[objects] Remove dangerous arguments accessors.

This removes dangerous accessors method from the arguments object accessor classes. The shape of an arguments object might transition, turning the fields into dictionary mode, making the accessors invalid. It also fixes a bug in the reported number of embedder fields on the arguments object. R=ishell@chromium.org TEST=cctest/test-api/InternalFieldsOfRegularObjects Change-Id: Ib7a73608c6236fe8864434e0cfdcb754ae012a75 Reviewed-on: https://chromium-review.googlesource.com/636368 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#47643}

[objects] Remove dangerous arguments accessors.
This removes dangerous accessors method from the arguments object accessor classes. The shape of an arguments object might transition, turning the fields into dictionary mode, making the accessors invalid. It also fixes a bug in the reported number of embedder fields on the arguments object. R=ishell@chromium.org TEST=cctest/test-api/InternalFieldsOfRegularObjects Change-Id: Ib7a73608c6236fe8864434e0cfdcb754ae012a75 Reviewed-on: https://chromium-review.googlesource.com/636368 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#47643}
a33b0d25 · Michael Starzinger · Commit Bot · b4712d52 · a33b0d25 · a33b0d25
Commit a33b0d25 authored Aug 28, 2017 by Michael Starzinger Committed by Commit Bot Aug 28, 2017
5 changed files
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -470,29 +470,25 @@ void TransitionArray::TransitionArrayVerify() {

 void JSArgumentsObject::JSArgumentsObjectVerify() {
  if (IsSloppyArgumentsElementsKind(GetElementsKind())) {
-    JSSloppyArgumentsObject::cast(this)->JSSloppyArgumentsObjectVerify();
+    SloppyArgumentsElements::cast(elements())
+        ->SloppyArgumentsElementsVerify(this);
  }
-  JSObjectVerify();
-}
-
-void JSSloppyArgumentsObject::JSSloppyArgumentsObjectVerify() {
  Isolate* isolate = GetIsolate();
  if (isolate->IsInAnyContext(map(), Context::SLOPPY_ARGUMENTS_MAP_INDEX) ||
      isolate->IsInAnyContext(map(),
                              Context::SLOW_ALIASED_ARGUMENTS_MAP_INDEX) ||
      isolate->IsInAnyContext(map(),
                              Context::FAST_ALIASED_ARGUMENTS_MAP_INDEX)) {
-    VerifyObjectField(kLengthOffset);
-    VerifyObjectField(kCalleeOffset);
+    VerifyObjectField(JSSloppyArgumentsObject::kLengthOffset);
+    VerifyObjectField(JSSloppyArgumentsObject::kCalleeOffset);
+  } else if (isolate->IsInAnyContext(map(),
+                                     Context::STRICT_ARGUMENTS_MAP_INDEX)) {
+    VerifyObjectField(JSStrictArgumentsObject::kLengthOffset);
  }
-  ElementsKind kind = GetElementsKind();
-  CHECK(IsSloppyArgumentsElementsKind(kind));
-  SloppyArgumentsElements::cast(elements())
-      ->SloppyArgumentsElementsVerify(this);
+  JSObjectVerify();
 }

-void SloppyArgumentsElements::SloppyArgumentsElementsVerify(
-    JSSloppyArgumentsObject* holder) {
+void SloppyArgumentsElements::SloppyArgumentsElementsVerify(JSObject* holder) {
  Isolate* isolate = GetIsolate();
  FixedArrayVerify();
  // Abort verification if only partially initialized (can't use arguments()

--- a/src/objects.cc
+++ b/src/objects.cc
@@ -1385,7 +1385,7 @@ int JSObject::GetHeaderSize(InstanceType type) {
    case JS_MESSAGE_OBJECT_TYPE:
      return JSMessageObject::kSize;
    case JS_ARGUMENTS_TYPE:
-      return JSArgumentsObject::kHeaderSize;
+      return JSObject::kHeaderSize;
    case JS_ERROR_TYPE:
      return JSObject::kHeaderSize;
    case JS_STRING_ITERATOR_TYPE:

--- a/src/objects/arguments-inl.h
+++ b/src/objects/arguments-inl.h
@@ -15,12 +15,8 @@ namespace internal {

 CAST_ACCESSOR(AliasedArgumentsEntry)
 CAST_ACCESSOR(JSArgumentsObject)
-CAST_ACCESSOR(JSSloppyArgumentsObject)
 CAST_ACCESSOR(SloppyArgumentsElements)

-ACCESSORS(JSArgumentsObject, length, Object, kLengthOffset);
-ACCESSORS(JSSloppyArgumentsObject, callee, Object, kCalleeOffset);
-
 SMI_ACCESSORS(AliasedArgumentsEntry, aliased_context_slot, kAliasedContextSlot)

 TYPE_CHECKER(JSArgumentsObject, JS_ARGUMENTS_TYPE)

--- a/src/objects/arguments.h
+++ b/src/objects/arguments.h
@@ -14,16 +14,17 @@ namespace v8 {
 namespace internal {

 // Common superclass for JSSloppyArgumentsObject and JSStrictArgumentsObject.
+// Note that the instance type {JS_ARGUMENTS_TYPE} does _not_ guarantee the
+// below layout, the in-object properties might have transitioned to dictionary
+// mode already. Only use the below layout with the specific initial maps.
 class JSArgumentsObject : public JSObject {
 public:
  // Offsets of object fields.
  static const int kLengthOffset = JSObject::kHeaderSize;
-  static const int kHeaderSize = kLengthOffset + kPointerSize;
+  static const int kSize = kLengthOffset + kPointerSize;
  // Indices of in-object properties.
  static const int kLengthIndex = 0;

-  DECL_ACCESSORS(length, Object)
-
  DECL_VERIFIER(JSArgumentsObject)
  DECL_CAST(JSArgumentsObject)

@@ -36,16 +37,11 @@ class JSArgumentsObject : public JSObject {
 class JSSloppyArgumentsObject : public JSArgumentsObject {
 public:
  // Offsets of object fields.
-  static const int kCalleeOffset = JSArgumentsObject::kHeaderSize;
+  static const int kCalleeOffset = JSArgumentsObject::kSize;
  static const int kSize = kCalleeOffset + kPointerSize;
  // Indices of in-object properties.
  static const int kCalleeIndex = kLengthIndex + 1;

-  DECL_ACCESSORS(callee, Object)
-
-  DECL_VERIFIER(JSSloppyArgumentsObject)
-  DECL_CAST(JSSloppyArgumentsObject)
-
 private:
  DISALLOW_IMPLICIT_CONSTRUCTORS(JSSloppyArgumentsObject);
 };
@@ -55,9 +51,7 @@ class JSSloppyArgumentsObject : public JSArgumentsObject {
 class JSStrictArgumentsObject : public JSArgumentsObject {
 public:
  // Offsets of object fields.
-  static const int kSize = JSArgumentsObject::kHeaderSize;
-
-  DECL_CAST(JSStrictArgumentsObject)
+  static const int kSize = JSArgumentsObject::kSize;

 private:
  DISALLOW_IMPLICIT_CONSTRUCTORS(JSStrictArgumentsObject);
@@ -100,7 +94,7 @@ class SloppyArgumentsElements : public FixedArray {

  DECL_CAST(SloppyArgumentsElements)
 #ifdef VERIFY_HEAP
-  void SloppyArgumentsElementsVerify(JSSloppyArgumentsObject* holder);
+  void SloppyArgumentsElementsVerify(JSObject* holder);
 #endif

 private:

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -2699,6 +2699,20 @@ THREADED_TEST(InternalFields) {
  CHECK_EQ(17, obj->GetInternalField(0)->Int32Value(env.local()).FromJust());
 }

+THREADED_TEST(InternalFieldsOfRegularObjects) {
+  LocalContext env;
+  v8::Isolate* isolate = env->GetIsolate();
+  v8::HandleScope scope(isolate);
+
+  const char* sources[] = {"new Object()", "{ a: 'a property' }", "arguments"};
+  for (size_t i = 0; i < arraysize(sources); ++i) {
+    i::ScopedVector<char> source(128);
+    i::SNPrintF(source, "(function() { return %s })()", sources[i]);
+    v8::Local<v8::Object> obj = CompileRun(source.start()).As<v8::Object>();
+    CHECK_EQ(0, obj->InternalFieldCount());
+  }
+}
+
 THREADED_TEST(GlobalObjectInternalFields) {
  v8::Isolate* isolate = CcTest::isolate();
  v8::HandleScope scope(isolate);