Side by Side Diff: src/d8.cc

Issue 1204753002: Fix cluster-fuzz found regression in d8 when deserializing ArrayBuffer (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Created 5 years, 6 months ago
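--- a/src/d8.cc
+++ b/src/d8.cc
@@ -1,10 +1,10 @@
 // Copyright 2012 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 
 // Defined when linking against shared lib on Windows.
 #if defined(USING_V8_SHARED) && !defined(V8_SHARED)
 #define V8_SHARED
 #endif
 
@@ -2144,21 +2144,20 @@
 }
 result = array;
 break;
 }
 case kSerializationTagObject: {
 int length = data.Read<int>(offset);
 Handle<Object> object = Object::New(isolate);
 for (int i = 0; i < length; ++i) {
 Local<Value> property_name;
 CHECK(DeserializeValue(isolate, data, offset).ToLocal(&property_name));
-DCHECK(property_name->IsString());
 Local<Value> property_value;
 CHECK(DeserializeValue(isolate, data, offset).ToLocal(&property_value));
 object->Set(property_name, property_value);
 }
 result = object;
 break;
 }
 case kSerializationTagArrayBuffer: {
 int byte_length = data.Read<int>(offset);
 Handle<ArrayBuffer> array_buffer = ArrayBuffer::New(isolate, byte_length);
@@ -2398,10 +2397,10 @@
 }
 
 } // namespace v8
 
 
 #ifndef GOOGLE3
 int main(int argc, char* argv[]) {
 return v8::Shell::Main(argc, argv);
 }
 #endif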
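Review bot: Dropping the `DCHECK(property_name->IsString())` in the kSerializationTagObject case widens what the deserializer accepts as a property key without recording why, so the next reader of the loop will not know that non-string keys are expected here or that `object->Set(property_name, property_value)` is now relied on to handle them. Suggest a comment above the `Set` call such as `// Keys are not guaranteed to be strings (crbug.com/503578); Object::Set takes a Local<Value> key and is expected to convert it.`, with the conversion claim confirmed against the Object::Set overload in use. The return value of that `Set` call is discarded, so if key conversion or the property store fails the loop continues and the error surfaces elsewhere, if at all; if that is acceptable for d8's serializer it is worth saying so in the same comment. Note also that `length` and `byte_length` are taken from the data stream and bounded only by the CHECKs, which abort rather than reject malformed input. DeserializeValue begins outside this hunk.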