Commit c3856de3 authored by jbroman's avatar jbroman Committed by Commit bot

ValueSerializer: Check for zero length before casting to FixedDoubleArray.

Even though the elements kind is FAST_DOUBLE_ELEMENTS, if length is zero
the isolate's empty_fixed_array is used. It's illegal to cast this to
FixedDoubleArray, so we avoid the cast.

BUG=chromium:686479

Review-Url: https://codereview.chromium.org/2665313003
Cr-Commit-Position: refs/heads/master@{#42867}
parent 4975ac41
...@@ -554,6 +554,9 @@ Maybe<bool> ValueSerializer::WriteJSArray(Handle<JSArray> array) { ...@@ -554,6 +554,9 @@ Maybe<bool> ValueSerializer::WriteJSArray(Handle<JSArray> array) {
break; break;
} }
case FAST_DOUBLE_ELEMENTS: { case FAST_DOUBLE_ELEMENTS: {
// Elements are empty_fixed_array, not a FixedDoubleArray, if the array
// is empty. No elements to encode in this case anyhow.
if (length == 0) break;
Handle<FixedDoubleArray> elements( Handle<FixedDoubleArray> elements(
FixedDoubleArray::cast(array->elements()), isolate_); FixedDoubleArray::cast(array->elements()), isolate_);
for (; i < length; i++) { for (; i < length; i++) {
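Review bot: the new guard `if (length == 0) break;` keys on the array length rather than on the actual type of `array->elements()`, so the unchecked `FixedDoubleArray::cast` on the following line still has no runtime protection if the elements object is ever something other than a FixedDoubleArray for a non-zero length; consider adding `DCHECK(array->elements()->IsFixedDoubleArray());` right after the guard so the invariant that the comment on the two preceding lines describes is documented in code and caught in debug builds. Also worth confirming that nothing after the `for` loop in this `case` (outside the visible context) is expected to run for the empty array, since `break` leaves the whole case rather than just skipping the cast and loop.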
......