
new file mode 100644
index 0000000..1acd831
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-514081.js
@@ -0,0 +1,15 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+  var __v_7 = new Worker('onmessage = function() {};');
+  try {
+    var ab = new ArrayBuffer(2147483648);
+    // If creating the ArrayBuffer succeeded, then postMessage should fail.
+    assertThrows(function() { __v_7.postMessage(ab); });
+  } catch (e) {
+    // Creating the ArrayBuffer failed.
+    assertInstanceof(e, RangeError);
+  }
+}
-- 
2.7.4