Add more checks for native callback results.

R=svenpanne@chromium.org BUG= Review URL: https://chromiumcodereview.appspot.com/10928083 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12474 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Add more checks for native callback results.
R=svenpanne@chromium.org BUG= Review URL: https://chromiumcodereview.appspot.com/10928083 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@12474 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
266cca47 · yangguo@chromium.org · f6cd2403 · 266cca47 · 266cca47 · 266cca47
Commit 266cca47 authored Sep 10, 2012 by yangguo@chromium.org
6 changed files
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1149,6 +1149,7 @@ MUST_USE_RESULT static MaybeObject* HandleApiCallHelper(
      result = heap->undefined_value();
    } else {
      result = *reinterpret_cast<Object**>(*value);
+      result->VerifyApiCallResultType();
    }

    RETURN_IF_SCHEDULED_EXCEPTION(isolate);
@@ -1225,6 +1226,7 @@ MUST_USE_RESULT static MaybeObject* HandleApiCallAsFunctionOrConstructor(
      result = heap->undefined_value();
    } else {
      result = *reinterpret_cast<Object**>(*value);
+      result->VerifyApiCallResultType();
    }
  }
  // Check for exceptions and return result.

--- a/src/handles.cc
+++ b/src/handles.cc
@@ -561,6 +561,9 @@ v8::Handle<v8::Array> GetKeysForNamedInterceptor(Handle<JSReceiver> receiver,
      result = enum_fun(info);
    }
  }
+#if ENABLE_EXTRA_CHECKS
+  CHECK(result.IsEmpty() || v8::Utils::OpenHandle(*result)->IsJSObject());
+#endif
  return result;
 }

@@ -581,6 +584,9 @@ v8::Handle<v8::Array> GetKeysForIndexedInterceptor(Handle<JSReceiver> receiver,
      // Leaving JavaScript.
      VMState state(isolate, EXTERNAL);
      result = enum_fun(info);
+#if ENABLE_EXTRA_CHECKS
+      CHECK(result.IsEmpty() || v8::Utils::OpenHandle(*result)->IsJSObject());
+#endif
    }
  }
  return result;

--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -1664,6 +1664,23 @@ bool Object::IsStringObjectWithCharacterAt(uint32_t index) {
 }


+
+void Object::VerifyApiCallResultType() {
+#if ENABLE_EXTRA_CHECKS
+  if (!(IsSmi() ||
+        IsString() ||
+        IsSpecObject() ||
+        IsHeapNumber() ||
+        IsUndefined() ||
+        IsTrue() ||
+        IsFalse() ||
+        IsNull())) {
+    FATAL("API call returned invalid object");
+  }
+#endif  // ENABLE_EXTRA_CHECKS
+}
+
+
 FixedArrayBase* FixedArrayBase::cast(Object* object) {
  ASSERT(object->IsFixedArray() || object->IsFixedDoubleArray());
  return reinterpret_cast<FixedArrayBase*>(object);

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -211,18 +211,7 @@ MaybeObject* JSObject::GetPropertyWithCallback(Object* receiver,
      return isolate->heap()->undefined_value();
    }
    Object* return_value = *v8::Utils::OpenHandle(*result);
-#if ENABLE_EXTRA_CHECKS
-    if (!(return_value->IsSmi() ||
-          return_value->IsString() ||
-          return_value->IsSpecObject() ||
-          return_value->IsHeapNumber() ||
-          return_value->IsUndefined() ||
-          return_value->IsTrue() ||
-          return_value->IsFalse() ||
-          return_value->IsNull())) {
-      FATAL("API call returned invalid object");
-    }
-#endif
+    return_value->VerifyApiCallResultType();
    return return_value;
  }

@@ -3805,7 +3794,9 @@ MaybeObject* JSObject::DeletePropertyWithInterceptor(String* name) {
    RETURN_IF_SCHEDULED_EXCEPTION(isolate);
    if (!result.IsEmpty()) {
      ASSERT(result->IsBoolean());
-      return *v8::Utils::OpenHandle(*result);
+      Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+      result_internal->VerifyApiCallResultType();
+      return *result_internal;
    }
  }
  MaybeObject* raw_result =
@@ -3840,7 +3831,9 @@ MaybeObject* JSObject::DeleteElementWithInterceptor(uint32_t index) {
  RETURN_IF_SCHEDULED_EXCEPTION(isolate);
  if (!result.IsEmpty()) {
    ASSERT(result->IsBoolean());
-    return *v8::Utils::OpenHandle(*result);
+    Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+    result_internal->VerifyApiCallResultType();
+    return *result_internal;
  }
  MaybeObject* raw_result = this_handle->GetElementsAccessor()->Delete(
      *this_handle,
@@ -9133,7 +9126,9 @@ MaybeObject* JSObject::GetElementWithCallback(Object* receiver,
    }
    RETURN_IF_SCHEDULED_EXCEPTION(isolate);
    if (result.IsEmpty()) return isolate->heap()->undefined_value();
-    return *v8::Utils::OpenHandle(*result);
+    Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+    result_internal->VerifyApiCallResultType();
+    return *result_internal;
  }

  // __defineGetter__ callback
@@ -9952,7 +9947,11 @@ MaybeObject* JSObject::GetElementWithInterceptor(Object* receiver,
      result = getter(index, info);
    }
    RETURN_IF_SCHEDULED_EXCEPTION(isolate);
-    if (!result.IsEmpty()) return *v8::Utils::OpenHandle(*result);
+    if (!result.IsEmpty()) {
+      Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+      result_internal->VerifyApiCallResultType();
+      return *result_internal;
+    }
  }

  Heap* heap = holder_handle->GetHeap();
@@ -10254,7 +10253,9 @@ MaybeObject* JSObject::GetPropertyWithInterceptor(
    RETURN_IF_SCHEDULED_EXCEPTION(isolate);
    if (!result.IsEmpty()) {
      *attributes = NONE;
-      return *v8::Utils::OpenHandle(*result);
+      Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+      result_internal->VerifyApiCallResultType();
+      return *result_internal;
    }
  }


--- a/src/objects.h
+++ b/src/objects.h
@@ -970,6 +970,8 @@ class Object : public MaybeObject {
  static void VerifyPointer(Object* p);
 #endif

+  inline void VerifyApiCallResultType();
+
  // Prints this object without details.
  inline void ShortPrint() {
    ShortPrint(stdout);

--- a/src/stub-cache.cc
+++ b/src/stub-cache.cc
@@ -1005,7 +1005,9 @@ RUNTIME_FUNCTION(MaybeObject*, LoadCallbackProperty) {
  }
  RETURN_IF_SCHEDULED_EXCEPTION(isolate);
  if (result.IsEmpty()) return HEAP->undefined_value();
-  return *v8::Utils::OpenHandle(*result);
+  Handle<Object> result_internal = v8::Utils::OpenHandle(*result);
+  result_internal->VerifyApiCallResultType();
+  return *result_internal;
 }


@@ -1070,6 +1072,8 @@ RUNTIME_FUNCTION(MaybeObject*, LoadPropertyWithInterceptorOnly) {
    }
    RETURN_IF_SCHEDULED_EXCEPTION(isolate);
    if (!r.IsEmpty()) {
+      Handle<Object> result = v8::Utils::OpenHandle(*r);
+      result->VerifyApiCallResultType();
      return *v8::Utils::OpenHandle(*r);
    }
  }
@@ -1126,7 +1130,9 @@ static MaybeObject* LoadWithInterceptor(Arguments* args,
    RETURN_IF_SCHEDULED_EXCEPTION(isolate);
    if (!r.IsEmpty()) {
      *attrs = NONE;
-      return *v8::Utils::OpenHandle(*r);
+      Handle<Object> result = v8::Utils::OpenHandle(*r);
+      result->VerifyApiCallResultType();
+      return *result;
    }
  }