[proxies] Add missing stack overflow check.

Bug: v8:7716 Change-Id: I9cf71c1e9431ee751db595b6c94c09dab5f1610b Reviewed-on: https://chromium-review.googlesource.com/1047612Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#53045}

[proxies] Add missing stack overflow check.
Bug: v8:7716 Change-Id: I9cf71c1e9431ee751db595b6c94c09dab5f1610b Reviewed-on: https://chromium-review.googlesource.com/1047612Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#53045}
e91cd3c5 · Georg Neis · Commit Bot · 73933f2a · e91cd3c5 · e91cd3c5
Commit e91cd3c5 authored May 07, 2018 by Georg Neis Committed by Commit Bot May 07, 2018
Showing with 54 additions and 3 deletions

builtins-proxy-gen.cc src/builtins/builtins-proxy-gen.cc +2 -0

regress-7716.js test/mjsunit/regress/regress-7716.js +51 -0

regress-crbug-779344.js test/mjsunit/regress/regress-crbug-779344.js +1 -3

No files found.
--- a/src/builtins/builtins-proxy-gen.cc
+++ b/src/builtins/builtins-proxy-gen.cc
@@ -408,6 +408,8 @@ TF_BUILTIN(ProxyHasProperty, ProxiesCodeStubAssembler) {
  CSA_ASSERT(this, IsJSProxy(proxy));
+  PerformStackCheck(context);
  // 1. Assert: IsPropertyKey(P) is true.
  CSA_ASSERT(this, IsName(name));
  CSA_ASSERT(this, Word32Equal(IsPrivateSymbol(name), Int32Constant(0)));

--- a/test/mjsunit/regress/regress-7716.js
+++ b/test/mjsunit/regress/regress-7716.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Deeply nested target.
+let proxy = new Proxy(function(){}, {});
+for (let i = 0; i < 100000; i++) {
+  proxy = new Proxy(proxy, {});
+}
+// We get a stack overflow in all cases except for Reflect.apply, which here
+// happens to run in constant space: Call jumps into CallProxy and CallProxy
+// jumps into the next Call.
+assertDoesNotThrow(() => Reflect.apply(proxy, {}, []));
+assertThrows(() => Reflect.construct(proxy, []), RangeError);
+assertThrows(() => Reflect.defineProperty(proxy, "x", {}), RangeError);
+assertThrows(() => Reflect.deleteProperty(proxy, "x"), RangeError);
+assertThrows(() => Reflect.get(proxy, "x"), RangeError);
+assertThrows(() => Reflect.getOwnPropertyDescriptor(proxy, "x"), RangeError);
+assertThrows(() => Reflect.getPrototypeOf(proxy), RangeError);
+assertThrows(() => Reflect.has(proxy, "x"), RangeError);
+assertThrows(() => Reflect.isExtensible(proxy), RangeError);
+assertThrows(() => Reflect.ownKeys(proxy), RangeError);
+assertThrows(() => Reflect.preventExtensions(proxy), RangeError);
+assertThrows(() => Reflect.setPrototypeOf(proxy, {}), RangeError);
+assertThrows(() => Reflect.set(proxy, "x", {}), RangeError);
+// Recursive handler.
+function run(trap, ...args) {
+  let handler = {};
+  const proxy = new Proxy(function(){}, handler);
+  handler[trap] = (target, ...args) => Reflect[trap](proxy, ...args);
+  return Reflect[trap](proxy, ...args);
+}
+assertThrows(() => run("apply", {}, []), RangeError);
+assertThrows(() => run("construct", []), RangeError);
+assertThrows(() => run("defineProperty", "x", {}), RangeError);
+assertThrows(() => run("deleteProperty", "x"), RangeError);
+assertThrows(() => run("get", "x"), RangeError);
+assertThrows(() => run("getOwnPropertyDescriptor", "x"), RangeError);
+assertThrows(() => run("has", "x"), RangeError);
+assertThrows(() => run("isExtensible"), RangeError);
+assertThrows(() => run("ownKeys"), RangeError);
+assertThrows(() => run("preventExtensions"), RangeError);
+assertThrows(() => run("setPrototypeOf", {}), RangeError);
+assertThrows(() => run("set", "x", {}), RangeError);
--- a/test/mjsunit/regress/regress-crbug-779344.js
+++ b/test/mjsunit/regress/regress-crbug-779344.js
@@ -5,6 +5,4 @@
 var o = {};
 var proxy = new Proxy(() => {}, o);
 o.apply = proxy;
-assertThrows(
+assertThrows(proxy);
-  () => Function.prototype.call.call(proxy)
-);