Reviewers: Toon Verwaest,

Description:
Only allow calls to %InternalSetProperty from builtin context.

[email protected]
BUG=405499
LOG=N

Please review this at https://codereview.chromium.org/491843002/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+8, -7 lines):
  M src/runtime.cc
  A + test/mjsunit/regress/regress-crbug-405499.js


Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index 4aeef9d4558b7a59c3dcb06aa3d2d8052d022b92..1c0a444a6fb1e94e029608cbfc3bf03efc6df41f 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -1878,6 +1878,9 @@ RUNTIME_FUNCTION(Runtime_InternalSetPrototype) {
   DCHECK(args.length() == 2);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, obj, 0);
   CONVERT_ARG_HANDLE_CHECKED(Object, prototype, 1);
+  // Only callable from within builtin context.
+  RUNTIME_ASSERT(
+ isolate->global_object().is_identical_to(isolate->js_builtins_object()));
   DCHECK(!obj->IsAccessCheckNeeded());
   DCHECK(!obj->map()->is_observed());
   Handle<Object> result;
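Review bot: The new comment above the `RUNTIME_ASSERT` says only that the function is callable from builtin context, not why, and the two `DCHECK`s that follow are compiled out of release builds, so this assert is the only guard a release build has on this path. I would spell that out, e.g. `// Reachable from script under --allow-natives-syntax; the DCHECKs below are debug-only, so this is the release-mode guard.` The check compares the isolate's current global object with the builtins object; whether that identifies the caller in every case depends on code outside this hunk, and the function body continues past it. The description names %InternalSetProperty while the guarded function is Runtime_InternalSetPrototype, so the description presumably has a typo.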
Index: test/mjsunit/regress/regress-crbug-405499.js
diff --git a/test/mjsunit/regress/regress-355486.js b/test/mjsunit/regress/regress-crbug-405499.js
similarity index 58%
copy from test/mjsunit/regress/regress-355486.js
copy to test/mjsunit/regress/regress-crbug-405499.js
index 55362a13416335b72bfa1ff92bc29f7a04edbd65..493442c1d213702d53091d1ab255c521eab2bcfd 100644
--- a/test/mjsunit/regress/regress-355486.js
+++ b/test/mjsunit/regress/regress-crbug-405499.js
@@ -4,10 +4,8 @@

 // Flags: --allow-natives-syntax

-function f() { var v = arguments[0]; }
-function g() { f(); }
-
-g();
-g();
-%OptimizeFunctionOnNextCall(g);
-g();
+var global = this;
+assertThrows(function() {
+  %InternalSetPrototype(global, new Object());
+  global.__defineSetter__('x', function(v) { });
+});
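Review bot: `assertThrows` wraps both statements, so the test passes if either one throws and does not pin the new check on `%InternalSetPrototype` itself. I would assert on the runtime call alone, `assertThrows(function() { %InternalSetPrototype(global, new Object()); });`, and keep the `__defineSetter__` line as a separate statement if it is needed to reproduce the original failure. A follow-up check that the global's prototype is unchanged, e.g. `assertEquals(proto, Object.getPrototypeOf(global));` with `proto` captured beforehand, would also show the call had no effect before it threw. The hunk starts at line 4 of the file, so the header above it is not visible here.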

