• Georg Neis's avatar
    [csa] Make JSProxy's CheckGetSetTrapResult bailout for certain names · b9962a9a
    Georg Neis authored
    The TryGetOwnProperty code supports only unique names that are not
    array indices. Unfortunately, this is neither obvious from its type,
    nor from its comment, nor from its code.
    
    ProxiesCodeStubAssembler::CheckHasTrapResult violated the assumption
    and was already fixed a few days ago. This CL fixes
    CheckGetSetTrapResult and improves our code documentation in the
    form of comments and assertions. Concretely:
    
    - Add CodeStubAssembler::IsUniqueName and IsUniqueNameNoIndex
    - Use IsUniqueNameNoIndex in CheckGetSetTrapResult to guard
      TryGetOwnProperty (bailout to runtime if not satisfied).
    - Similarly, use IsUniqueNameNoIndex to simplify the previous fix in
      CheckHasTrapResult.
    - Add a IsUniqueNameNoIndex CSA_ASSERT to TryGetOwnProperty and a few
      other places to avoid such bugs in the future.
    - Add a IsUniqueName CSA_ASSERT to a few places where we apparently
      expect unique names (I don't know if those allow indices or not).
    - Add a DCHECK to Name::IsUniqueName to ensure and document that this
      shortcut version is equivalent to HeapObject::IsUniqueName.
    
    Bug: chromium:937618
    Change-Id: Id4a18ab2a0e9c7591b087dd0c9fe018aa9b9ef3a
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1514732
    Auto-Submit: Georg Neis <neis@chromium.org>
    Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
    Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
    Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
    Commit-Queue: Georg Neis <neis@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#60196}
    b9962a9a
code-stub-assembler.h 170 KB