Reviewers: Igor Sheludko,

Message:
PTAL (commit if you like)

Description:
Check global object behind global proxy for extensibility

BUG=454091

Please review this at https://codereview.chromium.org/895573002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+18, -8 lines):
  M src/accessors.cc
  M src/objects.cc
  A + test/mjsunit/regress/regress-crbug-454091.js


Index: src/accessors.cc
diff --git a/src/accessors.cc b/src/accessors.cc
index 1e8abd95ab6adc13d11d904826847e533fe8a559..375a92d589886d6a62a2443cbeb6c0200bb52ddd 100644
--- a/src/accessors.cc
+++ b/src/accessors.cc
@@ -136,6 +136,12 @@ bool SetPropertyOnInstanceIfInherited(
     // This behaves sloppy since we lost the actual strict-mode.
// TODO(verwaest): Fix by making ExecutableAccessorInfo behave like data
     // properties.
+    if (object->IsJSGlobalProxy()) {
+      PrototypeIterator iter(isolate, object);
+      if (iter.IsAtEnd()) return true;
+      DCHECK(iter.GetCurrent()->IsJSGlobalObject());
+      object = Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter));
+    }
     if (!object->map()->is_extensible()) return true;
JSObject::SetOwnPropertyIgnoreAttributes(object, Utils::OpenHandle(*name),
                                              value, NONE).Check();
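Review bot: The added global-proxy branch has no comment saying why the proxy is unwrapped, and its `if (iter.IsAtEnd()) return true;` exit reports the store as handled without writing anything. A comment above `if (object->IsJSGlobalProxy())` would cover both, for example `// Extensibility is tracked on the global object behind the proxy; a detached proxy has none, so the store is dropped.` That reading is inferred from the commit title and the `is_extensible()` test that follows, so please confirm it. After the branch `object` refers to the global object, so the `SetOwnPropertyIgnoreAttributes` call below now writes to it instead of the proxy; if that is intended, the same comment should say so. The body of SetPropertyOnInstanceIfInherited starts and ends outside this hunk.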
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index 15909984b9f247921f4f06399b78e3f8c573cc1c..8d7244b6a91511a6c511f9bd956de99bd99a8d1f 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -12115,6 +12115,13 @@ MaybeHandle<Object> JSObject::SetPrototype(Handle<JSObject> object,
       real_receiver =
           Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter));
       iter.Advance();
+      if (!real_receiver->map()->is_extensible()) {
+        Handle<Object> args[] = {object};
+        THROW_NEW_ERROR(isolate,
+                        NewTypeError("non_extensible_proto",
+                                     HandleVector(args, arraysize(args))),
+                        Object);
+      }
     }
   }
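Review bot: The new `if (!real_receiver->map()->is_extensible())` check has no comment explaining why the object behind the proxy needs its own extensibility test, which is the integrity guarantee this fix restores. Something like `// The proxy's map can stay extensible after the global object is frozen, so check the object that actually receives the new prototype.` above the `if` would help; the wording is inferred from the commit title and should be confirmed. The error is built with `object` (the proxy) as its argument instead of `real_receiver`, which looks deliberate but is worth stating. If SetPrototype already throws `non_extensible_proto` for `object` elsewhere (not visible here, since the function starts and ends outside the hunk), a small local helper would avoid building the same error twice.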

Index: test/mjsunit/regress/regress-crbug-454091.js
diff --git a/test/mjsunit/compiler/regress-451012.js b/test/mjsunit/regress/regress-crbug-454091.js
similarity index 51%
copy from test/mjsunit/compiler/regress-451012.js
copy to test/mjsunit/regress/regress-crbug-454091.js
index bffc8bc5bdfac32bb561a24153d00157b26ac3a5..2705e96bfd023f415cd5a7076017900cd251793c 100644
--- a/test/mjsunit/compiler/regress-451012.js
+++ b/test/mjsunit/regress/regress-crbug-454091.js
@@ -2,11 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-"use strict";
-function f() {
-  for (let v; v; ) {
-    let x;
-  }
-}
-
-f();
+this.__proto__ = Array.prototype;
+Object.freeze(this);
+this.length = 1;
+assertThrows('this.__proto__ = {}');
+assertEquals(Array.prototype, this.__proto__);
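Review bot: `this.length = 1;` is followed by no assertion, so the test only shows that the store does not crash and would still pass if the frozen global object gained an own `length` property. Since the accessors.cc change appears to return before `SetOwnPropertyIgnoreAttributes` when the global object is not extensible, adding `assertFalse(this.hasOwnProperty("length"));` right after the store would pin the frozen-object guarantee. The test covers `Object.freeze` only; a second case using `Object.preventExtensions(this)` would exercise the same `is_extensible()` checks without relying on the other effects of freezing.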

