Commit 5c8cb168 authored by ishell's avatar ishell Committed by Commit bot

[ic] Don't call LookupIterator::GetStoreTarget() when receiver is not a JSReceiver.

BUG=chromium:619166,chromium:625155

Review-Url: https://codereview.chromium.org/2175273002
Cr-Commit-Position: refs/heads/master@{#38018}
parent b54e49ae
......@@ -176,6 +176,7 @@ class LookupIterator final BASE_EMBEDDED {
Handle<Object> GetReceiver() const { return receiver_; }
Handle<JSObject> GetStoreTarget() const {
DCHECK(receiver_->IsJSObject());
if (receiver_->IsJSGlobalProxy()) {
Map* map = JSGlobalProxy::cast(*receiver_)->map();
if (map->has_hidden_prototype()) {
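Review bot: The added `DCHECK(receiver_->IsJSObject())` at the top of GetStoreTarget() enforces the precondition only in debug builds; in release the method still runs on a primitive receiver, and the remainder of the body (outside this hunk) presumably casts receiver_ to JSObject without a runtime check, so the real guard lives in the callers, as the objects.cc change does with `GetReceiver()->IsJSObject()`. That contract is worth stating above the DCHECK: `// Precondition: the receiver is a JSObject. Primitive receivers have no store target; callers must test GetReceiver()->IsJSObject() before calling this.` The body of GetStoreTarget() continues past the end of the hunk.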
......@@ -4374,15 +4374,18 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
value, it->GetReceiver(), language_mode);
case LookupIterator::INTERCEPTOR: {
Handle<Map> store_target_map =
handle(it->GetStoreTarget()->map(), it->isolate());
Handle<Map> store_target_map;
if (it->GetReceiver()->IsJSObject()) {
store_target_map = handle(it->GetStoreTarget()->map(), it->isolate());
}
if (it->HolderIsReceiverOrHiddenPrototype()) {
Maybe<bool> result =
JSObject::SetPropertyWithInterceptor(it, should_throw, value);
if (result.IsNothing() || result.FromJust()) return result;
// Interceptor modified the store target but failed to set the
// property.
Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
Utils::ApiCheck(store_target_map.is_null() ||
*store_target_map == it->GetStoreTarget()->map(),
it->IsElement() ? "v8::IndexedPropertySetterCallback"
: "v8::NamedPropertySetterCallback",
"Interceptor silently changed store target.");
......@@ -4395,7 +4398,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
}
// Interceptor modified the store target but failed to set the
// property.
Utils::ApiCheck(*store_target_map == it->GetStoreTarget()->map(),
Utils::ApiCheck(store_target_map.is_null() ||
*store_target_map == it->GetStoreTarget()->map(),
it->IsElement() ? "v8::IndexedPropertySetterCallback"
: "v8::NamedPropertySetterCallback",
"Interceptor silently changed store target.");
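Review bot: The `store_target_map.is_null() ||` escape added to both ApiChecks reads as a weakened invariant without a comment saying why it is sound: the map is left null only when the receiver is not a JSObject, i.e. a primitive on which the store cannot create an own property, so there is no store target the interceptor could have silently retargeted. The same `||` also relies on short-circuit evaluation to keep `GetStoreTarget()` from being called on a primitive receiver, which the new DCHECK in lookup.h rejects; that ordering is load-bearing and should be stated. Suggested comment above the first check: `// store_target_map is null for primitive receivers: there is no store target to validate, and GetStoreTarget() must not be called on them.` Since the condition and message are repeated verbatim in both branches, a small local lambda (`auto check_store_target = [&]() { ... }`) would keep the two copies in step. SetPropertyInternal begins and ends outside these hunks.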
......@@ -3292,6 +3292,25 @@ THREADED_TEST(Regress149912) {
CompileRun("Number.prototype.__proto__ = new Bug; var x = 0; x.foo();");
}
THREADED_TEST(Regress625155) {
LocalContext context;
v8::HandleScope scope(context->GetIsolate());
Local<FunctionTemplate> templ = FunctionTemplate::New(context->GetIsolate());
AddInterceptor(templ, EmptyInterceptorGetter, EmptyInterceptorSetter);
context->Global()
->Set(context.local(), v8_str("Bug"),
templ->GetFunction(context.local()).ToLocalChecked())
.FromJust();
CompileRun(
"Number.prototype.__proto__ = new Bug;"
"var x;"
"x = 0xdead;"
"x.boom = 0;"
"x = 's';"
"x.boom = 0;"
"x = 1.5;"
"x.boom = 0;");
}
THREADED_TEST(Regress125988) {
v8::HandleScope scope(CcTest::isolate());
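Review bot: The `x = 's'; x.boom = 0;` case in the added CompileRun does not appear to exercise the interceptor, because only `Number.prototype.__proto__` is redirected to the `Bug` instance; a string primitive resolves through String.prototype and Object.prototype, which are untouched, so that store never reaches the interceptor path with a non-JSObject receiver. If string receivers are meant to be covered, add `"String.prototype.__proto__ = new Bug;"` next to the Number line. The test also has no explicit assertion and relies on the debug-only DCHECK in GetStoreTarget() to fail, which is the usual shape for Regress tests but deserves a one-line comment such as `// Regression test for crbug.com/625155: a store through an interceptor on a primitive receiver must not call GetStoreTarget().`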