Commit 2547a664 authored by Z Nguyen-Huu's avatar Z Nguyen-Huu Committed by Commit Bot

Use GetPropertyWithReceiver stub in Reflect.get

Bail out if name in proxy is private symbol.
Also, do stack check to avoid deeply nested proxy.

Spec: https://tc39.es/ecma262/#sec-reflect.get
Change-Id: I0761762b074d5af892e8d7e419c87c9bbea99241
Bug: v8:8958
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1682680
Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com>
Reviewed-by: 's avatarMaya Lekova <mslekova@chromium.org>
Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62747}
parent da5a277a
...@@ -822,7 +822,6 @@ namespace internal { ...@@ -822,7 +822,6 @@ namespace internal {
ASM(ReflectConstruct, Dummy) \ ASM(ReflectConstruct, Dummy) \
CPP(ReflectDefineProperty) \ CPP(ReflectDefineProperty) \
CPP(ReflectDeleteProperty) \ CPP(ReflectDeleteProperty) \
CPP(ReflectGet) \
CPP(ReflectGetOwnPropertyDescriptor) \ CPP(ReflectGetOwnPropertyDescriptor) \
TFJ(ReflectHas, 2, kReceiver, kTarget, kKey) \ TFJ(ReflectHas, 2, kReceiver, kTarget, kKey) \
CPP(ReflectOwnKeys) \ CPP(ReflectOwnKeys) \
......
...@@ -1047,6 +1047,9 @@ TF_BUILTIN(GetPropertyWithReceiver, CodeStubAssembler) { ...@@ -1047,6 +1047,9 @@ TF_BUILTIN(GetPropertyWithReceiver, CodeStubAssembler) {
// Convert the {key} to a Name first. // Convert the {key} to a Name first.
Node* name = CallBuiltin(Builtins::kToName, context, key); Node* name = CallBuiltin(Builtins::kToName, context, key);
// Proxy cannot handle private symbol so bailout.
GotoIf(IsPrivateSymbol(name), &if_slow);
// The {object} is a JSProxy instance, look up the {name} on it, passing // The {object} is a JSProxy instance, look up the {name} on it, passing
// {object} both as receiver and holder. If {name} is absent we can safely // {object} both as receiver and holder. If {name} is absent we can safely
// return undefined from here. // return undefined from here.
......
...@@ -70,29 +70,6 @@ BUILTIN(ReflectDeleteProperty) { ...@@ -70,29 +70,6 @@ BUILTIN(ReflectDeleteProperty) {
return *isolate->factory()->ToBoolean(result.FromJust()); return *isolate->factory()->ToBoolean(result.FromJust());
} }
// ES6 section 26.1.6 Reflect.get
BUILTIN(ReflectGet) {
HandleScope scope(isolate);
Handle<Object> target = args.atOrUndefined(isolate, 1);
Handle<Object> key = args.atOrUndefined(isolate, 2);
Handle<Object> receiver = args.length() > 3 ? args.at(3) : target;
if (!target->IsJSReceiver()) {
THROW_NEW_ERROR_RETURN_FAILURE(
isolate, NewTypeError(MessageTemplate::kCalledOnNonObject,
isolate->factory()->NewStringFromAsciiChecked(
"Reflect.get")));
}
Handle<Name> name;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, name,
Object::ToName(isolate, key));
RETURN_RESULT_OR_FAILURE(
isolate, Object::GetPropertyOrElement(receiver, name,
Handle<JSReceiver>::cast(target)));
}
// ES6 section 26.1.7 Reflect.getOwnPropertyDescriptor // ES6 section 26.1.7 Reflect.getOwnPropertyDescriptor
BUILTIN(ReflectGetOwnPropertyDescriptor) { BUILTIN(ReflectGetOwnPropertyDescriptor) {
HandleScope scope(isolate); HandleScope scope(isolate);
......
...@@ -15,6 +15,7 @@ namespace proxy { ...@@ -15,6 +15,7 @@ namespace proxy {
ProxyGetProperty(implicit context: Context)( ProxyGetProperty(implicit context: Context)(
proxy: JSProxy, name: Name, receiverValue: Object, proxy: JSProxy, name: Name, receiverValue: Object,
onNonExistent: Smi): Object { onNonExistent: Smi): Object {
PerformStackCheck();
// 1. Assert: IsPropertyKey(P) is true. // 1. Assert: IsPropertyKey(P) is true.
assert(TaggedIsNotSmi(name)); assert(TaggedIsNotSmi(name));
assert(IsName(name)); assert(IsName(name));
......
...@@ -42,4 +42,26 @@ namespace reflect { ...@@ -42,4 +42,26 @@ namespace reflect {
} }
ThrowTypeError(kProtoObjectOrNull, proto); ThrowTypeError(kProtoObjectOrNull, proto);
} }
extern transitioning builtin ToName(implicit context: Context)(Object): Name;
type OnNonExistent constexpr 'OnNonExistent';
const kReturnUndefined: constexpr OnNonExistent
generates 'OnNonExistent::kReturnUndefined';
extern macro SmiConstant(constexpr OnNonExistent): Smi;
extern transitioning builtin GetPropertyWithReceiver(
implicit context: Context)(Object, Name, Object, Smi): Object;
// ES6 section 26.1.6 Reflect.get
transitioning javascript builtin
ReflectGet(js-implicit context: Context)(...arguments): Object {
const length = arguments.length;
const object: Object = length > 0 ? arguments[0] : Undefined;
const objectJSReceiver = Cast<JSReceiver>(object)
otherwise ThrowTypeError(kCalledOnNonObject, 'Reflect.get');
const propertyKey: Object = length > 1 ? arguments[1] : Undefined;
const name: Name = ToName(propertyKey);
const receiver: Object = length > 2 ? arguments[2] : objectJSReceiver;
return GetPropertyWithReceiver(
objectJSReceiver, name, receiver, SmiConstant(kReturnUndefined));
}
} // namespace reflect } // namespace reflect
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment