Issue 267: Calls to arguments in eval-tainted function scope uses global object as receiver.

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1476 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Issue 267: Calls to arguments in eval-tainted function scope uses global object as receiver.
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1476 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
34db0ff8 · lrn@chromium.org · 773843b6 · 34db0ff8 · 34db0ff8 · 34db0ff8
Commit 34db0ff8 authored Mar 10, 2009 by lrn@chromium.org
Showing with 61 additions and 9 deletions

ast.h src/ast.h +10 -3

codegen-arm.cc src/codegen-arm.cc +7 -2

codegen-ia32.cc src/codegen-ia32.cc +7 -3

scopes.cc src/scopes.cc +2 -1

regress-267.js test/mjsunit/regress/regress-267.js +35 -0

No files found.
--- a/src/ast.h
+++ b/src/ast.h
@@ -887,8 +887,13 @@ class Slot: public Expression {

 class Property: public Expression {
 public:
-  Property(Expression* obj, Expression* key, int pos)
-      : obj_(obj), key_(key), pos_(pos) { }
+  // Synthetic properties are property lookups introduced by the system,
+  // to objects that aren't visible to the user. Function calls to synthetic
+  // properties should use the global object as receiver, not the base object
+  // of the resolved Reference.
+  enum Type { NORMAL, SYNTHETIC };
+  Property(Expression* obj, Expression* key, int pos, Type type = NORMAL)
+      : obj_(obj), key_(key), pos_(pos), type_(type) { }

  virtual void Accept(AstVisitor* v);

@@ -900,6 +905,7 @@ class Property: public Expression {
  Expression* obj() const { return obj_; }
  Expression* key() const { return key_; }
  int position() const { return pos_; }
+  bool is_synthetic() const { return type_ == SYNTHETIC; }

  // Returns a property singleton property access on 'this'.  Used
  // during preparsing.
@@ -909,8 +915,9 @@ class Property: public Expression {
  Expression* obj_;
  Expression* key_;
  int pos_;
+  Type type_;

-  // Dummy property used during preparsing
+  // Dummy property used during preparsing.
  static Property this_property_;
 };


--- a/src/codegen-arm.cc
+++ b/src/codegen-arm.cc
@@ -3076,8 +3076,13 @@ void CodeGenerator::VisitCall(Call* node) {
      ref.GetValueAndSpill(NOT_INSIDE_TYPEOF);  // receiver

      // Pass receiver to called function.
-      __ ldr(r0, frame_->ElementAt(ref.size()));
-      frame_->EmitPush(r0);
+      if (property->is_synthetic()) {
+        LoadGlobalReceiver(r0);
+      } else {
+        __ ldr(r0, frame_->ElementAt(ref.size()));
+        frame_->EmitPush(r0);
+      }
+
      // Call the function.
      CallWithArguments(args, node->position());
      frame_->EmitPush(r0);

--- a/src/codegen-ia32.cc
+++ b/src/codegen-ia32.cc
@@ -3911,9 +3911,13 @@ void CodeGenerator::VisitCall(Call* node) {
      ref.GetValue(NOT_INSIDE_TYPEOF);

      // Pass receiver to called function.
-      // The reference's size is non-negative.
-      frame_->SpillAll();
-      frame_->EmitPush(frame_->ElementAt(ref.size()));
+      if (property->is_synthetic()) {
+        // Use global object as receiver.
+        LoadGlobalReceiver();
+      } else {
+        // The reference's size is non-negative.
+        frame_->PushElementAt(ref.size());
+      }

      // Call the function.
      CallWithArguments(args, node->position());

--- a/src/scopes.cc
+++ b/src/scopes.cc
@@ -822,7 +822,8 @@ void Scope::AllocateParameterLocals() {
        var->rewrite_ =
          new Property(arguments_shadow_,
                       new Literal(Handle<Object>(Smi::FromInt(i))),
-                       RelocInfo::kNoPosition);
+                       RelocInfo::kNoPosition,
+                       Property::SYNTHETIC);
        arguments_shadow->var_uses()->RecordUses(var->var_uses());
      }
    }

--- a/test/mjsunit/regress/regress-267.js
+++ b/test/mjsunit/regress/regress-267.js
+// Copyright 2009 the V8 project authors. All rights reserved.
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+//       notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+//       copyright notice, this list of conditions and the following
+//       disclaimer in the documentation and/or other materials provided
+//       with the distribution.
+//     * Neither the name of Google Inc. nor the names of its
+//       contributors may be used to endorse or promote products derived
+//       from this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// See http://code.google.com/p/v8/issues/detail?id=267
+
+var global = (function(){ return this; })();
+function taint(fn){var v = fn(); eval("taint"); return v; }
+function getThis(){ return this; }
+var obj = taint(getThis);
+
+assertEquals(global, obj, "Should be the global object.");