Commit 1a94bc20 authored by yangguo's avatar yangguo Committed by Commit bot

Fix Error object value lookups.

Looking up 'name' and 'message' properties at the same time and loading
the properties later can cause assertion failure if one of the properties
is an accessor and calling it changes the holder map. That may invalidate
the other lookup.

R=jkummerow@chromium.org
BUG=chromium:542101
LOG=N

Review URL: https://codereview.chromium.org/1403923002

Cr-Commit-Position: refs/heads/master@{#31229}
parent 9b91bf3a
...@@ -400,10 +400,6 @@ MaybeHandle<String> ErrorToStringHelper::Stringify(Isolate* isolate, ...@@ -400,10 +400,6 @@ MaybeHandle<String> ErrorToStringHelper::Stringify(Isolate* isolate,
Handle<String> name_string = isolate->factory()->name_string(); Handle<String> name_string = isolate->factory()->name_string();
LookupIterator internal_error_lookup( LookupIterator internal_error_lookup(
error, internal_key, LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR); error, internal_key, LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
LookupIterator message_lookup(
error, message_string, LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
LookupIterator name_lookup(error, name_string,
LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
// Find out whether an internally created error object is on the prototype // Find out whether an internally created error object is on the prototype
// chain. If the name property is found on a holder prior to the internally // chain. If the name property is found on a holder prior to the internally
...@@ -412,24 +408,26 @@ MaybeHandle<String> ErrorToStringHelper::Stringify(Isolate* isolate, ...@@ -412,24 +408,26 @@ MaybeHandle<String> ErrorToStringHelper::Stringify(Isolate* isolate,
// Similar for the message property. If the message property shadows the // Similar for the message property. If the message property shadows the
// internally created error object, use that message property. Otherwise // internally created error object, use that message property. Otherwise
// use empty string as message. // use empty string as message.
if (internal_error_lookup.IsFound()) { LookupIterator name_lookup(error, name_string,
if (!ShadowsInternalError(isolate, &name_lookup, &internal_error_lookup)) { LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
if (internal_error_lookup.IsFound() &&
!ShadowsInternalError(isolate, &name_lookup, &internal_error_lookup)) {
Handle<JSObject> holder = internal_error_lookup.GetHolder<JSObject>(); Handle<JSObject> holder = internal_error_lookup.GetHolder<JSObject>();
name = Handle<String>(holder->constructor_name()); name = Handle<String>(holder->constructor_name());
} } else {
if (!ShadowsInternalError(isolate, &message_lookup,
&internal_error_lookup)) {
message = isolate->factory()->empty_string();
}
}
if (name.is_null()) {
ASSIGN_RETURN_ON_EXCEPTION( ASSIGN_RETURN_ON_EXCEPTION(
isolate, name, isolate, name,
GetStringifiedProperty(isolate, &name_lookup, GetStringifiedProperty(isolate, &name_lookup,
isolate->factory()->Error_string()), isolate->factory()->Error_string()),
String); String);
} }
if (message.is_null()) {
LookupIterator message_lookup(
error, message_string, LookupIterator::PROTOTYPE_CHAIN_SKIP_INTERCEPTOR);
if (internal_error_lookup.IsFound() &&
!ShadowsInternalError(isolate, &message_lookup, &internal_error_lookup)) {
message = isolate->factory()->empty_string();
} else {
ASSIGN_RETURN_ON_EXCEPTION( ASSIGN_RETURN_ON_EXCEPTION(
isolate, message, isolate, message,
GetStringifiedProperty(isolate, &message_lookup, GetStringifiedProperty(isolate, &message_lookup,
......
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
(function() {
Error.prototype.toString.call({
get name() { return { __proto__: this }; },
get message() { }
});
})();
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment