[runtime] Skip vector config for interceptors.

Do not preinitialize the feedback vector slot if the lookup iterator is an interceptor, because it is not guaranteed that the iterator has a PropertyCell. If the HandlerConfiguration has a non-masking intercepting setter, the iterator does not have a valid PropertyCell. BUG=chromium:656648 Review-Url: https://codereview.chromium.org/2674103002 Cr-Commit-Position: refs/heads/master@{#43034}

[runtime] Skip vector config for interceptors.
Do not preinitialize the feedback vector slot if the lookup iterator is an interceptor, because it is not guaranteed that the iterator has a PropertyCell. If the HandlerConfiguration has a non-masking intercepting setter, the iterator does not have a valid PropertyCell. BUG=chromium:656648 Review-Url: https://codereview.chromium.org/2674103002 Cr-Commit-Position: refs/heads/master@{#43034}
0c137304 · franzih · Commit bot · b90d9205 · 0c137304 · 0c137304
Commit 0c137304 authored Feb 08, 2017 by franzih Committed by Commit bot Feb 08, 2017
Show whitespace changes
Inline Side-by-side

Showing with 27 additions and 1 deletion

runtime-scopes.cc src/runtime/runtime-scopes.cc +2 -1

test-api-interceptors.cc test/cctest/test-api-interceptors.cc +25 -0

No files found.
--- a/src/runtime/runtime-scopes.cc
+++ b/src/runtime/runtime-scopes.cc
@@ -115,7 +115,8 @@ Object* DeclareGlobal(
  RETURN_FAILURE_ON_EXCEPTION(
      isolate, JSObject::DefineOwnPropertyIgnoreAttributes(&it, value, attr));

-  if (!feedback_vector.is_null()) {
+  if (!feedback_vector.is_null() &&
+      it.state() != LookupIterator::State::INTERCEPTOR) {
    DCHECK_EQ(*global, *it.GetHolder<Object>());
    // Preinitialize the feedback slot if the global object does not have
    // named interceptor or the interceptor is not masking.

--- a/test/cctest/test-api-interceptors.cc
+++ b/test/cctest/test-api-interceptors.cc
@@ -495,6 +495,12 @@ void SetterCallback(Local<Name> property, Local<Value> value,
  set_was_called_counter++;
 }

+void InterceptingSetterCallback(
+    Local<Name> property, Local<Value> value,
+    const v8::PropertyCallbackInfo<v8::Value>& info) {
+  info.GetReturnValue().Set(value);
+}
+
 }  // namespace

 // Check that get callback is called in defineProperty with accessor descriptor.
@@ -596,6 +602,25 @@ THREADED_TEST(InterceptorFunctionRedeclareWithQueryCallback) {
  v8::Script::Compile(ctx, code).ToLocalChecked()->Run(ctx).ToLocalChecked();
 }

+// Regression test for chromium bug 656648.
+// Do not crash on non-masking, intercepting setter callbacks.
+THREADED_TEST(NonMaskingInterceptor) {
+  v8::HandleScope scope(CcTest::isolate());
+  LocalContext env;
+  v8::Local<v8::FunctionTemplate> templ =
+      v8::FunctionTemplate::New(CcTest::isolate());
+
+  v8::Local<ObjectTemplate> object_template = templ->InstanceTemplate();
+  object_template->SetHandler(v8::NamedPropertyHandlerConfiguration(
+      nullptr, InterceptingSetterCallback, nullptr, nullptr, nullptr,
+      Local<Value>(), v8::PropertyHandlerFlags::kNonMasking));
+  v8::Local<v8::Context> ctx =
+      v8::Context::New(CcTest::isolate(), nullptr, object_template);
+
+  v8::Local<v8::String> code = v8_str("function x() {return 43;};");
+  v8::Script::Compile(ctx, code).ToLocalChecked()->Run(ctx).ToLocalChecked();
+}
+
 // Check that function re-declarations throw if they are read-only.
 THREADED_TEST(SetterCallbackFunctionDeclarationInterceptorThrow) {
  v8::HandleScope scope(CcTest::isolate());