Do not call user defined getter of Error.stackTraceLimit.

Handlify GetNormalizedProperty. BUG=360733 LOG=N R=yangguo@chromium.org Review URL: https://codereview.chromium.org/233243005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Do not call user defined getter of Error.stackTraceLimit.
Handlify GetNormalizedProperty. BUG=360733 LOG=N R=yangguo@chromium.org Review URL: https://codereview.chromium.org/233243005 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20691 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
49d951d0 · ulan@chromium.org · 2848dfe0 · 49d951d0 · 49d951d0 · 49d951d0
Commit 49d951d0 authored Apr 11, 2014 by ulan@chromium.org
Showing with 76 additions and 24 deletions

isolate.cc src/isolate.cc +6 -2

objects.cc src/objects.cc +49 -0

objects.h src/objects.h +5 -0

runtime.cc src/runtime.cc +2 -22

regress-360733.js test/mjsunit/regress/regress-360733.js +14 -0

No files found.
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -859,9 +859,13 @@ Failure* Isolate::StackOverflow() {
  Handle<Object> error =
      GetProperty(js_builtins_object(), "$Error").ToHandleChecked();
  if (!error->IsJSObject()) return Failure::Exception();
+
+  Handle<String> stackTraceLimit =
+      factory()->InternalizeUtf8String("stackTraceLimit");
+  ASSERT(!stackTraceLimit.is_null());
  Handle<Object> stack_trace_limit =
-      GetProperty(
-          Handle<JSObject>::cast(error), "stackTraceLimit").ToHandleChecked();
+      JSObject::GetDataProperty(Handle<JSObject>::cast(error),
+                                stackTraceLimit);
  if (!stack_trace_limit->IsNumber()) return Failure::Exception();
  double dlimit = stack_trace_limit->Number();
  int limit = std::isnan(dlimit) ? 0 : static_cast<int>(dlimit);

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -632,6 +632,20 @@ Object* JSObject::GetNormalizedProperty(const LookupResult* result) {
 }


+Handle<Object> JSObject::GetNormalizedProperty(Handle<JSObject> object,
+                                               const LookupResult* result) {
+  ASSERT(!object->HasFastProperties());
+  Isolate* isolate = object->GetIsolate();
+  Handle<Object> value(object->property_dictionary()->ValueAt(
+      result->GetDictionaryEntry()), isolate);
+  if (object->IsGlobalObject()) {
+    value = Handle<Object>(Handle<PropertyCell>::cast(value)->value(), isolate);
+  }
+  ASSERT(!value->IsPropertyCell() && !value->IsCell());
+  return value;
+}
+
+
 void JSObject::SetNormalizedProperty(Handle<JSObject> object,
                                     const LookupResult* result,
                                     Handle<Object> value) {
@@ -5956,6 +5970,41 @@ Handle<JSObject> JSObject::DeepCopy(Handle<JSObject> object,
 }


+Handle<Object> JSObject::GetDataProperty(Handle<JSObject> object,
+                                         Handle<Name> key) {
+  Isolate* isolate = object->GetIsolate();
+  LookupResult lookup(isolate);
+  {
+    DisallowHeapAllocation no_allocation;
+    object->LookupRealNamedProperty(*key, &lookup);
+  }
+  Handle<Object> result = isolate->factory()->undefined_value();
+  if (lookup.IsFound() && !lookup.IsTransition()) {
+    switch (lookup.type()) {
+      case NORMAL:
+        result = GetNormalizedProperty(
+            Handle<JSObject>(lookup.holder(), isolate), &lookup);
+        break;
+      case FIELD:
+        result = FastPropertyAt(Handle<JSObject>(lookup.holder(), isolate),
+                                lookup.representation(),
+                                lookup.GetFieldIndex().field_index());
+        break;
+      case CONSTANT:
+        result = Handle<Object>(lookup.GetConstant(), isolate);
+        break;
+      case CALLBACKS:
+      case HANDLER:
+      case INTERCEPTOR:
+        break;
+      case NONEXISTENT:
+        UNREACHABLE();
+    }
+  }
+  return result;
+}
+
+
 // Tests for the fast common case for property enumeration:
 // - This object and all prototypes has an enum cache (which means that
 //   it is no proxy, has no interceptors and needs no access checks).

--- a/src/objects.h
+++ b/src/objects.h
@@ -2303,6 +2303,8 @@ class JSObject: public JSReceiver {
  // Retrieve a value in a normalized object given a lookup result.
  // Handles the special representation of JS global objects.
  Object* GetNormalizedProperty(const LookupResult* result);
+  static Handle<Object> GetNormalizedProperty(Handle<JSObject> object,
+                                              const LookupResult* result);

  // Sets the property value in a normalized object given a lookup result.
  // Handles the special representation of JS global objects.
@@ -2654,6 +2656,9 @@ class JSObject: public JSReceiver {
  static Handle<JSObject> DeepWalk(Handle<JSObject> object,
                                   AllocationSiteCreationContext* site_context);

+  static Handle<Object> GetDataProperty(Handle<JSObject> object,
+                                        Handle<Name> key);
+
  // Casting.
  static inline JSObject* cast(Object* obj);


--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -5201,31 +5201,11 @@ RUNTIME_FUNCTION(MaybeObject*, Runtime_DefineOrRedefineDataProperty) {

 // Return property without being observable by accessors or interceptors.
 RUNTIME_FUNCTION(MaybeObject*, Runtime_GetDataProperty) {
-  SealHandleScope shs(isolate);
+  HandleScope scope(isolate);
  ASSERT(args.length() == 2);
  CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 0);
  CONVERT_ARG_HANDLE_CHECKED(Name, key, 1);
-  LookupResult lookup(isolate);
-  object->LookupRealNamedProperty(*key, &lookup);
-  if (lookup.IsFound() && !lookup.IsTransition()) {
-    switch (lookup.type()) {
-      case NORMAL:
-        return lookup.holder()->GetNormalizedProperty(&lookup);
-      case FIELD:
-        return lookup.holder()->FastPropertyAt(
-            lookup.representation(),
-            lookup.GetFieldIndex().field_index());
-      case CONSTANT:
-        return lookup.GetConstant();
-      case CALLBACKS:
-      case HANDLER:
-      case INTERCEPTOR:
-        break;
-      case NONEXISTENT:
-        UNREACHABLE();
-    }
-  }
-  return isolate->heap()->undefined_value();
+  return *JSObject::GetDataProperty(object, key);
 }



--- a/test/mjsunit/regress/regress-360733.js
+++ b/test/mjsunit/regress/regress-360733.js
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --stack_size=150
+
+function f(a) {
+  f(a + 1);
+}
+
+Error.__defineGetter__('stackTraceLimit', function() { });
+try {
+  f(0);
+} catch (e) { }