Commit f52c8f9f authored by Alexey Kozyatinskiy's avatar Alexey Kozyatinskiy Committed by Commit Bot

[inspector] console.context should be ready for GC

context_name pointer can be changed after GC triggered by AddProperty.

R=ishell@chromium.org

Bug: chromium:732717
Change-Id: Ie8e2497fa9f3bac80e0ad68153956e382731e284
Reviewed-on: https://chromium-review.googlesource.com/532994
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45898}
parent 5b427ad2
...@@ -75,7 +75,7 @@ CONSOLE_METHOD_LIST(CONSOLE_BUILTIN_IMPLEMENTATION) ...@@ -75,7 +75,7 @@ CONSOLE_METHOD_LIST(CONSOLE_BUILTIN_IMPLEMENTATION)
namespace { namespace {
void InstallContextFunction(Handle<JSObject> target, const char* name, void InstallContextFunction(Handle<JSObject> target, const char* name,
Builtins::Name call, int context_id, Builtins::Name call, int context_id,
Object* context_name) { Handle<Object> context_name) {
Factory* const factory = target->GetIsolate()->factory(); Factory* const factory = target->GetIsolate()->factory();
Handle<Code> call_code(target->GetIsolate()->builtins()->builtin(call)); Handle<Code> call_code(target->GetIsolate()->builtins()->builtin(call));
...@@ -94,7 +94,7 @@ void InstallContextFunction(Handle<JSObject> target, const char* name, ...@@ -94,7 +94,7 @@ void InstallContextFunction(Handle<JSObject> target, const char* name,
NONE); NONE);
if (context_name->IsString()) { if (context_name->IsString()) {
JSObject::AddProperty(fun, factory->console_context_name_symbol(), JSObject::AddProperty(fun, factory->console_context_name_symbol(),
handle(context_name, target->GetIsolate()), NONE); context_name, NONE);
} }
JSObject::AddProperty(target, name_string, fun, NONE); JSObject::AddProperty(target, name_string, fun, NONE);
} }
...@@ -114,7 +114,8 @@ BUILTIN(ConsoleContext) { ...@@ -114,7 +114,8 @@ BUILTIN(ConsoleContext) {
isolate->set_last_console_context_id(id); isolate->set_last_console_context_id(id);
#define CONSOLE_BUILTIN_SETUP(call, name) \ #define CONSOLE_BUILTIN_SETUP(call, name) \
InstallContextFunction(context, #name, Builtins::kConsole##call, id, args[1]); InstallContextFunction(context, #name, Builtins::kConsole##call, id, \
args.at(1));
CONSOLE_METHOD_LIST(CONSOLE_BUILTIN_SETUP) CONSOLE_METHOD_LIST(CONSOLE_BUILTIN_SETUP)
#undef CONSOLE_BUILTIN_SETUP #undef CONSOLE_BUILTIN_SETUP
......
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let {session, contextGroup, Protocol} =
InspectorTest.start('Regression test for crbug.com/732717');
Protocol.Runtime.evaluate({expression: `var v3 = {};
var v6 = {};
Array.prototype.__defineGetter__(0, function() {
this[0] = 2147483647;
})
Array.prototype.__defineSetter__(0, function() {
console.context(v3);
this[0] = v6;
});
v60 = Array(0x8000).join();`}).then(InspectorTest.completeTest);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment