From ed3e5d1f3a57ad1756b4276235e1a72033f2f16f Mon Sep 17 00:00:00 2001
From: jochen <jochen@chromium.org>
Date: Mon, 3 Aug 2015 09:11:14 -0700
Subject: [PATCH] Check whether a typed array was neutered before writing to it

As demanded by the spec.

BUG=chromium:516251
R=jkummerow@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1261453004

Cr-Commit-Position: refs/heads/master@{#29981}
---
 src/objects.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/objects.cc b/src/objects.cc
index 1a0a368..8aa73d6 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3426,6 +3426,12 @@ MaybeHandle<Object> Object::SetDataProperty(LookupIterator* it,
       // have been invalidated since typed array elements cannot be reconfigured
       // in any way.
       it->ReloadHolderMap();
+
+      // We have to recheck the length. However, it can only change if the
+      // underlying buffer was neutered, so just check that.
+      if (Handle<JSArrayBufferView>::cast(receiver)->WasNeutered()) {
+        return value;
+      }
     }
   }
 
-- 
2.7.4