[foozzie] Properly stub out typed array constructor

When using correctness fuzzing, this makes sure all non-object arguments to typed array constructors are bound by 1MiB when interpreted as numbers. NOTRY=true Bug: chromium:910962 Change-Id: I66e87ece27aae7c5fa88429c5d1f1f478de702ae Reviewed-on: https://chromium-review.googlesource.com/c/1369959 Commit-Queue: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Mathias Bynens <mathias@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#58144}

[foozzie] Properly stub out typed array constructor
When using correctness fuzzing, this makes sure all non-object arguments to typed array constructors are bound by 1MiB when interpreted as numbers. NOTRY=true Bug: chromium:910962 Change-Id: I66e87ece27aae7c5fa88429c5d1f1f478de702ae Reviewed-on: https://chromium-review.googlesource.com/c/1369959 Commit-Queue: Michael Achenbach <machenbach@chromium.org> Reviewed-by: Mathias Bynens <mathias@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#58144}
fdcaa3d4 · Michael Achenbach · Commit Bot · cc636ba7 · fdcaa3d4
Commit fdcaa3d4 authored Dec 11, 2018 by Michael Achenbach Committed by Commit Bot Dec 11, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 9 deletions

v8_mock_archs.js tools/clusterfuzz/v8_mock_archs.js +4 -9

No files found.
--- a/tools/clusterfuzz/v8_mock_archs.js
+++ b/tools/clusterfuzz/v8_mock_archs.js
@@ -15,15 +15,10 @@
  var mock = function(arrayType) {
    var handler = {
      construct: function(target, args) {
-        var arrayLength = args[0]
-        if (args.length > 0 &&
-            Number.isInteger(args[0]) &&
-            args[0] > 1048576) {
-          args[0] = 1048576
-        } else if (args.length > 2 &&
-                   Number.isInteger(args[2]) &&
-                   args[2] > 1048576) {
-          args[2] = 1048576
+        for (let i = 0; i < args.length; i++) {
+          if (typeof args[i] != "object") {
+            args[i] = Math.min(1048576, args[i]);
+          }
        }
        return new (
            Function.prototype.bind.apply(arrayType, [null].concat(args)));