Pass in the original receiver to avoid use-after-return issues

BUG=chromium:622664 Review-Url: https://codereview.chromium.org/2092943003 Cr-Commit-Position: refs/heads/master@{#37254}

Pass in the original receiver to avoid use-after-return issues
BUG=chromium:622664 Review-Url: https://codereview.chromium.org/2092943003 Cr-Commit-Position: refs/heads/master@{#37254}
235ed700 · verwaest · Commit bot · cfcb3597 · 235ed700
Commit 235ed700 authored Jun 24, 2016 by verwaest Committed by Commit bot Jun 24, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 20 deletions

builtins.cc src/builtins.cc +21 -20

No files found.
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -5148,8 +5148,8 @@ template <bool is_construct>
 MUST_USE_RESULT MaybeHandle<Object> HandleApiCallHelper(
    Isolate* isolate, Handle<HeapObject> function,
    Handle<HeapObject> new_target, Handle<FunctionTemplateInfo> fun_data,
-    BuiltinArguments args) {
-  Handle<JSObject> receiver;
+    Handle<Object> receiver, BuiltinArguments args) {
+  Handle<JSObject> js_receiver;
  JSObject* raw_holder;
  if (is_construct) {
    DCHECK(args.receiver()->IsTheHole(isolate));
@@ -5162,33 +5162,33 @@ MUST_USE_RESULT MaybeHandle<Object> HandleApiCallHelper(
    Handle<ObjectTemplateInfo> instance_template(
        ObjectTemplateInfo::cast(fun_data->instance_template()), isolate);
    ASSIGN_RETURN_ON_EXCEPTION(
-        isolate, receiver,
+        isolate, js_receiver,
        ApiNatives::InstantiateObject(instance_template,
                                      Handle<JSReceiver>::cast(new_target)),
        Object);
-    args[0] = *receiver;
-    DCHECK_EQ(*receiver, *args.receiver());
+    args[0] = *js_receiver;
+    DCHECK_EQ(*js_receiver, *args.receiver());

-    raw_holder = *receiver;
+    raw_holder = *js_receiver;
  } else {
-    DCHECK(args.receiver()->IsJSReceiver());
+    DCHECK(receiver->IsJSReceiver());

-    Handle<JSReceiver> object = args.at<JSReceiver>(0);
-    if (!object->IsJSObject()) {
+    if (!receiver->IsJSObject()) {
      // This function cannot be called with the given receiver.  Abort!
      THROW_NEW_ERROR(
          isolate, NewTypeError(MessageTemplate::kIllegalInvocation), Object);
    }

-    receiver = Handle<JSObject>::cast(object);
+    js_receiver = Handle<JSObject>::cast(receiver);

-    if (!fun_data->accept_any_receiver() && receiver->IsAccessCheckNeeded() &&
-        !isolate->MayAccess(handle(isolate->context()), receiver)) {
-      isolate->ReportFailedAccessCheck(receiver);
+    if (!fun_data->accept_any_receiver() &&
+        js_receiver->IsAccessCheckNeeded() &&
+        !isolate->MayAccess(handle(isolate->context()), js_receiver)) {
+      isolate->ReportFailedAccessCheck(js_receiver);
      RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
    }

-    raw_holder = GetCompatibleReceiver(isolate, *fun_data, *receiver);
+    raw_holder = GetCompatibleReceiver(isolate, *fun_data, *js_receiver);

    if (raw_holder == nullptr) {
      // This function cannot be called with the given receiver.  Abort!
@@ -5206,7 +5206,7 @@ MUST_USE_RESULT MaybeHandle<Object> HandleApiCallHelper(
        v8::ToCData<v8::FunctionCallback>(callback_obj);
    Object* data_obj = call_data->data();

-    LOG(isolate, ApiObjectAccess("call", JSObject::cast(*args.receiver())));
+    LOG(isolate, ApiObjectAccess("call", JSObject::cast(*js_receiver)));

    FunctionCallbackArguments custom(isolate, data_obj, *function, raw_holder,
                                     *new_target, &args[0] - 1,
@@ -5216,7 +5216,7 @@ MUST_USE_RESULT MaybeHandle<Object> HandleApiCallHelper(

    RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
    if (result.is_null()) {
-      if (is_construct) return receiver;
+      if (is_construct) return js_receiver;
      return isolate->factory()->undefined_value();
    }
    // Rebox the result.
@@ -5224,7 +5224,7 @@ MUST_USE_RESULT MaybeHandle<Object> HandleApiCallHelper(
    if (!is_construct || result->IsJSObject()) return handle(*result, isolate);
  }

-  return receiver;
+  return js_receiver;
 }

 }  // namespace
@@ -5233,17 +5233,18 @@ MUST_USE_RESULT MaybeHandle<Object> HandleApiCallHelper(
 BUILTIN(HandleApiCall) {
  HandleScope scope(isolate);
  Handle<JSFunction> function = args.target<JSFunction>();
+  Handle<Object> receiver = args.receiver();
  Handle<HeapObject> new_target = args.new_target();
  Handle<FunctionTemplateInfo> fun_data(function->shared()->get_api_func_data(),
                                        isolate);
  if (new_target->IsJSReceiver()) {
    RETURN_RESULT_OR_FAILURE(
        isolate, HandleApiCallHelper<true>(isolate, function, new_target,
-                                           fun_data, args));
+                                           fun_data, receiver, args));
  } else {
    RETURN_RESULT_OR_FAILURE(
        isolate, HandleApiCallHelper<false>(isolate, function, new_target,
-                                            fun_data, args));
+                                            fun_data, receiver, args));
  }
 }

@@ -5389,7 +5390,7 @@ MaybeHandle<Object> Builtins::InvokeApiFunction(Isolate* isolate,
  {
    RelocatableArguments arguments(isolate, argc + 3, &argv[argc] + 2);
    result = HandleApiCallHelper<false>(isolate, function, new_target, fun_data,
-                                        arguments);
+                                        receiver, arguments);
  }
  if (argv != small_argv) delete[] argv;
  return result;