Reviewers: Michael Starzinger,

Description:
Fix a regression in d8 Workers found by ClusterFuzz.

This one occurs when Function.prototype.toString is overridden to return a
non-string.

BUG=chromium:504729
[email protected]
LOG=n

Please review this at https://codereview.chromium.org/1214803004/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+7, -4 lines):
  M src/d8.cc
  A + test/mjsunit/regress/regress-crbug-504729.js


Index: src/d8.cc
diff --git a/src/d8.cc b/src/d8.cc
index e165aa47e020e377c713872c552d255ca7acf2f4..3b5accb40f4c0870caf408b124850a2fd5e62d15 100644
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -704,6 +704,10 @@ void Shell::WorkerNew(const v8::FunctionCallbackInfo<v8::Value>& args) {
     workers_.Add(worker);

     String::Utf8Value function_string(args[0]->ToString());
+    if (!*function_string) {
+      Throw(args.GetIsolate(), "Function.prototype.toString failed");
+      return;
+    }
     worker->StartExecuteInThread(isolate, *function_string);
   }
 }
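Review bot: The early `return` in the added null check runs after `workers_.Add(worker);`, so a worker whose source string could not be produced stays registered in `workers_` without its thread ever being started. Shell::WorkerNew begins outside this hunk, so I cannot see how the list is later drained, but any cleanup that terminates or joins every entry would then operate on an unstarted worker. Consider moving `String::Utf8Value function_string(args[0]->ToString());` and the `if (!*function_string)` check above `workers_.Add(worker);` so that only startable workers are registered. It is also worth confirming whether the failed `ToString()` has already left an exception pending on the isolate before `Throw(...)` schedules a second one.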
Index: test/mjsunit/regress/regress-crbug-504729.js
diff --git a/test/mjsunit/regress/regress-crbug-503698.js b/test/mjsunit/regress/regress-crbug-504729.js
similarity index 66%
copy from test/mjsunit/regress/regress-crbug-503698.js
copy to test/mjsunit/regress/regress-crbug-504729.js
index 274eb5a99e9bc392107d933400f1ff2a3aab0e13..4ea058d938ae4d4a15f7e84573e2fef472108c2b 100644
--- a/test/mjsunit/regress/regress-crbug-503698.js
+++ b/test/mjsunit/regress/regress-crbug-504729.js
@@ -2,9 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-// Flags: --invoke-weak-callbacks
-
 if (this.Worker) {
-  function __f_1() {}
-  var __v_6 = new Worker(__f_1);
+  Function.prototype.toString = "foo";
+  function __f_7() {}
+  var __v_5 = new Worker(__f_7);
 }
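Review bot: The regression test calls `new Worker(__f_7)` bare, so it only checks that d8 does not crash and does not pin the behaviour the fix introduces. If the `Throw(...)` added in src/d8.cc surfaces as a JavaScript exception from the constructor, this call would exit the script with an uncaught error. Wrapping it as `assertThrows(function() { new Worker(__f_7); });` would make the expected outcome explicit. A one-line comment above the `Function.prototype.toString = "foo";` assignment, such as `// toString is replaced by a non-callable value, so converting the function to a string fails`, would also help, since the commit description speaks of toString returning a non-string.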

