Fix cluster-fuzz bug introduced in refs/heads/master@{#28796}.

Don't DCHECK when neutering that the buffer is not a SharedArrayBuffer; instead, just return early. BUG=chromium:498142,chromium:497295 R=jarin@chromium.org LOG=n Review URL: https://codereview.chromium.org/1174753002 Cr-Commit-Position: refs/heads/master@{#28892}

Fix cluster-fuzz bug introduced in refs/heads/master@{#28796}.
Don't DCHECK when neutering that the buffer is not a SharedArrayBuffer; instead, just return early. BUG=chromium:498142,chromium:497295 R=jarin@chromium.org LOG=n Review URL: https://codereview.chromium.org/1174753002 Cr-Commit-Position: refs/heads/master@{#28892}
4d6c3097 · binji · Commit bot · f83444a5 · 4d6c3097 · 4d6c3097
Commit 4d6c3097 authored Jun 10, 2015 by binji Committed by Commit bot Jun 10, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

runtime-typedarray.cc src/runtime/runtime-typedarray.cc +1 -1

regress-crbug-498142.js test/mjsunit/regress/regress-crbug-498142.js +8 -0

No files found.
--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@@ -144,7 +144,7 @@ RUNTIME_FUNCTION(Runtime_ArrayBufferNeuter) {
    return isolate->heap()->undefined_value();
  }
  // Shared array buffers should never be neutered.
-  DCHECK(!array_buffer->is_shared());
+  RUNTIME_ASSERT(!array_buffer->is_shared());
  DCHECK(!array_buffer->is_external());
  void* backing_store = array_buffer->backing_store();
  size_t byte_length = NumberToSize(isolate, array_buffer->byte_length());

--- a/test/mjsunit/regress/regress-crbug-498142.js
+++ b/test/mjsunit/regress/regress-crbug-498142.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --harmony-sharedarraybuffer
+
+var sab = new SharedArrayBuffer(16);
+assertThrows(function() { %ArrayBufferNeuter(sab); });