Revision: 23375
Author: [email protected]
Date: Mon Aug 25 19:32:23 2014 UTC
Log: Version 3.27.34.15 (merged r23129)
Fix access checks in GetAccessor
[email protected]
BUG=
Review URL: https://codereview.chromium.org/500203002
https://code.google.com/p/v8/source/detail?r=23375
Modified:
/branches/3.27/src/objects.cc
/branches/3.27/src/version.cc
=======================================
--- /branches/3.27/src/objects.cc Mon Aug 18 12:30:21 2014 UTC
+++ /branches/3.27/src/objects.cc Mon Aug 25 19:32:23 2014 UTC
@@ -6908,14 +6908,6 @@
// Make sure that the top context does not change when doing callbacks or
// interceptor calls.
AssertNoContextChange ncc(isolate);
-
- // Check access rights if needed.
- if (object->IsAccessCheckNeeded() &&
- !isolate->MayNamedAccess(object, name, v8::ACCESS_HAS)) {
- isolate->ReportFailedAccessCheck(object, v8::ACCESS_HAS);
- RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
- return isolate->factory()->undefined_value();
- }
// Make the lookup and include prototypes.
uint32_t index = 0;
@@ -6923,6 +6915,15 @@
for (Handle<Object> obj = object;
!obj->IsNull();
obj = handle(JSReceiver::cast(*obj)->GetPrototype(), isolate)) {
+ if (obj->IsAccessCheckNeeded() &&
+ !isolate->MayNamedAccess(Handle<JSObject>::cast(obj), name,
+ v8::ACCESS_HAS)) {
+ isolate->ReportFailedAccessCheck(Handle<JSObject>::cast(obj),
+ v8::ACCESS_HAS);
+ RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
+ return isolate->factory()->undefined_value();
+ }
+
if (obj->IsJSObject() &&
JSObject::cast(*obj)->HasDictionaryElements()) {
JSObject* js_object = JSObject::cast(*obj);
SeededNumberDictionary* dictionary =
js_object->element_dictionary();
@@ -6941,6 +6942,14 @@
for (Handle<Object> obj = object;
!obj->IsNull();
obj = handle(JSReceiver::cast(*obj)->GetPrototype(), isolate)) {
+ if (obj->IsAccessCheckNeeded() &&
+ !isolate->MayNamedAccess(Handle<JSObject>::cast(obj), name,
+ v8::ACCESS_HAS)) {
+ isolate->ReportFailedAccessCheck(Handle<JSObject>::cast(obj),
+ v8::ACCESS_HAS);
+ RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
+ return isolate->factory()->undefined_value();
+ }
LookupResult result(isolate);
JSReceiver::cast(*obj)->LookupOwn(name, &result);
if (result.IsFound()) {
=======================================
--- /branches/3.27/src/version.cc Mon Aug 18 13:07:39 2014 UTC
+++ /branches/3.27/src/version.cc Mon Aug 25 19:32:23 2014 UTC
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 27
#define BUILD_NUMBER 34
-#define PATCH_LEVEL 14
+#define PATCH_LEVEL 15
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
