Commit e291b78a authored by binji's avatar binji Committed by Commit bot

Fix cluster-fuzz found regression in d8 Workers.

This one occurs when Function.prototype.toString is overridden to return a
non-string.

BUG=chromium:504729
R=mstarzinger@chromium.org
LOG=n

Review URL: https://codereview.chromium.org/1214803004

Cr-Commit-Position: refs/heads/master@{#29351}
parent 93c43523
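--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -704,6 +704,10 @@ void Shell::WorkerNew(const v8::FunctionCallbackInfo<v8::Value>& args) {
 workers_.Add(worker);
 String::Utf8Value function_string(args[0]->ToString());
+if (!*function_string) {
+Throw(args.GetIsolate(), "Function.prototype.toString failed");
+return;
+}
 worker->StartExecuteInThread(isolate, *function_string);
 }
 }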
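Review bot: The new early `return;` runs after `workers_.Add(worker)` two lines above it, so a Worker whose source could not be obtained stays registered in `workers_` without ever being started; either perform the `function_string` check before the `Add` call or take the worker back out before returning. Whether the shutdown path tolerates a never-started worker cannot be seen from this hunk. The new code also passes `args.GetIsolate()` to `Throw` while the next line already uses the in-scope `isolate`; `Throw(isolate, "Function.prototype.toString failed");` would be consistent. Note that `*function_string` is presumably null because `ToString()` returned an empty handle, which may mean the script's own `toString` already raised an exception, in which case `Throw` is reporting a second error on top of a pending one — worth confirming against the API contract. The start of `Shell::WorkerNew` lies outside the hunk.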
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
if (this.Worker) {
Function.prototype.toString = "foo";
function __f_7() {}
assertThrows(function() { var __v_5 = new Worker(__f_7); });
}
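Review bot: The regression test exercises a non-callable `Function.prototype.toString` (it is assigned the string `"foo"`), whereas the commit message describes a `toString` that is overridden to return a non-string; only the first scenario is covered here. A second case would cover the described one, e.g. `Function.prototype.toString = function() { return {}; };` followed by another `assertThrows(function() { new Worker(__f_7); });`. The `assertThrows` call does not pin the error type, so a future change that throws a different error would still pass; if the intended type is known, passing it as the second argument makes the test stricter.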