[d8] Fix Realm.owner on detached global proxy

Return undefined instead of hard-crashing. Bug: chromium:1130213 Change-Id: I7e573f46607fc0e7b91db62d881b4209b919028e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2456087 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#70420}

[d8] Fix Realm.owner on detached global proxy
Return undefined instead of hard-crashing. Bug: chromium:1130213 Change-Id: I7e573f46607fc0e7b91db62d881b4209b919028e Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2456087 Commit-Queue: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#70420}
3935dc49 · Camillo Bruni · Commit Bot · d3e8c837 · 3935dc49 · 3935dc49
Commit 3935dc49 authored Oct 08, 2020 by Camillo Bruni Committed by Commit Bot Oct 09, 2020
5 changed files
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -1314,10 +1314,14 @@ void Shell::RealmOwner(const v8::FunctionCallbackInfo<v8::Value>& args) {
    Throw(args.GetIsolate(), "Invalid argument");
    return;
  }
-  int index = data->RealmFind(args[0]
-                                  ->ToObject(isolate->GetCurrentContext())
-                                  .ToLocalChecked()
-                                  ->CreationContext());
+  Local<Object> object =
+      args[0]->ToObject(isolate->GetCurrentContext()).ToLocalChecked();
+  i::Handle<i::JSReceiver> i_object = Utils::OpenHandle(*object);
+  if (i_object->IsJSGlobalProxy() &&
+      i::Handle<i::JSGlobalProxy>::cast(i_object)->IsDetached()) {
+    return;
+  }
+  int index = data->RealmFind(object->CreationContext());
  if (index == -1) return;
  args.GetReturnValue().Set(index);
 }

--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@@ -365,6 +365,7 @@ void Bootstrapper::DetachGlobal(Handle<Context> env) {
  if (FLAG_track_detached_contexts) {
    isolate_->AddDetachedContext(env);
  }
+  DCHECK(global_proxy->IsDetached());

  env->native_context().set_microtask_queue(isolate_, nullptr);
 }

--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -4885,6 +4885,10 @@ bool JSObject::IsDroppableApiWrapper() {
         instance_type == JS_SPECIAL_API_OBJECT_TYPE;
 }

+bool JSGlobalProxy::IsDetached() const {
+  return native_context().IsNull(GetIsolate());
+}
+
 void JSGlobalObject::InvalidatePropertyCell(Handle<JSGlobalObject> global,
                                            Handle<Name> name) {
  // Regardless of whether the property is there or not invalidate

--- a/src/objects/js-objects.h
+++ b/src/objects/js-objects.h
@@ -937,6 +937,7 @@ class JSGlobalProxy
    : public TorqueGeneratedJSGlobalProxy<JSGlobalProxy, JSSpecialObject> {
 public:
  inline bool IsDetachedFrom(JSGlobalObject global) const;
+  V8_EXPORT_PRIVATE bool IsDetached() const;

  static int SizeWithEmbedderFields(int embedder_field_count);


--- a/test/mjsunit/regress/regress-crbug-1130213.js
+++ b/test/mjsunit/regress/regress-crbug-1130213.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+Realm.createAllowCrossRealmAccess();
+const global = Realm.global(1);
+assertSame(1, Realm.owner(global));
+Realm.detachGlobal(1);
+assertSame(undefined, Realm.owner(global));