Commit 173b69f0 authored by mvstanton's avatar mvstanton Committed by Commit bot

ClusterFuzz fix: %NormalizeElements shouldn't process the global proxy.

BUG=449070
R=yangguo@chromium.org
LOG=N

Review URL: https://codereview.chromium.org/859713002

Cr-Commit-Position: refs/heads/master@{#26126}
parent 3a53f2fd
......@@ -1170,7 +1170,8 @@ RUNTIME_FUNCTION(Runtime_NormalizeElements) {
DCHECK(args.length() == 1);
CONVERT_ARG_HANDLE_CHECKED(JSObject, array, 0);
RUNTIME_ASSERT(!array->HasExternalArrayElements() &&
!array->HasFixedTypedArrayElements());
!array->HasFixedTypedArrayElements() &&
!array->IsJSGlobalProxy());
JSObject::NormalizeElements(array);
return *array;
}
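Review bot: The new `!array->IsJSGlobalProxy()` clause in the `RUNTIME_ASSERT` carries no comment saying why the global proxy is rejected, so the reason is only recoverable from the commit message. I would add above the assert `// The global proxy must not reach NormalizeElements; see BUG=449070 (ClusterFuzz).`. The guard also lives only in this runtime entry point. `JSObject::NormalizeElements` is defined outside the hunk, so it is not visible whether it enforces the same precondition for its other callers. A `DCHECK` on the same condition inside it would catch those paths in debug builds, if one is not already there.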
......
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
try {
%NormalizeElements(this);
} catch(e) {
}
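Review bot: The empty `catch(e) {}` accepts every outcome except a crash, so this test still passes if `%NormalizeElements(this)` stops rejecting the global proxy in a configuration where that does not crash. At minimum I would state the intent above the `try`, e.g. `// Must not crash: %NormalizeElements rejects the global proxy (top-level this).`. If the failed `RUNTIME_ASSERT` is meant to surface as a JavaScript exception, as the try/catch suggests, the test could set a flag inside the `catch` and assert it afterwards so that a silent success is reported as a failure.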