ClusterFuzz fix: %NormalizeElements shouldn't process the global proxy.

BUG=449070 R=yangguo@chromium.org LOG=N Review URL: https://codereview.chromium.org/859713002 Cr-Commit-Position: refs/heads/master@{#26126}

ClusterFuzz fix: %NormalizeElements shouldn't process the global proxy.
BUG=449070 R=yangguo@chromium.org LOG=N Review URL: https://codereview.chromium.org/859713002 Cr-Commit-Position: refs/heads/master@{#26126}
173b69f0 · mvstanton · Commit bot · 3a53f2fd · 173b69f0 · 173b69f0
Commit 173b69f0 authored Jan 19, 2015 by mvstanton Committed by Commit bot Jan 19, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletion

runtime-array.cc src/runtime/runtime-array.cc +2 -1

regress-449070.js test/mjsunit/regress/regress-449070.js +10 -0

No files found.
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -1170,7 +1170,8 @@ RUNTIME_FUNCTION(Runtime_NormalizeElements) {
  DCHECK(args.length() == 1);
  CONVERT_ARG_HANDLE_CHECKED(JSObject, array, 0);
  RUNTIME_ASSERT(!array->HasExternalArrayElements() &&
-                 !array->HasFixedTypedArrayElements());
+                 !array->HasFixedTypedArrayElements() &&
+                 !array->IsJSGlobalProxy());
  JSObject::NormalizeElements(array);
  return *array;
 }

--- a/test/mjsunit/regress/regress-449070.js
+++ b/test/mjsunit/regress/regress-449070.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+try {
+  %NormalizeElements(this);
+} catch(e) {
+}