From e291b78a8ef4f5898052c58cdd3e85e430d86202 Mon Sep 17 00:00:00 2001
From: binji
Date: Mon, 29 Jun 2015 08:53:08 -0700
Subject: [PATCH] Fix cluster-fuzz found regression in d8 Workers.

This one occurs when Function.prototype.toString is overridden to return a non-string.

BUG=chromium:504729
R=mstarzinger@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1214803004

Cr-Commit-Position: refs/heads/master@{#29351}
---
 src/d8.cc | 4 ++++
 test/mjsunit/regress/regress-crbug-504729.js | 9 +++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-crbug-504729.js

diff --git a/src/d8.cc b/src/d8.cc
index 5022d93..94795cb 100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -704,6 +704,10 @@ void Shell::WorkerNew(const v8::FunctionCallbackInfo& args) {
 workers_.Add(worker);

 String::Utf8Value function_string(args[0]->ToString());
+ if (!*function_string) {
+ Throw(args.GetIsolate(), "Function.prototype.toString failed");
+ return;
+ }
 worker->StartExecuteInThread(isolate, *function_string);
 }
 }
diff --git a/test/mjsunit/regress/regress-crbug-504729.js b/test/mjsunit/regress/regress-crbug-504729.js
new file mode 100644
index 0000000..2a79054
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-504729.js
@@ -0,0 +1,9 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+ Function.prototype.toString = "foo";
+ function __f_7() {}
+ assertThrows(function() { var __v_5 = new Worker(__f_7); });
+}
-- 
2.7.4
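Review bot: The new guard detects that `args[0]->ToString()` failed only indirectly, by testing `*function_string` for null after the `Utf8Value` has already been constructed from an empty handle; checking the conversion result directly reads more clearly and avoids building the value at all, e.g. `Local<String> source; if (!args[0]->ToString(isolate->GetCurrentContext()).ToLocal(&source)) return;` followed by `String::Utf8Value function_string(source);`. The failed `ToString()` presumably already left the JavaScript exception pending, so the additional `Throw(args.GetIsolate(), "Function.prototype.toString failed")` may replace the original TypeError with a less informative message; the regression test only asserts that something is thrown, so which exception the caller sees is worth confirming. The worker was registered via `workers_.Add(worker)` two lines earlier, so the early return leaves an entry in `workers_` whose thread was never started; if shutdown joins or otherwise drives every registered worker, confirm that an unstarted Worker is tolerated, or perform the conversion before adding it to the list. Shell::WorkerNew begins outside the hunk.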