Fix cluster-fuzz found regression in d8 Workers

v8::Internal::List will DCHECK when indexing out of the array, even if just to get the address, and the value is never used. So this construct will fail: memcpy(p, &data[0], length); When data is empty and length is 0. BUG=chromium:505778 R=mstarzinger@chromium.org LOG=n Review URL: https://codereview.chromium.org/1216853003 Cr-Commit-Position: refs/heads/master@{#29388}

Fix cluster-fuzz found regression in d8 Workers
v8::Internal::List will DCHECK when indexing out of the array, even if just to get the address, and the value is never used. So this construct will fail: memcpy(p, &data[0], length); When data is empty and length is 0. BUG=chromium:505778 R=mstarzinger@chromium.org LOG=n Review URL: https://codereview.chromium.org/1216853003 Cr-Commit-Position: refs/heads/master@{#29388}
abaa094a · binji · Commit bot · 316ff3d8 · abaa094a · abaa094a
Commit abaa094a authored Jun 30, 2015 by binji Committed by Commit bot Jun 30, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 2 deletions

d8.cc src/d8.cc +4 -2

regress-crbug-505778.js test/mjsunit/regress/regress-crbug-505778.js +11 -0

No files found.
--- a/src/d8.cc
+++ b/src/d8.cc
@@ -1578,8 +1578,10 @@ SerializationTag SerializationData::ReadTag(int* offset) const {


 void SerializationData::ReadMemory(void* p, int length, int* offset) const {
-  memcpy(p, &data[*offset], length);
-  (*offset) += length;
+  if (length > 0) {
+    memcpy(p, &data[*offset], length);
+    (*offset) += length;
+  }
 }



--- a/test/mjsunit/regress/regress-crbug-505778.js
+++ b/test/mjsunit/regress/regress-crbug-505778.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+if (this.Worker) {
+  function __f_3() {
+    onmessage = function() {}
+  }
+  var __v_7 = new Worker(__f_3);
+  __v_7.postMessage("");
+}