Commit 752872d0 authored by jameslahm's avatar jameslahm Committed by V8 LUCI CQ

[runtime] Check if proxy has been revoked in ObjectToString

We could throw the proxy-revoked error before calling
Array.IsArray to make the error message clearer.

Bug: v8:13037
Change-Id: I85055d24c833acd25791ef7a8a394955805ff3f1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3813065Reviewed-by: 's avatarLeszek Swirski <leszeks@chromium.org>
Commit-Queue: 王澳 <wangao.james@bytedance.com>
Cr-Commit-Position: refs/heads/main@{#82251}
parent dc8c911a
...@@ -880,6 +880,13 @@ TF_BUILTIN(ObjectToString, ObjectBuiltinsAssembler) { ...@@ -880,6 +880,13 @@ TF_BUILTIN(ObjectToString, ObjectBuiltinsAssembler) {
BIND(&if_proxy); BIND(&if_proxy);
{ {
// Check if the proxy has been revoked.
Label throw_proxy_handler_revoked(this, Label::kDeferred);
TNode<HeapObject> handler = CAST(LoadObjectField(
TNode<JSProxy>::UncheckedCast(receiver), JSProxy::kHandlerOffset));
CSA_DCHECK(this, IsNullOrJSReceiver(handler));
GotoIfNot(IsJSReceiver(handler), &throw_proxy_handler_revoked);
// If {receiver} is a proxy for a JSArray, we default to "[object Array]", // If {receiver} is a proxy for a JSArray, we default to "[object Array]",
// otherwise we default to "[object Object]" or "[object Function]" here, // otherwise we default to "[object Object]" or "[object Function]" here,
// depending on whether the {receiver} is callable. The order matters here, // depending on whether the {receiver} is callable. The order matters here,
...@@ -911,6 +918,12 @@ TF_BUILTIN(ObjectToString, ObjectBuiltinsAssembler) { ...@@ -911,6 +918,12 @@ TF_BUILTIN(ObjectToString, ObjectBuiltinsAssembler) {
} }
BIND(&if_tagisstring); BIND(&if_tagisstring);
ReturnToStringFormat(context, CAST(var_tag.value())); ReturnToStringFormat(context, CAST(var_tag.value()));
BIND(&throw_proxy_handler_revoked);
{
ThrowTypeError(context, MessageTemplate::kProxyRevoked,
"Object.prototype.toString");
}
} }
BIND(&if_regexp); BIND(&if_regexp);
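Review bot: `TNode<JSProxy>::UncheckedCast(receiver)` on the LoadObjectField line skips the debug-build type check that `CAST(receiver)` would give, even though the `if_proxy` branch guarantees a JSProxy here; the surrounding `CAST(LoadObjectField(...))` already uses the checked form, so the inner cast should match it, e.g. `TNode<JSProxy> proxy = CAST(receiver);` and then `LoadObjectField(proxy, JSProxy::kHandlerOffset)`. The new comment could also state what the load is testing for, since the `CSA_DCHECK(this, IsNullOrJSReceiver(handler))` only hints at it: `// A revoked proxy has a null handler (see ProxyRevoke); throw here so the error names Object.prototype.toString rather than the later IsArray call.` The enclosing TF_BUILTIN(ObjectToString, ...) body begins and ends outside both hunks.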
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var r = Proxy.revocable({}, {});
r.revoke();
assertThrows(() => {
Object.prototype.toString.call(r.proxy)
}, TypeError, "Cannot perform 'Object.prototype.toString' on a proxy that has been revoked");
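Review bot: The test only covers a revoked proxy with a plain-object target, so it does not exercise the ordering the commit changes for array targets, where Array.IsArray previously produced the different "IsArray" message; adding `var a = Proxy.revocable([], {}); a.revoke();` with the same `assertThrows` expectation pins that path as well. A positive check that a live proxy still formats normally, `assertEquals("[object Object]", Object.prototype.toString.call(Proxy.revocable({}, {}).proxy));`, would guard against the new branch firing for non-revoked proxies.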
...@@ -543,30 +543,30 @@ KNOWN_OBJECTS = { ...@@ -543,30 +543,30 @@ KNOWN_OBJECTS = {
("old_space", 0x04a2d): "RegExpMultipleCache", ("old_space", 0x04a2d): "RegExpMultipleCache",
("old_space", 0x04e35): "SingleCharacterStringTable", ("old_space", 0x04e35): "SingleCharacterStringTable",
("old_space", 0x0523d): "BuiltinsConstantsTable", ("old_space", 0x0523d): "BuiltinsConstantsTable",
("old_space", 0x0567d): "AsyncFunctionAwaitRejectSharedFun", ("old_space", 0x05681): "AsyncFunctionAwaitRejectSharedFun",
("old_space", 0x056a1): "AsyncFunctionAwaitResolveSharedFun", ("old_space", 0x056a5): "AsyncFunctionAwaitResolveSharedFun",
("old_space", 0x056c5): "AsyncGeneratorAwaitRejectSharedFun", ("old_space", 0x056c9): "AsyncGeneratorAwaitRejectSharedFun",
("old_space", 0x056e9): "AsyncGeneratorAwaitResolveSharedFun", ("old_space", 0x056ed): "AsyncGeneratorAwaitResolveSharedFun",
("old_space", 0x0570d): "AsyncGeneratorYieldResolveSharedFun", ("old_space", 0x05711): "AsyncGeneratorYieldResolveSharedFun",
("old_space", 0x05731): "AsyncGeneratorReturnResolveSharedFun", ("old_space", 0x05735): "AsyncGeneratorReturnResolveSharedFun",
("old_space", 0x05755): "AsyncGeneratorReturnClosedRejectSharedFun", ("old_space", 0x05759): "AsyncGeneratorReturnClosedRejectSharedFun",
("old_space", 0x05779): "AsyncGeneratorReturnClosedResolveSharedFun", ("old_space", 0x0577d): "AsyncGeneratorReturnClosedResolveSharedFun",
("old_space", 0x0579d): "AsyncIteratorValueUnwrapSharedFun", ("old_space", 0x057a1): "AsyncIteratorValueUnwrapSharedFun",
("old_space", 0x057c1): "PromiseAllResolveElementSharedFun", ("old_space", 0x057c5): "PromiseAllResolveElementSharedFun",
("old_space", 0x057e5): "PromiseAllSettledResolveElementSharedFun", ("old_space", 0x057e9): "PromiseAllSettledResolveElementSharedFun",
("old_space", 0x05809): "PromiseAllSettledRejectElementSharedFun", ("old_space", 0x0580d): "PromiseAllSettledRejectElementSharedFun",
("old_space", 0x0582d): "PromiseAnyRejectElementSharedFun", ("old_space", 0x05831): "PromiseAnyRejectElementSharedFun",
("old_space", 0x05851): "PromiseCapabilityDefaultRejectSharedFun", ("old_space", 0x05855): "PromiseCapabilityDefaultRejectSharedFun",
("old_space", 0x05875): "PromiseCapabilityDefaultResolveSharedFun", ("old_space", 0x05879): "PromiseCapabilityDefaultResolveSharedFun",
("old_space", 0x05899): "PromiseCatchFinallySharedFun", ("old_space", 0x0589d): "PromiseCatchFinallySharedFun",
("old_space", 0x058bd): "PromiseGetCapabilitiesExecutorSharedFun", ("old_space", 0x058c1): "PromiseGetCapabilitiesExecutorSharedFun",
("old_space", 0x058e1): "PromiseThenFinallySharedFun", ("old_space", 0x058e5): "PromiseThenFinallySharedFun",
("old_space", 0x05905): "PromiseThrowerFinallySharedFun", ("old_space", 0x05909): "PromiseThrowerFinallySharedFun",
("old_space", 0x05929): "PromiseValueThunkFinallySharedFun", ("old_space", 0x0592d): "PromiseValueThunkFinallySharedFun",
("old_space", 0x0594d): "ProxyRevokeSharedFun", ("old_space", 0x05951): "ProxyRevokeSharedFun",
("old_space", 0x05971): "ShadowRealmImportValueFulfilledSFI", ("old_space", 0x05975): "ShadowRealmImportValueFulfilledSFI",
("old_space", 0x05995): "SourceTextModuleExecuteAsyncModuleFulfilledSFI", ("old_space", 0x05999): "SourceTextModuleExecuteAsyncModuleFulfilledSFI",
("old_space", 0x059b9): "SourceTextModuleExecuteAsyncModuleRejectedSFI", ("old_space", 0x059bd): "SourceTextModuleExecuteAsyncModuleRejectedSFI",
} }
# Lower 32 bits of first page addresses for various heap spaces. # Lower 32 bits of first page addresses for various heap spaces.