Gracefully fail in ValueDeserializer.

Bug: chromium:905940, chromium:907343

R=verwaest@chromium.org

Change-Id: Ibe8f06782f8a0bf9a09832d443e1c66c3bda8399
Reviewed-on: https://chromium-review.googlesource.com/c/1362046Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58040}

src/value-serializer.cc

@@ -1471,7 +1471,9 @@ MaybeHandle<JSArray> ValueDeserializer::ReadDenseJSArray() {
     if (version_ < 11 && element->IsUndefined(isolate_)) continue;
 
     // Safety check.
-    CHECK_LT(i, static_cast<uint32_t>(elements->length()));
+    if (i >= static_cast<uint32_t>(elements->length())) {
+      return MaybeHandle<JSArray>();
+    }
 
     elements->set(i, *element);
   }
@@ -1985,8 +1987,7 @@ Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties(
       bool success;
       LookupIterator it = LookupIterator::PropertyOrElement(
           isolate_, object, key, &success, LookupIterator::OWN);
-      CHECK_EQ(LookupIterator::NOT_FOUND, it.state());
-      if (!success ||
+      if (!success || it.state() != LookupIterator::NOT_FOUND ||
           JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, NONE)
               .is_null()) {
         return Nothing<uint32_t>();
@@ -2020,8 +2021,7 @@ Maybe<uint32_t> ValueDeserializer::ReadJSObjectProperties(
     bool success;
     LookupIterator it = LookupIterator::PropertyOrElement(
         isolate_, object, key, &success, LookupIterator::OWN);
-    CHECK_EQ(LookupIterator::NOT_FOUND, it.state());
-    if (!success ||
+    if (!success || it.state() != LookupIterator::NOT_FOUND ||
         JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, NONE)
             .is_null()) {
       return Nothing<uint32_t>();
@@ -2068,8 +2068,7 @@ static Maybe<bool> SetPropertiesFromKeyValuePairs(Isolate* isolate,
     bool success;
     LookupIterator it = LookupIterator::PropertyOrElement(
         isolate, object, key, &success, LookupIterator::OWN);
-    CHECK_EQ(LookupIterator::NOT_FOUND, it.state());
-    if (!success ||
+    if (!success || it.state() != LookupIterator::NOT_FOUND ||
         JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, NONE)
             .is_null()) {
       return Nothing<bool>();

test/unittests/value-serializer-unittest.cc

@@ -1871,19 +1871,15 @@ TEST_F(ValueSerializerTest, DecodeDataView) {
 }
 
 TEST_F(ValueSerializerTest, DecodeArrayWithLengthProperty1) {
-  ASSERT_DEATH_IF_SUPPORTED(
-      DecodeTest({0xff, 0x0d, 0x41, 0x03, 0x49, 0x02, 0x49, 0x04,
-                  0x49, 0x06, 0x22, 0x06, 0x6c, 0x65, 0x6e, 0x67,
-                  0x74, 0x68, 0x49, 0x02, 0x24, 0x01, 0x03}),
-      ".*LookupIterator::NOT_FOUND == it.state\\(\\).*");
+  InvalidDecodeTest({0xff, 0x0d, 0x41, 0x03, 0x49, 0x02, 0x49, 0x04,
+                     0x49, 0x06, 0x22, 0x06, 0x6c, 0x65, 0x6e, 0x67,
+                     0x74, 0x68, 0x49, 0x02, 0x24, 0x01, 0x03});
 }
 
 TEST_F(ValueSerializerTest, DecodeArrayWithLengthProperty2) {
-  ASSERT_DEATH_IF_SUPPORTED(
-      DecodeTest({0xff, 0x0d, 0x41, 0x03, 0x49, 0x02, 0x49, 0x04,
-                  0x49, 0x06, 0x22, 0x06, 0x6c, 0x65, 0x6e, 0x67,
-                  0x74, 0x68, 0x6f, 0x7b, 0x00, 0x24, 0x01, 0x03}),
-      ".*LookupIterator::NOT_FOUND == it.state\\(\\).*");
+  InvalidDecodeTest({0xff, 0x0d, 0x41, 0x03, 0x49, 0x02, 0x49, 0x04,
+                     0x49, 0x06, 0x22, 0x06, 0x6c, 0x65, 0x6e, 0x67,
+                     0x74, 0x68, 0x6f, 0x7b, 0x00, 0x24, 0x01, 0x03});
 }
 
 TEST_F(ValueSerializerTest, DecodeInvalidDataView) {